Threat Summary
Recent OTX pulses reveal a converging threat landscape where state-sponsored actors and criminal affiliates are aggressively abusing software supply chains and legitimate utilities to achieve initial access and data exfiltration.
The OceanLotus (APT32) group has shifted focus to the developer ecosystem, leveraging typosquatting Python packages (PyPI) to deliver the ZiChatBot malware via a Zulip-based C2 channel. Simultaneously, a massive software compromise affecting DAEMON Tools installers is distributing QUIC RAT to thousands of victims globally, utilizing valid certificates to bypass trust controls. In the criminal sector, Trigona ransomware affiliates have upgraded their exfiltration capabilities, deploying a custom tool (uploader_client.exe) designed to evade network monitoring through connection rotation and granular file filtering.
Threat Actor / Malware Profile
1. Trigona Ransomware Affiliates
- Malware Families: Trigona,
uploader_client.exe, HRSword, PCHunter, Mimikatz. - Distribution: Likely via initial access brokers or compromised credentials (manual tooling like
PowerRunandAnyDesksuggests manual hands-on-keyboard activity). - Payload Behavior:
uploader_client.exeis a custom exfiltration utility featuring parallel streams (5 connections) and connection rotation every 2,048 MB to blend in with traffic. It filters out low-value files. - C2/Persistence: Uses standard admin tools (AnyDesk) for persistence; utilizes security tools (DumpGuard) to evade anti-virus.
2. OceanLotus (APT32)
- Malware Families: ZiChatBot.
- Distribution: Supply chain attack via PyPI. Malicious packages:
uuid32-utils,colorinal,termncolor. - Payload Behavior: Dropper style deployment of ZiChatBot. Cross-platform capability (Windows/Linux).
- C2 Communication: Uses Zulip (an open-source team chat application) for Command and Control, a known tactic for OceanLotus to blend in with legitimate corporate traffic.
3. QUIC RAT (DAEMON Tools Compromise)
- Malware Families: QUIC RAT.
- Distribution: Trojanned installers of legitimate software (DAEMON Tools v12.5.0.2421 to 12.5.0.2434) distributed via the official website.
- Payload Behavior: The installers contain modified binaries (
DTHelper.exe,DiscSoftBusServiceLite.exe,DTShellHlp.exe) signed with legitimate certificates. - C2 Communication: Utilizes the QUIC protocol (UDP-based) to establish reverse shells, making traffic analysis difficult in traditional firewall environments.
IOC Analysis
The provided indicators are primarily File Hashes (MD5, SHA1, SHA256).
- Operationalization: SOC teams must immediately ingest these hashes into EDR detection rules and SIEM correlation engines. Since many hashes correspond to signed binaries (DAEMON Tools) or legitimate process names (
uploader_client.exe), reputation-based blocking alone is insufficient. File integrity monitoring (FIM) is critical for the DAEMON Tools compromise. - Decoding Tooling:
- VT Graph: To visualize relationships between the hashes and other campaigns.
- CAPE/Sandbox: For detonating the specific PyPI packages and Trigona uploaders to observe C2 handshake.
- YARA: Essential for identifying memory artifacts of ZiChatBot and QUIC RAT.
Detection Engineering
Sigma Rules
YAML
title: Trigona Custom Exfiltration Tool Execution
id: 8a4f1c32-2026-5000-8000-000000000001
description: Detects execution of Trigona ransomware affiliate custom exfiltration tool uploader_client.exe or related tooling.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66521c02285f5f7e4e555555
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\uploader_client.exe'
- '\malextractor.exe'
- '\HRSword.exe'
- '\PCHunter.exe'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: OceanLotus PyPI Malicious Package Installation
id: 8b4f1c32-2026-5000-8000-000000000002
description: Detects installation of suspected malicious PyPI packages used by OceanLotus to distribute ZiChatBot.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66521c02285f5f7e4e666666
tags:
- attack.initial_access
- attack.t1195
logsource:
category: process_creation
product: windows
detection:
selection_cli:
CommandLine|contains:
- 'pip install uuid32-utils'
- 'pip install colorinal'
- 'pip install termncolor'
selection_img:
Image|endswith:
- '\python.exe'
- '\pip.exe'
condition: all of selection_*
falsepositives:
- Legitimate developer installing these specific (fake) packages manually (unlikely)
level: high
---
title: DAEMON Tools Compromise - QUIC RAT
id: 8c4f1c32-2026-5000-8000-000000000003
description: Detects execution of trojaned binaries in compromised DAEMON Tools installer versions.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66521c02285f5f7e4e777777
tags:
- attack.persistence
- attack.t1543
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\DTShellHlp.exe'
- '\DTHelper.exe'
- '\DiscSoftBusServiceLite.exe'
filter_legit:
Hashes|contains:
- 'SHA256=816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019' # Example malicious hash from pulse
- 'SHA256=a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df'
condition: selection and filter_legit
falsepositives:
- Legitimate DAEMON Tools update (verify hash against vendor site)
level: critical
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Trigona tools and OceanLotus PyPI indicators
let TrigonaFiles = dynamic(["uploader_client.exe", "malextractor.exe", "HRSword.exe"]);
let OceanLotusPackages = dynamic(["uuid32-utils", "colorinal", "termncolor"]);
let DaemonToolsFiles = dynamic(["DTShellHlp.exe", "DTHelper.exe", "DiscSoftBusServiceLite.exe"]);
DeviceProcessEvents
| where FileName in~ TrigonaFiles or
ProcessCommandLine has_any (OceanLotusPackages) or
FileName in~ DaemonToolsFiles
| extend Timestamp = TimeGenerated, HostName = DeviceName, Account = InitiatingProcessAccountName
| project Timestamp, HostName, Account, FileName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessParentFileName
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
IOC Scanner for Trigona, OceanLotus, and DAEMON Tools Compromise.
.DESCRIPTION
Scans for specific file hashes and filenames associated with the OTX Pulse data.
#>
$MaliciousHashes = @(
"e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173", # Trigona uploader
"a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df", # QUIC RAT Daemon Tools
"08a75a092e9793b6d3eb473c246d3c5e4750cd525342276d8bf1ab7d1fe45112" # OceanLotus/ZiChatBot
)
$TargetPaths = @("C:\Program Files (x86)", "C:\Program Files", "$env:USERPROFILE\AppData\Local", "$env:TEMP")
Write-Host "[+] Starting Dark Web IOC Hunt..." -ForegroundColor Cyan
foreach ($Path in $TargetPaths) {
if (Test-Path $Path) {
Write-Host "[*] Scanning $Path..." -ForegroundColor Gray
# Hunt for Trigona/Daemon Tools specific filenames
$SuspectFiles = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match "uploader_client|DTShellHlp|DTHelper" }
foreach ($File in $SuspectFiles) {
Write-Host "[!] Suspicious Filename Found: $($File.FullName)" -ForegroundColor Yellow
$Hash = Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($Hash.Hash -in $MaliciousHashes) {
Write-Host "[!!!] CONFIRMED MALICIOUS HASH: $($File.FullName)" -ForegroundColor Red
}
}
}
}
# Check for Python packages (OceanLotus) - checks site-packages directories
$PythonPaths = @("C:\Python*", "$env:LOCALAPPDATA\Programs\Python*")
foreach ($PPath in $PythonPaths) {
$Resolved = Resolve-Path $PPath -ErrorAction SilentlyContinue
if ($Resolved) {
$LibPath = Join-Path $Resolved "Lib\site-packages"
if (Test-Path $LibPath) {
Write-Host "[*] Checking Python Site-Packages for OceanLotus IOCs..." -ForegroundColor Gray
Get-ChildItem -Path $LibPath -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match "uuid32-utils|colorinal|termncolor" } |
ForEach-Object { Write-Host "[!] Malicious Package Found: $($_.FullName)" -ForegroundColor Red }
}
}
}
Write-Host "[+] Hunt Complete." -ForegroundColor Green
Response Priorities
-
Immediate (0-4 hours):
- Block execution of all IOCs (File Hashes) at the endpoint level.
- Block network access to known PyPI malicious packages and QUIC protocol usage to non-critical endpoints if possible, though QUIC is hard to block without breaking web traffic.
- Remove DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 immediately; replace with clean versions or alternative software.
-
24 Hours:
- Hunt for evidence of
uploader_client.exeexecution logs in EDR to identify potential Trigona victims. - Audit developer workstations for the presence of OceanLotus PyPI packages (
uuid32-utils, etc.). - Initiate credential reset for any accounts that were active on systems where DAEMON Tools or Trigona tools were found.
- Hunt for evidence of
-
1 Week:
- Implement software package verification (e.g., signing requirements) for build pipelines to prevent PyPI style attacks.
- Review software supply chain sources; block specific installers or require hash verification before allowing DAEMON Tools installation.
- Update SIEM content to include specific Zulip network traffic anomalies for C2 detection.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwaretrigona-ransomwareapt32-oceanlotusquic-ratsupply-chain-attackzichatbot
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.