Threat Summary
Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns targeting both enterprise infrastructure and end-users. The threat landscape is dominated by TeamPCP leveraging a software supply chain compromise (PyPI), LofyStealer targeting gamers with Node.js loaders, GhostSocks proxy botnets delivering Lumma Stealer, and KYCShadow, an Android banking trojan. The collective objective across these disparate actors is the harvest of authentication credentials, cookies, and financial data, utilizing evasion techniques such as steganography, TLS-encrypted proxying, and DLL sideloading.
Threat Actor / Malware Profile
TeamPCP (Telnyx SDK Supply Chain)
- Distribution: Malicious versions of the telnyx Python SDK uploaded to PyPI (750k+ downloads).
- Behavior: Three-stage architecture. Stage 1 (trojanized package) triggers a platform-specific loader. Stage 2 retrieves a payload hidden via steganography inside a WAV file.
- C2 & Persistence: Deploys a credential harvester; communicates over HTTP/HTTPS.
- Techniques: Steganography, Supply Chain Compromise, MSBuild Abuse.
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players.
- Behavior: Node.js-based loader (53.5MB) disguised as legitimate libraries, dropping a 1.4MB C++ payload that executes in-memory.
- Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
GhostSocks
- Behavior: GoLang malware turning devices into residential proxy nodes.
- Partnership: Integrates with Lumma Stealer to double-dip on victim monetization (proxy access + data theft).
- Techniques: SOCKS5, TLS encryption to blend traffic.
Lumma Stealer (ClickFix Campaign)
- Distribution: "ClickFix" phishing—social engineering users into running PowerShell commands to "fix" browser errors.
- Behavior: Downloads a malicious MSI, utilizes HijackLoader, and employs DLL sideloading with renamed binaries.
KYCShadow (Android)
- Target: Finance sector in India/British Indian Ocean Territory.
- Distribution: WhatsApp messages posing as bank KYC verification.
- Behavior: Multi-stage dropper, Firebase C2, WebView phishing, SMS interception for OTP theft.
IOC Analysis
The provided IOCs span multiple vectors requiring tiered operationalization:
- Network Infrastructure (Domains/IPs):
  - raw.icp0.io (TeamPCP C2)
  - retreaw.click, bruggebogeyed.site (GhostSocks)
  - 85.11.161.198 (ClickFix/Lumma)
  - serv.biz, serv.xyz (KYCShadow)
  - Action: Immediate blocking on perimeter firewalls and DNS resolvers (RPZ).
- File Hashes:
  - Includes MD5, SHA1, and SHA256 for loaders (Node.js), payloads (C++/Go), and trojanized packages.
  - Action: Ingest into EDR solutions for retrospective hunting and real-time alerting.
- URLs:
  - Specific download paths for MSI payloads (robinhuds.com:9658).
  - Action: Configure Secure Web Gateways (SWG) to block these specific paths and domains.
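The domain and IP indicators above are usually operationalized twice: once as a retrospective search over DNS or proxy logs, and once as resolver blocks (RPZ). The script below is an added example, not tooling from the brief or from AlienVault OTX. It takes the IOC values listed in this section, matches them against log lines using DNS-label suffix matching (so a subdomain of raw.icp0.io is a hit but an unrelated name that merely ends in the same characters is not), and emits the RPZ records that would sinkhole each domain together with its subdomains. The log line format and every sample line are constructed for the demo.

```python
"""Match the brief's network IOCs against DNS/proxy log lines and emit RPZ records.

Added example (not part of the original brief). IOC values are the ones listed
in the IOC Analysis section; the log lines and their format are constructed.
"""
import ipaddress
import re

# Network IOCs from the brief, keyed to the campaign they are attributed to.
NETWORK_IOCS = {
    "raw.icp0.io": "TeamPCP",
    "retreaw.click": "GhostSocks",
    "bruggebogeyed.site": "GhostSocks",
    "85.11.161.198": "ClickFix/Lumma",
    "serv.biz": "KYCShadow",
    "serv.xyz": "KYCShadow",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


DOMAIN_IOCS = {k: v for k, v in NETWORK_IOCS.items() if not _is_ip(k)}
IP_IOCS = {k: v for k, v in NETWORK_IOCS.items() if _is_ip(k)}


def classify_host(host):
    """Return the campaign label for an IOC IP, IOC domain or any subdomain of one, else None.

    Matching is done on DNS labels: 'abcd.raw.icp0.io' matches 'raw.icp0.io',
    but 'notretreaw.click' does not match 'retreaw.click'.
    """
    host = host.strip().lower().rstrip(".")
    if host in IP_IOCS:
        return IP_IOCS[host]
    for domain, label in DOMAIN_IOCS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


# Constructed line format for the demo: "<timestamp> <client_ip> <host> <dst_port>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)$")


def hunt(log_lines):
    """Return one hit dict per log line whose destination host is an IOC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        label = classify_host(m.group("host"))
        if label:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": m.group("host"), "port": int(m.group("port")),
                         "campaign": label})
    return hits


def rpz_records(domains):
    """RPZ zone records that NXDOMAIN each IOC domain and all of its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed sample log lines; clients and timestamps are not real observations.
SAMPLE_LOGS = [
    "2026-05-03T10:01:02Z 10.0.0.15 abcd1234.raw.icp0.io 443",
    "2026-05-03T10:01:05Z 10.0.0.15 notretreaw.click 443",
    "2026-05-03T10:02:11Z 10.0.0.22 retreaw.click 443",
    "2026-05-03T10:03:40Z 10.0.0.31 85.11.161.198 443",
    "2026-05-03T10:04:00Z 10.0.0.40 www.example.com 443",
    "2026-05-03T10:05:00Z 10.0.0.50 api.serv.xyz 443",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} [{hit['campaign']}]")
    print("\n".join(rpz_records(DOMAIN_IOCS)))
```

Run against the constructed lines it reports four hits (TeamPCP, GhostSocks, ClickFix/Lumma, KYCShadow) and ignores the look-alike name, which is the check to make before pushing a suffix-based block to a resolver; the RPZ output needs both the apex record and the wildcard, since a wildcard alone does not cover the domain itself.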
Detection Engineering
Sigma Rules
title: Potential TeamPCP C2 Communication via ICP0 Domains
id: 4f8c9a12-5a6b-4c7d-8e9f-1a2b3c4d5e6f
description: Detects outbound connections to ICP0.io domains, specifically raw.icp0.io subdomains associated with TeamPCP steganography payload delivery.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64b8c9a0
logsource:
  category: network_connection
detection:
  selection:
    DestinationHostname|contains: '.raw.icp0.io'
  filter:
    DestinationPort: 443
  condition: selection and filter
falsepositives:
  - Legitimate use of Dfinity Internet Computer infrastructure (rare in enterprise)
level: high
tags:
  - attack.command_and_control
  - attack.t1102
---
title: Suspicious MSI Download via PowerShell (ClickFix/Lumma)
id: 5a7d8b23-6b7c-5d8e-9f0a-2b3c4d5e6f70
description: Detects PowerShell processes downloading .msi files, a technique used in ClickFix campaigns to deliver HijackLoader and Lumma Stealer.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64b8c9b1
logsource:
  category: process_creation
detection:
  selection_img:
    Image|endswith: '\powershell.exe'
  selection_cli:
    CommandLine|contains: '.msi'
  selection_net:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IWR'
      - 'DownloadFile'
  condition: all of selection_*
falsepositives:
  - System administration software installation
level: high
tags:
  - attack.initial_access
  - attack.t1189
---
title: Node.js Loader with Network Connection (LofyStealer)
id: 6c8e9c34-7c8d-6e9f-0a1b-3c4d5e6f7081
description: Detects Node.js processes initiating network connections, potentially indicating LofyStealer C2 beaconing or payload retrieval.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64b8c9c2
logsource:
  category: network_connection
detection:
  selection:
    Image|endswith: '\node.exe'
  filter:
    DestinationPort:
      - 80
      - 443
      - 8080
  condition: selection and filter
falsepositives:
  - Legitimate development server traffic
level: medium
tags:
  - attack.execution
  - attack.t1059
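Before these rules go into a pipeline it is worth confirming what their conditions actually require: `all of selection_*` only fires when every selection block matches, and the `filter` blocks in the first and third rules are joined with `and`, not `and not`, so they narrow the match to the listed ports rather than excluding anything. The evaluator below is an added example, not the brief's tooling and not a full Sigma engine; it covers only what these three rules use (the `contains`/`endswith`/`startswith` modifiers, list values with OR semantics, Sigma's default case-insensitive matching, conditions joined by `and`, and `all of <prefix>*` / `1 of <prefix>*`). The rule dicts mirror the detection blocks above; every event is constructed.

```python
"""Evaluate the brief's Sigma detection blocks against constructed events.

Added example, not the brief's tooling and not a full Sigma engine: it covers
what these three rules use (contains/endswith/startswith modifiers, list values
with OR semantics, case-insensitive matching, conditions joined by 'and', and
'all of <prefix>*' / '1 of <prefix>*'). Every event below is constructed.
"""
import fnmatch


def _match_value(actual, expected, modifier):
    # Sigma string matching is case-insensitive by default.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    return a == e  # no modifier: exact match


def _selection_matches(selection, event):
    """All fields of a selection must match (AND); a list of values matches if any does (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True


def evaluate(detection, event):
    """Return True if the event satisfies the rule's condition."""
    names = [n for n in detection if n != "condition"]
    results = {n: _selection_matches(detection[n], event) for n in names}
    for term in detection["condition"].split(" and "):
        term = term.strip()
        if term.startswith(("all of ", "1 of ")):
            quantifier, _, pattern = term.partition(" of ")
            hits = [results[n] for n in names if fnmatch.fnmatch(n, pattern)]
            ok = bool(hits) and (all(hits) if quantifier == "all" else any(hits))
        else:
            ok = results[term]
        if not ok:
            return False
    return True


def run_rule(detection, events):
    return [evaluate(detection, e) for e in events]


# Detection blocks of the rules above, as Python dicts.
CLICKFIX_MSI = {
    "selection_img": {"Image|endswith": "\\powershell.exe"},
    "selection_cli": {"CommandLine|contains": ".msi"},
    "selection_net": {"CommandLine|contains": ["Invoke-WebRequest", "IWR", "DownloadFile"]},
    "condition": "all of selection_*",
}
TEAMPCP_ICP0 = {
    "selection": {"DestinationHostname|contains": ".raw.icp0.io"},
    "filter": {"DestinationPort": 443},
    "condition": "selection and filter",
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PROCESS_EVENTS = [  # constructed process_creation events
    {"Image": PS, "CommandLine": "powershell -c Invoke-WebRequest http://files.invalid/u.msi -OutFile u.msi"},
    {"Image": PS, "CommandLine": "powershell -c iwr http://files.invalid/a.MSI -o a.msi"},
    {"Image": PS, "CommandLine": "powershell -c Get-Process"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /i setup.msi"},
]
NETWORK_EVENTS = [  # constructed network_connection events
    {"Image": "python.exe", "DestinationHostname": "abcd.raw.icp0.io", "DestinationPort": 443},
    {"Image": "python.exe", "DestinationHostname": "abcd.raw.icp0.io", "DestinationPort": 80},
]

if __name__ == "__main__":
    print("ClickFix MSI rule:", run_rule(CLICKFIX_MSI, PROCESS_EVENTS))
    print("TeamPCP ICP0 rule:", run_rule(TEAMPCP_ICP0, NETWORK_EVENTS))
```

The second process event shows the case-insensitivity: `iwr` and `.MSI` still match the rule's `IWR` and `.msi`. The second network event shows the other side of the `filter` question: the same raw.icp0.io connection on port 80 does not fire, so if the intent is to alert on any port, drop the `filter` block or change the condition; if the intent is to exclude something, the condition must read `selection and not filter`.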
KQL (Microsoft Sentinel)
// Hunt for TeamPCP, GhostSocks, and KYCShadow Network IOCs
let IOCs = dynamic(["raw.icp0.io", "retreaw.click", "bruggebogeyed.site", "85.11.161.198", "serv.biz", "serv.xyz", "api.biz"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any(IOCs) or RemoteIP has_any(IOCs)
| extend ThreatCategory = iff(RemoteUrl contains "icp0", "TeamPCP", iff(RemoteUrl contains "retreaw", "GhostSocks", "KYCShadow"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ThreatCategory
PowerShell Hunt Script
# IOC Hunter for LofyStealer and TeamPCP File Hashes
$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", # TeamPCP
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2", # TeamPCP
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"  # LofyStealer
)
Write-Host "Scanning for malicious file hashes..."
$Drives = Get-PSDrive -PSProvider FileSystem
foreach ($Drive in $Drives) {
    Write-Host "Scanning drive $($Drive.Root)..."
    # -File skips directories so Get-FileHash only ever sees regular files
    Get-ChildItem -Path $Drive.Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_
            # Skip empty files and anything over 100 MB to keep the scan fast
            if ($File.Length -gt 0 -and $File.Length -lt 100MB) {
                try {
                    # Get-FileHash returns uppercase hex; -contains compares case-insensitively
                    $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                    if ($TargetHashes -contains $Hash) {
                        Write-Host "[ALERT] Malicious file found: $($File.FullName)" -ForegroundColor Red
                    }
                } catch {
                    # Ignore access errors (locked or unreadable files)
                }
            }
        }
}
Response Priorities
Immediate (0-24h)
- Block IOCs: Push all listed domains (*.raw.icp0.io, serv.biz, retreaw.click) and IPs to firewall blocklists and DNS sinkholes.
- Hunt for Malicious Python Packages: Audit developer environments for telnyx SDK versions matching the malicious hashes (TeamPCP).
- Scan for Node.js Loaders: EDR searches for node.exe spawning child processes or making suspicious network connections (LofyStealer).
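A full-disk hash sweep like the PowerShell script above answers "is the known-bad file anywhere on this host"; the package audit in the Immediate priorities asks a narrower question, "which installed telnyx release is this and do its files match a known-bad hash or differ from what pip recorded at install time". The script below is an added example, not the brief's tooling. It walks a site-packages directory, reads each `*.dist-info/METADATA` (name, version) and `RECORD` (the per-file SHA-256 pip writes at install), rehashes every recorded file and reports two kinds of finding: a file whose SHA-256 is on the blocklist, and a file whose hash no longer matches RECORD. The default blocklist holds the TeamPCP SHA-256 values from the hunt script above; the demo distribution, its version number and its file contents are constructed, so the demo adds the planted file's own hash to the blocklist to show a hit.

```python
"""Audit a site-packages directory for a package whose files match known-bad hashes.

Added example, not the brief's tooling. Reads *.dist-info METADATA and RECORD,
rehashes every recorded file and reports blocklisted hashes and RECORD mismatches.
The demo install (name telnyx, version 0.0.0, file contents) is constructed.
"""
import base64
import csv
import hashlib
import re
import tempfile
from pathlib import Path

# TeamPCP SHA-256 values as listed in the brief's PowerShell hunt script.
TEAMPCP_SHA256 = {
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
}


def normalize(name):
    """PEP 503 normalisation so 'Telnyx' and 'telnyx' (or 'a_b' and 'a-b') compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_hex(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_digest_hex(token):
    """RECORD stores 'sha256=<urlsafe base64, no padding>'; return hex, or None if absent/other algo."""
    algo, _, b64 = token.partition("=")
    if algo != "sha256" or not b64:
        return None
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)).hex()


def read_metadata(dist_info):
    fields = {}
    for line in (dist_info / "METADATA").read_text(encoding="utf-8").splitlines():
        if line.startswith(("Name:", "Version:")):
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if len(fields) == 2:
            break
    return fields.get("Name"), fields.get("Version")


def audit_site_packages(site_dir, package_name, blocklist=TEAMPCP_SHA256):
    site = Path(site_dir)
    findings = []
    for dist_info in site.glob("*.dist-info"):
        if not (dist_info / "METADATA").exists() or not (dist_info / "RECORD").exists():
            continue
        name, version = read_metadata(dist_info)
        if name is None or normalize(name) != normalize(package_name):
            continue
        with open(dist_info / "RECORD", newline="", encoding="utf-8") as f:
            for row in csv.reader(f):
                if len(row) < 2 or not row[1]:
                    continue  # RECORD lists itself with an empty hash
                rel, expected = row[0], record_digest_hex(row[1])
                target = site / rel
                if not target.is_file():
                    continue
                actual = sha256_hex(target)
                if actual in blocklist:
                    reason = "blocklisted hash"
                elif expected and actual != expected:
                    reason = "RECORD mismatch"
                else:
                    continue
                findings.append({"package": name, "version": version, "file": rel,
                                 "sha256": actual, "reason": reason})
    return findings


def build_demo_site(root):
    """Constructed telnyx install: one benign file, one planted file, one tampered file."""
    root = Path(root)
    (root / "telnyx").mkdir()
    dist_info = root / "telnyx-0.0.0.dist-info"  # constructed version, not a real release
    dist_info.mkdir()
    files = {
        "telnyx/__init__.py": b"__version__ = '0.0.0'\n",
        "telnyx/loader.py": b"# constructed stand-in for a planted loader\n",
        "telnyx/_core.py": b"def api(): return 'original'\n",
    }
    rows = []
    for rel, data in files.items():
        (root / rel).write_bytes(data)
        digest = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()
        rows.append([rel, "sha256=" + digest, str(len(data))])
    rows.append(["telnyx-0.0.0.dist-info/RECORD", "", ""])
    with open(dist_info / "RECORD", "w", newline="", encoding="utf-8") as f:
        csv.writer(f).writerows(rows)
    (dist_info / "METADATA").write_text("Metadata-Version: 2.1\nName: telnyx\nVersion: 0.0.0\n", encoding="utf-8")
    # Simulate post-install tampering so RECORD no longer matches this file.
    (root / "telnyx/_core.py").write_bytes(b"def api(): return 'modified'\n")
    return {hashlib.sha256(files["telnyx/loader.py"]).hexdigest()}


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        planted = build_demo_site(tmp)
        return audit_site_packages(tmp, "telnyx", blocklist=planted | TEAMPCP_SHA256)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}=={f['version']} {f['file']}: {f['reason']} ({f['sha256'][:16]}...)")
```

In a real sweep, point `audit_site_packages` at each interpreter's site-packages (and at virtualenvs under developer home directories) and feed it the brief's TeamPCP hashes; the RECORD mismatch finding is the one that catches a post-install modification even when the resulting file hash is not yet on any list.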
Short Term (24-48h)
- Identity Verification: Force password resets and token revocation for accounts potentially accessed from infected endpoints (GhostSocks/Lumma victims).
- Mobile Threat Check: If MDM is in place, query devices for the presence of the KYCShadow Android package hashes or the Firebase C2 endpoints.
Long Term (1 Week)
- Supply Chain Policy: Implement a software composition analysis (SCA) tool for internal Python/Node.js development to prevent malicious package ingestion.
- Phishing Resistance: Conduct security awareness training specifically regarding "ClickFix" fake error pages and fake KYC verification requests.