
TroyDen AI Lures & ClickFix RAT: OTX Analysis of Multi-Vector Malware Distribution

Security Arsenal Team
June 7, 2026
6 min read

Recent OTX pulses indicate a convergence of sophisticated delivery mechanisms targeting technical professionals and job seekers. The "TroyDen" threat actor is using AI-generated lure names based on biological taxonomy to distribute, via GitHub repositories, a LuaJIT-based loader that deploys infostealers (LummaStealer, Redline), specifically targeting developers, gamers, and crypto users.

Concurrently, the "ClickFix" campaign has evolved to impersonate job platforms (LinkedIn, Indeed) using typosquatted domains and fake CAPTCHA pages advertised through Google Ads. This campaign leverages the legacy Finger protocol and native Windows utilities to deliver CastleLoader, a Python-based RAT, via portable Python runtimes (CPython/IronPython). A third operation involves a Traffic Distribution System (TDS) impersonating open-source tools (Ghidra, dnSpy), using CloudFront-hosted JavaScript to hijack clicks and deliver SessionGate and RemusStealer. The collective objective across these campaigns is credential theft, session hijacking, and establishing persistent access via socially engineered supply chain compromises.

Threat Actor / Malware Profile

TroyDen (AI-Assisted Lure Factory)

  • Distribution Method: GitHub repositories hosting over 300 delivery packages. Uses AI-generated names (e.g., obscure biological terms) to appear legitimate.
  • Payload Behavior: Two-component design. Primary payload is a LuaJIT-based loader designed to deploy secondary infostealers.
  • Malware Families: LuaJIT-based loader, Redline, LummaStealer.
  • Anti-Analysis: Utilizes the Prometheus obfuscator to hinder static analysis of the LuaJIT bytecode.

ClickFix Campaign (Job Platform Impersonation)

  • Distribution Method: Typosquatted domains of job boards (LinkedIn, Indeed). Traffic driven via Google Ads to fake CAPTCHA pages.
  • Execution Chain: Victims are tricked into executing commands involving the Finger protocol and LOLBINs, which silently download and execute portable Python binaries.
  • Malware Families: CastleLoader (Python-based RAT).
  • Fileless Execution: Uses CPython or IronPython runtimes that may not write malware to disk, executing payloads in memory.

TDS Ecosystem (SessionGate/RemusStealer)

  • Distribution Method: SEO poisoning and impersonation of tools like Ghidra, dnSpy, and SpiderFoot. Uses a Traffic Distribution System to filter traffic.
  • Infrastructure: CloudFront-hosted JavaScript for initial redirection; strict gating including anti-bot checks.
  • Malware Families: SessionGate, RemusStealer, AnimateClipper.
  • Targeting: Global, with specific focus on Brazil, France, Germany, Poland, UK, and Russia.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a heavy reliance on specific infrastructure for payload delivery and Command & Control (C2).

  • Domains: Typosquatted domains (e.g., teamsvoicehub.com) and TDS gateways (e.g., guiformat.com). SOC teams should block these at the DNS layer and search for historical DNS requests in EDR logs.
  • IP Addresses: Hosting infrastructure (e.g., 194.150.220.218, 217.156.122.75). These should be blocked on perimeter firewalls.
  • File Hashes (SHA256):
    • 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4 (CastleLoader/Python component)
    • 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886 (SessionGate/RemusStealer)
    SOC teams should use EDR capabilities to hunt for these specific hashes on endpoints.
  • URLs: Specific payload paths (e.g., http://194.150.220.218/.../fo0suc2ki2.rtf). Web proxies should be configured to block these specific paths.
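Exact-match blocklists miss subdomains and full URLs, so matching the report's domain and IP indicators against web or DNS logs needs host extraction and label-boundary suffix matching. The following is an added example, not code from the report; the tab-separated log layout is constructed for illustration.

```python
"""Match the report's IOC domains and IPs against constructed proxy log lines.
Added example, not from the original report. The log layout (tab-separated
timestamp, device, process, URL) is constructed, not a vendor format."""
from typing import Optional
from urllib.parse import urlsplit

# Indicators quoted in the report above.
IOC_DOMAINS = {"teamsvoicehub.com", "guiformat.com"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}

def domain_matches(host: str, iocs: set) -> bool:
    """Exact or subdomain match on a label boundary: 'cdn.guiformat.com'
    matches 'guiformat.com', while 'notguiformat.com' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def classify_url(url: str) -> Optional[str]:
    """Return 'ip' or 'domain' when the URL's host is an IOC, else None."""
    host = urlsplit(url).hostname or url.lower()  # bare host if no scheme
    if host in IOC_IPS:
        return "ip"
    if domain_matches(host, IOC_DOMAINS):
        return "domain"
    return None

def hunt(log_lines):
    """Return (device, process, url, kind) for every line whose URL hits an IOC."""
    hits = []
    for line in log_lines:
        _ts, device, process, url = line.split("\t")
        kind = classify_url(url)
        if kind:
            hits.append((device, process, url, kind))
    return hits

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2026-06-07T10:01:02Z\tWS-042\tchrome.exe\thttps://www.linkedin.com/jobs/",
    "2026-06-07T10:02:11Z\tWS-042\tchrome.exe\thttps://teamsvoicehub.com/captcha",
    "2026-06-07T10:02:40Z\tWS-042\tcmd.exe\thttp://194.150.220.218/sample.rtf",
    "2026-06-07T10:03:05Z\tWS-017\tmsedge.exe\thttps://cdn.guiformat.com/dl.js",
    "2026-06-07T10:04:00Z\tWS-017\tmsedge.exe\thttps://notguiformat.com/",
]

if __name__ == "__main__":
    for device, process, url, kind in hunt(SAMPLE_LOG):
        print(f"[!] {kind} IOC hit on {device}: {process} -> {url}")
```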

Detection Engineering

YAML
---
title: Potential ClickFix CastleLoader Execution via Finger Protocol
id: a6b3c4d5-2026-6080-1eaf-000000000001
description: Detects the use of finger.exe or cmd.exe spawning python.exe, indicative of the ClickFix campaign delivering portable Python runtimes for CastleLoader.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6663e6f8b5a0d0f7c0e8f5c6
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\finger.exe'
            - '\cmd.exe'
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\ipy.exe'
            - '\ipy64.exe'
    condition: selection
falsepositives:
    - Legitimate developer usage of python via cmd
level: high
---
title: TroyDen LuaJIT Infostealer Execution
id: a6b3c4d5-2026-6080-1eaf-000000000002
description: Detects the execution of luajit.exe or luajit-64.exe, a common loader for TroyDen's LummaStealer and Redline campaigns often distributed via fake GitHub repos.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6663e6f8b5a0d0f7c0e8f5c5
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'luajit.exe'
            - 'luajit-64.exe'
    # A separate command-line selection on '-e' / '-O' combined with
    # '1 of selection*' would fire on any process whose command line contains
    # those substrings; the interpreter image is the only reliable anchor here.
    condition: selection
falsepositives:
    - Legitimate software using LuaJIT (e.g., specific games, dev tools)
level: medium
---
title: TDS Traffic Distribution System Suspicious File Download
id: a6b3c4d5-2026-6080-1eaf-000000000003
description: Detects patterns consistent with the TDS campaign impersonating tools like Ghidra/dnSpy. Looks for PowerShell or Curl downloading archives from non-standard domains.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6663e6f8b5a0d0f7c0e8f5c4
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    category: process_creation
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\powershell.exe'
            - '\curl.exe'
    selection_keywords:
        CommandLine|contains:
            - 'ghidra'
            - 'dnSpy'
            - 'spiderfoot'
            - '.zip'
            - '.rar'
    filter_legit:
        ParentImage|contains:
            - '\Visual Studio\'
            - '\JetBrains\'
    condition: selection_tool and selection_keywords and not filter_legit
falsepositives:
    - Developers actually downloading these tools
level: medium
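Before deploying rules like the ones above, their selection logic should be exercised against known-good and known-bad events so the AND/OR/NOT semantics behave as intended. The following is an added example, not part of the report: a minimal evaluator for the Sigma modifiers and conditions used by the ClickFix and TDS rules, run over constructed process-creation events.

```python
"""Unit-test the selection logic of the process-creation rules above (added example,
not part of the report). Implements only the Sigma pieces those rules use:
case-insensitive endswith/contains, AND across fields, OR across list values."""

def field_matches(value, modifier, needles):
    """Apply one Sigma modifier; a list of needles is an OR."""
    v = value.lower()
    if modifier == "endswith":
        return any(v.endswith(n.lower()) for n in needles)
    if modifier == "contains":
        return any(n.lower() in v for n in needles)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """Every field clause in a selection must match (AND)."""
    for key, needles in selection.items():
        field, modifier = key.split("|")
        if not field_matches(event.get(field, ""), modifier, needles):
            return False
    return True

# Rule 1 (ClickFix): finger.exe/cmd.exe spawning a portable Python runtime.
CLICKFIX = {"ParentImage|endswith": ["\\finger.exe", "\\cmd.exe"],
            "Image|endswith": ["\\python.exe", "\\pythonw.exe", "\\ipy.exe", "\\ipy64.exe"]}
# Rule 3 (TDS): PowerShell/curl plus a tool keyword, minus IDE parents.
TDS_TOOL = {"Image|endswith": ["\\powershell.exe", "\\curl.exe"]}
TDS_KEYWORDS = {"CommandLine|contains": ["ghidra", "dnSpy", "spiderfoot", ".zip", ".rar"]}
TDS_FILTER = {"ParentImage|contains": ["\\Visual Studio\\", "\\JetBrains\\"]}

def clickfix_fires(event):
    return selection_matches(event, CLICKFIX)

def tds_fires(event):  # condition: selection_tool and selection_keywords and not filter_legit
    return (selection_matches(event, TDS_TOOL) and selection_matches(event, TDS_KEYWORDS)
            and not selection_matches(event, TDS_FILTER))

# Constructed events, not real telemetry: a true positive and a benign case per rule.
EVENTS = {
    "clickfix_tp": {"ParentImage": r"C:\Windows\System32\cmd.exe",
                    "Image": r"C:\Users\u\AppData\Local\Temp\py\pythonw.exe"},
    "dev_python": {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Python312\python.exe"},
    "tds_tp": {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\curl.exe",
               "CommandLine": "curl -o ghidra.zip https://example.invalid/ghidra.zip"},
    "ide_download": {"ParentImage": r"C:\Program Files\JetBrains\IDE\bin\idea64.exe",
                     "Image": r"C:\Windows\System32\curl.exe",
                     "CommandLine": "curl -o tools.zip https://example.invalid/tools.zip"},
}
```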


kql
// Hunt for ClickFix and TDS related domains and IPs
let IOC_Domains = dynamic([
    "teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net",
    "novayastaruxa.com", "kevinnotanother.com", "guiformat.com", "forestoaker.com", "baxe.pics"
]);
let IOC_IPs = dynamic(["194.150.220.218", "217.156.122.75"]);
DeviceNetworkEvents
// has_any matches the domain inside a full URL (scheme, subdomain, path); an exact 'in' match would miss it
| where RemoteUrl has_any (IOC_Domains) or RemoteIP in (IOC_IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')


powershell
# IOC Hunt Script for SessionGate and CastleLoader
# Check for presence of file hashes and suspicious scheduled tasks

$TargetHashes = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "[+] Scanning for malware file hashes..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FilePath = $_.FullName
            $FileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            
            if ($TargetHashes -contains $FileHash) {
                Write-Host "[!] MALWARE FOUND: $FilePath (Hash: $FileHash)" -ForegroundColor Red
            }
        }
    }
}

# Check for suspicious Python runtimes often used in ClickFix
Write-Host "[+] Checking for portable Python runtimes in temp dirs..." -ForegroundColor Cyan
# Covers both CPython (python*.exe) and IronPython (ipy*.exe) runtimes
Get-ChildItem -Path "$env:TEMP\*" -Include "python*.exe", "ipy*.exe" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "[!] Suspicious Python Runtime Found: $($_.FullName)" -ForegroundColor Yellow
}

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses at the firewall and proxy level.
    • Scan endpoints for the specific SHA256 hashes provided (CastleLoader, SessionGate).
    • Investigate any recent executions of luajit.exe or portable Python binaries spawned by cmd.exe or finger.exe.
  • 24 Hours:
    • Initiate credential reset and identity verification for developers or HR staff who may have interacted with the "TroyDen" GitHub repos or "ClickFix" job phishing pages.
    • Review browser history and download logs on engineering workstations for visits to the impersonated software sites (Ghidra, dnSpy).
  • 1 Week:
    • Harden the enterprise against GitHub supply chain attacks by implementing allow-listing for internal repositories and requiring code review for third-party dependencies.
    • Update awareness training to highlight AI-generated lures and job scams involving fake CAPTCHAs.
    • Implement network segmentation to restrict access to legacy protocols like Finger.
