
TroyDen, Argamal & GriefLure: Multi-Vector Infostealer & RCE Campaign Analysis

Security Arsenal Team
June 7, 2026

The OTX pulse data from 2026-06-07 reveals a highly active threat landscape characterized by sophisticated initial access vectors and a sharp focus on credential theft and persistent remote access. Key observations include:

  1. TroyDen Lure Factory: A mass-scale operation that uses AI-generated biological/medical terminology to disguise malicious GitHub repositories as legitimate developer tools. This campaign distributes LuaJIT-based payloads for Redline and LummaStealer.
  2. Argamal Campaign: A targeted attack against gamers using adult-themed game installers to drop the Argamal RAT, utilizing COM hijacking for stealthy persistence.
  3. Traffic Distribution System (TDS): An SEO poisoning campaign impersonating tools like Ghidra to funnel victims to malware via guiformat.com and similar domains.
  4. Operation GriefLure: An APT-style campaign targeting Viettel (Vietnam) and St. Luke's (Philippines) using weaponized legal documents to deploy custom implants (sfsvc.exe, 360.dll).
  5. PAN-OS Zero-Day: Active exploitation of CVE-2026-1281/CVE-2026-1340 to deploy EarthWorm and ReverseSocks5 tunneling tools on perimeter firewalls.

Collectively, these campaigns demonstrate a convergence of social engineering (AI lures, legal docs), software supply chain attacks (fake GitHub), and infrastructure exploitation (PAN-OS) to achieve system compromise and data exfiltration.

Threat Actor / Malware Profile

| Campaign | Malware | Distribution | Persistence | Behavior |
|---|---|---|---|---|
| TroyDen | LuaJIT, Redline, LummaStealer | GitHub Repositories (AI-named) | N/A (Likely via Startup/Schedule) | Two-component payload; Prometheus obfuscator; steals browser crypto/cookies. |
| Argamal | Argamal, Termixia | Malware-infected Hentai Games | COM Hijacking (InprocServer32) | DLL hijacking replaces Windows Color System Calibration; downloads RAT after delay. |
| TDS Cluster | SessionGate, RemusStealer, AnimateClipper | SEO Poisoning (Ghidra, dnSpy) | N/A | CloudFront JS redirects to TDS; credential and crypto wallet theft. |
| GriefLure | sfsvc.exe, 360.dll | Spear Phishing (Legal Docs) | N/A | Targeted espionage against Military/Healthcare; living-off-the-land techniques. |
| CL-STA-1132 | EarthWorm, ReverseSocks5 | PAN-OS Exploit (Zero-Day) | Service/Process Injection | Root RCE on firewalls; establishes SOCKS5 tunneling for lateral movement. |

IOC Analysis

The provided IOCs span multiple categories requiring different handling strategies:

  • Domains & Hostnames (guiformat.com, asper1.freeddns.org, www.whatsappcenter.com): These indicate C2 infrastructure or phishing landing pages. SOC teams should immediately block these at the DNS perimeter and inspect proxy logs for any historical connections.
  • File Hashes (SHA1/SHA256): A large volume of hashes (e.g., 197f11a7..., 87361ba2...) is associated with the droppers and payloads. These should be loaded into EDR solutions as "Block" or "Alert" signatures.
  • CVEs (CVE-2026-1281, CVE-2026-1340): Critical for Vulnerability Management. These indicate active exploitation paths requiring immediate patching of PAN-OS devices.
  • Operationalization: Use SIEM correlation to match DeviceProcessEvents against the SHA256 list and DeviceNetworkEvents against the domain list. Atomic Red Team tests can validate COM hijacking detection logic.
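The correlation step above, written out in plain Python as an added example (it is not code from the original advisory) so the matching rules are explicit: process records are matched against the SHA256 list case-insensitively, and network records against the domain list with suffix-aware matching, so a subdomain of an IOC domain hits while a look-alike such as notguiformat.com does not. The field names follow the Defender tables the advisory names; the event records themselves are constructed sample data.

```python
"""IOC correlation over constructed Defender-style event records (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted from the advisory text.
IOC_DOMAINS = {
    "guiformat.com", "forestoaker.com", "maxdatahost1.cyou",
    "asper1.freeddns.org", "www.whatsappcenter.com",
}
IOC_SHA256 = {
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886",
}


@dataclass(frozen=True)
class Hit:
    table: str       # which event table the match came from
    device: str
    indicator: str   # the IOC that matched
    detail: str      # file path or remote URL for the analyst


def normalize_host(host: str) -> str:
    # Strip whitespace, a trailing dot (FQDN form) and case before comparing.
    return host.strip().rstrip(".").lower()


def matching_domain(hostname: str, ioc_domains: set[str] = IOC_DOMAINS) -> str | None:
    """Return the IOC domain that hostname equals or is a subdomain of, else None."""
    host = normalize_host(hostname)
    for ioc in ioc_domains:
        ioc_n = normalize_host(ioc)
        if host == ioc_n or host.endswith("." + ioc_n):
            return ioc
    return None


def host_from_url(remote_url: str) -> str:
    """RemoteUrl may be a full URL or a bare host[:port]; return only the host."""
    if "://" in remote_url:
        return urlsplit(remote_url).hostname or ""
    return remote_url.split("/", 1)[0].split(":", 1)[0]


def correlate(process_events: list[dict], network_events: list[dict],
              ioc_sha256: set[str] = IOC_SHA256,
              ioc_domains: set[str] = IOC_DOMAINS) -> list[Hit]:
    hashes = {h.lower() for h in ioc_sha256}
    hits: list[Hit] = []
    for ev in process_events:
        sha = str(ev.get("SHA256", "")).lower()
        if sha in hashes:
            hits.append(Hit("DeviceProcessEvents", ev["DeviceName"], sha, ev.get("FolderPath", "")))
    for ev in network_events:
        ioc = matching_domain(host_from_url(ev.get("RemoteUrl", "")), ioc_domains)
        if ioc:
            hits.append(Hit("DeviceNetworkEvents", ev["DeviceName"], ioc, ev["RemoteUrl"]))
    return hits


# Constructed sample records (not real telemetry).
PROCESS_EVENTS = [
    {"DeviceName": "dev-ws01", "FileName": "luajit.exe",
     "FolderPath": r"C:\Users\alice\Downloads\luajit.exe",
     "SHA256": "197F11A7B0003AA7DA58A3302CFA2A96A670DE91D39DDEBC7A51AC1D9404A7E6"},  # upper-case hash
    {"DeviceName": "dev-ws02", "FileName": "notepad.exe",
     "FolderPath": r"C:\Windows\System32\notepad.exe", "SHA256": "0" * 64},
]
NETWORK_EVENTS = [
    {"DeviceName": "dev-ws01", "RemoteUrl": "https://cdn.guiformat.com/dl/ghidra.zip"},  # subdomain, matches
    {"DeviceName": "dev-ws03", "RemoteUrl": "https://notguiformat.com/"},               # look-alike, must not match
    {"DeviceName": "dev-ws04", "RemoteUrl": "asper1.freeddns.org:443"},                 # bare host:port form
]

if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{hit.table:20} {hit.device:10} {hit.indicator}  {hit.detail}")
```

The suffix check (`host == ioc or host.endswith("." + ioc)`) is the part worth copying into a SIEM rule: a plain substring match on the domain list would also fire on look-alike domains and miss nothing, but it would produce noise that analysts learn to ignore.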

Detection Engineering

```yaml
---
title: Potential Argamal COM Hijacking Persistence
id: 6c88c0d0-7c9a-4d5e-8b8b-0c9f0d0d0d0d
description: Detects registry modifications associated with Argamal malware persistence via Windows Color System Calibration Loader COM hijacking.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://otx.alienvault.com/pulse/66619c31d8458515740e6f79
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    # Split into three selections: a YAML mapping cannot repeat a key, so
    # 'TargetObject|contains' and 'Details|contains' each appear once.
    selection_key:
        TargetObject|contains: '\InprocServer32'
    selection_dll:
        Details|contains: 'Mscms.dll' # Windows Color System Calibration Loader
    selection_path:
        Details|contains:
            - 'AppData'
            - 'Temp'
            - 'Downloads'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation (rare)
level: high
---
title: TroyDen / GriefLure Suspicious Process Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects execution of specific processes associated with TroyDen (LuaJIT) and GriefLure (sfsvc.exe) campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://otx.alienvault.com/pulse/66619c2ed8458515740e6f73
    - https://otx.alienvault.com/pulse/6663a729d8458515740e6f8f
tags:
    - attack.execution
    - attack.t1204
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\sfsvc.exe'
            - '\360.dll' # Loading as process or unusual execution
    filter:
        ParentImage|contains: '\Program Files'
    condition: selection and not filter
falsepositives:
    - Legitimate developer use of LuaJIT (if in Program Files)
level: medium
---
title: Malware Distribution TDS Network Connection
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects network connections to domains associated with the TDS malware distribution ecosystem observed in OTX pulses.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://otx.alienvault.com/pulse/66619c2ed8458515740e6f75
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'guiformat.com'
            - 'forestoaker.com'
            - 'maxdatahost1.cyou'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
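To make the semantics of the rules above concrete, here is a small evaluator added as an example; it is not code from the original advisory and it is not the Sigma project's own tooling (pySigma). It implements only the subset of Sigma the rules rely on: fields inside a selection are ANDed, a list of values for one field is ORed unless the `all` modifier is present, `contains`/`startswith`/`endswith` are case-insensitive, and the conditions `<name>`, `<a> and not <b>` and `all of <glob>` are supported. The COM hijacking rule (InprocServer32 key, Mscms.dll in the value, value under a user-writable path) and the process rule with its Program Files parent filter are written as Python dicts of the same shape a YAML loader would produce; the registry and process events at the bottom are constructed samples.

```python
"""Minimal evaluator for the Sigma-rule subset used above (added example)."""
from __future__ import annotations

import fnmatch


def _match_value(field_value: str, modifier: str, pattern: str) -> bool:
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "contains":
        return p in fv
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "":
        return fv == p  # exact match when no modifier is given
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(event: dict, spec_key: str, spec_value) -> bool:
    """spec_key looks like 'TargetObject|contains|all'; a missing field never matches."""
    field, *mods = spec_key.split("|")
    require_all = "all" in mods
    mods = [m for m in mods if m != "all"]
    modifier = mods[0] if mods else ""
    if field not in event:
        return False
    values = spec_value if isinstance(spec_value, list) else [spec_value]
    results = [_match_value(str(event[field]), modifier, str(v)) for v in values]
    return all(results) if require_all else any(results)


def match_selection(event: dict, selection: dict) -> bool:
    # All fields of a selection must match (AND).
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    condition = detection["condition"].strip()
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    if condition.startswith("all of "):
        names = fnmatch.filter(results, condition[len("all of "):])
        return bool(names) and all(results[n] for n in names)
    if " and not " in condition:
        left, right = (s.strip() for s in condition.split(" and not ", 1))
        return results[left] and not results[right]
    return results[condition]


def run_rules(rules: list[dict], events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule title, event index) for every rule/event pair that fires."""
    return [(r["title"], i) for r in rules for i, ev in enumerate(events) if evaluate(r, ev)]


ARGAMAL_COM_HIJACK = {
    "title": "Potential Argamal COM Hijacking Persistence",
    "detection": {
        "selection_key": {"TargetObject|contains": "\\InprocServer32"},
        "selection_dll": {"Details|contains": "Mscms.dll"},
        "selection_path": {"Details|contains": ["AppData", "Temp", "Downloads"]},
        "condition": "all of selection_*",
    },
}

SUSPICIOUS_PROCESS = {
    "title": "TroyDen / GriefLure Suspicious Process Execution",
    "detection": {
        "selection": {"Image|endswith": ["\\luajit.exe", "\\sfsvc.exe"]},
        "filter": {"ParentImage|contains": "\\Program Files"},
        "condition": "selection and not filter",
    },
}

# Constructed sample events (not real telemetry; the GUID is a placeholder).
EVENTS = [
    # 0: per-user CLSID pointing at a DLL copy under AppData -> fires
    {"TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\CLSID\\{CONSTRUCTED-GUID}\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\ColorSys\\mscms.dll"},
    # 1: the genuine registration under System32 -> selection_path fails, no alert
    {"TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{CONSTRUCTED-GUID}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\mscms.dll"},
    # 2: luajit.exe started from Downloads by a downloaded installer -> fires
    {"Image": "C:\\Users\\alice\\Downloads\\tool\\luajit.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe"},
    # 3: luajit.exe started by an IDE installed under Program Files -> filtered out
    {"Image": "C:\\Users\\bob\\.lua\\luajit.exe",
     "ParentImage": "C:\\Program Files\\JetBrains\\idea64.exe"},
]

if __name__ == "__main__":
    for title, idx in run_rules([ARGAMAL_COM_HIJACK, SUSPICIOUS_PROCESS], EVENTS):
        print(f"{title}: event {idx}")
```

Running this against the four sample events fires the COM hijacking rule on event 0 only and the process rule on event 2 only; event 1 shows why the user-writable-path selection matters (the legitimate System32 registration also mentions Mscms.dll), and event 3 shows the effect of the parent-image filter.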


```kql
// Hunt for known malicious file hashes from GriefLure and TDS campaigns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
    "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```


```powershell
# IOC Hunt Script: Argamal COM Hijacking Registry Check
# Checks for suspicious modifications to the Windows Color System Calibration Loader.
# Per-user CLSID registrations under HKCU take precedence over HKLM, so an
# InprocServer32 default value that points outside System32 is the classic hijack shape.
$clsidPath = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID"
$targetDll = "Mscms\.dll"   # regex: escape the dot so only the literal DLL name matches
# Legitimate registrations may use the literal path or an environment variable.
$systemPath = "(C:\\Windows|%SystemRoot%|%windir%)\\System32\\"

if (Test-Path $clsidPath) {
    $clsids = Get-ChildItem $clsidPath -ErrorAction SilentlyContinue
    foreach ($clsid in $clsids) {
        $inprocPath = Join-Path $clsid.PSPath "InprocServer32"
        if (Test-Path $inprocPath) {
            $defaultValue = (Get-ItemProperty $inprocPath -ErrorAction SilentlyContinue)."(default)"
            if ($defaultValue -and $defaultValue -match $targetDll) {
                # Alert only when the DLL is loaded from a non-standard location
                if ($defaultValue -notmatch $systemPath) {
                    Write-Host "[ALERT] Potential Argamal COM Hijacking detected at: $($clsid.Name)" -ForegroundColor Red
                    Write-Host "   Suspicious Value: $defaultValue"
                }
            }
        }
    }
}
Write-Host "Scan Complete."
```


# Response Priorities

**Immediate (0-24h):**
*   **Block IOCs:** Update firewall, DNS, and EDR blocklists with provided domains (`guiformat.com`, `forestoaker.com`, `asper1.freeddns.org`) and file hashes.
*   **PAN-OS Triage:** Immediately inspect PA-Series firewall logs for signs of exploitation related to CVE-2026-1281/CVE-2026-1340. Apply vendor patches or mitigations if available.
*   **Hunt for `sfsvc.exe`:** Scan endpoints for the presence of `sfsvc.exe` (GriefLure indicator) outside of standard paths.

**24-48h:**
*   **Credential Audit:** Given the prevalence of Redline and LummaStealer, initiate forced password resets and MFA re-enrollment for developer accounts and users who may have downloaded "game" or "tool" packages recently.
*   **GitHub Governance:** Query internal proxy logs for connections to `raw.githubusercontent.com` or `github.com` involving repositories with biological/medical naming conventions (TroyDen indicators).

**1 Week:**
*   **Architecture Hardening:** Review and restrict execution of LuaJIT and unsigned binaries in developer environments.
*   **COM Hardening:** Implement ASR rules or GPO policies to restrict COM object creation/hijacking capabilities for standard users.
*   **Vulnerability Management:** Complete patch cycle for PAN-OS devices and review other perimeter appliances for similar exposure.
