Back to Intelligence

TeamPCP Supply Chain Onslaught & ClickFix Infostealers: Lumma, Vidar, Trigona Exfil Tooling — Detection Pack

SA
Security Arsenal Team
April 25, 2026
6 min read

The current threat landscape reflects a dangerous convergence of sophisticated supply chain compromises and broad social engineering campaigns, all converging on credential theft and data exfiltration.

OTX data indicates that TeamPCP is highly active, successfully poisoning the distribution channels of critical developer tools including Checkmarx KICS, Trivy, and Docker Hub images. The objective is clear: harvest credentials and infrastructure-as-code secrets by injecting malware (e.g., mcpAddon.js, Canister Worm) directly into trusted build environments.

Simultaneously, ClickFix campaigns are targeting Windows and macOS users across Finance and Gov sectors. These campaigns utilize living-off-the-land (LotL) techniques to trick users into running malicious commands via native system tools, ultimately deploying infostealers like Lumma Stealer, Vidar, and RedLine. Finally, Trigona ransomware affiliates (tracked as Rhantus) have adopted a custom Go-based exfiltration tool (uploader_client.exe) to streamline data theft, signaling a shift away from standard tools like Rclone.

Threat Actor / Malware Profile

TeamPCP (Supply Chain Aggressor)

  • Malware: mcpAddon.js, Canister Worm, Trivy trojanizer.
  • Distribution: Poisoned public Docker Hub images, compromised GitHub Actions, mutable tags in npm/VS Code extensions.
  • Objective: Credential theft from CI/CD pipelines and IaC scan reports.
  • C2/Persistence: Establishes persistence within build agents; exfiltrates scan reports containing secrets to attacker-controlled infrastructure (e.g., checkmarx.zone).

GlassWorm

  • Target: Developers and Blockchain users.
  • Distribution: Compromised code repositories and package managers.
  • Behavior: Multi-stage execution; uses Solana blockchain for C2 communication to evade network detection; installs fake browser extensions for surveillance.
  • Capabilities: Steals cryptocurrency wallets, dev credentials, and installs a RAT.

ClickFix Operators

  • Malware: Lumma Stealer, Vidar, Odyssey Stealer, NetSupport RAT.
  • Distribution: Social engineering campaigns impersonating Intuit QuickBooks, Booking.com, etc.
  • TTPs: "ClickFix" technique—manipulates victims into copying/pasting commands into PowerShell/Terminal to resolve fake browser errors (LotL).

Trigona (Rhantus Affiliate)

  • Malware: Custom uploader_client.exe.
  • Behavior: Uses kernel driver abuse (via tools like PCHunter or DumpGuard) to disable security software.
  • Exfiltration: Custom tool supports parallel streams and connection rotation to evade network DLP.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators:

  • Domains (ClickFix & TeamPCP): Includes spoofed or suspicious domains like ustazazharidrus.com (ClickFix) and checkmarx.zone (TeamPCP). These should be blocked at the DNS layer and Sinkholed.
  • IP Addresses: 94.154.172.43 associated with the KICS compromise. Immediate blocklisting is required on perimeter firewalls.
  • File Hashes: Multiple SHA256 and MD5 hashes provided for the trojanized KICS binaries and Trigona exfiltration tools. These should be added to EDR allowlist/denylist policies immediately.
  • Hostnames: Suspicious hostnames related to the Trivy compromise (scan.aquasecurtiy.org - note the typo in the legitimate domain) attempting to tunnel via Cloudflare tunnels (trycloudflare.com).

SOC teams should operationalize these by uploading the CSV to their SIEM correlation engine to alert on any DNS requests or file executions matching these hashes.

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix Social Engineering Activity
description: Detects suspicious PowerShell execution patterns often associated with ClickFix campaigns where users are tricked into running obfuscated commands via copy-paste.
id: 5a1b2c3d-4e5f-6789-0abc-1def2a3b4c5d
status: experimental
author: Security Arsenal Research
date: 2026/04/25
tags:
  - attack.execution
  - attack.initial_access
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'iex'
      - 'CopyTo-Clipboard'
      - 'Set-Clipboard'
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Windows Defender\'
  condition: selection and not filter_legit
falsepositives:
  - Administrative scripts
level: high
---
title: TeamPCP Supply Chain Compromise - Suspicious KICS or Trivy Network Connection
description: Detects network connections from known compromised binaries (KICS/Trivy) to non-standard infrastructure or domains associated with TeamPCP.
id: b2c3d4e5-6f78-90ab-cdef-1a2b3c4d5e6f
status: experimental
author: Security Arsenal Research
date: 2026/04/25
tags:
  - attack.exfiltration
  - attack.credential_access
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\kics.exe'
      - '\trivy.exe'
  selection_suspicious_dest:
    DestinationHostname|contains:
      - 'checkmarx.zone'
      - 'aquasecurtiy.org' # Note the typo used in attack
      - 'trycloudflare.com'
      - 'raw.icp0.io'
  condition: selection_img and selection_suspicious_dest
falsepositives:
  - Legitimate misconfigured internal scanning
level: critical
---
title: Trigona Ransomware - Custom Uploader Client Execution
description: Detects the execution of the custom uploader_client.exe associated with Trigona affiliates or suspicious file upload patterns.
id: c3d4e5f6-7a8b-9cde-f012-34567890abc1
status: experimental
author: Security Arsenal Research
date: 2026/04/25
tags:
  - attack.exfiltration
  - attack.t1567
logsource:
  category: process_creation
  product: windows
detection:
  selection_hash:
    - Hashes|contains: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
    - Hashes|contains: '816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019'
  selection_name:
    OriginalFileName: 'uploader_client.exe'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    Image|contains: 'uploader'
  condition: 1 of selection_*
falsepositives:
  - Rare
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix Domains and TeamPCP IOCs
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any (
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", 
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "checkmarx.zone", "aquasecurtiy.org", "scan.aquasecurtiy.org"
)
| extend DeviceName = DeviceName, InitiatingProcessAccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for TeamPCP Artifacts and Trigona Exfil Tools.
.DESCRIPTION
    Scans the file system for specific IOCs related to KICS, Trivy, and Trigona campaigns.
#>

$MaliciousHashes = @(
    "d47de3772f2d61a043e7047431ef4cf4", # KICS MD5
    "e1023db24a29ab0229d99764e2c8deba", # KICS MD5
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b", # KICS SHA256
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173", # Trigona Uploader
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"  # Trigona Uploader
)

$SearchPaths = @("C:\Program Files", "C:\ProgramData", "C:\Users", "C:\\docker\\services")

Write-Host "[+] Hunting for TeamPCP/Trigona IOCs..."

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $MD5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            
            if ($MaliciousHashes -contains $Hash -or $MaliciousHashes -contains $MD5) {
                Write-Host "[!] ALERT: Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking for suspicious browser extensions (GlassWorm)..."
# Basic check for unexpected extensions in common Chrome/Edge paths
$ProfilePath = "$env:LOCALAPPDATA\Google\Chrome\User Data"
if (Test-Path $ProfilePath) {
    Get-ChildItem "$ProfilePath\*\Extensions" -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } | 
    Select-Object FullName, LastWriteTime
}


# Response Priorities

*   **Immediate:**
    *   Block all listed domains and IP addresses (`94.154.172.43`) at the network perimeter and proxy.
    *   Quarantine any systems identified running the file hashes associated with KICS (`222e6bfed0f...`) or Trigona (`uploader_client.exe`).
    *   Scan all Docker images and CI/CD build agents for the compromised KICS/Trivy versions.

*   **24 Hours:**
    *   Initiate credential rotation for any secrets potentially present in infrastructure-as-code repositories that were scanned by compromised versions of KICS or Trivy.
    *   Investigate browser extensions on developer workstations for GlassWorm artifacts.

*   **1 Week:**
    *   Implement strict allowlisting for CI/CD tools and Docker base images to prevent supply chain poisoning.
    *   Conduct security awareness training focused on "ClickFix" social engineering (fake browser errors requiring terminal commands).
    *   Audit GitHub Actions workflows for mutable tag usage and unauthorized commit identity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsteam-pcpclickfixlumma-stealerglasswormtrigona-ransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action