
TeamPCP Supply Chain Poisoning & ClickFix Infostealer Surge: OTX Pulse Analysis

Security Arsenal Team
April 25, 2026
6 min read

Recent OTX pulse data indicates a multi-faceted surge in credential theft activity driven by supply chain compromises and social engineering. The threat actor TeamPCP is actively poisoning developer tooling supply chains, specifically affecting the Checkmarx KICS Docker images and the Trivy vulnerability scanner. These trojanized tools are designed to harvest infrastructure-as-code credentials and exfiltrate them to attacker-controlled infrastructure.

Simultaneously, widespread ClickFix campaigns are targeting Finance, Technology, and Government sectors. These campaigns manipulate users into executing malicious commands via native system tools (living-off-the-land), leading to infections by Lumma Stealer, Vidar, and Redline Stealer. In the ransomware space, Trigona affiliates are evolving their tactics, adopting a custom Go-based exfiltration tool (uploader_client.exe) and abusing kernel drivers to evade defenses.

Threat Actor / Malware Profile

TeamPCP (Supply Chain Actor)

  • Objective: Theft of development credentials and infrastructure secrets.
  • Distribution: Compromise of official distribution channels (Docker Hub, GitHub Actions, NPM). Exploits mutable tags and commit identity spoofing.
  • Payload Behavior: Trojanized binaries (e.g., KICS, Trivy) scan for sensitive files and encrypt them for exfiltration.
  • C2 Communication: Exfiltrates data to specific IPs and typosquatted domains (e.g., aquasecurtiy.org).

ClickFix Clusters (Infostealer Distribution)

  • Objective: Initial access and credential harvesting.
  • Distribution: Social engineering via fake support pages (e.g., Intuit, Booking.com) prompting users to run "fix" commands.
  • Payload Behavior: Droppers for Lumma Stealer, Vidar, Redline, and NetSupport RAT. Uses native tools (PowerShell/Bash) to bypass security controls.
  • C2 Communication: Standard HTTP/HTTPS to diverse domain infrastructure.

Trigona / Rhantus (Ransomware)

  • Objective: Data extortion and encryption.
  • Evolution: Shift from off-the-shelf tools (Rclone) to custom uploader_client.exe.
  • Techniques: Kernel driver abuse (e.g., DumpGuard, PCHunter) to terminate AV/EDR processes.

GlassWorm

  • Target: Developers and Blockchain users.
  • Technique: Supply chain via package managers, fetches payloads from Solana blockchain, installs fake browser extensions for surveillance.

IOC Analysis

The provided pulses offer a high-confidence mix of network and file-based indicators crucial for detection:

  • Domains: Numerous domains associated with ClickFix campaigns (e.g., ustazazharidrus.com, account-help.info) and TeamPCP C2 (e.g., aquasecurtiy.org). These should be blocked at the DNS layer.
  • IP Addresses: 94.154.172.43 is a key C2 node for the KICS compromise.
  • File Hashes: SHA256/MD5 hashes are provided for the trojanized KICS binaries and Trigona exfiltration tools (uploader_client.exe). These are critical for EDR correlation and scanning artifact repositories.
  • Operationalization: SOC teams should load these IOCs into SIEM correlation rules for immediate alerting on network connections and file executions. YARA rules should be generated for the file hashes to detect them in memory or on disk.
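The C2 domain above (aquasecurtiy.org, one transposed letter away from aquasecurity) points at a check that goes beyond blocklisting the exact IOC: compare every observed destination hostname against an allowlist of the vendor domains your developers actually use and flag near-misses. The Python below is an added example written for this post, not code from the OTX pulses or from Security Arsenal. The KNOWN_VENDOR_DOMAINS allowlist and the OBSERVED hostnames are constructed, and the suffix handling assumes a single-label TLD. It generalizes the single case on the page to any near-miss of a trusted vendor domain, including the same brand label under a different TLD.

```python
# Assumed allowlist of legitimate vendor domains for the tooling discussed
# above; in practice this comes from your approved-software inventory.
KNOWN_VENDOR_DOMAINS = ["aquasecurity.com", "checkmarx.com", "github.com", "docker.com"]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'aquasecurtiy' is 1 edit from 'aquasecurity'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(host):
    """Return (brand label, suffix) for a hostname, e.g. cdn.aquasecurtiy.org ->
    ('aquasecurtiy', 'org'). Assumes a single-label public suffix; a real
    deployment would consult the Public Suffix List for .co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(host, known=KNOWN_VENDOR_DOMAINS):
    """Classify an observed hostname against the allowlist.
    Returns (verdict, closest_known_domain, edit_distance)."""
    sld, tld = split_domain(host)
    best = None
    for k in known:
        ksld, ktld = split_domain(k)
        if sld == ksld:
            return ("known", k, 0) if tld == ktld else ("tld-swap", k, 0)
        dist = osa_distance(sld, ksld)
        if best is None or dist < best[1]:
            best = (k, dist)
    # Tolerate two edits for long brand labels; one edit is enough for short ones.
    threshold = 2 if len(sld) >= 10 else 1
    if best is not None and best[1] <= threshold:
        return ("lookalike", best[0], best[1])
    return ("unrelated", None, None)


def triage(hostnames, known=KNOWN_VENDOR_DOMAINS):
    """Return only the hostnames worth an analyst's attention, with their verdict."""
    out = []
    for h in hostnames:
        verdict, match, dist = classify(h, known)
        if verdict in ("lookalike", "tld-swap"):
            out.append((h, verdict, match, dist))
    return out


# Constructed sample of observed destination hostnames (not real telemetry).
OBSERVED = ["cdn.aquasecurtiy.org", "checkmarx.zone", "api.github.com",
            "account-help.info", "ustazazharidrus.com", "registry.docker.com"]

if __name__ == "__main__":
    for h, verdict, match, dist in triage(OBSERVED):
        print(f"{h:24} {verdict:10} closest={match} distance={dist}")
```

Feeding the distinct RemoteUrl values from a day of proxy or DNS logs through triage() surfaces the two TeamPCP-style domains while leaving the unrelated ClickFix domains (which need the plain blocklist) and the genuine vendor hosts alone; the threshold keeps short brand names from matching on a single coincidental edit.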

Detection Engineering

```yaml
title: Potential ClickFix Activity via Browser Launched PowerShell
id: 8a4e2b1c-6d8f-4a9e-b0f1-3c5e6d7a8b9c
description: Detects suspicious PowerShell execution initiated by web browsers, a common pattern in ClickFix campaigns where users are tricked into running commands.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\brave.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'copy'
            - 'paste'
            - 'iex'
            - 'invoke-expression'
    condition: selection
falsepositives:
    - Legitimate web-based administration tools
level: high
---
title: TeamPCP Supply Chain C2 Communication
id: 9b5f3c2d-7e9a-4b0c-1d2e-3f4a5b6c7d8e
description: Detects network connections to known TeamPCP infrastructure associated with the KICS and Trivy compromises.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://socket.dev/blog/checkmarx-supply-chain-compromise
    - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp:
            - '94.154.172.43'
    selection_domain:
        DestinationHostname|contains:
            - 'aquasecurtiy.org'
            - 'checkmarx.zone'
            - 'trycloudflare.com'
    condition: 1 of selection_*
falsepositives:
    - None expected
level: critical
---
title: Trigona Custom Exfil Tool Execution
id: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects execution of the custom Trigona exfiltration utility uploader_client.exe or associated kernel abuse tools.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://www.security.com/blog-post/trigona-exfiltration-custom
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith:
            - '\uploader_client.exe'
            - '\MalExtractor.exe'
            - '\GoGra.exe'
    selection_driver_abuse:
        Image|endswith:
            - '\PCHunter.exe'
            - '\DumpGuard.exe'
            - '\PowerRun.exe'
        # Signed is not a field of Sysmon Event ID 1 or Security 4688; unless your
        # pipeline enriches process_creation events with signature data, this clause
        # never evaluates true and selection_driver_abuse never fires.
        Signed: 'false'
    condition: 1 of selection_*
falsepositives:
    - Rare legitimate administrative usage
level: critical
```
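To see what these three rules actually fire on before shipping them, here is a small Python evaluator, added as an example for this post. It is not Security Arsenal's code and not a Sigma backend: it implements only the endswith, contains and plain-equality modifiers and the two condition forms used above (a single selection, and 1 of selection_*), and runs the rules over constructed Sysmon-style events. The RULES dicts are a transcription of the YAML above so the example runs without PyYAML; the SAMPLE_EVENTS are invented.

```python
import re

# The three Sigma rules above, transcribed into Python dicts (assumed exact
# transcription; done this way so the example runs without PyYAML).
RULES = [
    {"title": "Potential ClickFix Activity via Browser Launched PowerShell",
     "detection": {
         "selection": {
             "ParentImage|endswith": [r"\chrome.exe", r"\msedge.exe", r"\firefox.exe", r"\brave.exe"],
             "Image|endswith": [r"\powershell.exe", r"\cmd.exe"],
             "CommandLine|contains": ["copy", "paste", "iex", "invoke-expression"]},
         "condition": "selection"}},
    {"title": "TeamPCP Supply Chain C2 Communication",
     "detection": {
         "selection_ip": {"DestinationIp": ["94.154.172.43"]},
         "selection_domain": {"DestinationHostname|contains":
                              ["aquasecurtiy.org", "checkmarx.zone", "trycloudflare.com"]},
         "condition": "1 of selection_*"}},
    {"title": "Trigona Custom Exfil Tool Execution",
     "detection": {
         "selection_tools": {"Image|endswith": [r"\uploader_client.exe", r"\MalExtractor.exe", r"\GoGra.exe"]},
         "selection_driver_abuse": {"Image|endswith": [r"\PCHunter.exe", r"\DumpGuard.exe", r"\PowerRun.exe"],
                                    "Signed": "false"},
         "condition": "1 of selection_*"}},
]


def _field_matches(value, modifier, patterns):
    """One Sigma field clause: listed values are OR-ed, matching is case-insensitive."""
    if value is None:                      # field absent from the event -> clause fails
        return False
    v = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "":
        return v in pats                   # plain equality
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection, event):
    """Every field clause inside one selection must hold (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


def rule_matches(rule, event):
    """Handle the two condition forms used above: 'selection' and '1 of selection_*'."""
    det = rule["detection"]
    cond = det["condition"].strip()
    if cond == "selection":
        return selection_matches(det["selection"], event)
    m = re.fullmatch(r"1 of (\w+)\*", cond)
    if m:
        return any(selection_matches(sel, event)
                   for name, sel in det.items() if name != "condition" and name.startswith(m.group(1)))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(events, rules=RULES):
    """Map each event's label to the titles of the rules that fire on it."""
    return {ev["label"]: [r["title"] for r in rules if rule_matches(r, ev)] for ev in events}


# Constructed sample events (not real telemetry); keys follow Sysmon/Sigma field names.
SAMPLE_EVENTS = [
    {"label": "browser_iex", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "iex $script"'},
    {"label": "browser_benign", "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"label": "admin_script", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"label": "c2_subdomain", "DestinationHostname": "cdn.aquasecurtiy.org", "DestinationIp": "203.0.113.5"},
    {"label": "c2_ip", "DestinationHostname": "update.example.net", "DestinationIp": "94.154.172.43"},
    {"label": "exfil_tool", "Image": r"C:\Users\dev\AppData\Local\Temp\uploader_client.exe"},
    {"label": "signed_pchunter", "Image": r"C:\Tools\PCHunter.exe", "Signed": "true"},
]

if __name__ == "__main__":
    for label, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{label:16} -> {hits or 'no match'}")
```

The signed_pchunter event is the one to watch: because the clauses inside selection_driver_abuse are AND-ed, a PCHunter.exe launch only fires when the event carries Signed set to false, which is exactly why the rule silently does nothing on telemetry that has no Signed field at all.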


```kql
// Hunt for TeamPCP and Trigona Network IOCs
// Run each query below on its own in Advanced Hunting.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "94.154.172.43" or RemoteUrl has_any (
    "aquasecurtiy.org",
    "checkmarx.zone",
    "trycloudflare.com",
    "ustazazharidrus.com",
    "account-help.info",
    "quiptly.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP

// Hunt for Malicious File Hashes (TeamPCP KICS / Trigona Tools)
// DeviceProcessEvents only covers files that were executed; DeviceFileEvents carries the
// same SHA256/MD5 columns and also catches files that were written to disk but never run.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019",
    "7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26",
    "598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a"
) or MD5 in ("d47de3772f2d61a043e7047431ef4cf4", "e1023db24a29ab0229d99764e2c8deba", "1dfe0e65f3fb60ee4e46cf8125ad67ca")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName, InitiatingProcessCommandLine
```


```powershell
# PowerShell Hunt Script for Trigona and TeamPCP Artifacts
# Requires Admin Privileges (C:\ProgramData, netstat owner PIDs, DNS client cache)

# SHA256 and MD5 indicators are kept apart so each is compared only against a
# hash computed with the same algorithm.
$MaliciousSHA256 = @(
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173"
)
$MaliciousMD5 = @(
    "d47de3772f2d61a043e7047431ef4cf4"
)

$MaliciousIPs = @(
    "94.154.172.43"
)

$MaliciousDomains = @(
    "aquasecurtiy.org",
    "checkmarx.zone"
)

# 1. Check for active network connections to malicious IPs
# -SimpleMatch treats the IPs as literal text; as a regex, each dot would match any character.
Write-Host "Checking for active network connections..."
$netstat = netstat -ano | Select-String -Pattern $MaliciousIPs -SimpleMatch
if ($netstat) {
    Write-Host "[ALERT] Found active connections to known malicious IPs:"
    $netstat
} else {
    Write-Host "No active connections found to malicious IPs."
}

# 2. Scan specific directories for malicious hashes (User temp and common download folders)
Write-Host "Scanning common download and temp directories for malicious files..."
$paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData")

foreach ($path in $paths) {
    if (Test-Path $path) {
        # -File skips directories, which Get-FileHash cannot hash.
        # -contains compares case-insensitively, so the uppercase hash Get-FileHash returns matches the list.
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($sha256 -and ($MaliciousSHA256 -contains $sha256)) {
                Write-Host "[MALWARE FOUND] $($_.FullName) with SHA256: $sha256"
            }
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and ($MaliciousMD5 -contains $md5)) {
                Write-Host "[MALWARE FOUND] $($_.FullName) with MD5: $md5"
            }
        }
    }
}

# 3. Check DNS Cache for Malicious Domains (the domain itself or any subdomain of it)
Write-Host "Checking DNS Cache for malicious domains..."
$dnsCache = Get-DnsClientCache | Where-Object {
    $entry = ([string]$_.Entry).ToLower()
    @($MaliciousDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }).Count -gt 0
}
if ($dnsCache) {
    Write-Host "[ALERT] Found DNS cache entries for malicious domains:"
    $dnsCache
} else {
    Write-Host "No DNS cache entries found for malicious domains."
}
```

Response Priorities

  • Immediate (0-24h):
    • Block all listed IOCs (domains, IPs) at perimeter firewalls and proxies.
    • Initiate a hunt for the specific file hashes provided in the KICS and Trigona pulses across all endpoints.
    • Identify and isolate any systems running the vulnerable versions of KICS (v2.1.20, v2.1.21) or Trivy from the compromise window.
  • 24-48h:
    • Force password rotation for developers and CI/CD service accounts if interaction with compromised tools (KICS/Trivy) is suspected.
    • Review browser history and PowerShell logs on user endpoints for signs of ClickFix interaction (copy-pasting commands from the browser).
  • 1 Week:
    • Implement code signing verification for all internal Docker images and VS Code extensions.
    • Harden developer workstations against living-off-the-land attacks (e.g., restricting PowerShell usage for standard users).
    • Audit supply chain security practices, specifically regarding mutable tags and dependency integrity.
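The last item calls for an audit of mutable tags, which is where the KICS and Trivy poisoning landed: a tag can be re-pointed at a new artifact after the one you reviewed. The Python below is an added example written for this post, not Security Arsenal's tooling. It flags Docker image references without an @sha256 digest and GitHub Actions uses: references without a full 40-character commit SHA, the two forms of reference that can silently change underneath a pipeline. The Dockerfile and workflow inputs are constructed, and the digest and SHA values in them are dummies.

```python
import re

DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image reference
FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")     # immutable action reference


def check_image_ref(ref):
    """Return None when an image reference is pinned by digest, else a finding string."""
    if DIGEST_PIN.search(ref):
        return None
    last = ref.rsplit("/", 1)[-1]          # drop registry/namespace before looking for a tag
    if ":" not in last:
        return f"{ref}: no tag, resolves to the mutable :latest tag"
    return f"{ref}: mutable tag, pin with @sha256:<digest>"


def check_action_ref(ref):
    """Return None when a GitHub Actions 'uses:' reference is pinned to a full commit SHA."""
    if ref.startswith("./"):               # local composite action, versioned with the repo itself
        return None
    if ref.startswith("docker://"):
        return check_image_ref(ref[len("docker://"):])
    name, _, version = ref.partition("@")
    if not version:
        return f"{ref}: no version reference at all"
    if FULL_COMMIT_SHA.match(version):
        return None
    return f"{ref}: mutable ref '{version}', pin to a full commit SHA"


def audit_dockerfile(text):
    """Flag every FROM that is not digest-pinned; skip scratch and earlier build stages."""
    findings, stages = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if ref.lower() != "scratch" and ref.lower() not in stages:
            finding = check_image_ref(ref)
            if finding:
                findings.append(finding)
        if stage:
            stages.add(stage.lower())
    return findings


def audit_workflow(text):
    """Flag every 'uses:' in a GitHub Actions workflow that is not SHA-pinned."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)", line)
        if m:
            finding = check_action_ref(m.group(1))
            if finding:
                findings.append(finding)
    return findings


# Constructed inputs (not any real project's files); the digest and SHA values are dummies.
SAMPLE_DOCKERFILE = f"""
FROM checkmarx/kics:v2.1.20 AS scanner
FROM ghcr.io/aquasecurity/trivy:latest AS trivy
FROM python@sha256:{'0' * 64} AS app
FROM scanner
FROM scratch
"""

SAMPLE_WORKFLOW = f"""
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@{'1' * 40}
      - uses: ./.github/actions/internal-lint
      - uses: docker://checkmarx/kics
"""

if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE) + audit_workflow(SAMPLE_WORKFLOW):
        print("FINDING:", f)
```

Run it over every Dockerfile and .github/workflows file in a repository and fail the build on any finding; digest pinning is what makes the code-signing verification in the previous bullet meaningful, since a verified signature on a tag says nothing about what that tag points at tomorrow.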
