
TeamPCP, LofyStealer & GhostSocks: OTX Threat Analysis — Enterprise Detection Pack

Security Arsenal Team
April 30, 2026

Recent OTX pulses indicate a convergence of high-risk threats ranging from sophisticated supply chain compromises to targeted credential theft and botnet commercialization.

  • TeamPCP has weaponized the Telnyx Python SDK (roughly 750k monthly downloads) using a three-stage chain that hides the next stage in a WAV file (steganography) before deploying a credential harvester.
  • LofyGang is actively distributing LofyStealer, a two-stage infostealer aimed at Minecraft players: a Node.js loader drops a C++ payload that runs only in memory.
  • GhostSocks, a Go-based Malware-as-a-Service (MaaS), turns infected devices into residential proxy nodes for onward attacks and has partnered with Lumma Stealer.

Collectively, these campaigns emphasize a shift toward abusing trusted developer tools (PyPI), legitimate gaming platforms for social engineering, and monetizing compromised infrastructure via proxy services.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Supply Chain)

  • Distribution: Malicious telnyx SDK packages published to PyPI (telnyx SDK spoofing); the code executes inside the victim's Python interpreter on install or import.
  • Payload Behavior:
    • Stage 1: Trojanized package runs a platform-specific loader.
    • Stage 2: Loader downloads a WAV file and extracts the next-stage payload hidden in it via steganography.
    • Stage 3: Credential harvester that collects credentials, encrypts them, and exfiltrates them.
  • Persistence: Uses msbuild.exe (a signed, trusted developer utility) and scripts with innocuous names such as sysmon.py to maintain access and evade detection.
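The page does not say how the stage-2 payload is hidden in the WAV, so the decoder cannot be reconstructed from it. What a responder can do with a retrieved WAV is check whether the container accounts for all of its bytes and whether the audio data looks like ciphertext rather than PCM. The following is an added example, not TeamPCP's decoder or the page's code; the two heuristics, the 7.5 bits/byte threshold, and the sample inputs (a synthetic tone, and SHA-256 output standing in for an encrypted blob) are assumptions made for the demo.

```python
"""Triage a WAV artifact for signs of an embedded payload.

Two cheap heuristics (assumptions, not the technique TeamPCP is documented to use):
  1. bytes present after the end of the RIFF chunk the header declares, and
  2. a 'data' chunk whose byte entropy is implausibly high for PCM audio.
"""
import hashlib
import math
import struct
from typing import Any, Dict, Optional

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: plain PCM rarely approaches 8.0, ciphertext does


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_wav(blob: bytes, threshold: float = ENTROPY_THRESHOLD) -> Dict[str, Any]:
    """Parse the RIFF container and report size mismatch and data-chunk entropy."""
    report: Dict[str, Any] = {
        "valid_riff": False, "declared_size": None, "actual_size": len(blob),
        "trailing_bytes": 0, "data_entropy": None, "reasons": [], "suspicious": False,
    }
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        report["reasons"].append("not a RIFF/WAVE container")
        report["suspicious"] = True
        return report
    report["valid_riff"] = True
    declared = struct.unpack("<I", blob[4:8])[0] + 8  # RIFF size field excludes the 8-byte header
    report["declared_size"] = declared
    if len(blob) > declared:
        report["trailing_bytes"] = len(blob) - declared
        report["reasons"].append(f"{len(blob) - declared} bytes appended after the RIFF chunk")

    # Walk sub-chunks: each is <id:4><size:4><body>, padded to an even length.
    pos = 12
    data_chunk: Optional[bytes] = None
    end = min(len(blob), declared)
    while pos + 8 <= end:
        chunk_id = blob[pos:pos + 4]
        chunk_size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if chunk_id == b"data":
            data_chunk = blob[pos + 8:pos + 8 + chunk_size]
        pos += 8 + chunk_size + (chunk_size & 1)
    if data_chunk is None:
        report["reasons"].append("no 'data' chunk inside the declared RIFF size")
    else:
        entropy = shannon_entropy(data_chunk)
        report["data_entropy"] = round(entropy, 2)
        if entropy > threshold:
            report["reasons"].append(f"data chunk entropy {entropy:.2f} bits/byte exceeds {threshold}")
    report["suspicious"] = bool(report["reasons"])
    return report


def build_wav(samples: bytes, extra: bytes = b"") -> bytes:
    """Construct a minimal 8-bit mono PCM WAV; `extra` is appended after the RIFF chunk."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
    pad = b"\x00" if len(samples) % 2 else b""
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples + pad)
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra


# Constructed sample inputs: a quiet 8-bit sine tone, and 4 KiB of hash output standing in for ciphertext.
TONE = bytes(int(128 + 30 * math.sin(i / 10)) for i in range(4000))
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for label, blob in (("clean", build_wav(TONE)),
                        ("appended payload", build_wav(TONE, extra=CIPHERTEXT)),
                        ("high-entropy data", build_wav(CIPHERTEXT))):
        r = triage_wav(blob)
        print(f"{label:18} suspicious={r['suspicious']} entropy={r['data_entropy']} reasons={r['reasons']}")
```

A clean file passes both checks; a payload simply appended to a real WAV trips the size check, and a payload written into the data chunk trips the entropy check. LSB-style embedding that keeps the carrier's statistics would defeat both, which is why the hashes and the downloader's network indicators remain the primary detection.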

LofyGang (LofyStealer)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior:
    • Stage 1: 53.5 MB Node.js-based loader (disguised as libraries).
    • Stage 2: 1.4 MB native C++ payload that executes directly in memory and never touches disk.
  • Target: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers (Chrome, Edge, etc.).
  • Evasion: Uses syscall-level evasion and process hollowing (via the chromelevator component).

GhostSocks

  • Distribution: Marketed on Russian underground forums as MaaS.
  • Payload Behavior: Go binary that implements a SOCKS5 proxy on the infected host.
  • Objective: Converts victim devices into residential proxy nodes so that operators' traffic exits from a clean consumer IP and evades reputation- and geolocation-based controls. Partners with Lumma Stealer to monetize the same infection twice.
  • C2: Uses TLS encryption to blend malicious traffic with normal web activity.

IOC Analysis

The provided indicators span multiple infrastructure types utilized for C2 and payload delivery:

  • Domains & Hostnames: C2 and delivery infrastructure such as scan.aquasecurtiy.org (TeamPCP; note the typosquat of the Aqua Security domain) and retreaw.click (GhostSocks). Block these at the perimeter and in DNS (sinkhole or RPZ) so that the block itself produces a log entry worth investigating.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for the Node.js loaders, C++ payloads, and Go binaries. Load them into EDR blocklists per algorithm (32, 40 and 64 hex characters respectively); a SHA256-only blocklist silently ignores the MD5 and SHA1 entries.
  • IP Addresses: Specific IPs (e.g., 24.152.36.241) associated with LofyStealer infrastructure.

Operational Guidance:

  • SIEM: Correlate hashes against DeviceProcessEvents (process image hashes) and DeviceFileEvents (dropped files), and domains/IPs against DeviceNetworkEvents.
  • EDR: Hunt for processes matching the provided hashes and investigate msbuild.exe executions not spawned by Visual Studio, dotnet, or a known build agent. A trojanized Python package runs under python.exe, so python.exe spawning msbuild.exe is a strong pivot.

Detection Engineering

YAML
---
title: MSBuild Launched by Python or Spawning a Shell - TeamPCP Activity
id: 3f8a9b12-4c5d-4e2a-9b1a-8c7d6e5f4a3b
date: 2026-05-01
status: experimental
description: |
    Detects msbuild.exe launched by a Python interpreter, or msbuild.exe spawning cmd.exe/PowerShell.
    A trojanized Python package executes under python.exe, and TeamPCP abuses MSBuild (a signed,
    trusted developer utility) for execution and persistence; neither pattern is common outside
    IDEs and CI build agents.
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
author: Security Arsenal
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1127.001
    - teampcp
logsource:
    category: process_creation
    product: windows
detection:
    selection_python_parent:
        ParentImage|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        Image|endswith: '\msbuild.exe'
    selection_shell_child:
        ParentImage|endswith: '\msbuild.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: 1 of selection_*
falsepositives:
    - MSBuild Exec tasks in legitimate builds launch cmd.exe; scope the shell-child selection to non-developer hosts or filter known build agents by hostname
    - Python build tooling that invokes MSBuild to compile native extensions
level: medium
---
title: Node.js Process Spawning a Shell - LofyStealer Loader
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
date: 2026-05-01
status: experimental
description: |
    Detects node.exe spawning cmd.exe or PowerShell, consistent with LofyStealer's Node.js loader
    staging its in-memory C++ payload. npm/yarn/pnpm lifecycle scripts are the dominant benign source
    and are filtered on the parent command line. A loader packaged as a standalone executable will not
    carry the node.exe name; cover that case with the listed file hashes rather than this rule.
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - lofystealer
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_package_managers:
        ParentCommandLine|contains:
            - '\npm-cli.js'
            - '\yarn.js'
            - '\pnpm.cjs'
    condition: selection and not filter_package_managers
falsepositives:
    - Developer workstations running Node.js build tooling outside npm/yarn/pnpm
    - Electron and other Node-embedding applications (these normally do not run as node.exe)
level: medium
---
title: Outbound Connection from Executable in User-Writable Directory - GhostSocks Hunt
id: 12345678-90ab-cdef-1234-567890abcdef
date: 2026-05-01
status: experimental
description: |
    Hunting rule for GhostSocks-style proxy implants: an executable running from a user-writable
    location initiating a connection to a public address. Sysmon Event ID 3 carries no file-version
    fields (and Go binaries typically ship without version info), so the binary's origin path is used
    instead of a Company/Product match. Pair with the hash IOCs; on its own this is a triage pivot,
    not an alert.
references:
    - https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware
author: Security Arsenal
tags:
    - attack.command_and_control
    - attack.t1090
    - ghostsocks
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\Downloads\'
            - '\ProgramData\'
    filter_private_dest:
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '127.0.0.0/8'
    condition: selection and not filter_private_dest
falsepositives:
    - Updaters and portable applications running from user profile directories; add a filter for those observed in your environment
level: medium
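The rules above, executed over constructed Sysmon-style events so the selection and filter semantics can be checked before the YAML is deployed. This is an added example, not the page's or Security Arsenal's tooling; the event dictionaries are constructed samples (file paths are hypothetical, and 24.152.36.241 is the page's LofyStealer IOC reused here as a public destination), and the rule logic mirrors the rules above: parent/child process pairs for the first two, with an npm/yarn/pnpm parent-command-line filter, and a user-writable path plus non-private destination for the third.

```python
"""Run the Sigma rules above over constructed Sysmon-style events (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]
Predicate = Callable[[Event], bool]


def ends_with_any(value: str, suffixes: List[str]) -> bool:
    """Sigma |endswith, case-insensitive as Windows paths are matched."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma |contains, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def is_private(ip: str) -> bool:
    """Stand-in for Sigma's |cidr filter on RFC 1918 and loopback; unparseable input counts as public."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


@dataclass
class Rule:
    title: str
    level: str
    selections: List[Predicate]                              # condition: 1 of selection_*
    filters: List[Predicate] = field(default_factory=list)   # ... and not 1 of filter_*

    def matches(self, e: Event) -> bool:
        return any(s(e) for s in self.selections) and not any(f(e) for f in self.filters)


SHELLS = ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]
USER_WRITABLE = ["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Users\\Public\\",
                 "\\Downloads\\", "\\ProgramData\\"]
PACKAGE_MANAGERS = ["\\npm-cli.js", "\\yarn.js", "\\pnpm.cjs"]


def proc(e: Event) -> bool:
    return e.get("EventType") == "process_creation"


RULES = [
    Rule("MSBuild Launched by Python or Spawning a Shell - TeamPCP Activity", "medium", selections=[
        lambda e: proc(e) and ends_with_any(e.get("ParentImage", ""), ["\\python.exe", "\\pythonw.exe"])
                  and ends_with_any(e.get("Image", ""), ["\\msbuild.exe"]),
        lambda e: proc(e) and ends_with_any(e.get("ParentImage", ""), ["\\msbuild.exe"])
                  and ends_with_any(e.get("Image", ""), SHELLS),
    ]),
    Rule("Node.js Process Spawning a Shell - LofyStealer Loader", "medium", selections=[
        lambda e: proc(e) and ends_with_any(e.get("ParentImage", ""), ["\\node.exe"])
                  and ends_with_any(e.get("Image", ""), SHELLS),
    ], filters=[
        lambda e: contains_any(e.get("ParentCommandLine", ""), PACKAGE_MANAGERS),
    ]),
    Rule("Outbound Connection from Executable in User-Writable Directory - GhostSocks Hunt", "medium", selections=[
        lambda e: e.get("EventType") == "network_connection" and e.get("Initiated", "").lower() == "true"
                  and contains_any(e.get("Image", ""), USER_WRITABLE),
    ], filters=[
        lambda e: is_private(e.get("DestinationIp", "")),
    ]),
]


def run_rules(events: List[Event], rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """One hit record per (event, rule) match, in event order."""
    hits = []
    for e in events:
        for r in rules:
            if r.matches(e):
                hits.append({"rule": r.title, "level": r.level, "image": e.get("Image", ""),
                             "parent": e.get("ParentImage", ""), "dest": e.get("DestinationIp", "")})
    return hits


# Constructed sample telemetry, not real logs. Paths are hypothetical; 24.152.36.241 is the page's IOC.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "process_creation", "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"EventType": "process_creation", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventType": "process_creation", "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "process_creation", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "ParentCommandLine": r'"C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" run build',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "process_creation", "ParentImage": r"C:\Users\gamer\AppData\Roaming\mcmod\node.exe",
     "ParentCommandLine": "node.exe index.js",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "network_connection", "Image": r"C:\Users\gamer\AppData\Roaming\svc\updater.exe",
     "Initiated": "true", "DestinationIp": "24.152.36.241", "DestinationPort": "443"},
    {"EventType": "network_connection", "Image": r"C:\Users\gamer\AppData\Roaming\svc\updater.exe",
     "Initiated": "true", "DestinationIp": "192.168.1.20", "DestinationPort": "445"},
    {"EventType": "network_connection", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "1.1.1.1", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for h in run_rules(SAMPLE_EVENTS):
        print(f"[{h['level']}] {h['rule']}: {h['parent'] or h['image']} -> {h['image'] if h['parent'] else h['dest']}")
```

Of the eight sample events, four should fire: python.exe launching MSBuild, MSBuild launching cmd.exe, the AppData-resident node.exe launching PowerShell, and the AppData-resident updater.exe reaching a public address. The npm-driven cmd.exe, the devenv-driven MSBuild, the SMB connection to a private host, and Firefox from Program Files are all suppressed, which is the tuning the rules' false-positive notes describe.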


kql
// Hunt for TeamPCP, LofyStealer, and GhostSocks indicators across network, process and file telemetry.
// Each source is queried separately and unioned: an inner join on DeviceName would only return hosts
// that matched BOTH a network indicator and a hash indicator, silently dropping everything else.
let Domains = dynamic(["scan.aquasecurtiy.org", "aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "retreaw.click", "w2.bruggebogeyed.site"]);
let IPs = dynamic(["24.152.36.241"]);
// MD5 (32), SHA1 (40) and SHA256 (64) hashes are mixed; each is compared against the matching column.
let Hashes = dynamic([
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413",
    "3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a", "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148", "f9fe23f24d45eae418c60819c523a83ddba4ca50",
    "10f928e00a1ed0181992a1e4771673566a02f4e3", "3d9d7a7905e46a3e39a45405cb010c1baa735f9e", "9b90c62299d4bed2e0752e2e1fc777ac50308534",
    "97e073abd819d9cdc07705aeaa481f59", "d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf", "ddd2994acd25bde5ac32a03f1cf30b41"
]);
let NetHits = DeviceNetworkEvents
    | where RemoteIP in (IPs) or RemoteUrl has_any (Domains)
    | project Timestamp, DeviceName, Source = "DeviceNetworkEvents",
              Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl),
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort),
              Account = InitiatingProcessAccountName;
let ProcHits = DeviceProcessEvents
    | where SHA256 in (Hashes) or SHA1 in (Hashes) or MD5 in (Hashes)
    | project Timestamp, DeviceName, Source = "DeviceProcessEvents",
              Indicator = case(SHA256 in (Hashes), SHA256, SHA1 in (Hashes), SHA1, MD5),
              Detail = ProcessCommandLine, Account = AccountName;
let FileHits = DeviceFileEvents
    | where SHA256 in (Hashes) or SHA1 in (Hashes) or MD5 in (Hashes)
    | project Timestamp, DeviceName, Source = "DeviceFileEvents",
              Indicator = case(SHA256 in (Hashes), SHA256, SHA1 in (Hashes), SHA1, MD5),
              Detail = strcat(ActionType, " ", FolderPath), Account = InitiatingProcessAccountName;
union NetHits, ProcHits, FileHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(), Examples = make_set(Detail, 5)
    by DeviceName, Source, Indicator, Account
| order by LastSeen desc


powershell
# IOC hunt script for TeamPCP, LofyStealer, and GhostSocks (run elevated).
# The IOC list mixes algorithms; hash length identifies each: 32 = MD5, 40 = SHA1, 64 = SHA256.
# Hashing with SHA256 alone would never match the MD5 or SHA1 entries.
$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "97e073abd819d9cdc07705aeaa481f59", "3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a",
    "d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf",
    "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148", "f9fe23f24d45eae418c60819c523a83ddba4ca50",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "ddd2994acd25bde5ac32a03f1cf30b41", "10f928e00a1ed0181992a1e4771673566a02f4e3",
    "3d9d7a7905e46a3e39a45405cb010c1baa735f9e", "9b90c62299d4bed2e0752e2e1fc777ac50308534",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
) | ForEach-Object { $_.ToLowerInvariant() }
$ByAlgo = @{
    MD5    = @($TargetHashes | Where-Object Length -eq 32)
    SHA1   = @($TargetHashes | Where-Object Length -eq 40)
    SHA256 = @($TargetHashes | Where-Object Length -eq 64)
}
$Domains = @("scan.aquasecurtiy.org", "aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "retreaw.click", "w2.bruggebogeyed.site")
$IPs = @("24.152.36.241")

Write-Host "Scanning for malicious file hashes (full-disk; expect this to take a while)..."
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    foreach ($algo in $ByAlgo.Keys) {
        if (-not $ByAlgo[$algo]) { continue }
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
        if ($hash -and $ByAlgo[$algo] -contains $hash.ToLowerInvariant()) {
            Write-Host "MATCH FOUND ($algo): $($file.FullName) - $hash" -ForegroundColor Red
        }
    }
}

Write-Host "Checking DNS client cache and live connections for C2 indicators (GhostSocks/LofyStealer/TeamPCP)..."
$Pattern = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $Pattern -or $_.Name -match $Pattern } |
    Select-Object Entry, Name, Data
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $IPs -contains $_.RemoteAddress } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
# The hosts file is a weak signal on its own, but an entry here would hide C2 resolution from DNS logs.
Get-Content "C:\Windows\System32\drivers\etc\hosts" | Select-String -Pattern $Pattern

Response Priorities

  • Immediate:
    • Block all listed domains and IPs at the firewall and proxy.
    • Scan all endpoints for the listed file hashes.
    • Investigate any recent installations of the telnyx Python SDK or unusual msbuild.exe executions.
  • 24 Hours:
    • If LofyStealer or GhostSocks is detected, force a password reset for affected user accounts, rotate API keys, and revoke active sessions: stolen cookies and tokens remain valid after a password change.
    • Isolate infected hosts to prevent lateral movement or proxy usage.
  • 1 Week:
    • Audit Python environments for the affected telnyx releases; pin dependencies and install with hash verification (pip's --require-hashes) so a modified package release cannot be ingested silently.
    • Implement application allowlisting for Node.js and Go binaries running from user-writable directories.
    • Review network logs for signs of SOCKS5 proxy traffic originating from internal endpoints.
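Auditing Python environments for trojanized telnyx installs, as an added example rather than the page's own tooling: it enumerates installed distributions with importlib.metadata, hashes every file the distribution's RECORD lists with MD5, SHA1 and SHA256 against the page's IOC hashes (the page does not say which hash belongs to which family, so the whole list is treated as one set), and flags the sysmon.py file name the page attributes to TeamPCP's persistence stage. The dist-info fixture built in a temporary directory is constructed for the demo; the IOC hashes are copied from the page.

```python
"""Audit a Python environment for trojanized telnyx installs (added example)."""
import hashlib
import tempfile
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional, Set

# Hashes from the page's IOC lists, lower-cased. Length identifies the algorithm (32/40/64).
IOC_HASHES: Set[str] = {
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413",
    "3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a", "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148",
    "f9fe23f24d45eae418c60819c523a83ddba4ca50", "10f928e00a1ed0181992a1e4771673566a02f4e3",
    "3d9d7a7905e46a3e39a45405cb010c1baa735f9e", "9b90c62299d4bed2e0752e2e1fc777ac50308534",
    "97e073abd819d9cdc07705aeaa481f59", "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf", "ddd2994acd25bde5ac32a03f1cf30b41",
}
SUSPICIOUS_NAMES = {"sysmon.py"}  # script name from the page's TeamPCP persistence description


def file_hashes(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute md5/sha1/sha256 in one pass so a large package file is read once."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def audit_distribution(name: str, search_path: Optional[List[str]] = None,
                       iocs: Set[str] = IOC_HASHES) -> List[Dict[str, str]]:
    """Findings for every installed copy of `name` on `search_path` (default: sys.path)."""
    findings: List[Dict[str, str]] = []
    dists = metadata.distributions(path=search_path) if search_path else metadata.distributions()
    for dist in dists:
        if (dist.metadata["Name"] or "").lower() != name.lower():
            continue
        label = f"{name}=={dist.version}"
        for rel in dist.files or []:                    # files listed in the dist's RECORD
            p = Path(dist.locate_file(rel))
            if p.name.lower() in SUSPICIOUS_NAMES:
                findings.append({"dist": label, "file": str(p), "reason": "suspicious filename"})
            if not p.is_file():
                continue
            for algo, digest in file_hashes(p).items():
                if digest in iocs:
                    findings.append({"dist": label, "file": str(p), "reason": f"{algo} matches IOC {digest}"})
    return findings


def make_fake_env(root: Path, version: str = "0.0.0", extra_script: bytes = b"") -> Path:
    """Constructed fixture: a minimal site-packages holding a telnyx dist-info with a RECORD."""
    pkg = root / "telnyx"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "__init__.py").write_bytes(b"__version__ = '%s'\n" % version.encode())
    (pkg / "sysmon.py").write_bytes(extra_script)
    info = root / f"telnyx-{version}.dist-info"
    info.mkdir(exist_ok=True)
    (info / "METADATA").write_text(f"Metadata-Version: 2.1\nName: telnyx\nVersion: {version}\n")
    (info / "RECORD").write_text("telnyx/__init__.py,,\ntelnyx/sysmon.py,,\n")
    return root


def demo_findings(script: bytes = b"print('stage 3')\n") -> Dict[str, List[Dict[str, str]]]:
    """Build the fixture in a temp dir and audit it twice: with the page's IOC set alone, and with
    the fixture script's own SHA256 added so the hash-matching path is exercised as well."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_fake_env(Path(tmp), extra_script=script)
        marker = hashlib.sha256(script).hexdigest()
        return {
            "page_iocs": audit_distribution("telnyx", [str(root)]),
            "with_marker": audit_distribution("telnyx", [str(root)], iocs=IOC_HASHES | {marker}),
            "absent": audit_distribution("not-installed", [str(root)]),
        }


if __name__ == "__main__":
    for key, rows in demo_findings().items():
        print(key, rows)
    print("live environment:", audit_distribution("telnyx") or "telnyx not installed / no findings")
```

Run it against each interpreter and virtual environment on a developer host (pass the environment's site-packages as search_path, or run it with that interpreter); a clean install of the SDK produces no findings, and any hash match or sysmon.py hit is grounds for the telnyx-specific investigation listed under Immediate.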
