TeamPCP Said No One Analyzed Their Malware. Challenge Accepted.

Khushal (thread author)
Apr 4, 2024

TeamPCP’s Telnyx Windows Malware: Technical Analysis

Overview

This is a deep analysis of TeamPCP’s second-stage payload targeting Windows machines that was dropped by the malicious Telnyx Python package version 4.87.2.

The malware is downloaded in the form of a WAV file from the remote C2 server when importing the malicious version of Telnyx, decoded using XOR, and then saved as an executable, which is later executed on the machine.

Big thanks to Justin Elze (@HackingLZ) and Giuseppe N3mes1s (@n3mes1s) for helping us get the payload and sharing with us their own findings and analysis.
Thanks for sharing this analysis.

This is a useful example of a software supply-chain attack, where the initial package looks legitimate enough to be installed, but pulls a second-stage payload afterward.

What stands out technically

  • The malicious package reportedly used a trusted-looking package name and versioning context to reduce suspicion.
  • The second-stage payload being disguised as a .wav file is a simple but effective evasion technique, since it can blend in with benign-looking traffic or files.
  • Using XOR decoding is not sophisticated by itself, but it is often enough to hide the payload from very basic inspection.
  • Saving the decoded content as an executable and then launching it shows the package was not just tampered with for nuisance behavior, but designed to deliver a real Windows malware stage.

Why this matters

For defenders, the main lesson is that package reputation alone is not enough. If a dependency:

  • Downloads additional content at import time
  • Executes external binaries
  • Uses obfuscation for downloaded content
  • Contacts unexpected infrastructure

that should be treated as highly suspicious and investigated immediately.

Practical takeaways

  • Pin dependencies and review changes before updating.
  • Use lockfiles and, where possible, internal mirrors or allowlists for approved packages.
  • Monitor developer and CI environments for unusual child processes, outbound connections, and files written into temp or user-writable paths.
  • Inspect packages that perform network activity during installation or import.
  • Submit suspicious artifacts and hashes to multi-engine services such as VirusTotal for broader visibility, while understanding that detections may lag early in a campaign.

Bottom line

Even without claiming anything beyond the published analysis, this case reinforces a familiar point: developer environments are now a high-value target, and package ecosystems remain an efficient delivery path for malware. The safest response is careful dependency control, behavior monitoring, and verification of any package that reaches out for a second stage.

Source
Executive Summary

Confirmed Facts

Telemetry demonstrates that the compromised Python package Telnyx (version 4.87.2) acts as a delivery vector to download an XOR-encoded Stage-2 payload disguised as an audio file (hangup.wav). The payload decodes into a 180 kB Win64 executable that establishes user-level persistence and beacons to hardcoded C2 infrastructure.

Assessment
This is a highly targeted supply-chain attack aimed at developer environments, utilizing steganography to evade static file analysis while facilitating downstream remote access and credential theft.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Software Dependencies
  • T1027.001 - Obfuscated Files or Information: Steganography (WAV/PNG encoding)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059 - Command and Scripting Interpreter (msbuild.exe abuse)

CVE Profile: N/A (supply chain abuse)
CISA KEV Status: Inactive

Telemetry

Payload Artifacts
  • hangup.wav (decodes to a 180 kB Win64 executable)

Persistence Paths
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • ~/.config/sysmon
  • ~/.config/audiomon

Network C2
  • 83[.]142[.]209[.]203
  • modesl[.]litellm[.]cloud
  • checkmarx[.]zone

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight
  • Mandate a freeze on Python package updates and force explicit dependency pinning across all enterprise CI/CD pipelines (e.g., litellm==1.82.6).

DETECT (DE) – Monitoring & Analysis
  • Deploy SIEM hunting queries targeting outbound network connections to 83.142.209[.]203, modesl.litellm.cloud, and checkmarx.zone.
  • Alert on anomalous child processes spawned by Python, specifically unauthorized execution of msbuild.exe.

RESPOND (RS) – Mitigation & Containment
  • Isolate affected developer workstations from the corporate network and production enclaves immediately.
  • Revoke and rotate all cloud access keys, API tokens, and SSH keys present on the compromised endpoints.

RECOVER (RC) – Restoration & Trust
  • Reimage compromised workstations; do not attempt in-place eradication due to the depth of the Remote Access Tool (RAT) capabilities.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
  • Implement Software Composition Analysis (SCA) to automatically block imports of known malicious packages (Telnyx v4.87.2) at the proxy/gateway level.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
  • Disconnect from the internet immediately to sever the remote C2 connection.
  • Do not log into banking, email, or cryptocurrency wallets until the system is verified clean.

Priority 2: Identity
  • Reset all passwords and multi-factor authentication (MFA) tokens using a known clean device (e.g., a mobile phone on a cellular network).

Priority 3: Persistence
  • Check %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ and permanently delete any unrecognized executables.
  • Delete suspicious hidden configuration directories matching ~/.config/sysmon and ~/.config/audiomon.

Hardening & References

  • Baseline: CIS Benchmarks for Windows 10/11 (Developer Workstation profile).
  • Framework: NIST CSF 2.0 / SP 800-61r3.
  • Supply Chain Hardening: Restrict local developer privileges to prevent unmonitored scripts from writing to %APPDATA% startup directories.

Source

TeamPCP's Telnyx Windows Malware: Technical Analysis
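The earlier reply recommends watching developer and CI hosts for unusual child processes, outbound connections and files written to temp or user-writable paths, and the reply above turns that into concrete hunts: connections to the listed C2 addresses, Python spawning msbuild.exe, and writes to the Startup folder. The following is an added example that implements those checks over Sysmon-style JSON events; it is not code from either reply or from any vendor tool. It uses Sysmon's own field names (EventID 1 process create with Image/ParentImage, EventID 3 network connect with DestinationIp/DestinationHostname, EventID 11 file create with TargetFilename). The indicators are copied from the post above and refanged for matching; the events, hostnames, paths and timestamps are constructed.

```python
"""Hunt Sysmon-style JSON events for the behaviours described in the thread (added example)."""
import json
import re

# Indicators copied from the post above, refanged for matching.
IOC_HOSTS = {"modesl.litellm.cloud", "checkmarx.zone"}
IOC_IPS = {"83.142.209.203"}

# User-writable locations: the Startup folder named in the post, plus Temp and AppData\Local.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData\\Local)\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) hits for one event, keyed on Sysmon's field names."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        parent, child = _basename(ev.get("ParentImage", "")), ev.get("Image", "")
        if parent.startswith("python"):
            if _basename(child) == "msbuild.exe":
                hits.append(("python_spawns_msbuild", child))
            if USER_WRITABLE_RE.search(child) or STARTUP_RE.search(child):
                hits.append(("python_spawns_binary_from_user_writable_path", child))
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower().rstrip(".")
        ip = ev.get("DestinationIp", "")
        if host in IOC_HOSTS or ip in IOC_IPS:
            hits.append(("connection_to_known_c2", host or ip))
    elif eid == 11:  # file create
        target = ev.get("TargetFilename", "")
        if STARTUP_RE.search(target):
            hits.append(("write_to_startup_folder", target))
        elif (_basename(ev.get("Image", "")).startswith("python")
              and USER_WRITABLE_RE.search(target)
              and target.lower().endswith(EXEC_EXT)):
            hits.append(("python_writes_executable_to_user_writable_path", target))
    return hits


def hunt(lines) -> list[dict]:
    """Run check_event over newline-delimited JSON events and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "time": ev.get("UtcTime"),
                             "host": ev.get("Computer"), "detail": detail})
    return findings


# Constructed sample events (not real telemetry); host, paths and times are made up.
PY = r"C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python312\\python.exe"
SAMPLE_EVENTS = [
    r'{"EventID": 1, "UtcTime": "2024-04-04 10:00:01", "Computer": "DEV01", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "' + PY + '"}',
    r'{"EventID": 3, "UtcTime": "2024-04-04 10:00:02", "Computer": "DEV01", "Image": "' + PY + r'", "DestinationIp": "83.142.209.203", "DestinationPort": 443}',
    r'{"EventID": 11, "UtcTime": "2024-04-04 10:00:03", "Computer": "DEV01", "Image": "' + PY + r'", "TargetFilename": "C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe"}',
    r'{"EventID": 11, "UtcTime": "2024-04-04 10:00:04", "Computer": "DEV01", "Image": "' + PY + r'", "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Temp\\hangup.wav"}',
    r'{"EventID": 3, "UtcTime": "2024-04-04 10:00:05", "Computer": "DEV01", "Image": "' + PY + r'", "DestinationHostname": "files.pythonhosted.org", "DestinationIp": "203.0.113.10"}',
    r'{"EventID": 1, "UtcTime": "2024-04-04 10:00:06", "Computer": "DEV01", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Three of the six constructed events fire (the msbuild.exe child, the connection to the listed IP, and the Startup-folder write). The hangup.wav write under Temp deliberately does not: a .wav extension is exactly the kind of file these path-and-extension rules ignore, which is why content inspection of what a package downloads at import time is still needed alongside behaviour monitoring.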