As of March 30, 2026, threat actor TeamPCP has evolved its supply chain tactics by compromising the Telnyx Python SDK. This campaign marks a significant technical shift from their previous LiteLLM attack, introducing WAV-based steganography and Windows-specific persistence. Organizations using Telnyx versions 4.87.1 or 4.87.2 should consider their systems fully compromised and downgrade to version 4.87.0 immediately.
Severity: High
Threat Details
1. Initial Compromise & Delivery
- On March 27, 2026, attackers published malicious versions (4.87.1 and 4.87.2) of the Telnyx SDK to PyPI without corresponding source control updates, indicating unauthorized package publishing.
- The malicious code was injected into telnyx/_client.py and executed automatically when the package was imported (import telnyx), requiring no user interaction.
- Impact scope: Any system installing these versions is considered fully compromised.
2. Advanced Evasion Techniques
The attack significantly improves stealth compared to prior campaigns:
- Split-file injection: Malicious code distributed across multiple sections of the file to avoid detection during casual inspection
- Runtime obfuscation: Strings decoded via Base64 wrapper (_d() function) instead of being stored in plaintext
- No static payload: Credential stealer not embedded directly in source code
3. WAV-Based Steganography Payload Delivery
A major innovation in this campaign is the use of audio steganography:
- Malware payload is hidden inside WAV audio files hosted on a C2 server
- Files appear legitimate and pass MIME-type validation
- Payload extraction process:
  - Read WAV audio frames
  - Base64 decode
  - Split data into:
    - First 8 bytes → XOR key
    - Remaining bytes → encrypted payload
  - XOR decryption reconstructs executable code
This approach eliminates malicious code from the package itself, shifting it to runtime delivery and evading code scanning tools.
4. Cross-Platform Execution & Persistence
Unlike the earlier Linux-only LiteLLM attack, this variant targets Linux, macOS, and Windows:
Windows Path (Persistence Focus)
- Downloads hangup.wav (http[:]//83[.]142.209.203:8080) to extract a PE executable.
- Installs as msbuild.exe in the Windows Startup folder.
- Uses an anti-replay lock file (msbuild.exe.lock): if the lock file was modified within the last 12 hours, the payload is not executed again.
Linux/macOS Path
- Executes payload in background using subprocess.Popen
- Downloads ringtone.wav from same C2
- Extracts and runs credential harvester
- Exfiltrates data via encrypted archive (tpcp.tar.gz)
5. Attribution to TeamPCP
Attribution is confirmed through identical tooling reuse, including:
- RSA-4096 public key
- tpcp.tar.gz campaign identifier
- Custom exfiltration headers (X-Filename: tpcp.tar.gz)
- Encryption and execution patterns
This indicates a consistent and evolving threat actor toolkit rather than a copycat campaign.
Recommendations
- Immediately downgrade any installations of Telnyx versions 4.87.1 or 4.87.2 to the last known clean release, 4.87.0.
- Any system that imported the affected versions must be treated as fully compromised. Conduct a full forensic audit to check for credential theft and lateral movement.
- Since the primary goal of the payload is credential harvesting, rotate all API keys, SSH keys, and cloud service credentials (AWS/Azure/GCP) stored on or accessible from the affected machines.
- Scan for unexpected msbuild.exe binaries located in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
- Look for the hidden anti-replay file msbuild.exe.lock. Attackers use attrib +h to hide this file from standard view.
- Configure NIDS or WAF to flag outbound HTTP requests containing the X-Filename: tpcp.tar.gz header.
- Closely monitor CI/CD environments for unexpected network activity, particularly the downloading of external binary or audio payloads.
- Check whether the packages you depend on are published with PyPI “Trusted Publishers” (OIDC). In this case, the lack of an OIDC publishing configuration contributed to the credential-based compromise of the package.
- Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/aa5c475fa5b7251247616a355c501b7745ea90061802b2d54d8938492b758e62/iocs
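The checks above can be scripted for triage. The following is an added example (not code from Trend Micro, Telnyx or the advisory) that flags the malicious telnyx pins in a requirements file or installed environment, looks for the named Startup-folder artifacts, and matches the exfiltration header in log lines; the log line format and sample inputs are constructed assumptions.

```python
"""Triage helpers for the Telnyx 4.87.1/4.87.2 supply chain advisory (example
code, not the vendor's). Indicators are taken from the advisory text; the
HTTP log line format used below is an assumption."""
import re
from pathlib import Path
from importlib import metadata

COMPROMISED_VERSIONS = {"4.87.1", "4.87.2"}   # malicious PyPI releases
CLEAN_VERSION = "4.87.0"                       # last known clean release
STARTUP_ARTIFACTS = ("msbuild.exe", "msbuild.exe.lock")  # persistence + anti-replay lock

def is_compromised_version(version: str) -> bool:
    """True if a telnyx version string is one of the malicious releases."""
    return version.strip() in COMPROMISED_VERSIONS

def installed_telnyx_status() -> str:
    """Report the installed telnyx distribution: 'missing', 'compromised' or 'clean'."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "missing"
    return "compromised" if is_compromised_version(version) else "clean"

_PIN = re.compile(r"^\s*telnyx\s*==\s*([\w.]+)", re.IGNORECASE)

def flag_requirements(requirements_text: str) -> list:
    """Return every pinned telnyx version in a requirements file that is malicious."""
    found = []
    for line in requirements_text.splitlines():
        m = _PIN.match(line)
        if m and is_compromised_version(m.group(1)):
            found.append(m.group(1))
    return found

def find_startup_artifacts(startup_dir) -> list:
    """List advisory-named artifacts present in a Startup folder.
    Directory listing includes files hidden with attrib +h, so the lock file is seen."""
    folder = Path(startup_dir)
    if not folder.is_dir():
        return []
    names = {p.name.lower() for p in folder.iterdir()}
    return [a for a in STARTUP_ARTIFACTS if a in names]

_EXFIL_HEADER = re.compile(r"X-Filename\s*:\s*tpcp\.tar\.gz", re.IGNORECASE)

def is_exfil_request(log_line: str) -> bool:
    """True if a proxy/WAF log line carries the TeamPCP exfiltration header."""
    return _EXFIL_HEADER.search(log_line) is not None

if __name__ == "__main__":
    sample_req = "requests==2.32.0\ntelnyx==4.87.2\n"   # constructed sample
    print("bad pins:", flag_requirements(sample_req), "| installed:", installed_telnyx_status())
    print("exfil:", is_exfil_request('POST /upload HTTP/1.1 "X-Filename: tpcp.tar.gz"'))
```

On Windows, pass the expanded %APPDATA% Startup path from the recommendations to find_startup_artifacts; on CI hosts, run flag_requirements over every lockfile in the build.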
Source:
- https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html