{
	"id": "afe3148d-28c7-4b98-b6a4-b8982a099537",
	"created_at": "2026-04-10T03:20:36.048997Z",
	"updated_at": "2026-04-10T13:12:04.377127Z",
	"deleted_at": null,
	"sha1_hash": "998799486c2bc89b4e7a75b36dc55132d43b45f7",
	"title": "TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477914,
	"plain_text": "TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM\r\nBy John Rainier Navato\r\nPublished: 2026-03-30 · Archived: 2026-04-10 02:12:55 UTC\r\nMalware\r\nMoving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV‑based payloads to steal credentials across Linux, macOS, and Windows.\r\nRead time: 6 min (1528 words)\r\nKey takeaways\r\nAttackers published tainted Telnyx versions 4.87.1 and 4.87.2 to PyPI; the packages activate on import via code injected into _client.py.\r\nThe payload uses split-file injection, runtime Base64 decoding, and WAV-based steganography to hide its credential-stealing malware.\r\nUnlike the earlier LiteLLM incident, the Telnyx variant adds Windows support with Startup folder persistence alongside Linux and macOS execution.\r\nAny system that installed the affected versions should be treated as fully compromised; users are strongly advised to downgrade to the last known clean release, Telnyx 4.87.0, as soon as possible.\r\nThree days after compromising the LiteLLM AI proxy package, TeamPCP struck again. On March 27, 2026, two malicious versions of the Telnyx Python SDK, a cloud communications library with over 700,000 downloads in February, were published to PyPI. The payload represents a clear shift in the campaign's tradecraft, combining credential-stealing code hidden in WAV files via steganography, split-file code injection to evade visual inspection, and the campaign's first Windows-specific persistence mechanism. PyPI quarantined versions 4.87.1 and 4.87.2 at 10:13 UTC (after roughly 6.5 hours of exposure), according to the project's GitHub security advisory.\r\nIn this blog entry, we examine the Telnyx compromise and present our technical analysis, detailing how the malicious packages were weaponized, what changed from the earlier LiteLLM incident, and what defenders should watch for. 
We will update the entry as new information emerges from our monitoring and analysis.\r\nFor background on the broader TeamPCP campaign and the LiteLLM compromise, read our prior analysis: Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise.\r\nhttps://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html\r\nPage 1 of 7\n\nOverview\r\nAt 03:51 UTC on March 27, Telnyx versions 4.87.1 and 4.87.2 appeared on PyPI without any corresponding commits in the upstream GitHub repository. Our analysis confirms that malicious code was injected into telnyx/_client.py, with all execution paths triggered at module scope, meaning a simple import telnyx is sufficient to activate the payload. Any tool that imports the package, including test runners and documentation builders in CI, triggers it just as an application would.\r\nAttribution to TeamPCP is definitive. Our analysis found multiple elements that are byte-for-byte identical to the LiteLLM payload: the RSA-4096 public key, the tpcp.tar.gz campaign ID, the X-Filename: tpcp.tar.gz exfiltration header, the OpenSSL encryption chain (rand + AES-256-CBC + RSA-OAEP + tar), the temporary file naming convention, and the subprocess stdin pipe execution pattern. This confirms reuse of the same toolchain.\r\nAs of writing, we have not been able to determine how TeamPCP obtained the Telnyx project's PyPI publishing credentials. The project's GitHub advisory states that no workflow-level credential exposure was identified, and that PyPI trusted publishing (OIDC) was not configured for the project.\r\nSplit-file injection: Increased evasion\r\nThe LiteLLM payload injected a contiguous block of malicious code between two legitimate code sections, making it visible to anyone scrolling through the file. 
The Telnyx variant improves on this by distributing its malicious components across three widely separated locations in _client.py:\r\nA Base64 decode wrapper function (_d()), buried among the legitimate imports.\r\nThe Linux orchestrator and credential harvester as a 4,428-character Base64 string, placed between __all__ and the class definition.\r\nThe Windows execution path with the WAV steganography logic, appended after all legitimate classes at the end of the file.\r\nAll sensitive strings in the Windows path are obfuscated using the _d() wrapper, which Base64-decodes them at runtime. This differs from LiteLLM, where strings remained in plaintext within the Base64-encoded payload. Decoded values include the Startup folder path, the msbuild.exe filename, and the command-and-control (C\u0026C) URL.\r\nThe shift to audio steganography\r\nThe most significant change from the LiteLLM attack is that the Telnyx variant no longer embeds the credential harvester in the source code. Instead, it downloads the harvester at runtime, hidden inside structurally valid WAV audio files hosted on the C\u0026C server.\r\nOur analysis of the extraction process shows that the WAV file's raw audio frames are read using Python's wave module and Base64-decoded, and the result is then split: the first 8 bytes serve as an XOR key, while the remaining bytes constitute the XOR-encrypted payload. Each byte is XORed against the rotating 8-byte key (key byte i mod 8 for payload byte i) to recover the cleartext.\r\nFigure 4. 
The decoded Base64 payload for Linux downloads the WAV file, decodes it, and runs the resulting payload\r\nAs a result, static analysis of the package source code reveals no harvester logic: the actual credential-stealing script exists only on the C\u0026C server inside audio files. These WAV files pass MIME-type validation as legitimate media, bypass file extension filters, and evade string-based static analysis. This is a significant evasion improvement over the LiteLLM variant, where the full harvester was embedded as a static Base64 blob.\r\nWAV steganography first appeared in the TeamPCP campaign on March 22 in the kamikaze.sh Kubernetes wiper variant, as documented by Aikido. The Telnyx compromise shows the technique maturing from experimental use into production deployment against PyPI, compressing the cycle from prototype to production into just five days.\r\nDual-platform targeting\r\nWhile the LiteLLM payload targeted only Linux systems, the Telnyx variant expands support to include Windows. The Windows execution path downloads hangup.wav from 83[.]142[.]209[.]203:8080, extracts a PE executable via the XOR steganography technique, and installs it as msbuild.exe in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ to establish boot persistence. The filename mimics Microsoft's legitimate MSBuild tool, which is never legitimately found in a user's Startup folder. The executable is launched with the CREATE_NO_WINDOW flag (0x08000000) to suppress any visible window.\r\nAn anti-replay mechanism checks for msbuild.exe.lock; if the lock file was modified within the last 43,200 seconds (12 hours), execution is skipped. The lock file is hidden via attrib +h. This prevents redundant downloads and executions when the package is imported multiple times, reducing network noise and detection risk.\r\nFigure 5. 
The anti-replay lock file mechanism checks the msbuild.exe.lock modification time, skips execution if the file was modified less than 43,200 seconds (12 hours) ago, and hides the lock file via attrib +h\r\nIn the Linux/macOS path, the Base64 payload variable is launched as a detached background process using subprocess.Popen with start_new_session=True and suppressed output. The payload then downloads ringtone.wav from the same C\u0026C server, extracts the credential harvester via the same WAV steganography technique, and feeds it through the standard TPCP exfiltration pipeline (AES-256-CBC + RSA-4096 OAEP -\u003e tpcp.tar.gz -\u003e HTTP POST).\r\nInfrastructure shift\r\nThe Telnyx variant abandons the domain-based HTTPS infrastructure used in LiteLLM and switches to a raw IP address over plaintext HTTP, possibly indicating that the LiteLLM domains were reported and subsequently taken down, forcing the attacker to fall back to direct IP addressing. The move to plaintext HTTP also exposes the WAV file downloads and the exfiltrated tpcp.tar.gz archive to network monitoring, creating a detection opportunity that was not available with the HTTPS-based LiteLLM infrastructure.\r\n                      LiteLLM                              Telnyx\r\nExfiltration          hxxps[://]models[.]litellm[.]cloud/  hxxp[://]83[.]142[.]209[.]203:8080/\r\nC\u0026C server / payload  hxxps[://]checkmarx[.]zone/raw       hxxp[://]83[.]142[.]209[.]203:8080/ (WAV files)\r\nProtocol              HTTPS (encrypted)                    HTTP (plaintext)\r\nAddressing            Domain names                         Direct IP\r\nTable 1. Infrastructure comparison between the LiteLLM and Telnyx variants\r\nConclusion and recommendations\r\nThe Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply‑chain activity, with adjustments to tooling, delivery methods, and platform coverage. 
In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving its delivery from inline Base64 to .pth auto-execution and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.\r\nThe shift from HTTPS domains to plaintext HTTP on a raw IP address may signal mounting infrastructure pressure, but it simultaneously introduces a detection opportunity. In affected environments, indicators may include WAV file downloads from non‑media IP addresses over port 8080, unexpected msbuild.exe binaries in user Startup folders, outbound HTTP requests containing the X‑Filename: tpcp.tar.gz header, and file‑hiding activity such as attrib +h applied to .lock files.\r\nAs a precautionary measure, organizations should downgrade any installations of Telnyx 4.87.1 or 4.87.2 to the last known clean release (4.87.0) and treat systems that imported the affected versions as exposed. Verify the installed version with pip show telnyx before and after the downgrade, and rotate any credentials that were present on those systems. Organizations should also pin all PyPI dependencies by hash, which stops a lockfile from silently resolving to a newly published tainted release, and closely monitor CI/CD environments for unexpected audio file downloads.\r\nProactive security with TrendAI Vision One™\r\nTrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.\r\nTrendAI Vision One™ Threat Intelligence Hub\r\nTrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and the TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform. 
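The WAV extraction scheme described in the audio steganography section above, written out as an added triage example that is not code from this article or from the Telnyx project: extract_payload reads a WAV held in memory with Python's wave module, Base64-decodes the raw frames, splits off the 8-byte key, XORs the remainder against the rotating key, and classify_payload gives a first hint whether a PE (the Windows msbuild.exe drop) or a script (the Linux/macOS harvester) came out. embed_payload is the inverse and exists only to build a constructed, benign sample so the block runs offline; the 16-bit mono format, the 8000 Hz rate, the sample key and the Base64-alphabet heuristic in wav_looks_like_text are assumptions of this example, not details reported for hangup.wav or ringtone.wav.

```python
import base64
import io
import wave

KEY_LEN = 8  # per the analysis above: the first 8 decoded bytes are the rotating XOR key
B64_ALPHABET = frozenset(b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')


def xor_rotating(data: bytes, key: bytes) -> bytes:
    # XOR each byte against the key, cycling through it; the operation is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def read_frames(wav_bytes: bytes) -> bytes:
    # Raw audio frames of an in-memory WAV, exactly what wave.readframes hands back.
    with wave.open(io.BytesIO(wav_bytes), 'rb') as w:
        return w.readframes(w.getnframes())


def extract_payload(wav_bytes: bytes) -> bytes:
    # frames -> Base64 decode -> [8-byte key | ciphertext] -> ciphertext XOR key
    decoded = base64.b64decode(read_frames(wav_bytes), validate=True)
    if len(decoded) <= KEY_LEN:
        raise ValueError('audio frames hold no payload after the XOR key')
    key, ciphertext = decoded[:KEY_LEN], decoded[KEY_LEN:]
    return xor_rotating(ciphertext, key)


def classify_payload(payload: bytes) -> str:
    # Coarse triage: the Windows path drops a PE (msbuild.exe), the Linux/macOS path
    # a script handed to an interpreter; anything else needs a closer look.
    if payload[:2] == b'MZ':
        return 'pe'
    head = payload[:256]
    if head.startswith(b'#!') or b'import ' in head:
        return 'script'
    return 'unknown'


def wav_looks_like_text(wav_bytes: bytes) -> bool:
    # Hunting heuristic (an assumption of this example): genuine audio practically never
    # consists solely of Base64 alphabet bytes, while a carrier built this way always does.
    frames = read_frames(wav_bytes)
    return len(frames) > 0 and all(b in B64_ALPHABET for b in frames)


def embed_payload(payload: bytes, key: bytes, framerate: int = 8000) -> bytes:
    # Inverse of extract_payload, used only to build the constructed sample below:
    # a structurally valid 16-bit mono WAV whose frames are Base64(key + payload XOR key).
    if len(key) != KEY_LEN:
        raise ValueError('key must be exactly 8 bytes')
    frames = base64.b64encode(key + xor_rotating(payload, key))
    buf = io.BytesIO()
    with wave.open(buf, 'wb') as w:
        w.setnchannels(1)
        w.setsampwidth(2)  # Base64 text length is a multiple of 4, so it fills whole 16-bit frames
        w.setframerate(framerate)
        w.writeframes(frames)
    return buf.getvalue()


# Constructed, benign stand-in for a harvester script; not the real payload.
SAMPLE_SCRIPT = b'#!/bin/sh' + bytes([10]) + b'echo constructed sample' + bytes([10])
SAMPLE_KEY = b'examplek'  # assumed 8-byte key for the sample only


def demo() -> dict:
    # Round trip: build the carrier, confirm it parses as WAV, recover and classify the payload.
    carrier = embed_payload(SAMPLE_SCRIPT, SAMPLE_KEY)
    recovered = extract_payload(carrier)
    return {
        'is_riff': carrier[:4] == b'RIFF',
        'frames_look_like_text': wav_looks_like_text(carrier),
        'round_trip_ok': recovered == SAMPLE_SCRIPT,
        'kind': classify_payload(recovered),
    }


if __name__ == '__main__':
    print(demo())
```

To triage a file pulled from a proxy cache (feasible now that the actor serves it over plaintext HTTP), call extract_payload(open(path, 'rb').read()) and inspect the result in a sandbox rather than running it. Everything the carrier holds is in its frames, so the check is independent of the file name, extension and MIME type that the container legitimately passes.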
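The three traits of the split-file injection described above (a small runtime Base64 decode wrapper, a large Base64 literal assigned at module scope, and process creation that runs on import) can be checked mechanically rather than by scrolling. The scanner below is an added example, not tooling from this article or from the Telnyx project: it walks only the import-time statements of a module with Python's ast module and reports each trait with its line number. The 200-character threshold, the set of call names treated as execution, and the constructed SAMPLE_SOURCE and CLEAN_SOURCE modules are assumptions of this example; the real _client.py is not reproduced here.

```python
import ast

B64_CHARS = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')
MIN_BLOB = 200  # assumed threshold for a suspicious literal; the Telnyx blob was 4,428 characters
EXEC_CALLS = {'exec', 'eval', 'subprocess.Popen', 'subprocess.run', 'os.system'}


def _module_scope(stmts):
    # Statements that execute on import: top level plus anything nested in if/try/with/for
    # blocks, but never the bodies of functions or classes (those only run when called).
    for stmt in stmts:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for child in ast.iter_child_nodes(stmt):
            if isinstance(child, ast.stmt):
                yield from _module_scope([child])
            elif isinstance(child, ast.ExceptHandler):
                yield from _module_scope(child.body)


def _call_name(call: ast.Call) -> str:
    # 'exec' for a bare name, 'subprocess.Popen' for a one-level attribute call, else ''.
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id + '.' + func.attr
    return ''


def scan_module_source(source: str) -> list:
    # Returns (kind, line, detail) tuples for the three traits the split-file injection combines.
    findings = []
    for node in _module_scope(ast.parse(source).body):
        # 1. A large Base64-looking string literal assigned at module scope.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            text = node.value.value
            if len(text) >= MIN_BLOB and set(text) <= B64_CHARS:
                findings.append(('base64_blob', node.lineno, f'{len(text)} chars'))
        # 2. A tiny function whose job is to base64-decode its argument (the _d() wrapper).
        if isinstance(node, ast.FunctionDef) and len(node.body) <= 2:
            for call in ast.walk(node):
                if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute) and call.func.attr == 'b64decode':
                    findings.append(('decode_wrapper', node.lineno, node.name))
                    break
        # 3. Process creation or exec/eval reached at module scope, i.e. on import.
        if isinstance(node, (ast.Expr, ast.Assign)):
            for call in ast.walk(node):
                if isinstance(call, ast.Call) and _call_name(call) in EXEC_CALLS:
                    findings.append(('import_time_exec', call.lineno, _call_name(call)))
    return findings


# Constructed stand-in for an injected _client.py, shaped like the three locations described
# above; it is parsed, never executed, and the blob is filler rather than a real payload.
SAMPLE_SOURCE = '''
import base64
import subprocess

def _d(s):
    return base64.b64decode(s).decode()

__all__ = ['Telnyx']

_payload = ''' + repr('aW1wb3J0IG9z' * 40) + '''

class Telnyx:
    pass

subprocess.Popen(['python3', '-c', _payload], start_new_session=True)
'''

# Constructed clean module: process creation inside a method is not an import-time trait.
CLEAN_SOURCE = '''
import subprocess

__all__ = ['Client']

class Client:
    def run(self, cmd):
        return subprocess.run(cmd, check=True)
'''


if __name__ == '__main__':
    for kind, line, detail in scan_module_source(SAMPLE_SOURCE):
        print(kind, line, detail)
```

Point it at an installed copy with scan_module_source(open(path).read()) where path is the site-packages telnyx/_client.py. All three kinds in one file is the combination this variant relies on; a lone subprocess call at module scope is common enough in legitimate code that it should be read, not acted on.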
\r\nEmerging Threats: TeamPCP Hits Telnyx: WAV Steganography and Windows Targeting\r\nTrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nHunting Queries\r\nDetects network connections to the campaign's C\u0026C server\r\neventSubId:201 AND request:\"*83.142.209.203*\"\r\nMore hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.\r\nIndicators of Compromise (IoCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html"
	],
	"report_names": [
		"teampcp-telnyx-attack-marks-a-shift-in-tactics.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791236,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/998799486c2bc89b4e7a75b36dc55132d43b45f7.pdf",
		"text": "https://archive.orkl.eu/998799486c2bc89b4e7a75b36dc55132d43b45f7.txt",
		"img": "https://archive.orkl.eu/998799486c2bc89b4e7a75b36dc55132d43b45f7.jpg"
	}
}