Supply Chain & AI-Driven Infostealers: AMOS, Lumma, and GlassWorm Campaigns — OTX Pulse Analysis | Security Arsenal

Recent OTX pulses reveal a convergence of sophisticated supply chain attacks and novel social engineering vectors targeting developers and enterprise sectors. Threat actors, including the group known as TeamPCP, are leveraging compromised repositories (PyPI, Docker Hub) and AI development environments (Cursor) to deliver information stealers such as Lumma, Vidar, Redline, and the macOS-specific AMOS Stealer. The overarching objective across these campaigns is the theft of cloud credentials, cryptocurrency wallets, and developer session tokens, facilitated by Living-Off-The-Land (LotL) binaries and obfuscated payloads.

The attack chains typically begin with a poisoned package or a deceptive prompt within an AI agent, leading to the execution of base64-encoded scripts or PowerShell commands. These initial access vectors bypass traditional perimeter defenses by utilizing trusted infrastructure (e.g., official Docker images) or manipulating users into running native tools (ClickFix technique).

Threat Actor / Malware Profile

Malware Families

Lumma Stealer / Vidar / Redline: Information stealers targeting browser data, cryptocurrency wallets, and system credentials. Often distributed via the "ClickFix" social engineering technique, where users are tricked into running fake browser update scripts.
AMOS Stealer: A macOS-focused infostealer delivered via malicious AppleScript. In the observed campaign, it is distributed through social engineering within Cursor AI agent sessions, prompting the operator to execute obfuscated code that performs sandbox evasion before data exfiltration.
GlassWorm: A sophisticated malware targeting developers through compromised repositories. It uses a multi-stage execution chain, fingerprinting the machine and fetching payloads via the Solana blockchain. It installs a fake browser extension for surveillance and steals development credentials.
Canister Worm: A worm component associated with the TeamPCP supply chain attack, capable of propagation via npm and affecting VS Code extensions.

Tactics, Techniques, and Procedures (TTPs)

Distribution: Supply chain poisoning (Xinference PyPI packages, Checkmarx KICS Docker images), AI Agent exploitation (Cursor), and Social Engineering (ClickFix).
Execution: Heavy use of Base64 encoding within __init__.py files (Python) and AppleScript loaders. Use of Living-Off-The-Land binaries (LOLBins) to evade detection.
C2 & Exfiltration: Encrypted channel communication; GlassWorm utilizes the Solana blockchain for payload retrieval; AMOS connects to specific C2 IPs (45.94.47.204, 92.246.136.14).
Persistence: VS Code extensions, malicious Docker containers, and fake browser updates installed via startup folders or scheduled tasks.

IOC Analysis

The provided Indicators of Compromise (IOCs) consist of network infrastructure and file artifacts associated with these campaigns.

Network Infrastructure: Key IP addresses such as 94.154.172.43 (KICS C2) and 45.94.47.204 (AMOS C2) are critical for blocking. Domains like arkypc.com and mpasvw.com serve as C2 servers for the AMOS campaign and should be sinkholed or blocked at the DNS layer.
File Hashes: Numerous MD5, SHA1, and SHA256 hashes are provided for the trojanized KICS binaries and malicious Python packages. These hashes are essential for EDR correlation and scanning artifact repositories.
Operationalization: SOC teams should immediately ingest these IOCs into SIEM platforms for alerting on outbound traffic. For file hashes, YARA rules should be deployed to scan code repositories and Docker image layers.

Detection Engineering

Sigma Rules

YAML

---
title: Potential ClickFix PowerShell Execution Pattern
id: 9c2e4d5f-1a3b-4c5d-9e6f-7a8b9c0d1e2f
description: Detects PowerShell commands often used in ClickFix campaigns to copy binaries or execute encoded scripts mimicking browser updates.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Copy-Item'
      - 'FromBase64String'
      - 'iex'
    CommandLine|contains:
      - 'chrome_update'
      - 'edge_update'
      - 'browser_fix'
  condition: selection
falsepositives:
  - Legitimate system administration scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
---
title: Malicious Python Package Import (Xinference Supply Chain)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects the execution of specific Python versions or scripts associated with the malicious Xinference packages containing base64-encoded payloads.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/python3'
    CommandLine|contains:
      - 'xinference'
      - '__init__.py'
    CommandLine|contains:
      - 'base64'
      - 'exec('
  condition: selection
falsepositives:
  - Legitimate usage of xinference library (verify versions)
level: critical
tags:
  - attack.initial_access
  - attack.t1195.002
---
title: Suspicious AppleScript Execution via Cursor AI
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects macOS processes spawning osascript or AppleScript execution from Cursor AI related directories, indicative of AMOS Stealer delivery.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  product: macos
  category: process_creation
detection:
  selection_parent:
    Image|contains: 'Cursor'
  selection_child:
    Image|endswith:
      - '/osascript'
      - '/AppleScript'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate automation scripts run by developers
level: high
tags:
  - attack.execution
  - attack.t1059.002

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for network connections to known malicious IPs and domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("94.154.172.43", "45.94.47.204", "92.246.136.14") 
   or RemoteUrl has_any ("arkypc.com", "mpasvw.com", "ustazazharidrus.com", "account-help.info")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend FullUrl = strcat("scheme://", RemoteUrl, ":", RemotePort)
| sort by Timestamp desc

// Hunt for suspicious PowerShell execution patterns related to ClickFix
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has "Copy-Item" and ProcessCommandLine has_any ("FromBase64String", "iex")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell

# IOC Hunt Script for AMOS Stealer and TeamPCP C2 Infrastructure
# Checks for active network connections and suspicious processes

$MaliciousIPs = @(
    "94.154.172.43",
    "45.94.47.204",
    "92.246.136.14"
)

$MaliciousDomains = @(
    "arkypc.com",
    "mpasvw.com",
    "ustazazharidrus.com",
    "account-help.info",
    "elive123go.com"
)

Write-Host "[+] Checking for active network connections to known C2 IPs..." -ForegroundColor Cyan
$ActiveConnections = Get-NetTCPConnection -State Established | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

foreach ($IP in $MaliciousIPs) {
    $Found = $ActiveConnections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Found) {
        Write-Host "[!] WARNING: Connection to malicious IP $IP detected (PID: $($Found.OwningProcess))" -ForegroundColor Red
        try {
            $Process = Get-Process -Id $Found.OwningProcess -ErrorAction Stop
            Write-Host "    Process Name: $($Process.ProcessName)" -ForegroundColor Yellow
            Write-Host "    Path: $($Process.Path)" -ForegroundColor Yellow
        } catch {
            Write-Host "    Could not retrieve process details." -ForegroundColor Gray
        }
    }
}

Write-Host "[+] Checking for suspicious processes (osascript, python specific paths)..." -ForegroundColor Cyan
$SuspiciousProcesses = @("osascript", "python", "node")

foreach ($Proc in Get-Process) {
    if ($Proc.ProcessName -in $SuspiciousProcesses) {
        # Check if process is connecting to non-standard ports or known bad IPs (simplified logic)
        $Connections = $ActiveConnections | Where-Object { $_.OwningProcess -eq $Proc.Id }
        if ($Connections) {
            Write-Host "[*] Suspicious process found: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor DarkYellow
        }
    }
}

Response Priorities

Immediate:
- Block all identified IOCs (IPs, Domains, Hashes) at the firewall, proxy, and EDR levels.
- Scan all Docker images and Python package repositories (requirements.txt, package.) for the identified file hashes (e.g., d47de3772f2d61a043e7047431ef4cf4).
- Isolate hosts exhibiting ClickFix-like behavior or PowerShell anomalies.
24 Hours:
- If credential-stealing malware (Lumma, AMOS, GlassWorm) is suspected, force a password reset for all developer and cloud accounts (AWS, Azure, GCP) in the affected environment.
- Revoke and regenerate API keys and tokens used by CI/CD pipelines that may have touched the compromised Docker or PyPI packages.
1 Week:
- Implement strict package pinning and integrity verification (checking signatures/hashes) for all internal and third-party libraries.
- Review and restrict the usage of AI coding assistants (e.g., Cursor) within the network; implement sandboxing for AI-generated code execution.
- Conduct a security audit of the software supply chain, specifically focusing on Docker Hub and public repository interactions.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

Supply Chain & AI-Driven Infostealers: AMOS, Lumma, and GlassWorm Campaigns — OTX Pulse Analysis