TeamPCP PyPI Supply Chain, LofyStealer, & GhostSocks Botnet: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 2, 2026

Recent OTX pulses indicate a surge in diverse threats targeting software supply chains, individual gamers, and institutional infrastructure. The most critical enterprise risk comes from TeamPCP, which trojanized the legitimate telnyx Python SDK (750k+ downloads) on PyPI to deliver a multi-stage credential harvester whose second stage is hidden inside a WAV file by steganography. Concurrently, LofyStealer (LofyGang) is targeting Minecraft players with a Node.js/C++ infostealer that exfiltrates browser data and financial credentials. Finally, GhostSocks is a growing MaaS threat focused on the Education sector, turning compromised devices into residential proxy nodes that launder malicious traffic, frequently deployed alongside Lumma Stealer.

Collectively, these campaigns highlight a trend toward abusing trusted development tools (PyPI), leveraging social engineering for broad credential harvesting, and monetizing compromised infrastructure via proxy networks.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Supply Chain)

  • Distribution Method: Trojanized release of the telnyx package published to PyPI; any developer workstation, container build or CI runner that installed the affected release pulled the loader in through pip.
  • Payload Behavior: Three-stage architecture. The trojanized package runs a platform-specific loader, which retrieves a second-stage payload hidden by steganography inside a WAV audio file; the final stage harvests credentials.
  • C2 Communication: Encrypted C2 channels. Observed infrastructure includes scan.aquasecurtiy.org, a misspelled lookalike of the legitimate aquasecurity.org domain that analysts should not dismiss as vendor traffic, and a canister on the Internet Computer (tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io).
  • Persistence Mechanism: Established at Python package installation time, followed by scheduled execution of the retrieved payloads.
  • Anti-Analysis: Steganography hides the second stage inside a benign-looking audio file, defeating file-type and signature-based scanning of the download.
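The steganographic WAV stage described above, as an added Python example that is not TeamPCP's loader or any artifact from the pulse: the page does not describe the encoding, so this triage checks two generic carriers a parser can see without knowing the scheme, data appended after the RIFF container ends, and non-standard chunks holding a foreign file magic or packed high-entropy bytes. The sample WAVs and the stand-in payload are constructed inline. An encoding that spreads the stage across the low bits of real PCM samples would pass these checks, which is why the network and hash indicators further down remain the primary detection.

```python
"""Structural triage of WAV files for hidden payload carriers (added example)."""
import math
import struct
from typing import Optional

# Chunk IDs routinely emitted by audio tooling; anything else deserves a look.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext",
                b"JUNK", b"id3 ", b"smpl"}
# File-type magics that have no business inside an audio container.
FOREIGN_MAGICS = {b"MZ": "PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP",
                  b"\x1f\x8b": "gzip", b"#!": "script"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; packed or encrypted blobs sit near 8.0
MIN_BLOB = 256            # ignore tiny metadata chunks


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def foreign_magic(buf: bytes) -> Optional[str]:
    for magic, label in FOREIGN_MAGICS.items():
        if buf.startswith(magic):
            return label
    return None


def triage_wav(blob: bytes) -> dict:
    """Walk the RIFF structure and report generic payload-carrier indicators."""
    f = {"trailing_bytes": 0, "trailing_magic": None, "suspicious_chunks": [], "errors": []}
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        f["errors"].append("not a RIFF/WAVE container")
        return f
    declared_end = 8 + struct.unpack("<I", blob[4:8])[0]
    # Indicator 1: bytes past the declared RIFF size. Players ignore them; a loader does not.
    if len(blob) > declared_end:
        trailer = blob[declared_end:]
        f["trailing_bytes"] = len(trailer)
        f["trailing_magic"] = foreign_magic(trailer)
    # Indicator 2: chunks carrying a foreign magic, or unknown IDs with high-entropy bodies.
    pos, end = 12, min(declared_end, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + size]
        if len(body) < size:
            f["errors"].append(f"chunk {cid!r} truncated ({len(body)}/{size} bytes)")
            break
        magic = foreign_magic(body)
        if magic:
            f["suspicious_chunks"].append({"id": cid, "size": size, "reason": f"{magic} magic"})
        elif cid not in KNOWN_CHUNKS and size >= MIN_BLOB and shannon_entropy(body) >= ENTROPY_THRESHOLD:
            f["suspicious_chunks"].append({"id": cid, "size": size, "reason": "unknown id, high entropy"})
        pos += 8 + size + (size & 1)   # RIFF chunks are word-aligned
    return f


def is_suspicious(findings: dict) -> bool:
    return bool(findings["trailing_bytes"] or findings["suspicious_chunks"] or findings["errors"])


def build_wav(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed sample: a minimal 8-bit mono PCM WAV of silence (not a real artifact)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    chunks = [(b"fmt ", fmt), (b"data", b"\x80" * 800)] + list(extra_chunks)
    body = b"".join(cid + struct.pack("<I", len(d)) + d + (b"\x00" if len(d) & 1 else b"")
                    for cid, d in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body + trailer


# Stand-in for an encrypted stage: entropy exactly 8.0 bits/byte (constructed).
FAKE_STAGE = bytes(range(256)) * 8

if __name__ == "__main__":
    samples = {
        "clean.wav": build_wav(),
        "appended.wav": build_wav(trailer=b"MZ" + FAKE_STAGE),
        "chunked.wav": build_wav(extra_chunks=[(b"zzzz", FAKE_STAGE)]),
    }
    for name, blob in samples.items():
        r = triage_wav(blob)
        print(f"{name}: {'SUSPICIOUS' if is_suspicious(r) else 'ok'} {r}")
```

Run it over every .wav that a pip install or a Python process wrote to disk; a clean file yields no findings, while the appended and foreign-chunk variants are flagged without any knowledge of the actor's encoding.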

LofyStealer (LofyGang)

  • Distribution Method: Social engineering targeting Minecraft players (mod packs or cheats).
  • Payload Behavior: Two-stage malware. A 53.5MB Node.js loader hides inside legitimate libraries and drops a 1.4MB C++ payload that runs only in memory.
  • C2 Communication: Exfiltrates harvested data to a C2 server at 24.152.36.241.
  • Persistence Mechanism: Achieved via the Node.js loader component.
  • Anti-Analysis: Syscall evasion techniques and in-memory execution of the C++ payload to avoid disk-based scanning.

GhostSocks

  • Distribution Method: Malware-as-a-Service (MaaS) marketed on Russian underground forums.
  • Payload Behavior: GoLang-based binary that converts the host into a SOCKS5 residential proxy node.
  • C2 Communication: Uses TLS encryption to blend malicious traffic with normal web traffic.
  • Persistence Mechanism: Not detailed in the pulse beyond the standard mechanisms typical of Go malware (run keys, scheduled tasks or services); treat any of these pointing at the proxy binary as confirmation.
  • Anti-Analysis: TLS encryption obfuscates C2 traffic; often paired with Lumma Stealer to monetize the infection further.

IOC Analysis

The provided Indicators of Compromise (IOCs) span multiple vectors and require a layered defense:

  • Network Indicators (Domains/IPs):
    • scan.aquasecurtiy.org, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io (TeamPCP)
    • 24.152.36.241 (LofyStealer)
    • retreaw.click, w2.bruggebogeyed.site (GhostSocks)
    • Action: Add to firewall and proxy blocklists immediately. Match the actor-owned domains together with their subdomains, but pin the icp0.io entry to the full canister hostname, since raw.icp0.io is shared Internet Computer hosting and a bare suffix block would hit unrelated traffic. SOC teams should also hunt DNS, proxy and flow logs for historical connections to these endpoints.
  • File Hashes (SHA256/MD5):
    • Hashes for the TeamPCP payloads, the LofyStealer Node.js and C++ loaders, and the GhostSocks binaries are carried in the KQL and PowerShell hunts below.
    • Action: Load the hashes as custom indicators in the EDR, pivot on them in VirusTotal or Hybrid Analysis for behavioral context, and correlate with endpoint telemetry to identify patient zero.

Operationalizing IOCs: ingest the hashes and network indicators into SIEM/EDR correlation. Priority goes to the TeamPCP indicators, because a trojanized PyPI package reaches developer workstations and CI runners in any enterprise that installs Python dependencies, on Windows, Linux and macOS alike.
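The matching logic above, as an added Python example that is not code from the pulses or from OTX: it applies the page's network and hash indicators to constructed key=value log lines, matching actor-owned domains together with their subdomains, pinning the icp0.io entry to the exact canister hostname, and comparing hashes case-insensitively. The correctly spelled scan.aquasecurity.org and the placeholder canister aaaaa-aa-cai.raw.icp0.io in the sample are there to show what must not match; the host names and timestamps are invented.

```python
"""IOC matching over network and process logs for the three pulses (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Indicator:
    value: str
    family: str
    exact: bool = False   # True: match this hostname only, never its neighbours


INDICATORS = [
    Indicator("aquasecurtiy.org", "TeamPCP"),    # typosquat of aquasecurity.org
    Indicator("tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "TeamPCP", exact=True),
    Indicator("24.152.36.241", "LofyStealer"),
    Indicator("retreaw.click", "GhostSocks"),
    Indicator("bruggebogeyed.site", "GhostSocks"),
]

# SHA256 and MD5 values from the pulses, listed jointly on the page, so a hit is
# reported as a hash match rather than attributed to one family.
KNOWN_BAD_HASHES = {
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf",
    "ddd2994acd25bde5ac32a03f1cf30b41",
}


def normalize_host(value: str) -> str:
    """Lower-case and drop scheme, path, port and trailing dot (proxy logs vary)."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0]
    if v.count(":") == 1:            # host:port; IPv6 literals have more colons
        v = v.split(":", 1)[0]
    return v.rstrip(".")


def classify(value: str) -> Optional[str]:
    """Threat family for a hostname or IP, or None if no indicator matches."""
    host = normalize_host(value)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    for ioc in INDICATORS:
        if host == ioc.value:
            return ioc.family
        # Subdomain match only for actor-owned apex domains, never for shared hosts.
        if not is_ip and not ioc.exact and host.endswith("." + ioc.value):
            return ioc.family
    return None


def match_hash(digest: str) -> bool:
    return digest.strip().lower() in KNOWN_BAD_HASHES


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One hit per key=value log line that touches an indicator."""
    hits = []
    for line in lines:
        rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        hit = None
        for key in ("query", "dst"):
            family = classify(rec[key]) if key in rec else None
            if family:
                hit = {"indicator": normalize_host(rec[key]), "family": family}
                break
        for key in ("sha256", "md5"):
            if hit is None and key in rec and match_hash(rec[key]):
                hit = {"indicator": rec[key].lower(), "family": "Hash match"}
        if hit:
            hit.update(ts=rec.get("ts", ""), host=rec.get("host", ""))
            hits.append(hit)
    return hits


# Constructed log lines (not real telemetry): the first five must hit, the last three must not.
SAMPLE_LOG = [
    "ts=2026-05-02T10:14:03Z host=dev-ws-17 evt=dns query=scan.aquasecurtiy.org",
    "ts=2026-05-02T10:14:09Z host=build-agent-03 evt=conn dst=tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io:443",
    "ts=2026-05-02T11:02:41Z host=lab-pc-02 evt=conn dst=24.152.36.241:443",
    "ts=2026-05-02T11:30:00Z host=lib-kiosk-9 evt=dns query=W2.bruggebogeyed.site.",
    "ts=2026-05-02T11:31:12Z host=lib-kiosk-9 evt=proc sha256=6CF223AEA68B0E8031FF68251E30B6017A0513FE152E235C26F248BA1E15C92A",
    "ts=2026-05-02T12:00:00Z host=dev-ws-17 evt=dns query=scan.aquasecurity.org",          # vendor spelling, not C2
    "ts=2026-05-02T12:00:05Z host=student-11 evt=conn dst=aaaaa-aa-cai.raw.icp0.io:443",   # unrelated placeholder canister
    "ts=2026-05-02T12:00:09Z host=student-11 evt=conn dst=retreaw.click.example.net:80",  # not under the IOC domain
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']:<15} {h['family']:<11} {h['indicator']}")
```

The exact-versus-suffix distinction is the point: a naive `contains` on raw.icp0.io or on retreaw would page the SOC for every Internet Computer dapp and for unrelated hostnames that merely embed the string.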

Detection Engineering

```yaml
---
title: TeamPCP Supply Chain C2 Connection
description: >
    Detects network connections to known TeamPCP C2 infrastructure associated
    with the trojanized telnyx PyPI package. aquasecurtiy.org is a typosquat of
    the legitimate aquasecurity.org; the icp0.io entry is pinned to the single
    malicious canister hostname because raw.icp0.io is shared Internet Computer
    hosting. The loader is platform-specific, so port this logic to Linux and
    macOS network telemetry for developer workstations and CI runners.
status: experimental
date: 2026-05-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fc1e9f2f6e0d7e3b2e9e1
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'aquasecurtiy.org'
            - 'tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io'
    condition: selection
falsepositives:
    - None expected; a user mistyping aquasecurity.org would still reach attacker-controlled infrastructure, so treat every hit as a real contact
level: critical
---
title: LofyStealer C2 Connection
description: >
    Detects any process connecting to the LofyStealer C2 address. The Node.js
    loader may ship as a self-contained packaged binary rather than node.exe,
    so the rule deliberately does not filter on the image name; node.exe or an
    unsigned executable in a user-writable path is corroborating context.
status: experimental
date: 2026-05-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fc1f9f2f6e0d7e3b2e9e2
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.execution
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationIp: '24.152.36.241'
    condition: selection
falsepositives:
    - Legitimate services on the same address if it is later reassigned; confirm the indicator is still live before acting on historical hits
level: high
---
title: GhostSocks Proxy Botnet C2 Traffic
description: >
    Detects connections to GhostSocks C2 domains. An infected host also becomes
    a SOCKS5 relay, so follow a hit with a review of that host's outbound
    connection fan-out, which will include operator traffic to arbitrary
    destinations.
status: experimental
date: 2026-05-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fc209f2f6e0d7e3b2e9e3
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1090.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'retreaw.click'
            - 'bruggebogeyed.site'
    condition: selection
falsepositives:
    - Unknown
level: critical
```


```kql
// Hunt for TeamPCP, LofyStealer, and GhostSocks indicators (Microsoft Defender
// Advanced Hunting). A query may contain only one tabular expression, so the
// network and process hunts are bound with let and combined by a single union.
let C2Domains = dynamic([
    "scan.aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "retreaw.click", "w2.bruggebogeyed.site"
]);
let C2IPs = dynamic(["24.152.36.241"]);
let FileHashes = dynamic([
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "ddd2994acd25bde5ac32a03f1cf30b41"
]);
// Network hunt: RemoteUrl carries the hostname when DNS or proxy context is available
let NetworkHits = DeviceNetworkEvents
    | where RemoteUrl has_any (C2Domains) or RemoteIP in (C2IPs)
    | extend Threat = case(
        RemoteUrl has "aquasecurtiy" or RemoteUrl has "icp0", "TeamPCP",
        RemoteIP in (C2IPs), "LofyStealer",
        RemoteUrl has_any ("retreaw", "bruggebogeyed"), "GhostSocks",
        "Unknown")
    | project Timestamp, DeviceName, Threat, Account = InitiatingProcessAccountName,
              CommandLine = InitiatingProcessCommandLine,
              Indicator = strcat(RemoteUrl, " ", RemoteIP), SHA256 = InitiatingProcessSHA256;
// Process hunt: the pulses list both MD5 and SHA256, so check both columns
let ProcessHits = DeviceProcessEvents
    | where SHA256 in~ (FileHashes) or MD5 in~ (FileHashes)
    | project Timestamp, DeviceName, Threat = "Hash match", Account = AccountName,
              CommandLine = ProcessCommandLine, Indicator = FolderPath, SHA256;
union NetworkHits, ProcessHits
| order by Timestamp desc
```


```powershell
# IOC Hunt Script for TeamPCP, LofyStealer, and GhostSocks
# Run from an elevated PowerShell session: image paths and owning PIDs of
# other users' processes are only visible to administrators.

$MaliciousSha256 = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb"
)
$MaliciousMd5 = @(
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "ddd2994acd25bde5ac32a03f1cf30b41"
)

# Apex domains are matched as suffixes so subdomains are caught too; the icp0.io
# entry stays a full hostname because raw.icp0.io itself is shared hosting.
$MaliciousDomains = @(
    "aquasecurtiy.org",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "retreaw.click",
    "bruggebogeyed.site"
)
$MaliciousIPs = @("24.152.36.241")

function Test-MaliciousDomain {
    param([string]$Name)
    foreach ($Domain in $MaliciousDomains) {
        if ($Name -eq $Domain -or $Name.EndsWith(".$Domain")) { return $true }
    }
    return $false
}

Write-Host "[+] Scanning running process images against known-bad hashes..."
# Hash each distinct image once; many processes share the same binary.
$HashCache = @{}
foreach ($Proc in Get-Process) {
    $FilePath = $Proc.Path
    if (-not $FilePath -or -not (Test-Path $FilePath)) { continue }
    if (-not $HashCache.ContainsKey($FilePath)) {
        $Sha256 = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()
        $Md5    = (Get-FileHash -Path $FilePath -Algorithm MD5).Hash.ToLower()
        $HashCache[$FilePath] = ($MaliciousSha256 -contains $Sha256) -or ($MaliciousMd5 -contains $Md5)
    }
    if ($HashCache[$FilePath]) {
        Write-Host "[!] MALICIOUS PROCESS: $($Proc.ProcessName) (PID $($Proc.Id)) - $FilePath" -ForegroundColor Red
    }
}

Write-Host "[+] Checking established TCP connections for the C2 address..."
foreach ($Conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($MaliciousIPs -contains $Conn.RemoteAddress) {
        $Owner = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] CONNECTION TO C2 IP: $($Conn.RemoteAddress):$($Conn.RemotePort) (PID $($Conn.OwningProcess) $($Owner.ProcessName))" -ForegroundColor Red
    }
}

# The resolver cache only holds recent lookups for their TTL, so a clean result
# here does not clear the host; DNS server or proxy logs give the history.
Write-Host "[+] Checking the DNS client cache for C2 domains..."
foreach ($Entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ((Test-MaliciousDomain $Entry.Entry) -or (Test-MaliciousDomain $Entry.Name) -or ($MaliciousIPs -contains $Entry.Data)) {
        Write-Host "[!] C2 DOMAIN IN DNS CACHE: $($Entry.Entry) -> $($Entry.Data)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking whether telnyx is installed for the default Python interpreter..."
if (Get-Command python -ErrorAction SilentlyContinue) {
    $PipShow = & python -m pip show telnyx 2>$null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[!] telnyx is installed; compare Version and Location against the affected release in the OTX pulse:" -ForegroundColor Yellow
        $PipShow | Where-Object { $_ -match '^(Name|Version|Location):' } | ForEach-Object { Write-Host "    $_" }
    } else {
        Write-Host "    telnyx is not installed for the default interpreter (check venvs and CI images separately)."
    }
} else {
    Write-Host "    python not found on PATH; audit virtual environments manually."
}

Write-Host "[+] Hunt complete."
```

Response Priorities

  • Immediate: Block all listed domains and IPs at the perimeter firewall and proxy, pinning the icp0.io entry to the full canister hostname rather than the shared raw.icp0.io parent. Sweep endpoints for the file hashes carried in the hunts above. Isolate any host running the LofyStealer loader and any developer workstation or CI runner that installed the trojanized telnyx release.
  • 24h: If credential theft is suspected (LofyStealer or TeamPCP), force password resets for affected users and rotate every API key, token and cloud credential present on the compromised development environment, including the Telnyx API keys configured for the SDK. Audit internal package mirrors, lockfiles and CI images for the affected telnyx release.
  • 1 week: Review software supply chain controls: install from hash-pinned lockfiles (pip --require-hashes), verify package signatures or attestations where the index provides them, and confine dependency updates to reviewed versions. Tighten egress filtering and network segmentation so a GhostSocks node cannot relay operator traffic out through Education sector networks.
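The hash-pinned lockfile control from the 1 week item, as an added Python example that is neither the page's code nor pip's own implementation: it enforces the rules pip applies under --require-hashes (every requirement pinned with ==, every requirement carrying at least one --hash, artifact digest checked before install) and shows a tampered artifact being refused. The package name telnyx appears for context only; the version, the second package examplepkg and the artifact bytes are placeholders, and the digests are computed from those placeholders rather than taken from any real release.

```python
"""Hash-pinned dependency verification as pip --require-hashes enforces it (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Set

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    hashes: Dict[str, Set[str]] = field(default_factory=dict)


class LockfileError(ValueError):
    pass


def parse_lockfile(text: str) -> Dict[str, Pin]:
    """Parse requirements text, joining backslash continuations like pip does."""
    pins: Dict[str, Pin] = {}
    logical = re.sub(r"\\\n\s*", " ", text)          # join '\' continuation lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("-e ", "--editable")):
            raise LockfileError(f"editable requirement cannot be hash-verified: {line!r}")
        if line.startswith("-"):                      # global options such as --index-url
            continue
        m = PIN_RE.match(line)
        if not m:
            raise LockfileError(f"not pinned with '==': {line!r}")
        name = m.group(1).lower().replace("_", "-")   # PEP 503 style normalisation
        pin = Pin(name, m.group(2))
        for algo, digest in HASH_RE.findall(line):
            pin.hashes.setdefault(algo, set()).add(digest.lower())
        if not pin.hashes:
            raise LockfileError(f"{name}=={pin.version} has no --hash; require-hashes mode rejects it")
        pins[name] = pin
    return pins


def verify_artifact(pin: Pin, artifact: bytes) -> bool:
    """True only if the artifact matches one of the pinned digests for its algorithm."""
    return any(hashlib.new(algo, artifact).hexdigest() in digests
               for algo, digests in pin.hashes.items())


def check_install(lock_text: str, downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Per-package verdict: install only when the downloaded bytes match the lockfile."""
    verdicts = {}
    for name, pin in parse_lockfile(lock_text).items():
        blob = downloads.get(name)
        if blob is None:
            verdicts[name] = "MISSING"
        elif verify_artifact(pin, blob):
            verdicts[name] = "OK"
        else:
            verdicts[name] = "HASH MISMATCH: refuse to install"
    return verdicts


# Constructed artifacts standing in for downloaded wheels (not real telnyx files).
GOOD_WHEEL = b"telnyx-placeholder-wheel-contents"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# stage-one loader appended by the attacker"


def build_lockfile() -> str:
    """Lockfile pinned to the digest of the constructed good artifact; versions are placeholders."""
    good = hashlib.sha256(GOOD_WHEEL).hexdigest()
    return (
        "# constructed lockfile for the demo\n"
        "--index-url https://pypi.org/simple\n"
        f"telnyx==0.0.0 \\\n    --hash=sha256:{good}\n"
        "examplepkg==1.0.0 --hash=sha256:" + "0" * 64 + "\n"
    )


if __name__ == "__main__":
    lock = build_lockfile()
    print(check_install(lock, {"telnyx": GOOD_WHEEL, "examplepkg": b"x"}))
    print(check_install(lock, {"telnyx": TAMPERED_WHEEL}))
    for bad in ("telnyx>=2.0\n", "telnyx==0.0.0\n", "-e ./telnyx\n"):
        try:
            parse_lockfile(bad)
        except LockfileError as err:
            print("rejected:", err)
```

Pin real releases with the digests that `pip hash <wheel>` prints for artifacts you have reviewed, then install with `pip install --require-hashes -r requirements.txt`. pip then refuses any unpinned or unhashed requirement and any artifact whose digest differs, so a newly trojanized telnyx release cannot enter a locked build until someone deliberately updates the pin.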
