Recent OTX pulses highlight a converging threat landscape involving supply chain compromise, targeted credential theft, and infrastructure abuse. The primary threat is TeamPCP, which has weaponized the popular telnyx Python SDK on PyPI, a package with roughly 750,000 monthly downloads. Concurrently, LofyGang is pushing "LofyStealer" (aka GrabBot) via social engineering against Minecraft players using a multi-stage Node.js/C++ loader chain. Finally, GhostSocks represents a Malware-as-a-Service (MaaS) evolution, turning infected endpoints into residential proxy nodes, often partnered with Lumma Stealer. Collectively, these campaigns emphasize a shift toward steganography, in-memory execution, and the abuse of legitimate developer tools to evade detection.
Threat Actor / Malware Profile
1. TeamPCP (Supply Chain / Credential Theft)
- Distribution: Malicious Python packages uploaded to PyPI (the telnyx SDK).
- Payload Behavior: Three-stage architecture. Stage 1 triggers a platform-specific loader. Stage 2 downloads a payload hidden inside a WAV file using steganography. Stage 3 deploys a credential harvester.
- Tools/LOLBins: Uses msbuild.exe and a script named sysmon.py, likely for evasion or execution. msbuild.exe is a signed Microsoft binary that will compile and run inline tasks from a project file, which makes it a convenient proxy for executing attacker code; the sysmon.py name is a Python file and presumably chosen to resemble Microsoft Sysmon, not the real tool.
- Objective: Theft of various encrypted credentials and exfiltration.
2. LofyGang / LofyStealer (Infostealer)
- Distribution: Social engineering targeting Minecraft players (disguised as mods/tools).
- Payload Behavior: A 53.5MB Node.js-based loader drops a 1.4MB native C++ payload that executes directly in memory.
- Target: Steals cookies, passwords, tokens, credit cards, and IBANs from eight major browsers.
- Techniques: Syscall-level evasion (sidestepping user-mode API hooks that EDR agents rely on), in-memory execution ("fileless"), and hiding within legitimate libraries.
3. GhostSocks (Proxy Botnet)
- Distribution: Marketed on Russian underground forums as MaaS.
- Payload Behavior: Written in Go. Compromises devices to act as residential proxy nodes.
- C2 Communication: Uses SOCKS5 proxy protocol with TLS encryption to blend in with normal traffic.
- Partnerships: Integrates with Lumma Stealer to double-monetize infections (proxy access + data theft).
IOC Analysis
The provided indicators span multiple vectors requiring different response actions:
- File Hashes (SHA256/MD5/SHA1): High-fidelity indicators for the LofyStealer payloads, TeamPCP components, and GhostSocks binaries. Use them for EDR quarantines and disk scans, keeping in mind that the LofyStealer C++ stage runs in memory and may never be written to disk.
- Domains & Hostnames: aquasecurtiy.org, retreaw.click, and w2.bruggebogeyed.site indicate C2 infrastructure. Note that aquasecurtiy.org is a typosquat of aquasecurity.org (the 'i' and 't' are transposed). Block these on DNS resolvers, proxies, and firewalls.
- IP Addresses: 24.152.36.241 is a C2 node for LofyStealer requiring immediate blocking.
- Network Signatures: Hunt for large or anomalous WAV downloads (the steganographic carrier) and unexpected SOCKS5 traffic, particularly long-lived outbound TLS sessions from hosts that have no business acting as proxies.
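The "anomalous WAV" hunt above is easier to act on with a structural check than with a size threshold alone. The following is an added example, not code from the OTX pulses or from Security Arsenal: it parses the RIFF/WAVE chunk list and flags the two simplest ways a file can carry a payload, bytes appended after the declared RIFF end and non-standard chunks. The pulses do not state which embedding method TeamPCP uses; if the payload is hidden in the sample data itself (LSB-style), these checks will not fire and the duration reported by the script is the only hint. The sample files are constructed inline, and the "MZ" payload is a placeholder, not a real stage.

```python
"""Structural triage of WAV files for appended or out-of-band payloads (added example)."""
import struct
from typing import Dict, List, Tuple

# Chunk IDs a normal WAV writer emits. Anything else is not proof of malice,
# but it is rare enough in downloaded audio to be worth a look.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext", b"PEAK", b"smpl", b"id3 "}


def parse_chunks(blob: bytes) -> Tuple[int, List[Tuple[bytes, int, int]]]:
    """Return (declared RIFF end offset, [(chunk_id, payload_offset, payload_size), ...])."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE container")
    riff_end = 8 + struct.unpack_from("<I", blob, 4)[0]  # size field excludes the 8-byte RIFF header
    chunks, pos = [], 12
    limit = min(riff_end, len(blob))
    while pos + 8 <= limit:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        chunks.append((cid, pos + 8, size))
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length
    return riff_end, chunks


def analyze_wav(blob: bytes) -> Dict:
    """Report trailing bytes, non-standard chunks and nominal audio length for one file."""
    riff_end, chunks = parse_chunks(blob)
    findings: List[str] = []
    trailing = max(0, len(blob) - riff_end)
    if trailing:
        findings.append(f"{trailing} bytes appended after the declared RIFF end")
    unknown = []
    for cid, off, size in chunks:
        if cid not in KNOWN_CHUNKS:
            unknown.append(cid.decode("latin-1"))
            findings.append(f"non-standard chunk {cid!r} of {size} bytes at offset {off - 8}")
    fmt = next(((off, size) for cid, off, size in chunks if cid == b"fmt "), None)
    data_sizes = [size for cid, _, size in chunks if cid == b"data"]
    seconds = None
    if fmt and data_sizes and fmt[1] >= 16:
        byte_rate = struct.unpack_from("<HHII", blob, fmt[0])[3]  # format, channels, rate, byte_rate
        if byte_rate:
            seconds = round(sum(data_sizes) / byte_rate, 3)
    if not data_sizes:
        findings.append("no data chunk: the file has nothing to play")
    return {"trailing_bytes": trailing, "unknown_chunks": unknown,
            "audio_seconds": seconds, "findings": findings, "suspicious": bool(findings)}


# --- constructed test data, not files from the campaign ---
def pcm_fmt(rate: int = 8000, channels: int = 1, bits: int = 16) -> bytes:
    block_align = channels * bits // 8
    return struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)


def build_wav(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    body = b"".join(cid + struct.pack("<I", len(p)) + p + (b"\x00" if len(p) & 1 else b"")
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


SILENCE = b"\x00" * 16000                      # one second of 8 kHz 16-bit mono silence
FAKE_PAYLOAD = b"MZ" + b"\x90" * 500           # placeholder blob standing in for a stage
SAMPLE_CLEAN = build_wav([(b"fmt ", pcm_fmt()), (b"data", SILENCE)])
SAMPLE_APPENDED = SAMPLE_CLEAN + FAKE_PAYLOAD  # payload glued after the RIFF structure
SAMPLE_CUSTOM_CHUNK = build_wav([(b"fmt ", pcm_fmt()), (b"data", SILENCE), (b"zzzz", FAKE_PAYLOAD)])

if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN), ("appended", SAMPLE_APPENDED),
                       ("custom chunk", SAMPLE_CUSTOM_CHUNK)]:
        print(f"{name:13s}", analyze_wav(blob))
```

Point analyze_wav at WAV files pulled from proxy logs or EDR file events; a file whose audio_seconds is a few seconds but whose size is several megabytes deserves the same attention as one with trailing bytes.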
Detection Engineering
Sigma Rules
title: TeamPCP PyPI Supply Chain Compromise
id: 48c9f2a1-8d3e-4b2a-9c1d-7e8f9a0b1c2d
description: Detects process-creation patterns attributed to the trojaned telnyx SDK, a Python interpreter spawning msbuild.exe or launching a child whose command line references a .wav file (the steganographic carrier). The WAV download itself is a network or file event and will not appear here; pair this rule with proxy or file telemetry.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6cf223aea68b0e8031ff68251e30b6017a0513fe
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
    - attack.t1059.006
    - attack.defense_evasion
    - attack.t1127.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_python_msbuild:
        ParentImage|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        Image|endswith: '\msbuild.exe'
    selection_stego:
        ParentImage|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        CommandLine|contains: '.wav'
    condition: 1 of selection_*
falsepositives:
    - Developer build environments that drive MSBuild from Python scripts
    - Audio-processing tooling written in Python
level: high
---
title: LofyStealer Node.js Loader Activity
id: 59d0e3b2-9e4f-5c3b-0d2e-8f0a1b2c3d4e
description: Detects a Node.js process reading browser profile directories, the behavior expected from the LofyStealer loader once its in-memory C++ stage starts harvesting cookies, passwords and tokens.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/293006cec43c663ccff331795d662c3b73b4d7af
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        TargetFilename|contains:
            - '\Google\Chrome\User Data'
            - '\Microsoft\Edge\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Opera Software\Opera Stable'
    condition: selection
falsepositives:
    - Legitimate browser automation tools (Puppeteer, Playwright) running under node.exe
level: medium
---
title: Known C2 Infrastructure Connection (GhostSocks / LofyStealer)
id: 60e1f4c3-0f50-6d4c-1e3f-901b2c3d4e5f
description: Detects outbound connections to the C2 domains and the IP address listed in the referenced OTX pulses. The IP belongs to the LofyStealer pulse; it is grouped here so that one rule covers every network IOC in this set. On Windows this maps to Sysmon Event ID 3.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/59312a8d6663c9a404d0b5aa96b70be3946592e5
tags:
    - attack.command_and_control
    - attack.t1090
    - attack.t1573
logsource:
    category: network_connection
    product: windows
detection:
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'retreaw.click'
            - 'bruggebogeyed.site'
            - 'aquasecurtiy.org'
    selection_ip:
        Initiated: 'true'
        DestinationIp: '24.152.36.241'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; these are attacker-controlled names and addresses
level: critical
KQL Hunt Query
// Hunt for TeamPCP, LofyStealer, and GhostSocks indicators (Microsoft Defender Advanced Hunting).
// Advanced Hunting executes a single query per run; run the three blocks below separately.
// String comparisons use the case-insensitive operators (=~, in~) because file names and
// hash casing vary across sensors.

// 1. Network connections to C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("retreaw.click", "bruggebogeyed.site", "aquasecurtiy.org")
    or RemoteIP == "24.152.36.241"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// 2. Files matching known malicious hashes (LofyStealer & GhostSocks)
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in~ (
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
) or MD5 in~ (
    "97e073abd819d9cdc07705aeaa481f59",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "ddd2994acd25bde5ac32a03f1cf30b41"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName

// 3. Process creation: Python spawning MSBuild, or a Python child referencing a WAV file (TeamPCP)
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("python.exe", "pythonw.exe")
| where FileName =~ "msbuild.exe" or ProcessCommandLine has ".wav"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
PowerShell Hunt Script
<#
.SYNOPSIS
    Hunt script for TeamPCP, LofyStealer, and GhostSocks indicators.
.DESCRIPTION
    Checks established TCP connections against the known C2 IP, checks the local DNS
    client cache for the C2 domains, and scans common drop directories for the published
    SHA256 and MD5 hashes. Run from an elevated PowerShell session so that owning processes
    and all user directories are readable. Disk scanning will not find the LofyStealer C++
    stage, which runs in memory; the network and DNS checks cover that case.
#>
$MaliciousDomains = @("retreaw.click", "bruggebogeyed.site", "aquasecurtiy.org")
$MaliciousIPs     = @("24.152.36.241")
$MaliciousSha256  = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
)
$MaliciousMd5 = @(
    "97e073abd819d9cdc07705aeaa481f59",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "ddd2994acd25bde5ac32a03f1cf30b41"
)

Write-Host "[*] Checking established TCP connections for the C2 IP..."
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] ALERT: Connection to $($_.RemoteAddress):$($_.RemotePort) from $($Process.ProcessName) (PID: $($_.OwningProcess))" -ForegroundColor Red
    }

# A reverse lookup on the remote IP rarely returns the attacker's hostname, so check what
# this host actually resolved. The cache only holds recent lookups; pair this with DNS server logs.
Write-Host "[*] Checking the DNS client cache for C2 domains..."
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($Domain in $MaliciousDomains) {
        if ($_.Entry -like "*$Domain") {
            Write-Host "[!] ALERT: DNS cache holds $($_.Entry) -> $($_.Data)" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Scanning common stager/malware paths for known hashes..."
$SuspiciousPaths = @(
    "$env:APPDATA\npm",
    "$env:TEMP",
    "$env:USERPROFILE\Downloads"
)
foreach ($Path in $SuspiciousPaths) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        # -contains compares strings case-insensitively, so the upper-case Get-FileHash output matches
        $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -and ($MaliciousSha256 -contains $Sha256)) {
            Write-Host "[!] ALERT: SHA256 match at $($_.FullName)" -ForegroundColor Red
            return   # inside ForEach-Object, return moves on to the next file
        }
        $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($Md5 -and ($MaliciousMd5 -contains $Md5)) {
            Write-Host "[!] ALERT: MD5 match at $($_.FullName)" -ForegroundColor Red
        }
    }
}
Write-Host "[*] Hunt complete."
Response Priorities
- Immediate (0-4h):
  - Block all listed domains (aquasecurtiy.org, retreaw.click, bruggebogeyed.site) and the IP 24.152.36.241 at the perimeter firewall and DNS layer.
  - Initiate endpoint scans for the provided SHA256 and MD5 hashes.
  - Isolate any endpoints with positive hits.
- 24h:
  - Audit PyPI package usage in enterprise environments. If telnyx is installed, verify the integrity of the installed files or force an update to a clean version (if available). Check for msbuild.exe execution chains originating from Python.
  - Because LofyStealer steals browser-stored passwords, cookies and tokens, force password resets and revoke active sessions for high-privilege accounts on endpoints that may be affected (gaming/developer workstations). A password reset alone leaves stolen session cookies valid until they expire or are revoked.
- 1 Week:
  - Implement software supply chain controls (require signed packages, pin dependency versions together with their hashes).
  - Review egress proxy rules to detect unauthorized SOCKS5 traffic.
  - Harden developer workstations against msbuild.exe abuse (e.g., via AppLocker or WDAC rules that restrict which users and parent processes may launch it).
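The 24h item asks you to verify the integrity of an installed package. pip records a SHA256 for every file it installs in the distribution's RECORD manifest (URL-safe base64, no padding), so an install can be checked against that manifest without network access. The script below is an added example written for this page, not tooling from Security Arsenal or the telnyx project: verify_dist recomputes each listed hash, reports files that changed or vanished, and lists files inside the package directory that RECORD never mentioned, which is where a dropped sysmon.py would show up. The package layout it checks (examplesdk-1.0.0) is constructed in a temp directory for the demo; run it on a real install by pointing verify_dist at the dist-info directory under the Location shown by `pip show -f telnyx`.

```python
"""Verify an installed Python distribution against its RECORD manifest (added example)."""
import base64
import csv
import hashlib
import tempfile
from pathlib import Path


def record_hash(data: bytes) -> str:
    # RECORD stores sha256 as URL-safe base64 without '=' padding (PEP 376 / PEP 427)
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_dist(dist_info: Path) -> dict:
    """Compare files on disk with the RECORD written at install time.
    Returns sorted lists: modified (hash mismatch), missing, unlisted (on disk, not in RECORD)."""
    site = dist_info.parent
    listed, modified, missing = set(), [], []
    with (dist_info / "RECORD").open(newline="") as fh:
        for row in csv.reader(fh):
            if not row or not row[0]:
                continue
            rel = row[0]
            listed.add(rel)
            digest = row[1] if len(row) > 1 else ""
            if not digest:            # RECORD lists itself (and .pyc files) with no hash
                continue
            target = site / rel
            if not target.is_file():
                missing.append(rel)
            elif record_hash(target.read_bytes()) != digest:
                modified.append(rel)
    # Walk the package's own top-level directories (derived from RECORD) for files it never listed.
    top_dirs = {Path(rel).parts[0] for rel in listed
                if len(Path(rel).parts) > 1 and Path(rel).parts[0] != dist_info.name}
    unlisted = []
    for top in top_dirs:
        for path in (site / top).rglob("*"):
            if path.is_file() and "__pycache__" not in path.parts and path.suffix != ".pyc":
                rel = path.relative_to(site).as_posix()
                if rel not in listed:
                    unlisted.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unlisted": sorted(unlisted)}


# --- constructed fixture: a tiny installed distribution, not the real telnyx package ---
PKG = "examplesdk"
DIST = f"{PKG}-1.0.0.dist-info"


def build_fixture(site: Path) -> Path:
    """Write a minimal install with a correct RECORD and return its dist-info path."""
    files = {
        f"{PKG}/__init__.py": b"__version__ = '1.0.0'\n",
        f"{PKG}/client.py": b"def send(msg):\n    return len(msg)\n",
        f"{DIST}/METADATA": b"Name: examplesdk\nVersion: 1.0.0\n",
    }
    for rel, data in files.items():
        path = site / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    with (site / DIST / "RECORD").open("w", newline="") as fh:
        writer = csv.writer(fh)
        for rel, data in files.items():
            writer.writerow([rel, record_hash(data), len(data)])
        writer.writerow([f"{DIST}/RECORD", "", ""])
    return site / DIST


def tamper(site: Path) -> None:
    """Simulate post-install tampering: patch one module and drop an extra file (constructed)."""
    (site / PKG / "client.py").write_bytes(b"def send(msg):\n    return len(msg)  # patched\n")
    (site / PKG / "sysmon.py").write_bytes(b"# file the installer never wrote\n")


def demo() -> tuple:
    """Return (result on a clean install, result after tampering)."""
    site = Path(tempfile.mkdtemp())
    dist_info = build_fixture(site)
    clean = verify_dist(dist_info)
    tamper(site)
    return clean, verify_dist(dist_info)


if __name__ == "__main__":
    before, after = demo()
    print("clean install:  ", before)
    print("after tampering:", after)
```

This catches changes made after installation. It cannot catch a release that was malicious when published, because the attacker wrote a self-consistent RECORD into that wheel; for that case compare the downloaded artifact's hash with the digests PyPI publishes for the version you expect, and go forward with `pip install --require-hashes` against a pinned requirements file so a swapped artifact fails to install at all.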