
TeamPCP PyPI Supply Chain Attack, LofyStealer, and GhostSocks Proxy Botnet: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 3, 2026
6 min read

Recent OTX pulses indicate a convergence of supply chain compromises, commodity infostealers, and residential proxy botnets. The TeamPCP threat actor has weaponized the popular Telnyx Python SDK (750k+ downloads) in a software supply chain attack, deploying credential harvesters via steganography. Simultaneously, LofyGang's LofyStealer actively targets Minecraft players via social engineering using a Node.js loader, while the GhostSocks MaaS operation expands its footprint by turning infected endpoints into residential proxy nodes, often partnering with Lumma Stealer. The collective objective is credential theft, establishing persistent C2 infrastructure, and monetizing network access via proxy services.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Compromise)

  • Distribution: Malicious package uploaded to PyPI (telnyx SDK). Upon installation, a platform-specific loader triggers.
  • Payload Behavior: Uses a three-stage architecture. The second stage is hidden within a WAV file using steganography. The final stage is a credential harvester.
  • C2 & Persistence: Communicates with C2 domains like scan.aquasecurtiy.org (a typosquat of AquaSecurity) and raw.icp0.io. Persistence is achieved via Python execution and scheduled tasks leveraging msbuild.exe.
  • Anti-Analysis: Uses steganography to hide payloads and evades detection by blending in with legitimate SDK traffic.

LofyGang (LofyStealer)

  • Distribution: Social engineering targeting Minecraft players. Disguised as legitimate game mods or cheats.
  • Payload Behavior: A 53.5MB Node.js loader drops a 1.4MB native C++ payload that executes directly in memory (fileless).
  • C2 & Persistence: Steals cookies, passwords, tokens, and banking details from 8+ browsers. Uses chromelevator and grabbot modules.
  • Anti-Analysis: Uses syscalls evasion and a large Node.js loader to mask malicious traffic and confuse static analysis tools.

GhostSocks

  • Distribution: Marketed on Russian underground forums as MaaS (Malware-as-a-Service).
  • Payload Behavior: Written in Go, it compromises devices to act as residential proxy nodes (SOCKS5).
  • C2 & Persistence: Uses TLS encryption to blend malicious traffic with normal web activity. Partners with Lumma Stealer to drop additional payloads.
  • Anti-Analysis: High entropy Go binaries and TLS traffic make network detection difficult without deep packet inspection.

IOC Analysis

The provided IOCs include typosquatted domains (aquasecurtiy.org), suspicious hostnames, and file hashes for the loaders and payloads. SOC teams should immediately block the domains and IP addresses at the perimeter. The file hashes (MD5, SHA1, SHA256) should be loaded into EDR solutions to hunt for execution artifacts on endpoints. Notably, the TeamPCP campaign uses raw.icp0.io, an IC (Internet Computer) endpoint, which may be bypassing standard reputation filters.

Operational Guidance:

  • Domains/IPs: Block 24.152.36.241, retreaw.click, bruggebogeyed.site, aquasecurtiy.org.
  • File Hashes: Scan endpoints for the listed SHA256/MD5 hashes indicative of the Node.js loader or Go binaries.
  • Network: Monitor for outbound TLS connections to the non-standard ports associated with SOCKS5 proxying.

Detection Engineering

Sigma Rules

YAML
---
title: Potential TeamPCP Supply Chain Attack - Python Spawning MsBuild
id: a9b2c3d4-e5f6-4789-a012-345678901abc
description: Detects Python processes (pip/python.exe) spawning msbuild.exe, a technique used in the TeamPCP Telnyx SDK supply chain attack.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64321d192f8e3e8a7e5b4e5c
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
    - attack.t1059.006
    - attack.defense_evasion
    - attack.t1127.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\python.exe'
            - '\pip.exe'
        Image|endswith: '\msbuild.exe'
    condition: selection
falsepositives:
    - Legitimate developer builds using Python scripts
level: high

---
title: Suspicious Node.js Browser Data Access - LofyStealer
id: b1c2d3e4-f5a6-4789-b012-345678901bcd
description: Detects Node.js processes accessing browser cookie or history databases, indicative of infostealers like LofyStealer.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64321d192f8e3e8a7e5b4e5d
tags:
    - attack.credential_access
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Google\Chrome\User Data\Default\History'
            - '\Mozilla\Firefox\Profiles'
    condition: selection
falsepositives:
    - Legitimate web development testing
level: high

---
title: DNS Query for Typosquatted Security Domain - TeamPCP C2
id: c2d3e4f5-a6b7-4789-c012-345678901cde
description: Detects DNS queries for 'aquasecurtiy.org', a known C2 domain used in TeamPCP campaigns targeting developer environments.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64321d192f8e3e8a7e5b4e5c
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains: 'aquasecurtiy.org'
    condition: selection
falsepositives:
    - Unlikely (typosquat of a legitimate vendor domain)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TeamPCP and LofyStealer network/process activity
// Run each numbered block as its own query; the IOCTag column makes results easy to merge afterwards.
// 1. Network connections to known malicious domains/IPs
//    has_any matches full URLs and subdomains such as scan.aquasecurtiy.org, which an exact "in" would miss
DeviceNetworkEvents
| where RemoteUrl has_any ("aquasecurtiy.org", "retreaw.click", "bruggebogeyed.site", "raw.icp0.io") or RemoteIP == "24.152.36.241"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend IOCTag = "Known_Malicious_Domain_IP"

// 2. Process creation anomalies (Python/pip spawning MsBuild, Node spawning PowerShell)
DeviceProcessEvents
| where (InitiatingProcessFileName in~ ("python.exe", "pip.exe") and FileName =~ "msbuild.exe") or
        (InitiatingProcessFileName =~ "node.exe" and FileName =~ "powershell.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| extend IOCTag = "Suspicious_Process_Chain"

// 3. File Hash Hunt
DeviceFileEvents
| where SHA256 in ("6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2", "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| extend IOCTag = "Malicious_File_Hash"

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for TeamPCP, LofyStealer, and GhostSocks
# Requires Admin privileges

# 1. Define Malicious Hashes (SHA256)
$MaliciousHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

Write-Host "[+] Scanning for malicious file hashes..."

# Get-ChildItem on C: (Optimized for common load points)
$Paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        # -File keeps directories out of the pipeline so Get-FileHash does not error on them
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object { $MaliciousHashes -contains $_.Hash } | ForEach-Object {
            Write-Host "[!] ALERT: Malicious file found: $($_.Path)" -ForegroundColor Red
        }
    }
}

# 2. Check for Suspicious DNS Cache Entries (TeamPCP C2)
Write-Host "[+] Checking DNS Cache for malicious domains..."
$BadDomains = @("aquasecurtiy.org", "retreaw.click", "bruggebogeyed.site")
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue

if ($DnsCache) {
    foreach ($Domain in $BadDomains) {
        # Plain variable name on purpose: $Matches is a PowerShell automatic variable
        $Hits = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
        if ($Hits) {
            Write-Host "[!] ALERT: Suspicious DNS entry found for: $Domain" -ForegroundColor Red
        }
    }
}

# 3. Check for Python/Pip spawning MsBuild (point-in-time check of running processes only;
#    historical activity needs process-creation logs such as Sysmon Event ID 1 or Security 4688)
Write-Host "[+] Checking for suspicious process relationships..."
$MsBuild = Get-CimInstance Win32_Process -Filter "Name='msbuild.exe'"
if ($MsBuild) {
    foreach ($Proc in $MsBuild) {
        $Parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Proc.ParentProcessId)"
        if ($Parent -and $Parent.Name -in @("python.exe", "pip.exe")) {
            Write-Host "[!] ALERT: MsBuild spawned by $($Parent.Name): PID $($Proc.ProcessId)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate:
    • Block all listed IOCs (Domains, IPs, Hashes) at the firewall and proxy.
    • Isolate any endpoints with confirmed hits on the malicious file hashes.
    • Hunt for evidence of msbuild.exe execution spawned by python.exe.
  • 24 Hours:
    • Credential Hygiene: If LofyStealer or TeamPCP activity is suspected, force a password reset for affected users and revoke session tokens.
    • Developer Environment Audit: Audit Python environments (PyPI packages) for developers who may have installed the compromised telnyx SDK.
  • 1 Week:
    • Supply Chain Hardening: Implement software composition analysis (SCA) and require pinned dependencies for internal development.
    • Network Segmentation: Restrict the ability of workstations to act as proxy nodes (egress filtering).
    • Application Control: Block execution of unsigned Node.js loaders and unauthorized Go binaries in user directories.
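To support the developer environment audit above, here is an added example (not part of the Security Arsenal pack) that walks a site-packages directory, hashes every file against the pulse's SHA256 IOCs, and flags WAV files inside the telnyx package tree, since the second TeamPCP stage was carried in a WAV and a telephony SDK has no reason to ship audio. The demo tree it builds, with its file names and contents, is constructed for the dry run.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 IOCs as listed in the pulse (the same set the KQL and PowerShell hunts use).
IOC_SHA256 = {
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large loaders
            digest.update(chunk)
    return digest.hexdigest()


def audit_site_packages(root, package="telnyx", ioc_hashes=IOC_SHA256):
    """Return sorted (relative_path, reason) findings under a site-packages dir."""
    # Check 1: any file anywhere whose SHA256 is in the IOC set.
    # Check 2: a .wav inside the named package tree (stego carrier for stage two).
    root = Path(root)
    findings = []
    for full in root.rglob("*"):
        if not full.is_file():
            continue
        rel = full.relative_to(root).as_posix()
        if sha256_file(full) in ioc_hashes:
            findings.append((rel, "sha256 matches pulse IOC"))
        elif full.suffix.lower() == ".wav" and rel.split("/")[0].lower() == package:
            findings.append((rel, "audio file inside %s package" % package))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (not real package contents) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="sitepkg_"))
    layout = {
        "telnyx/__init__.py": b"__version__ = 'x.y.z'\n",
        "telnyx/assets/notice.wav": b"RIFF\x00\x00\x00\x00WAVEfmt " * 4,
        "requests/__init__.py": b"# benign neighbour, must not be flagged\n",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)
```

Point `audit_site_packages` at a real interpreter's site-packages (for example the path printed by `python -c "import site; print(site.getsitepackages())"`) to run it against a developer workstation.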
