Pulse Detail — Threat Intelligence

PULSE NAME

Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK

WHITE TeamPCP AlienVault 2026-03-31 Modified: 2026-04-08

IOCs

MEDIUM VOLUME

TeamPCP uploaded malicious versions of the telnyx Python SDK to PyPI, compromising a package with 750,000 monthly downloads. The attack uses a three-stage architecture: a trojanized package triggers a platform-specific loader, which downloads a second-stage payload hidden in a WAV file using steganography, deploying a credential harvester. The harvester steals various credentials, encrypts them, and exfiltrates to the attacker's C2. The attack works across major operating systems and spreads through Kubernetes clusters. This is part of a broader TeamPCP supply chain campaign that has targeted multiple packages over nine days. The sophisticated attack includes WAV and PNG steganography, hybrid encryption, Kubernetes lateral movement, and a full-featured RAT on Windows with advanced evasion techniques.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1069 T1036.005 T1573.001 T1021.004 T1574.001 T1082 T1140 T1572 T1553.003 T1016 T1087 T1055.002 T1552.003 T1552.001 T1041 T1078 T1027.003 T1059.006 T1070.004 T1027.002 T1021.001

MALWARE FAMILIES

msbuild.exe sysmon.py

Indicators of Compromise (47)

All IPv4 FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	45.148.10.212	—	2026-03-31
FileHash-MD5	05bacbe163ef0393c2416cbd05e45e74	—	2026-03-31
FileHash-MD5	2e3a4412a7a487b32c5715167c755d08	—	2026-03-31
FileHash-MD5	331ab9c032cf95c89d877ee05b46f8d8	—	2026-03-31
FileHash-MD5	4467de8f6d521d6fc6a930fa8ede7017	—	2026-03-31
FileHash-MD5	5870a0bf82bbdf2687d8dce89dfa668f	—	2026-03-31
FileHash-MD5	7d231e938774127ba7487061ebc51e74	—	2026-03-31
FileHash-MD5	97e073abd819d9cdc07705aeaa481f59	—	2026-03-31
FileHash-MD5	b1c6036b046bcf8c80601742ebcc61b0	—	2026-03-31
FileHash-MD5	d2210feb0438c0ce89b5579ef75ae4d4	—	2026-03-31
FileHash-MD5	d528effabbd9cd66aaa11bc8777bb110	—	2026-03-31
FileHash-SHA1	3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a	—	2026-03-31
FileHash-SHA1	42f7861818214222efeadb2fc826dda1cdc90050	—	2026-03-31
FileHash-SHA1	4ce6ad55d8912aacc4ae4c572237131d0b7ba4b5	—	2026-03-31
FileHash-SHA1	512efdfc832b012677341d251670c7192c463b21	—	2026-03-31
FileHash-SHA1	78cd382040eda14e2f8a17ee7387cffdabe96ab5	—	2026-03-31
FileHash-SHA1	85e16077deeaffae3c50d45d99e9dae2c58de53e	—	2026-03-31
FileHash-SHA1	e866b3fa9f87a084b610272580428761e28ad65a	—	2026-03-31
FileHash-SHA1	eee517fe8da4eddf7ead1d01a32606e6beec1adc	—	2026-03-31
FileHash-SHA256	196b5e0e06424a02e360e28e08d7dcfab7ec8946af9477ca352c6cf6b7d4e9bd	—	2026-03-31
FileHash-SHA256	23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5	—	2026-03-31
FileHash-SHA256	485952ba5347aa83f00537a4be0bebb274021f773a0203b65142f1b86dfda34d	—	2026-03-31
FileHash-SHA256	4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a	—	2026-03-31
FileHash-SHA256	5ce544a8db5d0b0953c966384858e4e8a017e7acba2f5f6d0ac8f529d59939d8	—	2026-03-31
FileHash-SHA256	6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a	—	2026-03-31
FileHash-SHA256	7290353a3bc2b18e9ea574d3294b09e28edaa6b038285bb101cf09760f187dcd	—	2026-03-31
FileHash-SHA256	7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9	—	2026-03-31
FileHash-SHA256	8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2	—	2026-03-31
FileHash-SHA256	84edce66f09c55bbb44754411bde4b092288d172734df62fac20d6f794b3a2ec	—	2026-03-31
FileHash-SHA256	8eaf4c4d0b82620bcda29b97896e2da0a754205c035721479f7ceafb817e4466	—	2026-03-31
FileHash-SHA256	a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa	—	2026-03-31
FileHash-SHA256	a9235c0eb74a8e92e5a0150e055ee9dcdc6252a07785b6677a9ca831157833a5	—	2026-03-31
FileHash-SHA256	ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e	—	2026-03-31
FileHash-SHA256	bc40e5e2c438032bac4dec2ad61eedd4e7c162a8b42004774f6e4330d8137ba8	—	2026-03-31
FileHash-SHA256	cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3	—	2026-03-31
FileHash-SHA256	cd6af6c9ba149673ff89a1f1ccc8ec40a265a3b54ad455fbef28dc2967a98e45	—	2026-03-31
FileHash-SHA256	d29deee2e8bec85d2fcaec427f17d677f7de4f8387e00566b0b45ff81157bd31	—	2026-03-31
FileHash-SHA256	d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb	—	2026-03-31
FileHash-SHA256	d6fc0ff06978742a2ef789304bcdbe69a731693ad066a457db0878279830d6a9	—	2026-03-31
FileHash-SHA256	e4e3b176c1255666024d90392e09466a23bf6e8740bf589c6d1ccf2dfff451a4	—	2026-03-31
FileHash-SHA256	e6912e3ec58120bf63edf2e4be6ff2f092c40cfbc655a12f4a463b2ef98d368e	—	2026-03-31
FileHash-SHA256	f66c1ea3b25ec95d0c6a07be92c761551e543a7b256f9c78a2ff781c77df7093	—	2026-03-31
IPv4	83.142.209.11	—	2026-03-31
IPv4	83.142.209.203	—	2026-03-31
domain	aquasecurtiy.org	—	2026-03-31
hostname	scan.aquasecurtiy.org	—	2026-03-31
hostname	tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io	—	2026-03-31

References (1)

↗ https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk