
Supply Chain & Gaming Infostealer Surge: TeamPCP, LofyStealer & Lumma Campaigns — OTX Pulse Analysis

Security Arsenal Team
May 1, 2026
6 min read

Recent OTX pulses indicate a coordinated surge in credential theft campaigns leveraging diverse infection vectors. The intelligence highlights a concerning shift towards supply chain compromise and social engineering targeting specific developer and gaming communities.

TeamPCP has weaponized the popular telnyx Python SDK on PyPI, utilizing a three-stage architecture that deploys a credential harvester via steganography-hidden payloads in WAV files. Simultaneously, LofyStealer is actively targeting Minecraft players via a sophisticated Node.js loader and in-memory C++ payload to steal browser data and financial credentials. Additionally, a ClickFix-style phishing campaign is distributing Lumma Stealer and HijackLoader via obfuscated PowerShell, while KYCShadow targets Indian banking users via mobile malware to intercept OTPs. The collective objective is mass harvesting of credentials, cookies, and financial data for sale on dark web markets.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Supply Chain)

  • Distribution: Malicious Python packages uploaded to PyPI (supply chain attack).
  • Payload Behavior: Three-stage architecture. Stage 1 is a trojanized package; Stage 2 is a platform-specific loader; Stage 3 is a credential harvester hidden inside a WAV file using steganography.
  • Persistence & Execution: Abuses msbuild.exe for execution to evade application control.
  • C2 Communication: Encrypted C2 channels; exfiltrates harvested credentials.

LofyGang (LofyStealer)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior: 53.5 MB Node.js loader disguised as legitimate libraries; drops a 1.4 MB native C++ payload that is executed directly in memory (fileless).
  • Target: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Anti-Analysis: Uses syscall-based evasion and Node.js obfuscation.

GhostSocks & Lumma Stealer

  • GhostSocks: Malware-as-a-Service written in Go. Turns compromised devices into residential proxy nodes (SOCKS5) and wraps the proxy traffic in TLS so it blends in with normal encrypted traffic.
  • Lumma Stealer: Often distributed alongside GhostSocks or via ClickFix campaigns. Hijacks browser sessions and steals login data.
  • Technique: DLL sideloading and HijackLoader used to establish persistence.

KYCShadow (Android)

  • Distribution: WhatsApp distribution masquerading as bank KYC verification.
  • Payload Behavior: Multi-stage dropper with native code obfuscation.
  • Technique: VPN-based traffic manipulation, WebView phishing, and Firebase-based C2 for remote execution and OTP interception.

IOC Analysis

The provided indicators cover a broad spectrum of the attack infrastructure:

  • Domains & Hostnames: Include C2 infrastructure such as serv.biz (KYCShadow), retreaw.click (GhostSocks), and aquasecurtiy.org (TeamPCP typo-squatting). SOC teams should block these at the perimeter and DNS layer.
  • IP Addresses: Includes 24.152.36.241 (LofyStealer) and 85.11.161.198 (ClickFix/Lumma). These should be blocked on firewalls and added to threat intel feeds.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for loaders, payloads, and malicious installers (MSI). EDR tools should be configured to block execution of these specific hashes.
  • URLs: Direct download links for malicious payloads (e.g., .msi files on port 6600).

Operational Guidance:

  1. Blocklist: Immediately ingest all domains and IPs into your firewall and Secure Web Gateway (SWG).
  2. Hunt: Use the provided hashes to scan Windows Event Logs (Sysmon ID 1/6) and EDR telemetry for historical execution.
  3. Decode: The PowerShell commands in the ClickFix campaign are heavily obfuscated; utilize sandbox detonation or script analysis logs (Sysmon ID 1 with command line logging) to extract the second-stage URLs.

Detection Engineering

The following detection rules and hunt queries are tailored to the specific behaviors observed in these pulses.

yaml
title: Suspicious MSBuild Execution from Python (TeamPCP Supply Chain)
id: 0a3b1c8d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects the execution of msbuild.exe spawned by python.exe or unusual processes, indicative of a supply chain attack or abuse of the build process.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
tags:
    - attack.execution
    - attack.t1127.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\python.exe'
            - '\python3.exe'
        Image|endswith:
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Legitimate developer builds
level: high
---
title: PowerShell Downloading Malicious MSI (ClickFix/Lumma)
id: b4c5d6e7-f8a9-0b1c-2d3e-4f5a6b7c8d9e
description: Detects PowerShell commands downloading .msi files from the internet, a common technique in ClickFix campaigns delivering HijackLoader and Lumma Stealer.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadFile'
            - 'IWR'
    selection_file:
        CommandLine|contains:
            - '.msi'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Node.js Spawning Unusual Child Processes (LofyStealer)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects Node.js processes spawning cmd.exe, powershell.exe, or unknown binaries, characteristic of the LofyStealer Node.js loader decrypting and executing its C++ payload.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
    - attack.defense_evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    filter_legit:
        CommandLine|contains:
            - 'npm'
            - 'node-gyp'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate Node.js development toolchains
level: medium
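To check what these three rules do and do not fire on, here is an added example (not part of the original post or its rules): the rules re-expressed as Python predicates and run over constructed Sysmon-style process-creation events, including the benign npm case that the filter_legit exclusion is meant to suppress. Field names follow the Sigma rules above; every path, host and command line is a placeholder.

```python
# Added example, not from the article: the three Sigma rules above as Python predicates,
# run over constructed process-creation events. Sigma string modifiers match
# case-insensitively, which the two helpers reproduce.
def _endswith(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def _contains(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def rule_msbuild_from_python(ev):
    # Rule 1: ParentImage endswith python*.exe AND Image endswith msbuild.exe
    return (_endswith(ev["ParentImage"], ["\\python.exe", "\\python3.exe"])
            and _endswith(ev["Image"], ["\\msbuild.exe"]))

def rule_powershell_downloads_msi(ev):
    # Rule 2: condition 'all of selection_*' means every selection must match
    return (_endswith(ev["Image"], ["\\powershell.exe", "\\pwsh.exe"])
            and _contains(ev["CommandLine"], ["Invoke-WebRequest", "DownloadFile", "IWR"])
            and _contains(ev["CommandLine"], [".msi"]))

def rule_node_spawns_child(ev):
    # Rule 3: parent AND child selections, minus the npm/node-gyp false-positive filter
    return (_endswith(ev["ParentImage"], ["\\node.exe"])
            and _endswith(ev["Image"], ["\\cmd.exe", "\\powershell.exe", "\\rundll32.exe"])
            and not _contains(ev["CommandLine"], ["npm", "node-gyp"]))

RULES = {"msbuild_from_python": rule_msbuild_from_python,
         "powershell_downloads_msi": rule_powershell_downloads_msi,
         "node_spawns_child": rule_node_spawns_child}

def evaluate(events):
    """Per event, the sorted names of the rules that fired (empty list = no hit)."""
    return [sorted(n for n, r in RULES.items() if r(ev)) for ev in events]

# Constructed sample telemetry (Sysmon Event ID 1 style fields); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Python312\python.exe", "CommandLine": r"MSBuild.exe C:\Temp\build.proj",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden iwr http://placeholder.invalid/setup.msi -OutFile s.msi"},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c npm run build"},  # benign: suppressed by the 'npm' filter
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\g\AppData\Local\Temp\p.bin,Run"},
]
```

Running evaluate(SAMPLE_EVENTS) shows the first, second and fourth events each firing exactly one rule and the npm build firing none; swapping in your own EDR export in the same field shape is a quick way to tune the filter before deploying the rules.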


kql
// KQL Hunt for Network IOCs related to Infostealers
// Hunt for specific C2 domains and IPs mentioned in the pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
        "serv.biz",
        "serv.xyz",
        "api.biz",
        "retreaw.click",
        "aquasecurtiy.org",
        "scan.aquasecurtiy.org"
    )
    or RemoteIP in~ (
        "24.152.36.241",
        "85.11.161.198"
    )
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCPulse = case(
    RemoteUrl has "serv", "KYCShadow",
    RemoteUrl has "retreaw", "GhostSocks",
    RemoteUrl has "aquasecurtiy", "TeamPCP",
    RemoteIP == "24.152.36.241", "LofyStealer",
    RemoteIP == "85.11.161.198", "ClickFix/Lumma",
    "Unknown"
)


powershell
# PowerShell IOC Hunt Script
# Scans C:\ for specific SHA256 hashes associated with TeamPCP, LofyStealer, and Lumma

$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", # TeamPCP
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2", # TeamPCP
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb", # TeamPCP
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", # LofyStealer
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc", # ClickFix/Lumma
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728"  # ClickFix/Lumma
)

Write-Host "[+] Starting IOC Hunt for Infostealer Hashes..." -ForegroundColor Cyan

# Get all files on C: drive (filter for common executable extensions for performance)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.msi, *.bin, *.py, *.wav | ForEach-Object {
    $file = $_
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    
    if ($TargetHashes -contains $hash) {
        Write-Host "[!] MATCH FOUND: $($file.FullName)" -ForegroundColor Red
        Write-Host "    Hash: $hash" -ForegroundColor Yellow
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Green

# Check for suspicious Hostname resolution in DNS cache (Requires Admin)
$SuspiciousHosts = @("scan.aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "w2.bruggebogeyed.site")
Write-Host "[+] Checking DNS Cache for Suspicious Hosts..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $SuspiciousHosts -contains $_.Entry } | ForEach-Object {
    Write-Host "[!] Suspicious DNS Entry Found: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}

Response Priorities

  • Immediate (0-4h): Block all IOCs (Domains, IPs, Hashes) at the firewall, proxy, and EDR levels. Isolate any endpoints with confirmed hits on the file hashes or PowerShell command lines.
  • 24h: Initiate credential rotation for accounts identified on compromised endpoints, particularly developer accounts (TeamPCP) and gaming/service accounts (LofyStealer). Conduct forensic analysis of the Python package repository usage within the enterprise.
  • 1 Week: Harden the software supply chain by enforcing pinning of PyPI packages (pip hash) and requiring code review for build scripts. Review and restrict the usage of Node.js and Python in production environments to signed, approved repositories.
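The hash-pinning recommendation in practice, as an added example that is not part of the original post: a small Python check that mirrors what pip does under --require-hashes, parsing the --hash pins from a requirements file and rejecting an artifact whose digest does not match (or a requirement that carries no pin at all). The package names, versions, digests and artifact bytes are constructed placeholders.

```python
# Added example (not from the article): verifies a package artifact against the
# --hash pins of a requirements file, mirroring the check pip performs with
# --require-hashes. Names, versions and digests below are constructed placeholders.
import hashlib
import re

REQUIREMENTS = """\
# constructed requirements.txt: placeholder versions, digests filled in below
telnyx==0.0.0 \\
    --hash=sha256:{good}
otherpkg==0.0.0 --hash=sha256:{other}
"""

def parse_hash_pins(text):
    """Map 'name==version' -> set of (algorithm, hexdigest) taken from --hash options.
    Joins backslash continuations and strips comments as pip does; a requirement
    without a pin is rejected, matching pip's --require-hashes behaviour."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+==\S+)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = set(re.findall(r"--hash=([a-z0-9]+):([0-9a-f]+)", line))
        if not hashes:
            raise ValueError(f"no --hash pin for {m.group(1)}")
        pins[m.group(1)] = hashes
    return pins

def verify_artifact(requirement, data, pins):
    """True only if the artifact's digest matches a pin recorded for that requirement."""
    allowed = pins.get(requirement)
    if not allowed:
        return False
    return any(hashlib.new(alg, data).hexdigest() == digest for alg, digest in allowed)

# Constructed artifacts: the pinned wheel bytes and a tampered copy of them
GOOD_WHEEL = b"PK\x03\x04 placeholder wheel bytes for telnyx"
TAMPERED_WHEEL = GOOD_WHEEL + b" extra bytes"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()
OTHER_DIGEST = hashlib.sha256(b"placeholder wheel bytes for otherpkg").hexdigest()
PINS = parse_hash_pins(REQUIREMENTS.format(good=GOOD_DIGEST, other=OTHER_DIGEST))
```

With pins in place, a trojanized upload of the same version (as in the telnyx case) changes the digest and fails the check, which is the property that makes pinning useful against this class of supply chain compromise.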
