Recent OTX pulses indicate a convergence of high-efficacy delivery mechanisms targeting disparate sectors. Threat actors are increasingly abusing trusted infrastructure and trending technologies to reduce the friction defenders can put in their way.
- TeamPCP (CanisterWorm): A sophisticated supply chain attack targeting security infrastructure. The actor compromised open-source tools (Trivy, KICS, LiteLLM) and the Telnyx Python SDK to deliver a wiper payload via CVE-2025-55182.
- GachiLoader (Rhadamanthys): Adoption of "AI Agent" skills as a social engineering lure. Malicious actors are weaponizing the hype around AI tools (specifically OpenClaw) to trick users into executing Windows binaries, leading to Rhadamanthys infostealer deployment via fileless injection.
- Rebex Telegram RAT: A targeted campaign against Vietnam utilizing trojanized CVs in CHM format. The payload uses a complex execution chain involving Python loaders, C++ DLLs, and XOR encryption to establish a C2 channel over Telegram.
Collectively, these campaigns demonstrate a shift toward abusing trust (supply chains, AI trends) and using complex multi-stage loaders to evade static detection.
Threat Actor / Malware Profile
1. TeamPCP / CanisterWorm
- Type: Supply Chain Attacker / Wiper
- Distribution: Compromised open-source security packages (Trivy, KICS, LiteLLM) and Python SDKs.
- Behavior: Exploits CVE-2025-55182. Upon execution of the compromised software, the payload initiates a wiper mechanism designed to destroy data.
- C2: Uses Cloudflare tunnels (trycloudflare.com) and raw ICP endpoints (icp0.io) to mask command and control infrastructure.
2. GachiLoader
- Type: Loader / Dropper
- Distribution: Fake GitHub repositories hosting "AI Agent Skills" (OpenClaw). Pure social engineering; the skill files themselves are often inert, tricking users into downloading the malicious binary.
- Behavior: Acts as a dropper for Rhadamanthys infostealer. Utilizes Node.js SEA (Single Executable Application) and Electron droppers.
- Techniques: Fileless injection, blockchain C2 communication.
3. Rebex Telegram RAT
- Type: Remote Access Trojan
- Targeting: Vietnam (specifically via job application scams).
- Distribution: Trojanized CV documents in Compiled HTML Help (CHM) format.
- Behavior: Multi-stage payload starting with CHM, executing Python interpreters and C++ DLLs.
- Persistence: Shell hijacking (modifying registry keys to force execution of malicious code upon system shell start) and Scheduled Tasks.
- Evasion: Layered XOR encryption for payload obfuscation.
IOC Analysis
The provided indicators encompass a mix of file artifacts, vulnerabilities, and network infrastructure.
- File Hashes (SHA256/MD5/SHA1): High-fidelity indicators for the malicious binaries, loaders, and droppers. SOC teams should block execution of these hashes via EDR policies and retro-hunt historical endpoint telemetry for their presence.
- CVE (CVE-2025-55182): A critical vulnerability used in the TeamPCP campaign. Security teams must patch this specific CVE immediately in the context of Trivy, KICS, and LiteLLM deployments.
- Hostnames: Several Cloudflare tunnel and decentralized web hostnames (trycloudflare.com, icp0.io) are used for C2. These should be added to DNS blocklists and firewall deny-lists.
Detection Engineering
```yaml
title: Suspicious Process Spawn via Compromised Security Tools (TeamPCP)
id: 3e1a5c0a-8f4b-4b2a-9c1d-5e6f7a8b9c0d
description: Detects suspicious child processes spawned by known compromised security tools Trivy or KICS, indicative of supply chain exploitation.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\trivy.exe'
            - '\kics.exe'
    selection_suspicious:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripting initiated by the tools
level: high
---
title: CHM File Spawning Python Interpreter (Telegram RAT)
id: 7b8d9e1a-2c3f-4a5b-8e9d-1a2b3c4d5e6f
description: Detects compiled HTML help files (hh.exe) executing python.exe, a common pattern in recent Rebex-based Telegram RAT campaigns.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://dmpdump.github.io/posts/TelegramRat/
tags:
    - attack.initial_access
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\hh.exe'
    selection_child:
        Image|endswith: '\python.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate documentation accessed by developers
level: critical
---
title: GachiLoader Node.js Spawning Windows Binaries
id: 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
description: Detects Node.js or Electron processes spawning suspicious Windows binaries, potentially indicative of GachiLoader activity utilizing AI skill lures.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://www.threatdown.com/blog/gachiloader-adopts-ai-skill-lure/
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\electron.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate Node.js development toolchains
level: medium
```
```kql
// Hunt for TeamPCP C2 Infrastructure and CVE exploitation
DeviceNetworkEvents
| where RemoteUrl has "trycloudflare.com" or RemoteUrl has "icp0.io"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where InitiatingProcessFileName has "trivy" or InitiatingProcessFileName has "kics"
    | where FileName has "powershell" or FileName has "cmd"
)
```
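To show how the parent/child pairs from the three Sigma rules and the hostname terms from the KQL hunt behave on telemetry, here is an added Python example (not part of the original brief or of any vendor tooling) that evaluates them over constructed sample events; the device names, file paths and tunnel subdomain are made up for the example.

```python
"""Evaluate the brief's process-lineage and C2-hostname detections over sample events."""
from __future__ import annotations

# Parent/child image pairs taken from the three Sigma rules above (lower-cased basenames).
PROCESS_RULES = {
    "TeamPCP: compromised scanner spawning shell": (
        {"trivy.exe", "kics.exe"},
        {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"},
    ),
    "Telegram RAT: CHM viewer spawning Python": ({"hh.exe"}, {"python.exe"}),
    "GachiLoader: Node/Electron spawning LOLBins": (
        {"node.exe", "electron.exe"},
        {"cmd.exe", "regsvr32.exe", "mshta.exe"},
    ),
}
# C2 domains from the KQL hunt; a hit is the exact host or any subdomain of it.
C2_DOMAINS = ("trycloudflare.com", "icp0.io")

def basename(image: str) -> str:
    # Sigma 'endswith' on an image path effectively compares the final path component.
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def host_matches(host: str, domain: str) -> bool:
    # Suffix match on a label boundary, so 'evil-trycloudflare.com' does not match.
    h = host.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)

def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_title, device) for every event that trips a detection."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            for title, (parents, children) in PROCESS_RULES.items():
                if parent in parents and child in children:
                    hits.append((title, ev["device"]))
        elif ev["type"] == "network":
            # Strip scheme, path and port so a domain appearing in the URL path is ignored.
            host = ev["remote_url"].split("//")[-1].split("/")[0].split(":")[0]
            if any(host_matches(host, d) for d in C2_DOMAINS):
                hits.append(("TeamPCP C2 infrastructure contacted", ev["device"]))
    return hits

# Constructed sample telemetry (hostnames and paths are invented for this example).
SAMPLE_EVENTS = [
    {"type": "process", "device": "build01", "parent_image": "C:\\Tools\\trivy.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process", "device": "hr-laptop", "parent_image": "C:\\Windows\\hh.exe", "image": "C:\\Users\\Public\\python.exe"},
    {"type": "process", "device": "dev02", "parent_image": "C:\\Program Files\\nodejs\\node.exe", "image": "C:\\Windows\\System32\\regsvr32.exe"},
    {"type": "process", "device": "dev02", "parent_image": "C:\\Program Files\\nodejs\\node.exe", "image": "C:\\Windows\\System32\\conhost.exe"},
    {"type": "network", "device": "build01", "remote_url": "https://example-tunnel.trycloudflare.com/beacon"},
    {"type": "network", "device": "web01", "remote_url": "https://evil-trycloudflare.com/notrycloudflare.com.js"},
]

if __name__ == "__main__":
    for title, device in evaluate(SAMPLE_EVENTS):
        print(f"{device}: {title}")
```

The last two sample events illustrate the difference between the host-boundary match used here and a plain substring check, which would flag the look-alike domain.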
```powershell
# PowerShell Hunt Script for Telegram RAT Persistence and TeamPCP Artifacts

# Check for Shell Hijacking Persistence (User Shell Folders)
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
if (Test-Path $RegistryPath) {
    $values = Get-ItemProperty -Path $RegistryPath
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty appends
        if ($prop.Name -like 'PS*') { continue }
        # Flag folder entries that point at an executable outside the Windows directory.
        # The dot and the backslash must be escaped: an unescaped "." matches any character,
        # and "\W" inside "C:\Windows" is a regex character class rather than a literal path.
        if ($prop.Value -match '\.(exe|bat|cmd|dll)$' -and
            $prop.Value -notmatch '%SystemRoot%' -and
            $prop.Value -notmatch [regex]::Escape('C:\Windows')) {
            Write-Host "[ALERT] Suspicious Shell Hijack detected in: $($prop.Name) -> $($prop.Value)" -ForegroundColor Red
        }
    }
}

# Scan for specific IOCs (File Hashes example)
$TargetHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a",
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829"
)
Write-Host "Scanning C:\ for known malicious IOCs (This may take time)..."
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    # Get-FileHash returns upper-case hex; -contains compares strings case-insensitively
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $TargetHashes -contains $hash) {
        Write-Host "[MALWARE] Found malicious file: $($_.FullName)" -ForegroundColor Red
    }
}
```
Response Priorities
Immediate (0-24h):
- Patch CVE-2025-55182: Immediately update all instances of Trivy, KICS, and LiteLLM to the latest patched versions.
- Block IOCs: Push the associated SHA256 hashes and hostnames (trycloudflare.com, icp0.io) to EDR blocklists and Secure Web Gateways.
- Hunt for CHM files: Scan endpoints for recently modified .chm files and cross-reference with hh.exe spawning Python processes.
24-48h:
- Supply Chain Audit: Verify the integrity of open-source packages currently in use. Check for unexpected network connections from security scanning tools.
- Identity Verification: Due to the presence of Rhadamanthys (infostealer) and Telegram RAT, assume credentials may be compromised. Reset credentials for accounts with access to sensitive data, especially for users who interacted with "AI Skill" repositories.
1 Week:
- Architecture Hardening: Restrict the execution of security tools to dedicated jump boxes with strict egress filtering.
- Policy Update: Update user awareness training to highlight "AI Agent" and "OpenClaw" lures, and ban the execution of unsigned binaries masquerading as AI plugins.