Recent OTX pulses indicate a surge in sophisticated credential theft campaigns utilizing diverse delivery vectors, ranging from AI-generated GitHub repositories (TroyDen) to adult-themed gaming malware (Argamal) and Traffic Distribution Systems (TDS) impersonating open-source tools (SessionGate/RemusStealer).
A secondary, high-severity threat surface involves the active exploitation of a PAN-OS zero-day (CVE-2026-1281 and related CVEs) by the CL-STA-1132 actor cluster to tunnel traffic (EarthWorm/ReverseSocks5), likely facilitating internal network reconnaissance and credential harvesting.
Collective Objective: The primary goal across these disparate campaigns is the theft of developer credentials, cryptocurrency wallets, and corporate access tokens. The use of Living-Off-The-Land (LotL) binaries and COM hijacking suggests a trend toward evasion of traditional signature-based detection.
Threat Actor / Malware Profile
TroyDen (Lure Factory)
- Malware Families: LuaJIT, Redline, LummaStealer.
- Distribution: Over 300 GitHub repositories utilizing AI-generated lure names based on biological taxonomy and medical terminology to target developers and gamers.
- Behavior: Two-component payload design. LuaJIT serves as the loader/executor, bypassing some security controls before deploying commercial infostealers such as Redline and Lumma.
Argamal / Termixia
- Malware Families: Argamal (RAT/Loader), Termixia.
- Distribution: Malicious adult games (hentai) distributed via file-hosting sites like Pixeldrain.
- Persistence: COM hijacking. Specifically targets the InprocServer32 entry for the Windows Color System Calibration Loader DLL to establish persistence.
- Behavior: Delayed execution (several days) before downloading the full RAT payload, to evade sandbox detection.
SessionGate / RemusStealer TDS
- Malware Families: SessionGate, RemusStealer, AnimateClipper.
- Distribution: SEO poisoning/TDS. Impersonates legitimate tools like Ghidra and dnSpy. Uses CloudFront-hosted JavaScript to hijack download buttons.
- Behavior: "AnimateClipper" functionality suggests cryptocurrency clipboard replacement. Traffic is gated through a TDS enforcing anti-bot checks.
CL-STA-1132 (PAN-OS Exploitation)
- Tools: EarthWorm, ReverseSocks5.
- Technique: Exploits a buffer overflow in the GlobalProtect User-ID Authentication Portal (PAN-OS) for unauthenticated RCE.
- Objective: Establishing reverse SOCKS5 tunnels to pivot into internal networks, likely for credential dumping and lateral movement.
IOC Analysis
The provided pulses yield a mix of infrastructure and file-based indicators crucial for defense:
- Domains & Hostnames: guiformat.com, forestoaker.com, asper1.freeddns.org, arch2.maxdatahost1.cyou, www.whatsappcenter.com.
  - Action: Block at the DNS resolver and proxy level. Note that guiformat.com is a typosquat/impersonation domain.
- IPv4 Addresses: 194.150.220.218, 217.156.122.75.
  - Action: Block on perimeter firewalls. Correlate with outbound C2 alerts.
- File Hashes: The pulses provide a large number of SHA1 hashes (Argamal related) and SHA256 hashes (GriefLure related).
  - Action: Load into EDR block/allow-list configurations. Use the hash sets to query the SIEM for historical execution.
- CVEs: Multiple PAN-OS CVEs (2026-1281, 2025-14847, etc.).
  - Action: Immediate patch validation for Palo Alto firewalls.
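The blocking actions above assume the indicators are matched correctly against DNS and proxy telemetry. The following is an added example (not the digest's own tooling) that matches the listed domains and IPs against constructed log lines; the indicator values are the ones from the list above, while every log line, client address and timestamp is constructed. It demonstrates matching at DNS-label boundaries rather than by substring: `cdn.guiformat.com` should hit the guiformat.com indicator, `notguiformat.com` should not, and the dynamic-DNS host asper1.freeddns.org must not cause the whole freeddns.org zone to be flagged.

```python
"""Match the digest's domain/IP indicators against constructed DNS and proxy log lines.
Added example; the log format ('ts source k=v ...') and all client/timestamp values are
constructed, only the indicator values come from the digest."""
import ipaddress

IOC_DOMAINS = {
    "guiformat.com", "forestoaker.com", "asper1.freeddns.org",
    "arch2.maxdatahost1.cyou", "www.whatsappcenter.com",
}
IOC_IPS = {ipaddress.ip_address(a) for a in ("194.150.220.218", "217.156.122.75")}


def matched_domain(hostname):
    """Return the indicator that `hostname` equals or is a subdomain of, else None.
    Matching walks label boundaries, so 'notguiformat.com' does not hit 'guiformat.com',
    and the apex 'whatsappcenter.com' does not hit the host indicator 'www.whatsappcenter.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def matched_ip(address):
    """Return the indicator IP as a string if `address` is one, else None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None


def parse_line(line):
    """Parse a constructed 'ts source k=v k=v ...' line into a dict."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields.update(ts=ts, source=source)
    return fields


def scan(lines):
    """Return (timestamp, client, indicator, where) tuples for every line touching an IOC."""
    hits = []
    for line in lines:
        f = parse_line(line)
        # DNS 'query' and proxy 'host' fields carry hostnames
        for key in ("query", "host"):
            ind = matched_domain(f[key]) if key in f else None
            if ind:
                hits.append((f["ts"], f["client"], ind, f"{f['source']} {key}"))
        # proxy lines carry an IPv4 'dst' as host:port
        if "dst" in f:
            ind = matched_ip(f["dst"].rsplit(":", 1)[0])
            if ind:
                hits.append((f["ts"], f["client"], ind, f"{f['source']} dst"))
    return hits


# Constructed sample telemetry (not from the digest)
SAMPLE_LOGS = [
    "2026-06-08T10:00:01Z dns client=10.0.0.5 query=cdn.guiformat.com",
    "2026-06-08T10:00:02Z dns client=10.0.0.6 query=notguiformat.com",
    "2026-06-08T10:00:03Z dns client=10.0.0.7 query=home.freeddns.org",
    "2026-06-08T10:00:04Z dns client=10.0.0.8 query=asper1.freeddns.org.",
    "2026-06-08T10:00:05Z proxy client=10.0.0.9 host=update.example.org dst=217.156.122.75:443",
    "2026-06-08T10:00:06Z proxy client=10.0.0.10 host=www.whatsappcenter.com dst=203.0.113.10:443",
]

if __name__ == "__main__":
    for ts, client, indicator, where in scan(SAMPLE_LOGS):
        print(f"{ts} {client} -> {indicator} ({where})")
```

Lines 2 and 3 of the sample are the false-positive cases a naive substring or parent-zone match would flag; the label-boundary walk leaves them alone while still catching the subdomain and the trailing-dot FQDN form.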
Detection Engineering
```yaml
title: Potential COM Hijacking Persistence - Windows Color System
id: 4c1c2b1a-1a2b-4c5d-9e8f-1a2b3c4d5e6f
description: Detects registry modifications associated with Argamal malware persistence via the Windows Color System Calibration Loader InprocServer32 entry.
author: Security Arsenal
date: 2026/06/08
modified: 2026/06/08
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set   # Sysmon EventID 13 carries both TargetObject and Details
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\CLSID\'
            - '\InprocServer32'
            # Narrow further with the Color System Calibration Loader CLSID once confirmed;
            # the digest does not list it, and the CLSID name does not appear in the key path
        Details|contains: '\AppData\'   # in-process server DLL under a user profile
    condition: selection
falsepositives:
    - Legitimate software installation
level: high
```

```yaml
title: Suspicious Child Process of Git or GitHub Desktop
id: 3d2e1f0a-9e8d-7c6b-5a4b-3c2d1e0f9a8b
description: Detects potential TroyDen activity where legitimate Git tools spawn obfuscated scripts or infostealers (LuaJIT, PowerShell).
author: Security Arsenal
date: 2026/06/08
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\git.exe'
            - '\GitHubDesktop.exe'
            - '\cmd.exe'   # Often spawned by git bash
    selection_child:
        Image|endswith:
            - '\luajit.exe'
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - '-enc'   # Encoded commands
            - 'downloadstring'
            - 'iex'
    condition: all of selection_*
falsepositives:
    - Legitimate developer scripts
level: medium
```

```yaml
title: Traffic Distribution System (TDS) Browser Pattern
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects potential redirection patterns associated with SessionGate TDS (CloudFront JS -> Handoff).
author: Security Arsenal
date: 2026/06/08
logsource:
    category: proxy   # Suricata or Zeek HTTP logs; map the field names to your backend
detection:
    selection_referer:
        cs-referer|contains:
            - 'cloudfront.net'
            - 'github.com'
            - 'sourceforge.net'   # Impersonated targets
    selection_destination:
        dst_port:   # field name depends on the backend mapping
            - 80
            - 443
    selection_keywords:
        c-uri|contains:
            - '.php'
            - 'click'
            - 'redirect'
    condition: all of selection_*
falsepositives:
    - Legitimate ad traffic
level: low
```
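Before the first two rules above are deployed to a backend, it is worth checking that their selection logic fires on the event shapes they describe and stays quiet on benign ones. The following added example (not the digest's own code and not a full Sigma engine) implements only the field modifiers those rules use (contains, contains|all, endswith, re), Sigma's case-insensitive matching and the conditions `selection` and `all of selection_*`, then runs the transcribed rule logic over constructed sample events shaped like Sysmon EventID 13 (registry value set) and EventID 1 (process creation) records. The CLSID GUID, paths and encoded-command argument in the samples are placeholders.

```python
"""Minimal Sigma-style selection evaluator for the two endpoint rules above.
Added example: rule values are transcribed from the rules, events are constructed."""
import re

COM_HIJACK_RULE = {
    "title": "Potential COM Hijacking Persistence - Windows Color System",
    "detection": {
        "selection": {
            "TargetObject|contains|all": ["\\CLSID\\", "\\InprocServer32"],
            "Details|contains": "\\AppData\\",
        },
        "condition": "selection",
    },
}

GIT_CHILD_RULE = {
    "title": "Suspicious Child Process of Git or GitHub Desktop",
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": ["\\git.exe", "\\GitHubDesktop.exe", "\\cmd.exe"],
        },
        "selection_child": {
            "Image|endswith": ["\\luajit.exe", "\\powershell.exe", "\\cmd.exe"],
            "CommandLine|contains": ["-enc", "downloadstring", "iex"],
        },
        "condition": "all of selection_*",
    },
}


def field_matches(actual, expected, modifiers):
    """Apply Sigma modifiers to one field. A list of values is OR'ed unless 'all' is set;
    comparisons are case-insensitive, as Sigma specifies."""
    if actual is None:
        return False
    actual = str(actual)
    values = [str(v) for v in (expected if isinstance(expected, list) else [expected])]
    if "re" in modifiers:
        tests = [re.search(v, actual) is not None for v in values]
    elif "endswith" in modifiers:
        tests = [actual.lower().endswith(v.lower()) for v in values]
    elif "contains" in modifiers:
        tests = [v.lower() in actual.lower() for v in values]
    else:
        tests = [actual.lower() == v.lower() for v in values]
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(selection, event):
    """Every 'field|modifier' entry in a selection map must hold (Sigma ANDs them)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field), expected, modifiers):
            return False
    return True


def rule_matches(rule, event):
    """Supports the conditions 'selection' (any single selection name) and 'all of selection_*'."""
    detection = rule["detection"]
    condition = detection["condition"]
    if condition == "all of selection_*":
        names = [n for n in detection if n.startswith("selection_")]
        return all(selection_matches(detection[n], event) for n in names)
    return selection_matches(detection[condition], event)


def run_rules(rules, events):
    """Return (rule title, event id) for every rule that fires on an event."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(r, e)]


# Constructed sample events (not from the digest); GUIDs, paths and the encoded argument are placeholders
SAMPLE_EVENTS = [
    {   # registry value set: per-user CLSID InprocServer32 pointing at an AppData DLL
        "id": "reg-1",
        "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\dev\\AppData\\Roaming\\ColorLoader.dll",
    },
    {   # benign: machine-wide CLSID resolving to System32
        "id": "reg-2",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)",
        "Details": "C:\\Windows\\System32\\example.dll",
    },
    {   # git.exe spawning PowerShell with an encoded command (placeholder payload 'ABC')
        "id": "proc-1",
        "ParentImage": "C:\\Program Files\\Git\\cmd\\git.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoP -Enc QQBCAEMA",
    },
    {   # benign: git.exe running a plain shell command
        "id": "proc-2",
        "ParentImage": "C:\\Program Files\\Git\\cmd\\git.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd /c echo build-ok",
    },
]

if __name__ == "__main__":
    for title, event_id in run_rules([COM_HIJACK_RULE, GIT_CHILD_RULE], SAMPLE_EVENTS):
        print(f"[{title}] fired on {event_id}")
```

Event `proc-2` is the case the rule's ANDed `selection_child` map is meant to handle: cmd.exe under git.exe is routine, so the rule only fires when the command line also carries one of the encoding or download keywords.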
Microsoft Defender advanced hunting queries. Each one is a separate query and must be run on its own; advanced hunting accepts a single tabular expression per query.

```kql
// Hunt for Argamal and related Argamal/Termixia file hashes (SHA1)
DeviceProcessEvents
| where SHA1 in (
    "02819d200d1424882af81cb504b3e8614b32397a",
    "1405a3c5e0aeb08012484134e16cdec4ab29b4a4",
    "17f8f8f34dfa737f36182fed7ff9e9814a114058",
    "2423a5bf0fa7cb9ec09211630a5488629499691b",
    "29f1d346a6e71774c7dad25b90f446b2974393df",
    "42add9475e67a1ccc6a6af94b5475d3defc01b85"
)
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, AccountName, SHA1
```

```kql
// Network connections to known TDS / malware infrastructure
DeviceNetworkEvents
| where RemoteUrl in (
    "guiformat.com",
    "forestoaker.com",
    "asper1.freeddns.org",
    "arch2.maxdatahost1.cyou",
    "www.whatsappcenter.com"
) or RemoteIP in (
    "194.150.220.218",
    "217.156.122.75"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, ActionType
```

```kql
// Hunt for GriefLure indicators (SHA256)
DeviceFileEvents
| where SHA256 in (
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256
```
```powershell
# Security Arsenal - Argamal/Termixia Persistence Hunt
# Checks for abnormal InprocServer32 entries in per-user CLSID keys, the location a COM hijack
# of the Windows Color System Calibration Loader would register under
function Check-ArgamalPersistence {
    $basePath = "Registry::HKCU\Software\Classes\CLSID"
    $suspiciousKeys = @()
    if (-not (Test-Path $basePath)) {
        Write-Host "[+] User CLSID path not found. No activity detected."
        return
    }
    # Enumerate all CLSIDs
    $clsids = Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue
    foreach ($clsid in $clsids) {
        $inprocPath = Join-Path -Path $clsid.PSPath -ChildPath "InprocServer32"
        if (Test-Path $inprocPath) {
            $defaultVal = (Get-ItemProperty -Path $inprocPath -ErrorAction SilentlyContinue).'(default)'
            # Logic: flag an in-process server DLL that lives under a user profile's AppData
            # directory; legitimate entries normally resolve to System32 or Program Files
            if ($defaultVal -and $defaultVal -match '\.dll$') {
                if ($defaultVal -match ':\\Users\\.*\\AppData\\') {
                    $suspiciousKeys += [PSCustomObject]@{
                        CLSID = $clsid.PSChildName
                        Path  = $defaultVal
                    }
                }
            }
        }
    }
    if ($suspiciousKeys.Count -gt 0) {
        Write-Host "[!] WARNING: Suspicious COM Hijacking entries detected!" -ForegroundColor Red
        $suspiciousKeys | Format-Table -AutoSize
    } else {
        Write-Host "[+] No suspicious COM Hijacking entries found."
    }
    # Return the findings as objects so the results can be collected when run at scale
    return $suspiciousKeys
}
Check-ArgamalPersistence
```
---
# Response Priorities
Immediate
- Block Indicators: Immediately block all domains (guiformat.com, forestoaker.com, asper1.freeddns.org) and IPs (194.150.220.218, 217.156.122.75) at the perimeter and DNS level.
- PAN-OS Emergency Patch: Identify all PA-Series and VM-Series firewalls and validate patches for CVE-2026-1281, CVE-2025-14847 and CVE-2025-66478. Inspect logs for exploitation of the User-ID Authentication Portal.
24 Hours
- Credential Audit: Initiate forced password resets and MFA challenges for developer accounts and privileged users who may have accessed GitHub repositories or downloaded tools like dnSpy/Ghidra recently.
- Endpoint Hunt: Execute the provided PowerShell script across the enterprise to hunt for Argamal COM hijacking persistence mechanisms.
1 Week
- Software Supply Chain Policy: Review and enforce policies regarding the download of software from unofficial sources. Implement allow-listing for approved repositories.
- GitHub Hygiene: Scan internal GitHub usage for repositories matching the "AI-generated biological taxonomy" naming convention associated with TroyDen.