Recent OTX Pulse data reveals a convergence of supply chain exploitation, credential theft, and infrastructure abuse. Three distinct threat clusters—TeamPCP, LofyGang, and GhostSocks—demonstrate a shift towards complex delivery mechanisms and stealthy persistence.
- TeamPCP has weaponized the popular telnyx Python SDK on PyPI, utilizing a three-stage architecture involving steganography (hiding payloads in WAV files) to deploy credential harvesters.
- LofyGang continues to evolve LofyStealer (aka GrabBot/Slinky), targeting the gaming sector with a sophisticated Node.js loader and memory-only C++ payload designed to strip browser data.
- GhostSocks represents a growing trend in Malware-as-a-Service (MaaS), turning compromised educational endpoints into residential proxy nodes via GoLang-based SOCKS5 malware, often in partnership with Lumma Stealer.
Collectively, these campaigns emphasize the need for supply chain integrity monitoring and advanced behavioral detection against memory-resident payloads.
Threat Actor / Malware Profile
TeamPCP
- Malware Families: msbuild.exe (abused), sysmon.py (trojanized), Credential Harvester.
- Distribution: PyPI Supply Chain (malicious version of the telnyx package).
- Payload Behavior: Three-stage execution. Initial trojanized package triggers a platform-specific loader, which retrieves a second-stage payload hidden inside a WAV file using steganography.
- Objective: Credential theft, data exfiltration, persistence within developer environments.
LofyGang
- Malware Families: LofyStealer, GrabBot, Slinky, Chromelevator.
- Distribution: Social engineering targeting Minecraft players; disguising payload within legitimate libraries.
- Payload Behavior: 53.5MB Node.js loader drops a 1.4MB native C++ payload that executes directly in memory to evade disk scanning.
- Objective: Extraction of cookies, passwords, tokens, credit cards, and IBANs from 8+ major browsers.
GhostSocks
- Malware Families: GhostSocks (GoLang), Lumma Stealer (partner).
- Distribution: Malware-as-a-Service (MaaS) via Russian underground forums; targeting Education sector.
- Payload Behavior: Uses SOCKS5 proxy protocol and TLS encryption to blend malicious traffic with legitimate web traffic. Turns devices into residential proxy nodes.
- Objective: Anonymization for other malicious operations, secondary infection via Lumma Stealer.
IOC Analysis
The provided indicators highlight a mix of infrastructure and payload artifacts:
- Typosquatting/Domains: aquasecurtiy.org (likely mimicking Aqua Security) and retreaw.click are key C2 domains. w2.bruggebogeyed.site serves as a host for GhostSocks.
- IP Addresses: 24.152.36.241 associated with LofyGang infrastructure.
- File Hashes: A significant list of SHA256, MD5, and SHA1 hashes corresponding to the Node.js loaders, C++ memory payloads, and GoLang binaries.
Operational Guidance: SOC teams should immediately blocklist the listed domains and IPs. File hashes should be loaded into EDR detection engines. Because TeamPCP hides its second stage inside WAV files with steganography, traditional static analysis may fail; behavioral and heuristic analysis is required.
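The guidance above points out that a steganographic WAV carrier defeats signature-based static analysis. The following is an added example, not code from the original post or from any actor or vendor it describes: a Python triage script that walks a WAV file's RIFF chunks and applies two cheap heuristics, bytes present beyond the length the RIFF header declares, and a least-significant-bit stream whose packed bytes have entropy close to 8 bits (packed data rather than audio). The 16-bit PCM assumption, the entropy threshold and the in-memory test carriers are all constructed for this example.

```python
"""Heuristic triage of WAV files for hidden payloads.

Added example, not code from the original post or from any of the actors
it describes. It assumes 16-bit PCM WAV carriers and checks two signs a
steganographic carrier commonly shows: bytes appended after the length
declared in the RIFF header, and a least-significant-bit stream that
looks like packed data (byte-level entropy near 8 bits) rather than audio.
"""
import io
import math
import struct
import wave
from collections import Counter


def parse_wav(buf: bytes) -> dict:
    """Walk the RIFF chunk list and return the sample width, the raw 'data'
    chunk and the number of bytes present beyond what the RIFF header declares."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", buf[4:8])[0]
    info = {"sampwidth": 2, "data": b"", "trailing": max(0, len(buf) - (8 + riff_size))}
    pos = 12
    while pos + 8 <= len(buf):
        chunk_id = buf[pos:pos + 4]
        size = struct.unpack("<I", buf[pos + 4:pos + 8])[0]
        body = buf[pos + 8:pos + 8 + size]
        if chunk_id == b"fmt " and len(body) >= 16:
            bits_per_sample = struct.unpack("<H", body[14:16])[0]
            info["sampwidth"] = max(1, bits_per_sample // 8)
        elif chunk_id == b"data":
            info["data"] = body
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return info


def packed_lsb_entropy(data: bytes, sampwidth: int) -> float:
    """Pack the LSB of every sample into bytes and return the Shannon entropy
    of those bytes (0..8 bits). Silence gives 0; a compressed or encrypted
    byte stream hidden in the LSBs approaches 8."""
    lsbs = [data[i] & 1 for i in range(0, len(data) - sampwidth + 1, sampwidth)]
    packed = bytearray()
    for k in range(0, len(lsbs) - 7, 8):
        byte = 0
        for bit in lsbs[k:k + 8]:
            byte = (byte << 1) | bit
        packed.append(byte)
    if not packed:
        return 0.0
    n = len(packed)
    return -sum(c / n * math.log2(c / n) for c in Counter(packed).values())


def analyze_wav(buf: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return both indicators and a verdict. The threshold is a tuning
    assumption for this example, not a value from the advisory."""
    info = parse_wav(buf)
    entropy = packed_lsb_entropy(info["data"], info["sampwidth"])
    return {
        "trailing_bytes": info["trailing"],
        "lsb_entropy_bits": round(entropy, 3),
        "suspicious": info["trailing"] > 0 or entropy >= entropy_threshold,
    }


# --- constructed test carriers, built in memory; no real samples involved ---

def make_wav(samples: bytes, trailer: bytes = b"") -> bytes:
    """Build a mono 16-bit 8 kHz WAV and optionally append bytes past its end."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(samples)
    return buf.getvalue() + trailer


def embed_lsb(samples: bytes, payload: bytes) -> bytes:
    """Write payload bits, MSB first, into the LSB of consecutive 16-bit samples."""
    out = bytearray(samples)
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(out) // 2:
        raise ValueError("payload does not fit in carrier")
    for k, bit in enumerate(bits):
        out[2 * k] = (out[2 * k] & 0xFE) | bit  # low byte of the little-endian sample
    return bytes(out)


SILENCE = bytes(16384 * 2)                       # 16384 zero-valued samples
CLEAN_WAV = make_wav(SILENCE)
STEGO_WAV = make_wav(embed_lsb(SILENCE, bytes(range(256)) * 8))
APPENDED_WAV = make_wav(SILENCE, b"\x00" * 64)   # 64 bytes past the declared size

if __name__ == "__main__":
    for label, wav in (("clean", CLEAN_WAV), ("lsb-embedded", STEGO_WAV), ("appended", APPENDED_WAV)):
        print(label, analyze_wav(wav))
```

Run it over the WAV files shipped inside a suspect package directory and treat hits as triage leads: natural recordings with a noisy low bit can also show high LSB entropy, so the threshold has to be tuned against known-clean audio from the same source, and a carrier that writes the payload into higher bits or into a separate chunk will not trip either check.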
Detection Engineering
Sigma Rules
title: Potential TeamPCP PyPI Supply Chain Attack
description: Detects suspicious child processes spawned by Python executable that may indicate the execution of the msbuild.exe stager or similar payload delivery mechanisms found in the TeamPCP telnyx package campaign.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
  - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\python.exe'
    Image|endswith:
      - '\msbuild.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate developer builds using Python scripts
level: high
---
title: LofyStealer Node.js Loader Activity
description: Detects Node.js processes accessing browser credential stores or spawning suspicious child processes, indicative of LofyStealer or GrabBot activity.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
  - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Mozilla\Firefox\Profiles'
  condition: selection
falsepositives:
  - Legitimate browser automation tools
level: high
---
title: GhostSocks Proxy Process Execution
description: Detects unsigned GoLang binaries establishing network connections or listening on ports, characteristic of GhostSocks proxy malware.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
  - https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - '\AppData\Roaming\'
      - '\AppData\Local\Temp\'
    Initiated: 'true'
  filter:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\edge.exe'
  condition: selection and not filter
falsepositives:
  - Other unsigned utilities
level: medium
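To see how the three selections above actually fire, here is an added example (not part of the original post and not a Sigma library) that re-implements only the subset of Sigma semantics these rules use: the `|endswith` and `|contains` modifiers, case-insensitive matching, list values as OR, keys within a selection as AND, and conditions of the form `selection` or `selection and not filter`. The events it runs over are constructed to exercise each rule, including the browser-process exclusion in the GhostSocks rule; they are not real telemetry.

```python
"""Evaluate the three Sigma selections against constructed events.

Added example; it is not the original post's code and not a Sigma backend.
Only the modifiers and condition forms the three rules use are implemented.
"""

RULES = {
    "teampcp_python_child": {
        "logsource": "process_creation",
        "selection": {
            "ParentImage|endswith": "\\python.exe",
            "Image|endswith": ["\\msbuild.exe", "\\cmd.exe"],
        },
        "condition": "selection",
    },
    "lofystealer_node_browser_store": {
        "logsource": "file_access",
        "selection": {
            "Image|endswith": "\\node.exe",
            "TargetFilename|contains": [
                "\\Google\\Chrome\\User Data\\Default\\Cookies",
                "\\Mozilla\\Firefox\\Profiles",
            ],
        },
        "condition": "selection",
    },
    "ghostsocks_appdata_outbound": {
        "logsource": "network_connection",
        "selection": {
            "Image|contains": ["\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\"],
            "Initiated": "true",
        },
        "filter": {"Image|endswith": ["\\chrome.exe", "\\firefox.exe", "\\edge.exe"]},
        "condition": "selection and not filter",
    },
}


def match_selection(selection: dict, event: dict) -> bool:
    """Every key in a selection must match; a list value matches if any entry does.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        candidates = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
        if modifier == "endswith":
            ok = any(value.endswith(c) for c in candidates)
        elif modifier == "startswith":
            ok = any(value.startswith(c) for c in candidates)
        elif modifier == "contains":
            ok = any(c in value for c in candidates)
        elif modifier == "":
            ok = value in candidates
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True


def evaluate_condition(condition: str, results: dict) -> bool:
    """Left-to-right evaluation of 'a', 'a and b', 'a or b' and 'a and not b'."""
    outcome, operator, negate = None, None, False
    for token in condition.split():
        if token in ("and", "or"):
            operator = token
        elif token == "not":
            negate = True
        else:
            value = results[token] != negate  # apply a pending 'not'
            negate = False
            if outcome is None:
                outcome = value
            elif operator == "and":
                outcome = outcome and value
            else:
                outcome = outcome or value
    return bool(outcome)


def run_rules(rules: dict, events: list) -> list:
    """Return (rule name, event id) pairs for every event a rule fires on."""
    hits = []
    for event in events:
        for name, rule in rules.items():
            if event.get("category") != rule["logsource"]:
                continue  # rule does not apply to this log source
            results = {k: match_selection(v, event) for k, v in rule.items()
                       if k not in ("logsource", "condition")}
            if evaluate_condition(rule["condition"], results):
                hits.append((name, event["id"]))
    return hits


# Constructed events (not real telemetry) using the field names the rules reference.
EVENTS = [
    {"id": "e1", "category": "process_creation",
     "ParentImage": "C:\\Python312\\python.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": "e2", "category": "file_access", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"id": "e3", "category": "network_connection",
     "Image": "C:\\Users\\dev\\AppData\\Roaming\\svc\\updater.exe", "Initiated": "true"},
    {"id": "e4", "category": "network_connection",
     "Image": "C:\\Users\\dev\\AppData\\Roaming\\Portable\\chrome.exe", "Initiated": "true"},
    {"id": "e5", "category": "process_creation",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in run_rules(RULES, EVENTS):
        print(hit)
```

Event e4 shows why the filter matters: a browser binary living under AppData matches the GhostSocks selection but is excluded by `selection and not filter`, while e5 shows that cmd.exe under a non-Python parent never reaches the TeamPCP rule. When tuning the third rule in production, expect the falsepositives entry to be the busy one, since any self-updating tool installed per-user lives in the same paths.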
KQL (Microsoft Sentinel)
// Hunt for TeamPCP and GhostSocks Network IOCs
let IOCs = dynamic(["scan.aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "aquasecurtiy.org", "retreaw.click", "w2.bruggebogeyed.site", "24.152.36.241"]);
DeviceNetworkEvents
| where RemoteUrl in~ IOCs or RemoteIP in~ IOCs
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
| sort by Timestamp desc
PowerShell
# IOC Hunt Script for TeamPCP and LofyStealer Artifacts
# Requires Admin Privileges
$MaliciousHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1"
)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
# Enumerate filesystem drives that currently hold data
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
foreach ($Drive in $Drives) {
    Write-Host "[+] Scanning drive:" $Drive.Root -ForegroundColor Yellow
    try {
        # Skip very small and very large files to keep hashing time reasonable
        $Files = Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue -File | Where-Object { $_.Length -gt 1kb -and $_.Length -lt 100mb }
        foreach ($File in $Files) {
            # Get-FileHash returns uppercase hex; -in compares case-insensitively, so the lowercase list above matches
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -in $MaliciousHashes) {
                Write-Host "[!!!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
            }
        }
    } catch {
        Write-Host "[-] Error accessing drive:" $Drive.Root -ForegroundColor DarkGray
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block network access to aquasecurtiy.org, retreaw.click, and 24.152.36.241.
  - Initiate a hunt for file hashes associated with TeamPCP and LofyStealer across endpoints.
  - Quarantine systems identified as communicating with GhostSocks C2 infrastructure.
- 24 Hours:
  - If credential theft is suspected (specifically LofyStealer or TeamPCP harvester activity), force a password reset for affected users and revoke session tokens.
  - Review developer workstations for the presence of the compromised telnyx Python package.
- 1 Week:
  - Audit Python (PyPI) and Node.js package management policies; implement software composition analysis (SCA) tools to detect typosquatting and malicious dependencies.
  - Segment network traffic in the Education sector to mitigate the impact of proxy-based malware like GhostSocks.
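The one-week items ask for SCA-style checks on package manifests. The following is an added example, not code from the original post or from any SCA product: a Python script that parses a requirements.txt-style list and flags a name within a short edit distance of a known package (possible typosquat), a name on a review list (the advisory names telnyx as having shipped a trojanized release, so any pin of it should be checked against the vendor's guidance), and a dependency without an exact `==` pin. The same edit-distance helper is applied to the advisory's typosquatted domain, aquasecurtiy.org, to show it is the same technique. The known-package set, the distance thresholds, the sample manifest and its version numbers are all assumptions built for this example.

```python
"""Dependency-manifest checks of the kind an SCA policy would enforce.

Added example; not the original post's code and not any SCA product.
KNOWN_PACKAGES, REVIEW_LIST, the thresholds and SAMPLE_REQUIREMENTS are
constructed for illustration.
"""
import re

KNOWN_PACKAGES = {"requests", "numpy", "telnyx", "cryptography", "urllib3", "pyyaml", "boto3"}
REVIEW_LIST = {
    "telnyx": "advisory reports a trojanized PyPI release; confirm the installed version is clean",
}
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalikes(name: str, known: set, max_dist=None) -> list:
    """Known names within edit distance of `name`, excluding an exact match.
    Short names get a tighter threshold to keep false positives down."""
    if max_dist is None:
        max_dist = 1 if len(name) <= 5 else 2
    return sorted(k for k in known if k != name and levenshtein(name, k) <= max_dist)


def check_requirements(text: str) -> list:
    """Return (name, finding, detail) tuples for a requirements.txt body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks and pip options
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparsed", "line did not match a requirement"))
            continue
        name, op = normalize(m.group(1)), m.group(2)
        if name in REVIEW_LIST:
            findings.append((name, "review", REVIEW_LIST[name]))
        elif name not in KNOWN_PACKAGES:
            near = lookalikes(name, KNOWN_PACKAGES)
            if near:
                findings.append((name, "typosquat", f"resembles {near}"))
        if op != "==":
            findings.append((name, "unpinned", "no exact version pin"))
    return findings


# Constructed manifest; the version numbers are made up for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
reqeusts==2.32.3
telnyx==1.0.0
numpy>=1.26
cryptograpy==42.0.5
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
    print("aquasecurtiy.org vs aquasecurity.org:",
          levenshtein("aquasecurtiy", "aquasecurity"))
```

A real policy would back KNOWN_PACKAGES with the organization's approved-dependency list or the top-N PyPI names, and would gate CI on the `review` and `typosquat` findings rather than only printing them; the `unpinned` finding is what makes the later hash-based hunt tractable, since an exact pin with `--hash` lets pip refuse a substituted artifact outright.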