TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware

MITRE Techniques

• [T1195 ] Supply Chain Compromise – The attack was delivered by trojanizing a PyPI package (‘trojanized Python package on PyPI’).
• [T1105 ] Ingress Tool Transfer – The second-stage payload is retrieved from attacker infrastructure (‘downloads ringtone.wav from the C2 at 83[.]142[.]209[.]203:8080’).
• [T1027 ] Obfuscated Files or Information – Payloads and strings are obfuscated (base64 and XOR) to evade detection (‘a massive base64-encoded blob assigned to the variable _p’).
• [T1059.006 ] Command and Scripting Interpreter: Python – The malware spawns Python processes and executes code in-memory (‘spawns a detached Python process that decodes and exec() the _p payload’).
• [T1547.001 ] Boot or Logon Autostart Execution: Startup Folder – Windows persistence is achieved via a binary placed in the Startup folder (‘drops it as msbuild.exe in the Windows Startup folder’).
• [T1036 ] Masquerading – The dropped binary is named to appear legitimate and avoid suspicion (‘named to masquerade as Microsoft’s legitimate Build Engine’).
• [T1041 ] Exfiltration Over C2 Channel – Stolen data is bundled, encrypted, and uploaded to attacker C2 via HTTP POST (‘exfiltrated via a raw HTTP POST to the C2’s root endpoint’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communications and payload retrieval use HTTP(S) web protocols and custom headers (‘downloads ringtone.wav … using a spoofed Mozilla/5.0 User-Agent header’).
• [T1218 ] Signed Binary Proxy Execution / Use of Trusted System Utilities – The malware leverages system binaries (openssl, curl) to perform encryption and upload without adding suspicious dependencies (‘relies on the system’s openssl binary’ and uses curl for exfiltration).
• [T1070 ] Indicator Removal on Host – The attack operates in a self-cleaning temporary directory to leave minimal forensic artifacts (‘self-destructing temporary directory’).