Back to Intelligence

TroyDen Lure Factory & ClickFix RAT: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 8, 2026
6 min read

Live OTX pulses indicate a convergence of sophisticated delivery methods active as of June 2026. A tracked campaign known as TroyDen is leveraging an "AI-Assisted Lure Factory," utilizing large language models to generate GitHub repository names based on obscure biological taxonomy and medical terminology. These repos serve as delivery vehicles for LuaJIT-based payloads, including Redline and LummaStealer.

Simultaneously, a separate campaign dubbed ClickFix has emerged, impersonating job recruitment platforms (LinkedIn, Indeed) via typosquatted domains. This operation uses fake CAPTCHA pages and Google Ads to trick victims into executing commands that deploy portable Python runtimes, ultimately delivering the CastleLoader RAT. Furthermore, a broader Traffic Distribution System (TDS) has been observed impersonating open-source tools (e.g., Ghidra, dnSpy) to distribute SessionGate, RemusStealer, and AnimateClipper. Collectively, these campaigns represent a shift toward AI-driven social engineering and multi-stage TDS frameworks designed to bypass traditional email filters and sandbox analysis.

Threat Actor / Malware Profile

TroyDen (AI Lure Factory)

  • Malware Families: LuaJIT-based Infostealers (Redline, LummaStealer).
  • Distribution: Over 300 delivery packages hosted on GitHub. Uses AI-generated lure names to target developers, gamers, and crypto users.
  • Payload Behavior: Two-component design. Uses Prometheus obfuscator to hide LuaJIT code.
  • Objective: Credential theft, cryptocurrency wallet hijacking, and session cookie extraction.

ClickFix Campaign

  • Malware Families: CastleLoader (Python-based RAT).
  • Distribution: Typosquatted domains of LinkedIn/Indeed. Initial vector involves Google Ads redirecting to fake CAPTCHA pages.
  • Execution Chain: Social engineering -> Fake CAPTCHA -> PowerShell/Cmd -> Finger Protocol/Legacy Windows Utilities -> Portable Python (IronPython/CPython) execution.
  • Objective: Remote Access Trojan (RAT) installation for persistence and lateral movement.

TDS Ecosystem

  • Malware Families: SessionGate, RemusStealer, AnimateClipper.
  • Distribution: Search engine poisoning (SEO) impersonating legitimate tools (Ghidra, SpiderFoot). Uses CloudFront-hosted JavaScript to hijack download buttons.
  • Infrastructure: Strict gating TDS checking first-visit state and anti-bot measures.
  • Objective: Clipboard hijacking (crypto clipping) and infostealing.

IOC Analysis

The provided pulses reveal a mix of infrastructure and payload indicators:

  • Domains: High volume of suspicious domains including teamsvoicehub.com, guiformat.com, and dapala.net. These are primarily used for initial landing pages (fake CAPTCHA/Recruitment) or TDS gatekeeping.
  • IP Addresses: Specific IPs like 194.150.220.218 and 217.156.122.75 serve as the backend infrastructure for the TDS and payload hosting.
  • File Hashes (SHA256): Payload hashes provided for CastleLoader and the TDS droppers (e.g., 08a47436...).
  • Operationalization: SOC teams should immediately ingest these domains and IPs into DNS Firewall and Web Proxy blocklists. File hashes should be added to EDR exclusion allowlists (if false positives are a concern) or, more likely, blocklist/quarantine lists. Network detection should focus on unexpected outbound connections from developer workstations to non-corporate GitHub endpoints or short-lived domains.

Detection Engineering

Sigma Rules

YAML
title: Potential TroyDen LuaJIT Execution via GitHub Lure
id: 8f9a2b1c-3d4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects execution of luajit.exe spawned by git processes or browsers, indicative of TroyDen AI-lure malware delivery.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62fa3b1c9d0e1f
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\lua51.dll'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate developer usage of LuaJIT
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: Suspicious Python Execution via Browser (ClickFix)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects python.exe or ipy64.exe spawned directly by a browser or command shell, a common pattern in the ClickFix campaign delivering CastleLoader.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62fa3b1c9d0e2
logsource:
    category: process_creation
    product: windows
detection:
    selection_python:
        Image|endswith:
            - '\python.exe'
            - '\ipy64.exe'
            - '\pythonw.exe'
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection_python and selection_parent
falsepositives:
    - Legitimate web-based development tools
level: critical
tags:
    - attack.execution
    - attack.t1059.006
---
title: Traffic Distribution System Network Indicators
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects network connections to known TDS and malware distribution infrastructure identified in OTX pulses.
status: experimental
date: 2026/06/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62fa3b1c9d0e3
logsource:
    category: network_connection
    product: windows
detection:
    selection_iocs:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'teamsvoicehub.com'
            - 'guiformat.com'
            - 'dapala.net'
            - 'staruxaproruha.com'
            - 'forestoaker.com'
    condition: selection_iocs
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.c2

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix Python RAT execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("python.exe", "ipy64.exe", "pythonw.exe")
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend HuntContext = "ClickFix_Python_RAT"

// Hunt for network connections to TroyDen/TDS infrastructure
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("teamsvoicehub.com", "guiformat.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "forestoaker.com")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, LocalPort, RemotePort
| extend HuntContext = "TroyDen_TDS_Connections"

// Hunt for specific malware file hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| extend HuntContext = "Malware_Hash_Match"

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for TroyDen and ClickFix Campaigns
.DESCRIPTION
    Scans for specific file hashes and checks DNS cache for malicious domains.
#>

$MaliciousHashes = @(    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886")

$MaliciousDomains = @(    "teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net", "novayastaruxa.com", "guiformat.com", "forestoaker.com", "kevinnotanother.com")

function Check-FileHashes {
    Write-Host "[+] Scanning for malicious file hashes..."
    $paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")
    foreach ($path in $paths) {
        if (Test-Path $path) {
            Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -ErrorAction SilentlyContinue | Where-Object { $MaliciousHashes -contains $_.Hash } | Select-Object Path, Hash, Algorithm | Format-Table
        }
    }
}

function Check-DNSCache {
    Write-Host "[+] Checking DNS Cache for malicious domains..."
    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($domain in $MaliciousDomains) {
        $entries = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
        if ($entries) {
            Write-Host "[ALERT] Found malicious domain in DNS cache: $domain" -ForegroundColor Red
            $entries | Format-List
        }
    }
}

Check-FileHashes
Check-DNSCache

Response Priorities

  • Immediate: Block all listed domains and IP addresses at the perimeter firewall, proxy, and DNS resolver. Quarantine endpoints matching the provided file hashes.
  • 24h: Initiate credential resets for developer and gaming communities if LummaStealer or Redline infection is confirmed, due to their session-stealing capabilities.
  • 1 Week: Review and harden software supply chain policies. Restrict the ability of end-users to download unsigned executables from GitHub or similar repositories. Implement browser restrictions to prevent execution of Python from the web context.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-apttroydenclickfixcastleloaderlummastealertraffic-distribution-system

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action