The latest OTX pulses highlight a convergence of credential theft, infostealing, and targeted espionage operations. The most notable activity involves TroyDen's Lure Factory, a campaign utilizing over 300 GitHub repositories to deliver LuaJIT-based infostealers (Redline, LummaStealer) via AI-generated biological taxonomy lures. This is complemented by the Argamal RAT campaign, which hides malware within adult games using COM hijacking for persistence. Additionally, the Operation GriefLure APT campaign demonstrates highly targeted spear-phishing against telecom and healthcare sectors in Vietnam and the Philippines, leveraging legal document decoys. A critical PAN-OS Zero-Day (CVE-2026-1340) exploitation has also been observed, providing state-sponsored actors with unauthenticated root access.
Collectively, these campaigns show an aggressive shift towards "living-off-the-land" techniques (GitHub, COM hijacking, legitimate document decoys) to bypass traditional detection. The objective across these events is the theft of credentials, cryptocurrency wallets, and long-term system compromise through RATs and tunneling tools (EarthWorm, ReverseSocks5).
Threat Actor / Malware Profile
TroyDen Lure Factory
- Distribution: GitHub repositories (over 300) hosting malicious delivery packages. Uses AI-generated file names and lure descriptions.
- Payload: LuaJIT-based droppers executing Redline and LummaStealer. Uses a two-component design with Prometheus obfuscator.
- Behavior: Targeted credential theft from browsers, crypto wallets, and gaming accounts (Roblox, Steam).
Argamal / Termixia
- Distribution: Trojanized adult-themed games (hentai) hosted on file-sharing sites like pixeldrain.
- Persistence: COM hijacking via the Windows Color System Calibration Loader DLL (InprocServer32).
- Payload: Downloads and executes a Remote Access Trojan (RAT) after a multi-day dormancy period to evade sandbox analysis.
Operation GriefLure
- Actor: Likely state-sponsored or advanced persistent threat group.
- Vector: Spear-phishing with weaponized legal documents and fabricated whistleblower complaints.
- Payload: Custom implants (sfsvc.exe, 360.dll) facilitating espionage.
CL-STA-1132 (PAN-OS Exploit)
- Vector: Exploitation of a buffer overflow (CVE-2026-1340/CVE-2026-1731) in the PAN-OS User-ID Authentication Portal.
- Payload: Deployment of tunneling tools like EarthWorm and ReverseSocks5 for lateral movement.
IOC Analysis
The provided IOCs include:
- Hostnames & Domains: C2 infrastructure (e.g., asper1.freeddns.org, forestoaker.com) and impersonated domains (e.g., guiformat.com). SOC teams should immediately block these at the perimeter and DNS level.
- File Hashes (SHA1, SHA256, MD5): Specific signatures for Argamal, TroyDen payloads, and Operation GriefLure documents. These should be ingested into EDR and AV signature databases for immediate quarantine.
- CVEs: Multiple PAN-OS CVEs (2026-1340, 2026-1731) indicating active exploitation of firewalls. Vulnerability scanners must be updated to detect these unpatched versions.
- IPv4 Addresses: Specific IPs (e.g., 194.150.220.218, 217.156.122.75) hosting malware or TDS infrastructure. Blocklists should be updated.
Operationalizing these IOCs requires integrating them into SIEM correlation rules (e.g., watching for network connections to bad IPs) and Endpoint Detection and Response (EDR) solutions for file hash matching.
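As an added example (not part of the original pulse), the kind of correlation logic described above, run in Python over constructed DNS, proxy and firewall log lines: the page's domains match on the exact name or any subdomain (not on substrings), IPs match exactly, and every hit is returned per line. Only the indicators quoted in the IOC analysis are used; the log lines are invented for the demo.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the IOC analysis above (domains and IPv4 addresses).
IOC_DOMAINS = {"asper1.freeddns.org", "forestoaker.com", "guiformat.com"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}
# Constructed sample log lines (DNS resolver, web proxy, firewall); not real telemetry.
SAMPLE_LOGS = [
    "dns client=10.1.4.22 query=cdn.forestoaker.com. type=A",
    "dns client=10.1.4.23 query=notforestoaker.com. type=A",
    "proxy src=10.1.4.22 url=http://GUIFORMAT.com/download/setup.exe status=200",
    "proxy src=10.1.4.30 url=https://github.com/example/repo status=200",
    "proxy src=10.1.4.31 url=http://194.150.220.218:8080/gate.php status=302",
    "fw src=10.1.4.40 dst=217.156.122.75 dport=443 action=allow",
]

def norm_host(host):
    # Lowercase and drop the trailing dot that DNS logs often carry.
    return host.strip().lower().rstrip(".")

def host_matches(host, domains):
    """True if host is an IOC domain or a subdomain of one (not a substring match)."""
    h = norm_host(host)
    return any(h == d or h.endswith("." + d) for d in domains)

def extract_candidates(line):
    """Pull the hostname or IP out of query=, url= and dst= fields."""
    out = []
    for key, val in re.findall(r"\b(query|url|dst)=(\S+)", line):
        if key == "url":
            val = urlsplit(val).hostname or ""
        out.append(norm_host(val))
    return out

def match_line(line):
    """Return [(kind, indicator), ...] for one line; empty list if nothing matched."""
    hits = []
    for cand in extract_candidates(line):
        try:
            ip = str(ipaddress.ip_address(cand))
        except ValueError:
            if host_matches(cand, IOC_DOMAINS):
                hits.append(("domain", cand))
        else:
            if ip in IOC_IPS:
                hits.append(("ip", ip))
    return hits

def scan(lines):
    # (line index, hits) for every line that touched an indicator.
    return [(i, match_line(l)) for i, l in enumerate(lines) if match_line(l)]
```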
Detection Engineering
Sigma Rules
---
title: Potential Argamal RAT COM Hijacking Persistence
id: b4d3e7a1-8b9c-4d5f-9e1a-2b3c4d5e6f7a
description: Detects a user-hive (HKCU, shown by Sysmon as HKU\<SID>) CLSID InprocServer32 value being set to a DLL other than Mscms.dll, the Windows Color System Calibration Loader COM hijack used by Argamal RAT for persistence.
author: Security Arsenal
date: 2026/06/08
modified: 2026/06/08
status: experimental
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKU\'
        TargetObject|contains|all:
            - '\Software\Classes\CLSID\'
            - '\InprocServer32'
        Details|endswith: '.dll'
    filter_legit:
        Details|endswith: '\Mscms.dll'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installation modifying color profiles
    - Per-user COM server registrations by user-mode installers
level: high
---
title: Suspicious GitHub Repository Process Execution (TroyDen)
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects execution of scripts or binaries from user profiles originating from GitHub, indicative of potential lure-based malware delivery.
author: Security Arsenal
date: 2026/06/08
modified: 2026/06/08
status: experimental
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains: 'GitHub'
        Image|endswith:
            - '.exe'
            - '.bat'
            - '.cmd'
            - '.vbs'
        CommandLine|contains:
            - 'prometheus'
            - 'luajit'
    condition: selection
falsepositives:
    - Developer tooling execution from GitHub repositories
level: medium
---
title: PAN-OS Exploit Indicators - Nginx Shellcode Injection
id: e7f8g9h0-i1j2-4k3l-m5n6-o7p8q9r0s1t2
description: Detects potential exploitation of PAN-OS firewall via abnormal nginx process behavior indicative of shellcode injection.
author: Security Arsenal
date: 2026/06/08
modified: 2026/06/08
status: experimental
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
    service: pan-os
detection:
    selection:
        LogType|contains: 'SYSTEM'
        Subtype|contains: 'USER_ID'
        ActionFlags|contains: 'policy-deny'
        Module|contains: 'nginx'
        Message|contains:
            - 'overflow'
            - 'buffer'
    condition: selection
falsepositives:
    - Normal firewall deny logs without exploit context
level: critical
KQL (Microsoft Sentinel)
// Hunt for Argamal RAT Registry Persistence
// (CLSID InprocServer32 value set to any DLL other than Mscms.dll; the DLL path is in RegistryValueData, not RegistryKey)
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"\Software\Classes\CLSID\" and RegistryKey endswith @"\InprocServer32"
| where RegistryValueData endswith ".dll"
| where RegistryValueData !endswith @"\Mscms.dll"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName

// Hunt for TroyDen/GitHub Lure Executions
DeviceProcessEvents
| where InitiatingProcessFileName contains "GitHub" or ProcessCommandLine contains "github.com"
| where ProcessCommandLine contains "luajit" or ProcessCommandLine contains "prometheus"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName

// Hunt for Suspicious TDS/Clipper Connections (SessionGate/RemusStealer)
DeviceNetworkEvents
| where RemoteUrl in~ ("forestoaker.com", "guiformat.com", "baxe.pics") or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
PowerShell IOC Hunt Script
# Argamal Persistence Check: Windows Color System Calibration Hijacking
# Flags any per-user (HKCU) COM server registration whose default value is not Mscms.dll.
$TargetKey = "HKCU:\Software\Classes\CLSID"
$Suspects = Get-ChildItem -Path $TargetKey -Recurse -ErrorAction SilentlyContinue | Where-Object {
    $_.PSChildName -eq "InprocServer32"
}
foreach ($Suspect in $Suspects) {
    $DllPath = (Get-ItemProperty -Path $Suspect.PSPath -ErrorAction SilentlyContinue)."(default)"
    # -notlike is case-insensitive; String.EndsWith() would miss "MSCMS.DLL"
    if ($DllPath -and ($DllPath -notlike "*Mscms.dll")) {
        Write-Host "[ALERT] Potential COM Hijack detected at: $($Suspect.PSPath)"
        Write-Host "        Value: $DllPath"
    }
}

# TroyDen/GitHub Lure Check: Suspicious Download/Execution patterns
# Needs an elevated session and the "Include command line in process creation events" audit
# policy. The Event Log XPath subset has no contains(), so the string matching is done in PowerShell.
$GithubProcesses = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object {
        $Data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        ($Data['NewProcessName'] -match 'GitHub|git\.exe') -and ($Data['CommandLine'] -match 'luajit|prometheus')
    }
if ($GithubProcesses) {
    Write-Host "[ALERT] Potential TroyDen execution via GitHub detected."
    $GithubProcesses | Select-Object TimeCreated, Message | Format-Table -AutoSize
}
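As an added example (not part of the original pulse), the COM hijacking check that the Sigma rule, the KQL query and the PowerShell script above all encode, applied in Python to constructed Sysmon Event ID 13 (SetValue) records. It goes one step beyond those checks: because Windows resolves HKCU\Software\Classes ahead of HKLM, a user-hive DLL that shadows an existing machine-wide server is ranked high, while a per-user registration with no HKLM counterpart (an ordinary per-user install) is ranked low. The CLSIDs, SID, paths and HKLM snapshot are placeholders, not the real Color System Calibration Loader values.

```python
import re

# Constructed placeholder CLSIDs; the real Color System Calibration Loader GUID is not used here.
CLSID_COLOR_LOADER = "{11111111-2222-3333-4444-555555555555}"
CLSID_PER_USER_APP = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"

# Constructed snapshot of machine-wide (HKLM) COM servers, as a hunt script would collect it.
HKLM_SERVERS = {CLSID_COLOR_LOADER: r"C:\Windows\System32\Mscms.dll"}

# Sysmon writes HKCU keys as HKU\<SID>\...; only user-hive InprocServer32 values are of interest.
USER_KEY_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)

def evaluate(event):
    """Return 'high', 'low' or None for one Sysmon Event ID 13 record (dict of fields)."""
    if event.get("EventType") != "SetValue":
        return None
    m = USER_KEY_RE.match(event.get("TargetObject", ""))
    if not m:
        return None                      # machine-wide key or not a COM server value
    dll = event.get("Details", "").strip().lower()
    if not dll.endswith(".dll") or dll.endswith("\\mscms.dll"):
        return None                      # same filter as the Sigma/KQL/PowerShell checks
    clsid = m.group(1).upper()
    legit = HKLM_SERVERS.get(clsid)
    if legit and legit.lower() != dll:
        return "high"                    # user hive shadows a machine-wide server
    return "low"                         # per-user server with no HKLM counterpart

def user_key(sid, clsid):
    return "HKU\\" + sid + "\\Software\\Classes\\CLSID\\" + clsid + "\\InprocServer32"

SID = "S-1-5-21-1-2-3-1001"   # constructed
# Constructed sample events (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "TargetObject": user_key(SID, CLSID_COLOR_LOADER),
     "Details": r"C:\Users\victim\AppData\Roaming\Temp\loader.dll"},
    {"EventType": "SetValue", "TargetObject": user_key(SID, CLSID_COLOR_LOADER),
     "Details": r"C:\Windows\System32\Mscms.dll"},
    {"EventType": "SetValue", "TargetObject": user_key(SID, CLSID_PER_USER_APP),
     "Details": r"C:\Users\victim\AppData\Local\SomeApp\app.dll"},
    {"EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID_COLOR_LOADER + "\\InprocServer32",
     "Details": r"C:\Windows\System32\Mscms.dll"},
]

def evaluate_all(events):
    return [evaluate(e) for e in events]
```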
Response Priorities
Immediate:
- Block all hostnames and IPs listed in the IOC analysis at the firewall and proxy level.
- Ingest the provided file hashes into EDR and antivirus for immediate scanning and quarantine.
- Patch PAN-OS firewalls immediately against CVE-2026-1340 and CVE-2026-1731 if vulnerable.
24 Hours:
- Initiate a credential audit for users who may have executed files from GitHub or downloaded the Argamal-infected games. Force password resets and MFA re-enrollment.
- Hunt for the specific COM hijacking registry key changes using the provided PowerShell script across the enterprise.
1 Week:
- Review and restrict access to personal cloud repositories (GitHub) from corporate endpoints to prevent lure execution.
- Enhance email and web filtering to block TDS traffic and known impersonation domains (e.g., guiformat.com).
- Conduct architecture review for firewall management interfaces to ensure they are not exposed to the public internet unnecessarily.