Recent OTX pulses indicate a convergence of advanced automation and supply chain abuse across three distinct but high-risk campaigns. We observe a suspected Chinese-aligned operator leveraging Large Language Models (LLMs) like Claude Code and DeepSeek to generate exploits and manage webshells (TencShell, Gshell) targeting government and critical infrastructure. Concurrently, a supply chain attack on the npm registry (Lucide Proxy) is weaponizing student browsers for DDoS and ad fraud, while a separate SQL injection campaign is deploying cryptominers (XMRig) and IIS backdoors (BadIIS) for persistence. These campaigns highlight a shift towards AI-accelerated development and the abuse of legitimate developer tools for criminal infrastructure.
Threat Actor / Malware Profile
1. "Claude Code" Operators (TencShell / Gshell)
- Malware Families: TencShell, HSEWH-Ur, Vshell, Gshell
- Distribution: Spear-phishing and supply chain targeting; C2 nodes pivoting from Hong Kong-based infrastructure.
- Behavior: Utilizes AI coding agents (Claude Code) to automate exploit generation and attack operations. Infrastructure includes open directories exposing victim source code and cloned login pages.
- Persistence: Webshells (Vshell, Gshell) on compromised servers.
2. Lucide Proxy (NPM Campaign)
- Malware Families: N/A (Script-based)
- Distribution: Malicious npm packages masquerading as student tutoring tools (e.g., Riverbend Tutoring).
- Behavior: Functions as a functional web proxy while silently turning visitor browsers into DDoS bots (HTTP/WebSocket floods) and generating ad revenue.
- Persistence: Installed via package managers; likely persists via startup scripts or browser extensions on student machines.
3. SQLi Persistence Group
- Malware Families: BadIIS, XMRig, CnCrypt Protect
- Distribution: SQL Injection against vulnerable web applications.
- Behavior: Deploys Base64-encoded PowerShell for reconnaissance (
tasklist). Escalates to cryptocurrency mining (XMRig) and installs malicious IIS modules (BadIIS) for long-term access. - Persistence: BadIIS modules integrated into IIS; CnCrypt Protect used to hinder removal/analysis.
IOC Analysis
- IP Addresses (TencShell): The Pulse reveals a cluster of Hong Kong-based IPs (e.g.,
134.122.200.153-155). These should be blocked immediately at the perimeter and firewalls. - Domains (Lucide Proxy): Education-themed domains (e.g.,
21baseballacademy.com) and C2 domains (lucideon.top). SOC teams should sinkhole these domains and inspect DNS logs for historical resolution. - File Hashes: A mix of MD5 and SHA256 hashes are provided for the npm packages and PowerShell scripts. These can be loaded into EDR threat feeds and scanned via PowerShell scripts.
- OAST Domains: The presence of
oastify.comindicates the use of Interactsh or similar tools for out-of-band data exfiltration in the SQLi campaign.
Detection Engineering
---
title: PowerShell Base64 Encoded Command Execution (SQLi Persistence)
id: 8f3e4a1d-2b6c-4f8e-9a1d-3c5e6f7a8b9c
description: Detects Base64 encoded PowerShell commands often used after SQL injection to deploy XMRig or BadIIS.
status: stable
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: 'FromBase64String'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: high
tags:
- attack.execution
- attack.t1059.001
- badiis
- xmrig
---
title: TencShell/Gshell Webshell File Creation
title: Potential Webshell Activity via AI Tools
id: 7d2e5b0c-1a5f-3e7d-8b0c-2d4e5f6a7b8c
description: Detects the creation of suspicious files often associated with TencShell or Gshell campaigns, or execution patterns consistent with AI coding agents.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
category: file_created
detection:
selection_webshell:
TargetFilename|contains:
- 'wwwroot'
- 'inetpub'
TargetFilename|endswith:
- '.aspx'
- '.php'
- '.jsp'
selection_keywords:
TargetFilename|contains:
- 'shell'
- 'vshell'
- 'gshell'
- 'tenc'
condition: 1 of selection_*
falsepositives:
- Legitimate web development
level: high
tags:
- attack.persistence
- attack.t1505.003
- tencshell
---
title: Lucide Proxy NPM Malicious Package Execution
id: 6e1d4c9b-0a4e-2d6c-7a9b-1c3d4e5f6a7b
description: Detects execution of Node.js processes involving file paths or parameters associated with the Lucide Proxy DDoS campaign.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
category: process_creation
detection:
selection_node:
Image|endswith: '\node.exe'
selection_suspicious:
CommandLine|contains:
- 'lucide'
- 'riverbend'
- 'northstar'
- 'wisp'
condition: all of selection_*
falsepositives:
- Legitimate node applications using similar naming
level: medium
tags:
- attack.initial_access
- attack.t1195.002
- lucide-proxy
kql
// Hunt for IOCs from TencShell, Lucide Proxy, and SQLi campaigns
let IoC_IPs = pack_array("112.213.124.159", "134.122.200.153", "134.122.200.154", "134.122.200.155", "192.229.115.229", "45.64.52.242", "192.238.134.166", "112.213.124.132");
let IoC_Domains = pack_array("21baseballacademy.com", "lucideon.top", "c.vipersfutbol.com");
let IoC_Hash_MD5 = pack_array("0a913561831bdf2c26dcf18b852b5cc1", "c6851a038da578a80eeb201e0588c84c", "c4c8e8c336c3429d97195076bf3bb6eb");
let IoC_Hash_SHA = pack_array("10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75", "4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd", "eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84");
// Network Connections
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| union (
// Process Hash Matches
DeviceProcessEvents
| where SHA256 in (IoC_Hash_SHA) or MD5 in (IoC_Hash_MD5)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256, MD5
)
| union (
// PowerShell Reconnaissance (SQLi Pulse)
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == "powershell.exe" or ProcessVersionInfoOriginalFileName == "pwsh.dll"
| where ProcessCommandLine contains "tasklist" and ProcessCommandLine contains "base64"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
)
powershell
# IOC Hunt Script for XMRig, BadIIS, and Webshells
$MD5Hashes = @("0a913561831bdf2c26dcf18b852b5cc1", "c6851a038da578a80eeb201e0588c84c", "c4c8e8c336c3429d97195076bf3bb6eb")
$SHA256Hashes = @("10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75", "4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd", "eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84")
Write-Host "[*] Scanning for file artifacts associated with OTX Pulses..." -ForegroundColor Cyan
# 1. Check for BadIIS / IIS Modules in standard paths
$IISPaths = @("C:\Windows\System32\inetsrv", "C:\inetpub")
foreach ($path in $IISPaths) {
if (Test-Path $path) {
Write-Host "[*] Scanning $path for suspicious modules..." -ForegroundColor Yellow
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Extension -eq ".dll" -and $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
ForEach-Object {
Write-Host "[!] Suspicious recent DLL found: $($_.FullName)" -ForegroundColor Red
}
}
}
# 2. Scan processes for XMRig or suspicious node behavior
$Processes = Get-Process -ErrorAction SilentlyContinue
$XMRIG = $Processes | Where-Object { $_.ProcessName -like "*xmrig*" -or $_.MainWindowTitle -like "*XMR*" }
if ($XMRIG) {
Write-Host "[!] ALERT: XMRig process detected!" -ForegroundColor Red
$XMRIG | Format-Table Id, ProcessName, Path
}
# 3. File Hash Scan (Recursive scan of C:\ would be too slow, focusing on Temp and User Profiles)
$SearchPaths = @("$env:TEMP", "$env:USERPROFILE\Downloads")
foreach ($folder in $SearchPaths) {
if (Test-Path $folder) {
Write-Host "[*] Scanning $folder for known IOCs..." -ForegroundColor Yellow
Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$hash = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
if ($hash.Hash -in $MD5Hashes) {
Write-Host "[!] MD5 Match found: $($_.FullName)" -ForegroundColor Red
}
$hash256 = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($hash256.Hash -in $SHA256Hashes) {
Write-Host "[!] SHA256 Match found: $($_.FullName)" -ForegroundColor Red
}
}
}
}
Write-Host "[*] Scan complete." -ForegroundColor Green
# Response Priorities
* **Immediate:** Block all IP addresses and domains listed in the IOC Analysis at the firewall and proxy level. Hunt for the specific file hashes (MD5/SHA256) on endpoints using the PowerShell script provided.
* **24h:** Investigate any servers exhibiting SQL injection activity or unexpected Base64 PowerShell execution. Review IIS logs for BadIIS module indicators. If student environments exist, audit npm package usage for `lucide-proxy` or related tutoring packages.
* **1 week:** Implement strict input validation to prevent SQL injection (Pulse 3). Review and lockdown AI coding assistant tooling (e.g., Claude Code) usage in development environments (Pulse 1). Enforce integrity checks for npm packages and supply chain dependencies (Pulse 2).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.