{ "type": "SHA256", "indicator": "a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa", "validation": [], "base_indicator": { "id": 4288017799, "indicator": "a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69cbf2da3eb58fb6304be93b", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK", "description": "TeamPCP uploaded malicious versions of the telnyx Python SDK to PyPI, compromising a package with 750,000 monthly downloads. The attack uses a three-stage architecture: a trojanized package triggers a platform-specific loader, which downloads a second-stage payload hidden in a WAV file using steganography, deploying a credential harvester. The harvester steals various credentials, encrypts them, and exfiltrates to the attacker's C2. The attack works across major operating systems and spreads through Kubernetes clusters. This is part of a broader TeamPCP supply chain campaign that has targeted multiple packages over nine days. The sophisticated attack includes WAV and PNG steganography, hybrid encryption, Kubernetes lateral movement, and a full-featured RAT on Windows with advanced evasion techniques.", "modified": "2026-04-08T11:00:42.881000", "created": "2026-03-31T16:14:18.752000", "tags": [ "credential theft", "rat", "exfiltration", "msbuild.exe", "sysmon.py", "persistence", "steganography", "pypi", "kubernetes", "supply chain" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "msbuild.exe", "display_name": "msbuild.exe", "target": null }, { "id": "sysmon.py", "display_name": "sysmon.py", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "display_name": "T1553.003 - SIP and Trust Provider Hijacking" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 10, "FileHash-SHA1": 8, "FileHash-SHA256": 23, "domain": 1, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 376735, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-04-01T08:36:45.019000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "IPv4": 4, "CIDR": 1 }, "indicator_count": 733, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-03-31T13:04:52.869000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk", "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Sysmon.py", "Msbuild.exe" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69cbf2da3eb58fb6304be93b", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK", "description": "TeamPCP uploaded malicious versions of the telnyx Python SDK to PyPI, compromising a package with 750,000 monthly downloads. The attack uses a three-stage architecture: a trojanized package triggers a platform-specific loader, which downloads a second-stage payload hidden in a WAV file using steganography, deploying a credential harvester. The harvester steals various credentials, encrypts them, and exfiltrates to the attacker's C2. The attack works across major operating systems and spreads through Kubernetes clusters. This is part of a broader TeamPCP supply chain campaign that has targeted multiple packages over nine days. The sophisticated attack includes WAV and PNG steganography, hybrid encryption, Kubernetes lateral movement, and a full-featured RAT on Windows with advanced evasion techniques.", "modified": "2026-04-08T11:00:42.881000", "created": "2026-03-31T16:14:18.752000", "tags": [ "credential theft", "rat", "exfiltration", "msbuild.exe", "sysmon.py", "persistence", "steganography", "pypi", "kubernetes", "supply chain" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "msbuild.exe", "display_name": "msbuild.exe", "target": null }, { "id": "sysmon.py", "display_name": "sysmon.py", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "display_name": "T1553.003 - SIP and Trust Provider Hijacking" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 10, "FileHash-SHA1": 8, "FileHash-SHA256": 23, "domain": 1, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 376735, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-04-01T08:36:45.019000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "IPv4": 4, "CIDR": 1 }, "indicator_count": 733, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-03-31T13:04:52.869000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776233083.4293509 }