
TeamPCP Supply Chain Attack, LofyStealer & GhostSocks Proxy: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 2, 2026
6 min read

Recent OTX Pulse data highlights a convergence of sophisticated supply chain compromises, credential theft operations, and proxy-based malware-as-a-service (MaaS). The primary threats include TeamPCP's weaponization of the legitimate telnyx Python SDK to distribute malware via PyPI, LofyGang's LofyStealer targeting the gaming ecosystem with in-memory payloads, and the emergence of GhostSocks, a GoLang-based MaaS turning compromised devices into residential proxy nodes. Collectively, these campaigns demonstrate a shift towards abusing trusted developer tools (Python/Node.js) for initial access and utilizing steganography and memory-only execution to evade traditional signature-based detection.

Threat Actor / Malware Profile

TeamPCP (Telnyx SDK Supply Chain)

  • Distribution Method: Software Supply Chain compromise. Malicious versions of the telnyx Python package uploaded to PyPI (750k+ monthly downloads).
  • Payload Behavior: Three-stage architecture. Stage 1 is the trojanized package. Stage 2 is a platform-specific loader. Stage 3 involves a payload hidden inside a WAV audio file using steganography.
  • C2 Communication: Encrypted channels utilized for exfiltration of harvested credentials.
  • Persistence Mechanism: Likely established via the Python environment startup scripts or scheduled tasks triggered by the package installation.
  • Anti-Analysis Techniques: Use of steganography to hide the final-stage (Stage 3) payload within a benign-looking WAV file; abuse of msbuild.exe for execution.
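Stage 3 of the TeamPCP chain hides its payload inside a WAV file. The triage check below is an added example (not code from the page or from the cited research) that walks the RIFF chunk list of a WAV and flags bytes the header does not account for, non-standard chunk IDs, and the entropy of each region; `build_wav`, the tone and the random blob are constructed stand-ins, not real samples.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for PCM audio."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def walk_riff(data: bytes):
    """Yield (chunk_id, payload_offset, size) for each chunk inside the declared RIFF size."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    end, pos = min(len(data), 8 + struct.unpack("<I", data[4:8])[0]), 12
    while pos + 8 <= end:
        cid, size = data[pos:pos + 4], struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, pos + 8, size
        pos += 8 + size + (size & 1)  # chunk payloads are word-aligned

KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext"}

def inspect_wav(data: bytes) -> dict:
    """Report trailing bytes past the RIFF body, unknown chunk IDs and per-region entropy."""
    chunks = list(walk_riff(data))
    trailing = data[8 + struct.unpack("<I", data[4:8])[0]:]  # bytes the header does not cover
    audio = b"".join(data[o:o + s] for c, o, s in chunks if c == b"data")
    unknown = sorted(c.decode("ascii", "replace") for c, _, _ in chunks if c not in KNOWN_CHUNKS)
    return {
        "chunks": [c.decode("ascii", "replace") for c, _, _ in chunks],
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "audio_entropy": round(shannon_entropy(audio), 2),
        "unknown_chunks": unknown,
        "suspicious": bool(trailing) or bool(unknown),
    }

def build_wav(samples: bytes, extra: bytes = b"") -> bytes:
    """Constructed 8 kHz / 16-bit / mono PCM file; `extra` is appended after the RIFF body."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra

# Constructed inputs: a 1 kHz tone, and a random blob standing in for an appended payload.
TONE = b"".join(struct.pack("<h", int(12000 * math.sin(math.pi * i / 4))) for i in range(4000))
BLOB = random.Random(7).randbytes(2048)
```

This catches payloads appended after the RIFF body or parked in a non-standard chunk; a payload embedded in the low-order bits of the `data` chunk would only show as a modest rise in `audio_entropy` and needs a comparison against a known-good copy of the file.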

LofyGang (LofyStealer)

  • Distribution Method: Social engineering targeting Minecraft players.
  • Payload Behavior: Two-stage malware. A 53.5MB Node.js loader disguised within legitimate libraries drops a 1.4MB native C++ payload (GrabBot/Slinky) that executes directly in memory (fileless).
  • C2 Communication: Standard HTTP/HTTPS to exfiltrate stolen data.
  • Persistence Mechanism: Registry run keys or startup folder modifications via the Node.js loader.
  • Anti-Analysis Techniques: Memory-only execution of the C++ payload to avoid disk scanning; syscall-based evasion techniques; an unusually large payload size to confuse simple heuristics.

GhostSocks (MaaS Provider)

  • Distribution Method: Malware-as-a-Service marketed on Russian underground forums; partnerships with info stealers like Lumma Stealer for distribution.
  • Payload Behavior: GoLang binary that compromises devices to function as residential proxy nodes (SOCKS5).
  • C2 Communication: Uses TLS encryption to blend malicious traffic with normal network activity.
  • Persistence Mechanism: Windows service or scheduled task creation.
  • Anti-Analysis Techniques: TLS encryption for C2 traffic; utilizing residential IP space of victims to evade IP-based reputation detection.
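GhostSocks turns the victim into a SOCKS5 relay, and port-based heuristics (the 1080 to 1085 range used by many proxy rules) miss relays listening elsewhere. Where the relayed SOCKS5 leg is visible in the clear (the operator-facing C2 is TLS-wrapped, so this does not apply to that channel), the RFC 1928 handshake can be recognised from the first bytes of each direction. This is an added example, not GhostSocks code or the page's own; `CLIENT` and `SERVER` are constructed byte strings.

```python
import socket
import struct

SOCKS_VER = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHODS = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USER_PASS"}

def parse_greeting(buf: bytes):
    """Client greeting: VER | NMETHODS | METHODS. Returns (method names, bytes consumed) or None."""
    if len(buf) < 2 or buf[0] != SOCKS_VER or buf[1] == 0 or len(buf) < 2 + buf[1]:
        return None
    n = buf[1]
    return [METHODS.get(m, f"0x{m:02x}") for m in buf[2:2 + n]], 2 + n

def parse_request(buf: bytes):
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT. Returns (cmd, host, port) or None."""
    if len(buf) < 4 or buf[0] != SOCKS_VER or buf[2] != 0x00:
        return None
    cmd, atyp = buf[1], buf[3]
    if atyp == 0x01 and len(buf) >= 10:                               # IPv4
        host, end = socket.inet_ntoa(buf[4:8]), 8
    elif atyp == 0x03 and len(buf) >= 5 and len(buf) >= 7 + buf[4]:   # length-prefixed domain
        host, end = buf[5:5 + buf[4]].decode("ascii", "replace"), 5 + buf[4]
    elif atyp == 0x04 and len(buf) >= 22:                             # IPv6
        host, end = socket.inet_ntop(socket.AF_INET6, buf[4:20]), 20
    else:
        return None
    return CMDS.get(cmd, f"0x{cmd:02x}"), host, struct.unpack("!H", buf[end:end + 2])[0]

def classify_flow(client_bytes: bytes, server_bytes: bytes) -> dict:
    """Classify a TCP flow from the first bytes seen in each direction, independent of port."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return {"socks5": False}
    methods, used = greeting
    # Server method selection is VER | METHOD; 0xFF means "no acceptable method".
    accepted = len(server_bytes) >= 2 and server_bytes[0] == SOCKS_VER and server_bytes[1] != 0xFF
    request = parse_request(client_bytes[used:]) if accepted else None
    return {"socks5": True, "methods": methods, "server_accepted": accepted, "request": request}

# Constructed sample: no-auth greeting, then CONNECT example.com:443; the server accepts.
CLIENT = b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443)
SERVER = b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00"
```

A hit from `classify_flow` on an outbound connection from an unsigned binary is the content-level confirmation the port heuristic alone cannot give; a TLS ClientHello (0x16 0x03 ...) or HTTP request never matches.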

IOC Analysis

The provided IOCs include a mix of network infrastructure and file artifacts critical for detection:

  • File Hashes (SHA256, MD5, SHA1): These represent the malicious loaders, Node.js bundles, and GoLang binaries. SOC teams should load these into EDR solutions to immediately identify malicious files on disk or in memory.
  • Domains & Hostnames (e.g., scan.aquasecurtiy.org, retreaw.click): These serve as C2 servers and payload staging sites. These should be blocked at the perimeter and DNS level.
  • IPv4 Addresses (e.g., 24.152.36.241): Direct C2 IPs. Operationalize by blocking inbound/outbound connections to these specific IPs on firewalls.

Operational Guidance: While file hashes are effective for retrospective hunts, the domains and IPs should be prioritized for real-time blocking given the active nature of these campaigns. Security teams should also monitor for large-scale PyPI package downloads from non-build servers to detect supply chain propagation.

Detection Engineering

```yaml
---
title: Potential TeamPCP PyPI Supply Chain Attack Activity
id: 8e2f1a0d-5b4c-4a9e-9f1d-2c3d4e5f6a7b
description: Detects suspicious activity indicative of the TeamPCP campaign involving msbuild.exe spawned by Python processes or unusual WAV file processing following a package installation.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
tags:
    - attack.execution
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_python_msbuild:
        ParentImage|endswith: '\python.exe'
        Image|endswith: '\msbuild.exe'
    selection_stego:
        Image|endswith: '\python.exe'
        CommandLine|contains: '.wav'
    condition: 1 of selection_*
falsepositives:
    - Legitimate developer builds using Python scripts
level: high

---
title: LofyStealer Node.js Loader Activity
date: 2026/05/03
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects potential LofyStealer activity where a Node.js process spawns suspicious child processes or accesses browser credential directories.
author: Security Arsenal
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
    - attack.credential_access
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_node_parent:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    selection_browser_access:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - '\Google\Chrome\User Data'
            - '\Mozilla\Firefox\Profiles'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Node.js development scripts
level: medium

---
title: GhostSocks Proxy and GoLang MaaS Activity
date: 2026/05/03
id: 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
status: experimental
description: Detects potential GhostSocks or similar GoLang MaaS proxy malware by identifying unsigned binaries establishing SOCKS5-like connections or high port usage.
author: Security Arsenal
references:
    - https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware
tags:
    - attack.command_and_control
    - attack.t1090.003
logsource:
    category: network_connection
    product: windows
detection:
    selection_go_proxy:
        Image|endswith: '.exe'
        Initiated: 'true'
        # Common SOCKS5 listener range; the Sigma spec has no "between" modifier, so the ports are enumerated
        DestinationPort:
            - 1080
            - 1081
            - 1082
            - 1083
            - 1084
            - 1085
    selection_suspicious_tls:
        DestinationPort: 443
        Image|endswith: '.exe'
        # Signature status is not carried by most Windows network_connection sources (Sysmon Event ID 3 among them);
        # enrich the event with process telemetry first, otherwise this selection never matches
        Signed: 'false'
    condition: 1 of selection_*
falsepositives:
    - Legitimate proxy software usage
level: high
```

```kql
// Hunt for TeamPCP, LofyStealer, and GhostSocks IOCs
// File Hash Hunt (list mixes SHA256 and MD5 values from the pulse; each column is checked against the whole list)
let MaliciousHashes = pack_array(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "97e073abd819d9cdc07705aeaa481f59",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "ddd2994acd25bde5ac32a03f1cf30b41",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
);
DeviceProcessEvents
| where SHA256 in (MaliciousHashes) or MD5 in (MaliciousHashes) or SHA1 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, SHA256
// Network IOC Hunt: C2 / staging domains and the direct C2 IP
| union (
    DeviceNetworkEvents
    | where RemoteUrl has_any ("scan.aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "aquasecurtiy.org", "retreaw.click", "w2.bruggebogeyed.site")
       or RemoteIP == "24.152.36.241"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
)
```

```powershell
# IOC Hunt Script for TeamPCP, LofyStealer, and GhostSocks
# Requires Administrative Privileges. Hashing every file under C:\ is slow; narrow -Path for triage.

$MaliciousSHA256 = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
)

$MaliciousDomains = @(
    "scan.aquasecurtiy.org",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "aquasecurtiy.org",
    "retreaw.click",
    "w2.bruggebogeyed.site"
)

$MaliciousIP = "24.152.36.241"

Write-Host "[*] Checking for malicious file hashes..."
# -File skips directories; -contains compares case-insensitively, so Get-FileHash's upper-case output matches
Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Extension -in ".exe",".dll",".py",".js" } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $MaliciousSHA256 -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (SHA256: $hash)" -ForegroundColor Red
        }
    }

Write-Host "[*] Checking DNS cache for malicious domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $MaliciousDomains) {
    if ($DnsCache.Name -like "*$domain*") {
        Write-Host "[!] MALICIOUS DOMAIN ENTRY FOUND: $domain" -ForegroundColor Red
    }
}

Write-Host "[*] Checking for active network connections to malicious IP..."
# -SimpleMatch keeps the dots in the IP from being treated as regex wildcards
$netstat = netstat -ano | Select-String -SimpleMatch $MaliciousIP
if ($netstat) {
    Write-Host "[!] ACTIVE CONNECTION FOUND: $netstat" -ForegroundColor Red
} else {
    Write-Host "[-] No active connections found to $MaliciousIP."
}

Write-Host "[*] Checking for unusual msbuild.exe processes (TeamPCP indicator)..."
# Win32_Process exposes ParentProcessId on Windows PowerShell 5.1 as well as PowerShell 7
$msbuild = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msbuild.exe'" -ErrorAction SilentlyContinue
foreach ($proc in $msbuild) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
    if ($parent -and $parent.Name -ieq "python.exe") {
        Write-Host "[!] SUSPICIOUS MSBUILD PROCESS: PID $($proc.ProcessId) spawned by python.exe (PID $($parent.ProcessId))" -ForegroundColor Red
    }
}
```

Response Priorities

  • Immediate: Block all listed domains (e.g., retreaw.click, aquasecurtiy.org) and the IP 24.152.36.241 on perimeter firewalls and proxies. Initiate a scan for the provided file hashes across all endpoints to identify active infections.
  • 24h: Conduct an audit of Python package repositories (PyPI mirrors) and build environments to ensure no compromised versions of the telnyx SDK remain. If credential theft is suspected (LofyStealer), force password resets for privileged accounts and monitor for suspicious identity activity.
  • 1 week: Review software supply chain security policies. Implement strict pinning of Python package versions and checksum verification. Restrict the execution of unsigned binaries (especially GoLang executables) and monitor for unauthorized proxy software installation.
