Back to Intelligence

TroyDen & ClickFix Campaigns: AI-Generated Lures, Python RATs, and Multi-Vector Stealer Ecosystems

SA
Security Arsenal Team
June 8, 2026
6 min read

Recent OTX pulses reveal a convergence of high-volume malware distribution campaigns heavily relying on social engineering and technical impersonation. A coordinated effort by threat actors, notably "TroyDen," utilizes AI-generated biological taxonomy to lure developers and gamers into downloading LuaJIT-based infostealers (Redline, LummaStealer). Simultaneously, a "ClickFix" campaign is weaponizing job search anxiety by impersonating LinkedIn/Indeed via typosquatted domains, employing fake CAPTCHA pages to trick users into executing LOLBINs and portable Python runtimes (CastleLoader). A third ecosystem leverages Traffic Distribution Systems (TDS) and SEO poisoning of open-source tools (Ghidra, dnSpy) to distribute SessionGate and RemusStealer via CloudFront. Collectively, these campaigns aim at credential harvesting, cryptocurrency theft, and establishing persistent access for follow-on payloads.

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware: LuaJIT-based loaders delivering Redline and LummaStealer.
  • Distribution: Over 300 GitHub repositories utilizing AI-generated package names based on obscure biological/medical terms.
  • Targets: Developers, Gamers, Roblox players, Crypto users.
  • TTPs: Two-component payload architecture; Prometheus obfuscator to hide malicious intent within legitimate-looking code structures.

ClickFix / Unknown Actor

  • Malware: CastleLoader leading to Python-based RATs.
  • Distribution: Google Ads directing to typosquatted domains (e.g., teamsvoicehub.com). Uses fake "Verify you are human" CAPTCHAs.
  • TTPs: Social engineering facilitating the execution of native Windows utilities (Finger protocol) and portable Python (CPython/IronPython) without admin rights, enabling fileless-like execution.

Traffic Distribution System (TDS) Ecosystem

  • Malware: SessionGate, RemusStealer, AnimateClipper.
  • Distribution: Impersonation of popular tools (Ghidra, dnSpy) with SEO poisoning. Malicious JavaScript on CloudFront hijacks download buttons.
  • TTPs: Click hijacking, anti-bot gating, handoffs to TDS gateways (e.g., 194.150.220.218) before payload delivery.

IOC Analysis

The provided indicators highlight a sophisticated infrastructure designed to bypass static filters.

  • Domains: A mix of typosquatted recruitment domains (teamsvoicehub.com, dapala.net) and spoofed utility sites (guiformat.com). SOC teams should block these at the DNS level and review logs for any resolved connections.
  • IPs: Hardened infrastructure (194.150.220.218, 217.156.122.75) likely acting as TDS gateways or payload drop sites. Correlate network traffic against these IPs for C2 activity.
  • File Hashes (SHA256):
    • 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4 (Python-based payload)
    • 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886 (RTF/Loader)
  • Operationalization:
    • SIEM: Ingest hashes and domains into threat intelligence feeds for automated alerting on DeviceNetworkEvents and DeviceFileEvents.
    • EDR: Scan C:\\Users\\*\\Downloads and %TEMP% for the listed hashes.
    • Network: Monitor for high-entropy user-agents or connections to non-standard ports associated with the listed IPs (e.g., :48261).

Detection Engineering

Sigma Rules

YAML
title: Suspicious Portable Python Execution via LOLBIN Chain
description: Detects execution of portable Python (IronPython/CPython) spawned by cmd.exe or powershell following suspicious activity, indicative of ClickFix campaign.
author: Security Arsenal
date: 2026/06/08
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\python.exe'
      - '\\ipy.exe'
      - '\\pythonw.exe'
    ParentImage|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
  filter_legit:
    CommandLine|contains:
      - 'C:\\Python\'
      - 'C:\\Program Files\'
  condition: selection and not filter_legit
falsepositives:
  - Developer testing scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - clickfix
  - castleloader
---
title: LuaJIT Execution from User Profile Directory
description: Detects execution of LuaJIT interpreters from User directories, typical of TroyDen Lure Factory malware delivery.
author: Security Arsenal
date: 2026/06/08
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: '\\luajit.exe'
    Image|contains: '\\Users\'
  condition: selection
falsepositives:
  - Legitimate software using LuaJIT locally
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - troyden
  - lummastealer
---
title: Traffic Distribution System (TDS) Gateway Connection
description: Detects network connections to known TDS infrastructure IPs or specific ports used in malware distribution campaigns.
author: Security Arsenal
date: 2026/06/08
status: stable
logsource:
  category: network_connection
  product: windows
detection:
  selection_ip:
    DestinationIp:
      - '194.150.220.218'
      - '217.156.122.75'
  selection_port:
    DestinationPort: 48261
  condition: 1 of selection*
falsepositives:
  - Rare (Known bad infrastructure)
level: critical
tags:
  - attack.command_and_control
  - attack.c2
  - sessiongate
  - remusstealer

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix Python Execution and Domain Connections
let IOCs = dynamic([\"teamsvoicehub.com\", \"dapala.net\", \"staruxaproruha.com\", \"ai-like.net\", \"mtg-life.net\", \"novayastaruxa.com\", \"kevinnotanother.com\"]);
let MaliciousHashes = dynamic([\"08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4\", \"87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886\"]);
// Network Connections to Typosquatted Domains
DeviceNetworkEvents
| where RemoteUrl in IOCs
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where SHA256 in MaliciousHashes
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256
)
| union (
    // Hunt for Python execution from User Profile paths (ClickFix)
    DeviceProcessEvents
    | where FileName in~ (\"python.exe\", \"ipy.exe\", \"pythonw.exe\")
    | where FolderPath contains \"Users\"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
);

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for TroyDen, ClickFix, and TDS Malware Campaigns
#>

$MaliciousHashes = @(
    \"08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4\",
    \"87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886\"
)

$IOC_Domains = @(
    \"teamsvoicehub.com\", \"dapala.net\", \"staruxaproruha.com\", \"ai-like.net\", 
    \"mtg-life.net\", \"novayastaruxa.com\", \"kevinnotanother.com\", \"guiformat.com\"
)

Write-Host \"[+] Hunting for Malicious File Hashes...\"
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $_.Length -gt 0kb } | 
ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -in $MaliciousHashes) {
        Write-Host \"[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $hash\" -ForegroundColor Red
    }
}

Write-Host \"[+] Checking Hosts File for Domain Sinkholing...\"
$HostsPath = \"$env:SystemRoot\\System32\\drivers\\etc\\hosts\"
if (Test-Path $HostsPath) {
    $content = Get-Content $HostsPath
    foreach ($domain in $IOC_Domains) {
        if ($content -match $domain) {
            Write-Host \"[!] IOC FOUND IN HOSTS FILE: $domain\" -ForegroundColor Yellow
        }
    }
}

Write-Host \"[+] Checking for Suspicious Portable Python Directories...\"
$UserProfile = [System.Environment]::GetFolderPath(\"UserProfile\")
$PythonDirs = Get-ChildItem -Path \"$UserProfile\\*\" -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -match \"python|ironpython\" }
if ($PythonDirs) {
    Write-Host \"[!] Suspicious Python directories found in User Profile:\" -ForegroundColor Yellow
    $PythonDirs | ForEach-Object { Write-Host \"    - $($_.FullName)\" }
}

Response Priorities

  • Immediate:

    • Block all listed domains (teamsvoicehub.com, etc.) and IPs (194.150.220.218, 217.156.122.75) on perimeter firewalls and proxies.
    • Scan endpoints for the specific SHA256 hashes provided in the IOCs.
    • Quarantine any systems exhibiting "Fake CAPTCHA" behavior or unauthorized Python execution chains.

  • 24 Hours:

    • Conduct credential verification and reset for users who may have interacted with the "Job Search" or "GitHub" lures, particularly developers and HR personnel, due to the presence of infostealers (Redline/Lumma).
    • Review logs for access to guiformat.com or downloads mimicking Ghidra/dnSpy.

  • 1 Week:

    • Implement application allowlisting for Python interpreters in user directories to prevent ClickFix-style "portable" execution.
    • Update security awareness training to include "AI-generated lures" and "Fake CAPTCHA" verification pages.
    • Harden software supply chain policies regarding the use of unverified GitHub repositories and third-party download sites.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-apttroydencastleloaderredline-stealerlummastealersessiongate

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action