TroyDen AI Lures, ClickFix Python RATs, and SessionGate TDS: OTX Pulse Analysis

Recent OTX pulses indicate a coordinated convergence of sophisticated malware delivery campaigns targeting developers, gamers, and job seekers. The threat landscape is dominated by the TroyDen group, which utilizes an AI-generated "lure factory" to distribute LuaJIT-based infostealers (Redline, LummaStealer) via GitHub repositories named with obscure biological taxonomy.

Simultaneously, the ClickFix campaign has evolved to impersonate LinkedIn and Indeed, employing typosquatted domains and fake CAPTCHA pages to trigger a fileless attack chain. This chain abuses the legacy Windows Finger protocol and LOLBINs to deploy portable Python runtimes (CPython/IronPython) for CastleLoader and Python-based RATs.

A third ecosystem involves a Traffic Distribution System (TDS) impersonating open-source tools (Ghidra, dnSpy). This operation uses CloudFront-hosted JavaScript for click hijacking to deliver SessionGate, RemusStealer, and cryptocurrency clippers. The collective objective is credential harvesting, session hijacking, and establishing persistent access for initial access brokering.

Threat Actor / Malware Profile

TroyDen (Lure Factory)

Malware: LuaJIT, Redline, LummaStealer.
Distribution: GitHub repositories containing over 300 delivery packages. Uses AI-generated names (e.g., biological taxonomy) to appear legitimate.
Behavior: Two-component payload using Prometheus obfuscator. Targets Roblox players, crypto users, and developers to steal browser credentials and wallet data.

ClickFix Campaign

Malware: CastleLoader, Python RAT.
Distribution: Typosquatted job search domains (e.g., teamsvoicehub.com), Google Ads malvertising.
Behavior: Uses fake CAPTCHA pages to trick users into running PowerShell/cmd commands. Leverages the legacy finger.exe protocol and LOLBINs to download/execute portable Python without installation, achieving fileless execution.

Malware Distribution Ecosystem (TDS)

Malware: SessionGate, RemusStealer, AnimateClipper.
Distribution: Search Engine Poisoning (SEO) impersonating Ghidra, dnSpy, SpiderFoot. Uses CloudFront JavaScript to hijack clicks to a Traffic Distribution System (TDS).
Behavior: TDS enforces strict gating (anti-bot, first-visit checks) before handing off to malware payloads. Focuses on session theft and cryptocurrency clipping.

IOC Analysis

The pulses provide a mix of network and file-based indicators critical for defense:

Domains: High-risk typosquatted domains (e.g., teamsvoicehub.com, guiformat.com, ai-like.net) used for initial phishing and payload hosting.
IPv4: IPs associated with TDS infrastructure (e.g., 194.150.220.218, 217.156.122.75).
File Hashes (SHA256): Specific hashes for malicious payloads, including Python RAT loaders and RTF files used in the ecosystem.
Operationalization: SOC teams should immediately block listed domains and IPs at the perimeter. File hashes should be added to EDR exclusion allow-lists for investigation and block-lists for prevention. The TDS IPs suggest reliance on specific hosting providers; geo-blocking or IP range blocking may be effective.

Detection Engineering

Sigma Rules

YAML

---
title: Potential LuaJIT Infostealer Execution - TroyDen Lures
id: 6b8a9f1e-2c4d-4b5e-9f1a-2c4d4b5e9f1a
description: Detects execution of LuaJIT processes often used by TroyDen infostealers, potentially spawned from suspicious GitHub download directories.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6b8a9f1e2c4d4b5e9f1a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\lua53.exe'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate developer usage of LuaJIT
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: Suspicious Finger Protocol and Portable Python Usage - ClickFix
id: 7c9b0g2f-3d5e-5c6f-0g2b-3d5e5c6f0g2b
description: Detects the use of the legacy finger.exe utility or portable python executables spawned from a command line or browser, indicative of ClickFix campaign activity.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7c9b0g2f3d5e5c6f0g2b
logsource:
    category: process_creation
    product: windows
detection:
    selection_finger:
        Image|endswith: '\finger.exe'
    selection_python:
        Image|contains:
            - '\python.exe'
            - '\ipy.exe'
        CommandLine|contains: '-c'
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    condition: 1 of selection*
falsepositives:
    - Rare administrative use of finger
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
---
title: Traffic Distribution System (TDS) Domain Connection
id: 8d0c1h3g-4e6f-6d7g-1h3c-4e6f6d7g1h3c
description: Detects network connections to known Traffic Distribution System domains and IP addresses associated with malware distribution ecosystems.
status: experimental
date: 2026/06/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8d0c1h3g4e6f6d7g1h3c
logsource:
    category: network_connection
    product: windows
detection:
    selection_domains:
        Initiated|equals: 'true'
        DestinationHostname|contains:
            - 'teamsvoicehub.com'
            - 'dapala.net'
            - 'staruxaproruha.com'
            - 'guiformat.com'
            - 'forestoaker.com'
    selection_ips:
        DestinationIp|in:
            - '194.150.220.218'
            - '217.156.122.75'
    condition: 1 of selection*
falsepositives:
    - None
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix and TroyDen related process activity
let SuspiciousProcesses = dynamic(["luajit.exe", "python.exe", "ipy.exe", "finger.exe"]);
let SuspiciousDomains = dynamic(["teamsvoicehub.com", "dapala.net", "guiformat.com", "forestoaker.com"]);
// Union of Process and Network events
DeviceProcessEvents
| where FileName in (SuspiciousProcesses) or ProcessCommandLine has_any ("-c", "import http")
| extend IoCType = "Process"
| union (DeviceNetworkEvents
| where RemoteUrl has_any (SuspiciousDomains) or RemoteIP in ("194.150.220.218", "217.156.122.75")
| extend IoCType = "Network")
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, RemoteUrl, RemoteIP, InitiatingProcessAccountName, IoCType
| order by Timestamp desc

PowerShell Hunt Script

PowerShell

<#
.SYNOPSIS
    IOC Hunter for TroyDen, ClickFix, and Malware Ecosystem campaigns.
.DESCRIPTION
    Checks for network connections to malicious domains, suspicious running processes, 
    and file system artifacts associated with the pulses.
#>

$MaliciousDomains = @("teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net", "novayastaruxa.com", "kevinnotanother.com", "guiformat.com", "forestoaker.com")
$MaliciousIPs = @("194.150.220.218", "217.156.122.75")
$SuspiciousProcesses = @("luajit", "python", "ipy", "finger")

Write-Host "[*] Starting Hunt for OTX Pulse Indicators..." -ForegroundColor Cyan

# 1. Check for malicious processes
Write-Host "[*] Checking for suspicious processes..." -ForegroundColor Yellow
$foundProcesses = Get-Process | Where-Object { $SuspiciousProcesses -contains $_.ProcessName.ToLower() }
if ($foundProcesses) {
    Write-Host "[!] ALERT: Found suspicious processes running:" -ForegroundColor Red
    $foundProcesses | Select-Object ProcessName, Id, Path | Format-Table
} else {
    Write-Host "[+] No suspicious processes found." -ForegroundColor Green
}

# 2. Check DNS Cache for malicious domains
Write-Host "[*] Checking DNS Cache for malicious domains..." -ForegroundColor Yellow
$dnsEntries = Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry }
if ($dnsEntries) {
    Write-Host "[!] ALERT: Found DNS cache entries for malicious domains:" -ForegroundColor Red
    $dnsEntries | Select-Object Entry, Data | Format-Table
} else {
    Write-Host "[+] No malicious DNS entries found." -ForegroundColor Green
}

# 3. Check Established Network Connections
Write-Host "[*] Checking active network connections..." -ForegroundColor Yellow
$connections = Get-NetTCPConnection -State Established | Select-Object LocalPort, RemoteAddress, OwningProcess
foreach ($conn in $connections) {
    if ($MaliciousIPs -contains $conn.RemoteAddress) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] ALERT: Connection to malicious IP $($conn.RemoteAddress) from $($proc.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
    }
}

# 4. Check Hosts File
Write-Host "[*] Checking HOSTS file for domain redirections..." -ForegroundColor Yellow
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($line in $hostsContent) {
        if ($line -notmatch "^#" -and $line -match "\S") {
            foreach ($domain in $MaliciousDomains) {
                if ($line -like "*$domain*") {
                    Write-Host "[!] ALERT: Suspicious entry in HOSTS file: $line" -ForegroundColor Red
                }
            }
        }
    }
}

Write-Host "[*] Hunt Complete." -ForegroundColor Cyan

Response Priorities

Immediate

Block IOCs: Implement immediate blocks on all listed domains (e.g., teamsvoicehub.com, guiformat.com) and IP addresses (194.150.220.218, 217.156.122.75) on firewalls and secure web gateways.
Artifact Hunting: Use the provided PowerShell script to hunt for running luajit.exe, python.exe, or finger.exe processes not associated with legitimate admin tasks.

24h

Credential Audit: Given the prevalence of infostealers (LummaStealer, Redline, SessionGate), initiate forced password resets for developer accounts and credentials stored in browsers if infection is suspected.
Scope Investigation: Identify users who recently visited GitHub repositories with obscure biological names or interacted with suspicious LinkedIn/Indeed recruitment links.

1 Week

Architecture Hardening: Restrict the usage of portable Python executables and block the legacy Finger protocol (finger.exe) via Application Control or GPO.
Developer Awareness: Brief development teams on the risks of downloading tools from unofficial sources or GitHub repositories lacking verified community adoption, specifically regarding the "Ghidra" and "dnSpy" impersonation campaign.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub