
Supply Chain Attack: TeamPCP Telnyx SDK, LofyStealer & GhostSocks — OTX Pulse Analysis

Security Arsenal Team
May 3, 2026
6 min read

Threat Summary

Recent OTX pulses highlight a convergence of high-risk supply chain compromises and sophisticated Malware-as-a-Service (MaaS) operations. TeamPCP has weaponized the popular telnyx Python SDK on PyPI (750k+ downloads), utilizing a three-stage architecture involving steganography to deploy credential harvesters. Simultaneously, the LofyGang group is actively distributing LofyStealer (aka GrabBot), a Node.js and C++ based infostealer targeting the gaming ecosystem. Furthermore, the GhostSocks MaaS is gaining traction on Russian forums, turning compromised devices into residential proxy nodes via GoLang binaries to facilitate traffic evasion.

Collectively, these threats indicate a shift toward complex loading mechanisms (Node.js, Python, GoLang) and the abuse of legitimate infrastructure (PyPI, residential proxies) to conduct widespread credential theft and anonymization for downstream attacks.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Compromise)

  • Distribution Method: Supply chain attack via malicious Python package (telnyx) on PyPI.
  • Payload Behavior: Three-stage attack. Stage 1 triggers a platform-specific loader. Stage 2 downloads a payload hidden within a WAV audio file using steganography. Stage 3 deploys a credential harvester.
  • C2 Communication: Encrypted exfiltration to attacker-controlled infrastructure (e.g., scan.aquasecurtiy.org).
  • Persistence: Established by the trojanized package itself; the exact mechanism is not confirmed, with scheduled tasks or startup scripts the likely candidates.
  • Anti-Analysis: Steganography is used to hide the second-stage payload, bypassing basic signature detection.

LofyStealer (LofyGang)

  • Distribution Method: Social engineering targeting Minecraft players; distributed via malicious links or mods.
  • Payload Behavior: Two-stage loader. A large 53.5MB Node.js loader drops a 1.4MB C++ payload that executes directly in memory (fileless).
  • Objective: Theft of cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Anti-Analysis: Uses syscall-level evasion and an oversized Node.js loader to hinder analysis tools.

GhostSocks

  • Distribution Method: Malware-as-a-Service (MaaS) sold on Russian underground forums.
  • Payload Behavior: GoLang binary that installs a SOCKS5 proxy on the victim's machine, effectively turning it into a residential proxy node.
  • C2 Communication: Uses TLS encryption to blend malicious traffic with legitimate web traffic.
  • Associations: Partnerships with Lumma Stealer suggest data theft may follow proxy infection.

IOC Analysis

The provided indicators reveal a hybrid infrastructure leveraging cloud and residential networks:

  • Domains & Hostnames: Typosquatting and subdomains are prevalent. aquasecurtiy.org (note the typo) and retreaw.click are critical C2 domains to block immediately. Hostnames like w2.bruggebogeyed.site suggest dynamic DNS usage.
  • IP Addresses: 24.152.36.241 (LofyStealer) should be blocked at the perimeter.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for loaders (Node.js) and payloads (C++, GoLang).

Operational Guidance: SOC teams should ingest these IOCs into EDR and SIEM solutions immediately. Focus on correlating network connections to the listed domains with process execution of python.exe, node.exe, or unsigned Go binaries.
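The correlation described above, as an added example that is not part of the original pulse or of Security Arsenal's tooling: it applies the logic of the first Sigma rule in the next section (python.exe reaching a non-PyPI host, or any process reaching a listed IOC) to constructed Sysmon-style records. The IOC domains and IP are the page's; the file paths, host names and sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Domain and IP values are the IOCs listed above; everything else here is an added example.
IOC_HOSTS = ("aquasecurtiy.org", "retreaw.click", "w2.bruggebogeyed.site", "icp0.io")
IOC_IPS = {"24.152.36.241"}
PYPI_HOSTS = ("pypi.org", "files.pythonhosted.org")  # filter_legit in the Sigma rule
PYTHON_IMAGES = ("\\python.exe", "\\pythonw.exe")    # selection in the Sigma rule


@dataclass
class NetEvent:
    """Subset of a Sysmon Event ID 3 (network_connection) record."""
    image: str
    dest_host: str
    dest_ip: str
    initiated: bool


def _contains_any(value: str, patterns) -> bool:
    value = value.lower()
    return any(p in value for p in patterns)


def classify(ev: NetEvent) -> Optional[str]:
    """Mirror the Sigma condition `selection and not filter_legit or selection_suspicious`.
    Sigma binds `and` tighter than `or`, so an IOC hit fires for any image, while the
    Python-to-non-PyPI leg is the noisier heuristic and gets its own verdict for triage."""
    if _contains_any(ev.dest_host, IOC_HOSTS) or ev.dest_ip in IOC_IPS:
        return "ioc_match"
    is_python = ev.image.lower().endswith(PYTHON_IMAGES)
    if ev.initiated and is_python and not _contains_any(ev.dest_host, PYPI_HOSTS):
        return "python_non_pypi"
    return None


def triage(events) -> list:
    """Return (image, dest_host, verdict) for every event that would raise an alert."""
    return [(ev.image, ev.dest_host, v) for ev in events if (v := classify(ev))]


# Constructed sample telemetry (not real logs; IPs from documentation ranges): pip install,
# TeamPCP-style stage-2 fetch, browser session, node.exe to the LofyStealer IP, inbound to python.
SAMPLE = [
    NetEvent(r"C:\Python312\python.exe", "files.pythonhosted.org", "192.0.2.1", True),
    NetEvent(r"C:\Python312\python.exe", "scan.aquasecurtiy.org", "203.0.113.10", True),
    NetEvent(r"C:\Python312\python.exe", "cdn.example.invalid", "198.51.100.7", True),
    NetEvent(r"C:\Program Files\nodejs\node.exe", "", "24.152.36.241", True),
    NetEvent(r"C:\Program Files\Google\Chrome\chrome.exe", "www.example.com", "192.0.2.2", True),
    NetEvent(r"C:\Python312\python.exe", "10.0.0.5", "10.0.0.5", False),
]
```

Running `triage(SAMPLE)` yields three hits: the stage-2 fetch and the node.exe connection as IOC matches, and the unknown CDN fetch as the heuristic python_non_pypi verdict; the pip install, the browser session and the inbound connection stay silent.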

Detection Engineering

Sigma Rules

YAML
---
title: TeamPCP PyPI Supply Chain Attack - Suspicious Python Network Connection
id: 66a8b8c1-9e1f-4f3d-a9c2-b12345678901
description: Detects potential TeamPCP activity involving Python processes connecting to suspicious domains or downloading unusual file types like WAV files often used in steganography.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66a8b8c1-9e1f-4f3d-a9c2-b12345678901
tags:
    - attack.initial_access
    - attack.supply_chain
    - attack.t1195.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        Initiated: 'true'
    filter_legit:
        DestinationHostname|contains:
            - 'pypi.org'
            - 'files.pythonhosted.org'
    selection_suspicious:
        DestinationHostname|contains:
            - 'icp0.io'
            - 'aquasecurtiy.org'
    # Sigma binds 'and' tighter than 'or'; the parentheses make the intended grouping explicit
    condition: (selection and not filter_legit) or selection_suspicious
falsepositives:
    - Legitimate developer tools accessing similar APIs
level: high
---
title: LofyStealer - Node.js Loader Spawning Suspicious Child Processes
id: 77a8b8c1-9e1f-4f3d-a9c2-b12345678902
description: Detects LofyStealer behavior where a large Node.js process spawns suspicious child processes or loads unsigned binaries, indicative of the C++ payload injection.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/77a8b8c1-9e1f-4f3d-a9c2-b12345678902
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # In process_creation, Image/CommandLine describe the spawned child; the parent is
        # ParentImage/ParentCommandLine, otherwise this can never match together with selection_child
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains: 'npm' # Often disguised as npm scripts
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    filter_legit:
        ParentCommandLine|contains:
            - 'node_modules'
            - 'webpack'
            - 'vite'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate Node.js build scripts spawning shells
level: high
---
title: GhostSocks MaaS - Suspicious GoLang Binary Network Activity
id: 88a8b8c1-9e1f-4f3d-a9c2-b12345678903
description: Detects potential GhostSocks activity involving unsigned GoLang binaries making high-volume network connections or connecting to non-standard ports associated with proxying.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/88a8b8c1-9e1f-4f3d-a9c2-b12345678903
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    # Company and Imphash describe the initiating process and are not present in Sysmon
    # Event ID 3, so this rule needs a network source enriched with the initiating
    # process's PE metadata (EDR telemetry) or a correlation against process_creation
    selection:
        Image|endswith: '.exe'
        Company: ''
    filter_go:
        Imphash|contains: 'd6ac0c2d' # Common GoLang imphash pattern start
    selection_ports:
        DestinationPort:
            - 1080
            - 8080
            - 443
    condition: selection and filter_go and selection_ports
falsepositives:
    - Other unsigned Go applications
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TeamPCP and LofyStealer Network IOCs
let IOCs = dynamic(["24.152.36.241", "retreaw.click", "aquasecurtiy.org", "w2.bruggebogeyed.site"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| extend Timestamp = TimeGenerated   // Sentinel exposes TimeGenerated; alias it to the Defender column name
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunter for TeamPCP and LofyStealer Hashes
# Checks specific file paths for malicious hashes

$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1"
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "Scanning for TeamPCP and LofyStealer artifacts..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # Get-FileHash returns uppercase hex; -in compares case-insensitively, so the lowercase list matches
            if ($Hash -and ($Hash -in $TargetHashes)) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
                Write-Host "    Hash: $Hash" -ForegroundColor Yellow
            }
        }
    }
}

# Check for suspicious Telnyx package installations (TeamPCP)
Write-Host "Checking for telnyx package in Python environments..." -ForegroundColor Cyan
# This path covers per-user python.org installs only; virtual environments and system-wide installs need their own paths
Get-ChildItem -Path "C:\Users\*\AppData\Local\Programs\Python\" -Filter "telnyx*" -Recurse -ErrorAction SilentlyContinue | Select-Object FullName
# Also ask every python.exe on PATH; pip show prints the installed version, or nothing when the package is absent
Get-Command python -All -ErrorAction SilentlyContinue | ForEach-Object { & $_.Source -m pip show telnyx 2>$null }

Response Priorities

  • Immediate:

    • Block all listed IOCs (IPs, Domains, Hostnames) at the firewall and proxy level.
    • Run the PowerShell hunt script across endpoints to identify active infections.
    • Quarantine systems matching the detection logic (Python downloading WAVs, Node.js spawning shells).
  • 24 Hours:

    • Review Python package repositories for the presence of the telnyx SDK; audit versions if installed.
    • Initiate forced password resets and identity verification for accounts accessed from infected endpoints (credential theft concern).
    • Hunt for evidence of browser data dumping (LofyStealer).
  • 1 Week:

    • Implement strict allow-listing for PyPI and NPM registry access.
    • Review supply chain security policies for open-source dependencies.
    • Harden network segmentation to prevent lateral movement from compromised proxy nodes (GhostSocks).
