Back to Intelligence

TroyDen AI Lures & Argamal RAT: OTX Analysis of Credential Theft Campaigns

SA
Security Arsenal Team
June 8, 2026
5 min read

Excerpt: Active infostealer surge detected: TroyDen's AI-generated GitHub lures, Argamal COM hijacking, and GriefLure APT targeting. Critical attention required.

Threat Summary

Recent OTX pulses reveal a coordinated escalation in credential theft operations, blending broad-based malware distribution with targeted APT activity. A primary concern is the TroyDen campaign, which utilizes Large Language Models (LLMs) to generate sophisticated GitHub lure names (biological/medical taxonomy) to distribute LuaJIT-based loaders for Redline and LummaStealer. This "AI-Assisted Lure Factory" specifically targets developers and gamers.

Concurrently, the Argamal RAT campaign has resurfaced, embedding malware within adult-themed games. This strain employs COM hijacking via the Windows Color System Calibration Loader for persistence, demonstrating advanced evasion techniques.

A separate ecosystem involving SessionGate, RemusStealer, and AnimateClipper is abusing Traffic Distribution Systems (TDS) and SEO poisoning to impersonate tools like Ghidra and dnSpy. Finally, Operation GriefLure highlights high-stakes threats, using spear-phishing with legal documents to target Vietnamese telecom and Philippine healthcare sectors, while a distinct threat actor exploits a PAN-OS zero-day to deploy tunneling tools (EarthWorm).

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware: LuaJIT loader, Redline, LummaStealer.
  • Distribution: Over 300 GitHub packages with AI-generated names (e.g., obscure taxonomy).
  • Target: Developers, gamers (Roblox), crypto users.
  • Technique: Two-component payload, Prometheus obfuscator, execution via LuaJIT.

Argamal / Termixia

  • Malware: Argamal (implant), Termixia (RAT).
  • Distribution: Malware-laden hentai games.
  • Persistence: COM Hijacking (modifying InprocServer32 for the Color System module).
  • Behavior: Delayed execution (days post-infection), full system compromise.

CL-STA-1132 (PAN-OS Exploitation)

  • Malware: EarthWorm, ReverseSocks5.
  • Vulnerability: Buffer overflow in PAN-OS User-ID Authentication Portal (CVE-2023-33538, CVE-2026-*).
  • Capability: Unauthenticated RCE with root privileges, tunneling.

IOC Analysis

The provided indicators span multiple vectors requiring triage across EDR, Firewall, and DNS logs:

  • File Hashes (SHA1/SHA256): Multiple payloads for Argamal and GriefLure artifacts. These should be blocked in DLP and scanned in EDR quarantine.
  • Network Infrastructure: Domains like guiformat.com (fake tool) and asper1.freeddns.org (Argamal C2) are active. IP 194.150.220.218 hosts malicious RTF payloads.
  • CVEs: The PAN-OS campaign lists several CVEs (2023-33538, 2025-66478, etc.). Immediate patch management is required for perimeter firewalls.
  • Operationalization: SOC teams should ingest the 71 indicators from the TDS pulse into blocklists and hunt for the specific SHA1 hashes (02819d200d...) associated with Argamal in user directories.

Detection Engineering

YAML
title: Suspicious COM Hijacking via Color System Module (Argamal)
id: 91a15554-ec9e-49c0-0c5c-a301f276bd79
description: Detects registry modifications that hijack the Windows Color System Calibration Loader, a technique used by Argamal malware for persistence.
author: Security Arsenal
date: 2026/06/09
references:
    - https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    registry:
        - *
detection:
    selection:
        TargetObject|contains: 
            - 'Classes\CLSID'
        TargetObject|contains:
            - 'InprocServer32'
        Details|contains:
            - '.dll'
    filter_generic:
        Details|contains:
            - 'System32\mscms.dll'
            - 'SysWOW64\mscms.dll'
    condition: selection and not filter_generic
falsepositives:
    - Unknown
level: high
---
title: Suspicious LuaJIT Execution (TroyDen Campaign)
id: 29f1d346-a6e7-1774-7cda-d25b90f446b2
description: Detects the execution of LuaJIT processes, often used as loaders for infostealers like Redline and LummaStealer in the TroyDen campaign.
author: Security Arsenal
date: 2026/06/09
references:
    - https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\luajit.exe'
            - '\lua51.exe'
            - '\lua52.exe'
            - '\lua53.exe'
    selection_context:
        CommandLine|contains:
            - 'github'
            - 'download'
            - '-e'
    condition: all of selection_*
falsepositives:
    - Legitimate developer tools using Lua
level: medium
---
title: PAN-OS Firewall Exploitation Indicators (CL-STA-1132)
id: 197f11a7-b000-3aa7-da58-a3302cfa2a96
description: Detects potential exploitation of PAN-OS Captive Portal vulnerability via specific process anomalies or shellcode injection attempts.
author: Security Arsenal
date: 2026/06/09
references:
    - https://unit42.paloaltonetworks.com/captive-portal-zero-day/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
    service: pan-os
detection:
    selection_exploit:
        action|contains:
            - 'web'
        http_host|contains:
            - 'global-protect'
            - 'sslvpn'
        http_status:
            - 200
    selection_suspicious_uri:
        http_url|re:
            - '.*%.*%.*'  # Potential shellcode patterns in URL
    condition: selection_exploit and selection_suspicious_uri
falsepositives:
    - Unknown
level: critical


kql
// Hunt for Argamal and related Stealer IOCs
let IOCs = dynamic(["asper1.freeddns.org", "guiformat.com", "194.150.220.218", "217.156.122.75"]);
let ArgamalHashes = dynamic(["02819d200d1424882af81cb504b3e8614b32397a", "1405a3c5e0aeb08012484134e16cdec4ab29b4a4", "17f8f8f34dfa737f36182fed7ff9e9814a114058"]);
// Network Connections to C2 or TDS
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    // File Creation for known malware hashes
    DeviceFileEvents
    | where SHA1 in (ArgamalHashes)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA1
)
| union (
    // Process creation related to the specific techniques
    DeviceProcessEvents
    | where ProcessVersionInfoCompanyName == "GitHub" or ProcessVersionInfoOriginalFileName in ("luajit.exe", "powershell.exe")
    | where CommandLine contains "download" or CommandLine contains "invoke-expression"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
)


powershell
# Argamal Persistence Registry Hunt
# Checks for COM hijacking of the Windows Color System module

$PathBase = "HKCU:\Software\Classes\CLSID"
$DefaultDll = "mscms.dll"
$SuspiciousKeys = @()

if (Test-Path $PathBase) {
    $CLSIDKeys = Get-ChildItem -Path $PathBase -Recurse -ErrorAction SilentlyContinue
    
    foreach ($Key in $CLSIDKeys) {
        $InprocServer32 = $Key.OpenSubKey("InprocServer32")
        if ($InprocServer32) {
            $Value = $InprocServer32.GetValue("")
            if ($Value -and -not ($Value -like "*System32\$DefaultDll" -or $Value -like "*SysWOW64\$DefaultDll")) {
                $SuspiciousKeys += [PSCustomObject]@{
                    Path = $Key.Name
                    Value = $Value
                }
            }
        }
    }
}

if ($SuspiciousKeys.Count -gt 0) {
    Write-Host "[ALERT] Potential Argamal COM Hijacking Detected!" -ForegroundColor Red
    $SuspiciousKeys | Format-Table -AutoSize
} else {
    Write-Host "[INFO] No suspicious COM hijacking found for Color System module." -ForegroundColor Green
}

Response Priorities

  • Immediate:

    • Block all IOCs listed in the analysis (Domains asper1.freeddns.org, guiformat.com; IP 194.150.220.218).
    • Isolate endpoints showing evidence of luajit.exe execution or the specific Argamal file hashes.
    • Apply emergency patches for PAN-OS vulnerabilities (CVE-2023-33538, CVE-2025-55182).

  • 24 Hours:

    • Initiate credential rotation for accounts accessed from devices flagged with infostealer indicators (SessionGate, RemusStealer).
    • Review GitHub repository access logs for developers who may have interacted with TroyDen lure packages.

  • 1 Week:

    • Implement strict allow-listing for development tools (Ghidra, dnSpy) to prevent SEO poisoning incidents.
    • Conduct user awareness training focusing on "AI-generated" lures and the risks of downloading unofficial game mods.
    • Audit firewall logs for CL-STA-1132 indicators and review outbound proxy rules for tunneling anomalies.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstroydenargamalinfostealergrieflurepan-os

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action