
TeamPCP & Lumma Stealer Campaigns: OTX Pulse Analysis — Enterprise Credential Theft Detection Pack

Security Arsenal Team
May 2, 2026
6 min read

Recent OTX pulses indicate a convergence of advanced credential theft tactics spanning supply chain attacks, social engineering, and mobile malware. Key adversaries, including TeamPCP and LofyGang, are leveraging trusted development platforms (PyPI) and gaming communities to deploy payloads such as LofyStealer and malicious Python loaders. Concurrently, the "ClickFix" campaign uses obfuscated PowerShell to deliver Lumma Stealer, while KYCShadow targets banking customers via WhatsApp. The collective objective is exfiltration of session tokens, banking credentials, and personally identifiable information (PII) through diverse vectors.

Threat Actor / Malware Profile

TeamPCP (Supply Chain)

  • Distribution: Malicious version of the telnyx Python SDK on PyPI.
  • Payload Behavior: Three-stage architecture. Initial trojanized package triggers a platform-specific loader.
  • C2 Communication: Downloads second-stage payloads hosted on external infrastructure; hides payloads in WAV files via steganography.
  • Persistence: Uses msbuild.exe and sysmon.py to maintain access.
  • Anti-Analysis: Steganography to hide malicious code within benign audio files.

LofyStealer / GrabBot (Infostealer)

  • Distribution: Social engineering targeting Minecraft players; disguised as legitimate game mods/tools.
  • Payload Behavior: Node.js loader (53.5 MB) dropping a C++ in-memory payload (1.4 MB).
  • Data Exfiltration: Targets cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Evasion: Uses syscall evasion techniques and in-memory execution to avoid disk scanning.

GhostSocks (Proxy/Stealer)

  • Distribution: Malware-as-a-Service (MaaS) on Russian forums.
  • Payload Behavior: Go binary turning devices into residential proxy nodes (SOCKS5).
  • Partnerships: Bundles with Lumma Stealer for credential theft.
  • C2 Communication: Uses TLS encryption to blend in with normal traffic.

KYCShadow (Mobile)

  • Distribution: WhatsApp messages posing as bank KYC verification apps.
  • Payload Behavior: Multi-stage dropper targeting Android OS.
  • Capabilities: WebView phishing, OTP theft, SMS interception, VPN manipulation.
  • C2 Communication: Firebase-based remote execution and C2.

IOC Analysis

The provided IOCs include a mix of network infrastructure and file artifacts:

  • Network: Domains like aquasecurtiy.org (note the typosquatting), retreaw.click, and serv[.]biz. These should be blocked immediately on DNS and web proxies.
  • IPs: 85.11.161.198 (associated with the ClickFix MSI download) and 24.152.36.241 (LofyStealer C2).
  • Hashes: Multiple MD5, SHA1, and SHA256 hashes for the Node.js loaders, C++ payloads, and Python components. SOC teams should use EDR tools to hunt for these specific hashes on endpoints.
  • URLs: Specific URLs hosting malicious MSI payloads (e.g., http://85.11.161.198:6600/...).
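To show how the network indicators above are actually consumed, here is an added example (not part of the original analysis) that refangs the IOC list, matches it against constructed proxy log lines (exact host, any subdomain, or IOC IP), and separately flags lookalike domains with a transposition-aware edit distance so that the aquasecurtiy.org pattern is caught even for variants not yet on the blocklist. The indicators are the page's; the log lines and the legitimate brand list (assumed to be aquasecurity.org for this typosquat) are constructed for the demonstration.

```python
"""Match the pulse's network IOCs against constructed proxy log lines and flag lookalike domains.

Added example; not part of the original pulse analysis. The indicators come from the
page (serv[.]biz is refanged before use); the proxy log lines and the list of
legitimate brand domains are constructed for the demonstration.
"""
import ipaddress
import re

RAW_IOCS = ["aquasecurtiy.org", "retreaw.click", "serv[.]biz", "85.11.161.198", "24.152.36.241"]

# Assumption: the brand that aquasecurtiy.org imitates. Extend with domains your users rely on.
LEGIT_DOMAINS = ["aquasecurity.org"]


def refang(indicator):
    """Restore defanged notation ('[.]', 'hxxp') so the value can be compared to live logs."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: a swapped adjacent pair costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


IOC_IPS = {v for v in map(refang, RAW_IOCS) if is_ip(v)}
IOC_DOMAINS = {v for v in map(refang, RAW_IOCS) if not is_ip(v)}


def classify_destination(dst):
    """Return the reasons a destination is suspicious (an empty list means clean)."""
    dst = dst.lower()
    reasons = []
    if dst in IOC_IPS:
        reasons.append("ioc ip")
    for ioc in IOC_DOMAINS:
        if dst == ioc or dst.endswith("." + ioc):  # exact host or any subdomain of the IOC
            reasons.append(f"ioc domain {ioc}")
    if not is_ip(dst) and dst not in LEGIT_DOMAINS:
        for legit in LEGIT_DOMAINS:
            if osa_distance(dst, legit) <= 2:  # one or two typos / one transposition away
                reasons.append(f"lookalike of {legit}")
    return reasons


LOG_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)")


def scan_logs(lines):
    """Return (host, user, dst, reasons) for every log line whose destination is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = classify_destination(m["dst"])
        if reasons:
            findings.append((m["host"], m["user"], m["dst"], reasons))
    return findings


# Constructed proxy log sample (not real telemetry).
SAMPLE_PROXY_LOG = """\
2026-05-02T10:14:03Z host=WS-0412 user=jdoe dst=retreaw.click dport=443 action=allowed
2026-05-02T10:14:09Z host=WS-0412 user=jdoe dst=cdn.serv.biz dport=443 action=allowed
2026-05-02T10:15:21Z host=DEV-07 user=msmith dst=pypi.org dport=443 action=allowed
2026-05-02T10:16:02Z host=DEV-07 user=msmith dst=85.11.161.198 dport=6600 action=allowed
2026-05-02T10:17:45Z host=WS-0199 user=akim dst=aquasecurtiy.org dport=80 action=allowed
2026-05-02T10:18:10Z host=WS-0199 user=akim dst=aquasecurity.org dport=443 action=allowed
"""

if __name__ == "__main__":
    for host, user, dst, reasons in scan_logs(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{host} {user} -> {dst}: {', '.join(reasons)}")
```

The lookalike check is deliberately separate from the blocklist match: the blocklist only catches the exact typosquat the pulse reports, while the distance check catches the next variant. Tune the threshold and compare against the registrable domain rather than the full hostname before using it on production volumes, or short legitimate domains will produce noise.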

Detection Engineering

Sigma Rules

```yaml
---
title: Potential ClickFix PowerShell Downloader
id: 7b3b1f1e-6a2c-4f5b-9a8d-1c2e3f4a5b6c
description: Detects obfuscated PowerShell commands downloading MSI files, typical of ClickFix campaigns delivering Lumma Stealer.
status: stable
author: Security Arsenal
date: 2026/05/02
references:
    - https://otx.alienvault.com/pulse/placeholder
tags:
    - attack.execution
    - attack.initial_access
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IWR'
            - 'DownloadString'
    selection_download:
        CommandLine|contains: '.msi'
    condition: selection and selection_download
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Suspicious MSBuild Execution from User Context
id: 9c4d2e2f-7b3d-4e6c-8a9b-2d3e4f5a6b7c
description: Detects MSBuild.exe execution triggered by suspicious parent processes or scripts, indicative of TeamPCP Python SDK payload activity.
status: stable
author: Security Arsenal
date: 2026/05/02
references:
    - https://otx.alienvault.com/pulse/placeholder
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\msbuild.exe'
    filter_legit:
        # Default install path is '...\Microsoft Visual Studio\...', so the prefix must include 'Microsoft'
        ParentImage|contains:
            - '\Microsoft Visual Studio\'
            - '\MSBuild\'
            - '\devenv.exe'
    condition: selection and not filter_legit
falsepositives:
    - Developer build scripts not running from standard IDEs
level: medium
---
title: Suspicious Go Binary Network Activity
id: 0e5f3a4b-8c4d-4e7f-9b1c-3f4e5a6b7c8d
description: Detects network connections initiated by executables running outside Program Files, a coarse hunt for GhostSocks or LofyStealer loaders dropped into user-writable paths. Code-signing status and Go build markers are not visible in this log source and must be confirmed during triage.
status: stable
author: Security Arsenal
date: 2026/05/02
references:
    - https://otx.alienvault.com/pulse/placeholder
tags:
    - attack.command_and_control
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '.exe'
    filter_program_files:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    condition: selection and not filter_program_files
falsepositives:
    - Legitimate unsigned tools
level: low
```

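Before shipping rules like the two process_creation rules above, it helps to run their logic over a handful of known events. The following is an added example (not the page's or the Sigma project's code) that transcribes those two rules as Python dicts, implements only the modifiers they use (`endswith`, `contains`, list values, `and`, `not`), and evaluates them over constructed process events. The parent-process filter is written with the `\Microsoft Visual Studio\` prefix, which is the actual default install path; the events, paths and command lines are constructed.

```python
"""Evaluate the page's Sigma-style process_creation rules over constructed events.

Added example, not the page's or Sigma's own code. The rules are transcribed as
Python dicts (no YAML library needed); the events are constructed. Only the
modifiers the page's rules use (endswith, contains, lists, 'and', 'not') exist here.
"""

RULES = [
    {
        "title": "Potential ClickFix PowerShell Downloader",
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": ["Invoke-WebRequest", "IWR", "DownloadString"],
            },
            "selection_download": {"CommandLine|contains": ".msi"},
            "condition": "selection and selection_download",
        },
    },
    {
        "title": "Suspicious MSBuild Execution from User Context",
        "detection": {
            "selection": {"Image|endswith": "\\msbuild.exe"},
            "filter_legit": {
                # real default install prefix; a bare '\Visual Studio' would not match it
                "ParentImage|contains": ["\\Microsoft Visual Studio\\", "\\MSBuild\\", "\\devenv.exe"],
            },
            "condition": "selection and not filter_legit",
        },
    },
]

# Constructed process_creation events (paths are typical defaults, command lines are made up).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-WebRequest http://example.invalid/setup.msi -OutFile setup.msi"'},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"id": 3, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe App.csproj /t:Build"},
    {"id": 4, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml"},
]


def field_matches(event, key, pattern):
    """Apply one 'Field|modifier: pattern' entry; list patterns are ORed, matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = pattern if isinstance(pattern, list) else [pattern]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False


def selection_matches(event, selection):
    """All entries inside one selection map are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    """Evaluate a condition of the form 'a and b' / 'a and not b'."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if selection_matches(event, detection[name]) == negate:
            return False
    return True


def run_rules(events, rules=RULES):
    """Return (rule title, event id) pairs for every rule/event match."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for title, event_id in run_rules(EVENTS):
        print(f"event {event_id}: {title}")
```

Event 2 shows why the `'IWR'` substring needs the `.msi` conjunction: on its own, a three-letter `contains` term is matched anywhere inside a command line. Event 3 versus event 4 shows the parent-process filter doing its job for a build launched from the IDE but not for one launched from a shell.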

KQL (Microsoft Sentinel)

```kql
// Hunt for ClickFix PowerShell Activity
// Require both a download cmdlet and an .msi reference, mirroring the Sigma rule;
// matching "msi" on its own fires on every legitimate installer command line.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName has "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "IWR", "DownloadFile", "DownloadString")
| where ProcessCommandLine contains ".msi"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

// Hunt for TeamPCP Python SDK Indicators (Domains and Hashes)
// The hash list mixes SHA256 and MD5 values; in~ does exact, case-insensitive comparison
// instead of the term matching has_any performs.
let IoC_Domains = dynamic(["aquasecurtiy.org", "retreaw.click", "serv.biz", "serv.xyz", "api.biz"]);
let IoC_Hashes = dynamic(["6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "d21a5d08b4614005c8fcd9d0068f0190", "ddd2994acd25bde5ac32a03f1cf30b41", "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc"]);
union DeviceNetworkEvents, DeviceFileEvents
| where Timestamp >= ago(3d)
| where RemoteUrl has_any (IoC_Domains)
    or SHA256 in~ (IoC_Hashes) or MD5 in~ (IoC_Hashes)
    or InitiatingProcessSHA256 in~ (IoC_Hashes) or InitiatingProcessMD5 in~ (IoC_Hashes)
| project Timestamp, DeviceName, ActionType, RemoteUrl, SHA256, MD5, InitiatingProcessSHA256, InitiatingProcessAccountName
```


PowerShell Hunt Script

```powershell
# IOC Hunt Script for TeamPCP, LofyStealer, and GhostSocks Activity
# Requires Administrator privileges

Write-Host "Starting Dark Web Credential Theft IOC Hunt..." -ForegroundColor Cyan

# 1. Check for File Hash Presence
# The IOC list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) values. Each file is
# hashed once with both algorithms and looked up in a set, instead of re-walking the
# drive once per indicator.
Write-Host "`n[+] Checking for malicious file hashes..." -ForegroundColor Yellow
$hashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "ddd2994acd25bde5ac32a03f1cf30b41",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728"
)

$sha256Set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$md5Set    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($hash in $hashes) {
    switch ($hash.Length) {
        64 { [void]$sha256Set.Add($hash) }
        32 { [void]$md5Set.Add($hash) }
    }
}

$drives = @("C:\", "D:\")
foreach ($drive in $drives) {
    if (-not (Test-Path $drive)) { continue }
    Write-Host "Scanning $drive..."
    Get-ChildItem -Path $drive -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if (($sha256 -and $sha256Set.Contains($sha256)) -or ($md5 -and $md5Set.Contains($md5))) {
                Write-Host "MATCH FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
}

# 2. Check Network Connections for Suspicious Domains and IPs
# Reverse DNS on a remote address rarely returns the attacker's hostname (shared
# hosting, CDNs), so the known C2 IPs are compared directly and the local DNS
# client cache is checked for lookups that have already completed.
Write-Host "`n[+] Checking active network connections for suspicious domains..." -ForegroundColor Yellow
$suspiciousDomains = @("aquasecurtiy.org", "retreaw.click", "serv.biz", "serv.xyz", "api.biz", "robinhuds.com")
$suspiciousIPs     = @("85.11.161.198", "24.152.36.241")
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($conn in $connections) {
    if ($conn.RemoteAddress -in @("0.0.0.0", "127.0.0.1", "::1")) { continue }
    $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $label = "PID $($conn.OwningProcess) ($($process.ProcessName))"

    if ($suspiciousIPs -contains $conn.RemoteAddress) {
        Write-Host "Suspicious Connection: $label connected to IOC IP $($conn.RemoteAddress):$($conn.RemotePort)" -ForegroundColor Red
        continue
    }
    try {
        $remoteHost = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName
        if ($suspiciousDomains | Where-Object { $remoteHost -like "*$_" }) {
            Write-Host "Suspicious Connection: $label connected to $remoteHost ($($conn.RemoteAddress))" -ForegroundColor Red
        }
    } catch {
        # Ignore DNS resolution failures
    }
}

# Cached lookups catch connections that have already closed
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_.Entry
    if ($suspiciousDomains | Where-Object { $entry -like "*$_" }) {
        Write-Host "Suspicious DNS cache entry: $entry -> $($_.Data)" -ForegroundColor Red
    }
}

Write-Host "`n[+] Hunt Complete." -ForegroundColor Green
```

Response Priorities

  • Immediate:
    • Block IOCs: Add all domains, IPs, and URLs from the IOC list to your firewall, proxy, and DNS blocklists. Pay special attention to the typo-squatted aquasecurtiy.org.
    • Endpoint Isolation: Isolate any endpoints returning hits for the file hashes (MSI or Python payloads).
    • Hunt for Persistence: Search for unexpected MSBuild executions and scheduled tasks related to sysmon.py.
  • 24 Hours:
    • Credential Reset: If LofyStealer or Lumma Stealer is suspected, trigger a forced password reset and session invalidation for affected users across all SaaS applications.
    • Mobile Check: Communicate with the security team to scan BYOD and corporate mobile devices for the KYCShadow Android package (hash 1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb).
    • Python Environment Audit: Audit developer environments for the malicious telnyx package version and verify package integrity.
  • 1 Week:
    • Supply Chain Hardening: Implement strict PyPI/NPM registry checks and require package signing or hash verification for internal builds.
    • PowerShell Constrained Language Mode: Enforce Constrained Language Mode (CLM) for general users to prevent obfuscated script execution like ClickFix.
    • Proxy Awareness: Configure EDR to detect and alert on traffic routed through non-standard residential proxies to identify GhostSocks infections.
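The Python environment audit and the hash-verification requirement above come down to the same mechanism: a requirements file with `--hash=sha256:` pins (the format pip's `--require-hashes` mode consumes) and a check of both downloaded artifacts and installed versions against it. The following is an added example (not Security Arsenal's or pip's code) that parses such a file, verifies an artifact's digest, and reports installed packages that drift from the pin or are not pinned at all. The package versions, artifact bytes and installed-package table are constructed; telnyx is named only because the page reports a trojanized release of it, and no real release hash appears here.

```python
"""Verify Python package artifacts and installed versions against hash-pinned requirements.

Added example, not the project's or pip's own code. The requirements text, artifact
bytes and installed-package table are constructed; the telnyx versions and hashes
below are made up for the demonstration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a wheel the packager published, and its digest as the pin.
GOOD_ARTIFACT = b"PK\x03\x04 constructed stand-in for telnyx-0.0.0-py3-none-any.whl"
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# Same syntax pip's hash-checking mode reads (`pip install --require-hashes -r requirements.txt`).
REQUIREMENTS = f"""\
telnyx==0.0.0 \\
    --hash=sha256:{GOOD_SHA256}
requests==0.0.0 \\
    --hash=sha256:{'0' * 64}
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=(?P<alg>\w+):(?P<digest>[0-9a-fA-F]+)")


def parse_pins(text):
    """Return {package: (version, {alg: {digests}})}; every line must be an exact pin."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join backslash-continued lines like pip
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        digests = {}
        for h in HASH_RE.finditer(m["rest"]):
            digests.setdefault(h["alg"].lower(), set()).add(h["digest"].lower())
        pins[m["name"].lower()] = (m["version"], digests)
    return pins


def verify_artifact(path, name, pins):
    """True only if the file's SHA256 is one of the digests pinned for that package."""
    _version, digests = pins[name.lower()]
    allowed = digests.get("sha256", set())
    if not allowed:
        return False  # no hash pinned means the artifact cannot be verified
    actual = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return actual in allowed


def audit_installed(installed, pins):
    """Report installed packages that drift from the pinned version or are not pinned at all."""
    findings = []
    for name, version in installed.items():
        pin = pins.get(name.lower())
        if pin is None:
            findings.append((name, version, "not in hash-pinned requirements"))
        elif pin[0] != version:
            findings.append((name, version, f"version drift: pinned {pin[0]}"))
    return findings


def demo():
    """Verify a clean and a tampered artifact, then audit a constructed installed-package table."""
    pins = parse_pins(REQUIREMENTS)
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "telnyx-0.0.0-py3-none-any.whl")
        good.write_bytes(GOOD_ARTIFACT)
        tampered = Path(d, "telnyx-0.0.0-py3-none-any.whl.tampered")
        tampered.write_bytes(GOOD_ARTIFACT + b"\n# appended bytes simulate a modified build")
        artifact_results = (verify_artifact(good, "telnyx", pins), verify_artifact(tampered, "telnyx", pins))
    # Constructed table; on a real host build it from importlib.metadata.distributions().
    installed = {"telnyx": "0.0.1", "requests": "0.0.0", "colorama": "0.4.6"}
    return artifact_results, audit_installed(installed, pins)


if __name__ == "__main__":
    results, findings = demo()
    print("artifact checks (clean, tampered):", results)
    for name, version, why in findings:
        print(f"{name}=={version}: {why}")
```

Treating "not pinned" as a finding is the point of the audit: a package that arrived outside the hash-pinned file is exactly the path a trojanized release takes, whatever its version string says.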
