FIRESCALE

FIRESCALE is a fallback command-and-control/dead-drop mechanism used within a 13-file Python second-stage toolkit attributed to TeamPCP and deployed after a supply-chain compromise in the Mini Shai-Hulud campaign. The toolkit targets Linux developer environments, exits on non-Linux systems, and includes anti-analysis checks that terminate execution on Russian-locale systems or hosts with four or fewer CPU cores. Its primary C2 is hardcoded as 83.142.209[.]194; FIRESCALE activates only when that primary address is unreachable, providing operational resilience after C2 disruption. According to the reporting, FIRESCALE queries GitHub’s commit search API at api.github[.]com/search/commits?q=FIRESCALE to obtain alternate C2 information and verifies redirect data with an embedded 4096-bit RSA public key. If both the primary C2 and FIRESCALE path fail, the toolkit falls back again to victim-hosted exfiltration by abusing the victim’s own GitHub account, creating a public repository and uploading stolen data as JSON. The broader toolkit establishes persistence via a systemd service named pgsql-monitor.service, runs 13 modular Python collectors in parallel, and steals credentials and secrets from local files, environment variables, SSH material, Docker containers, password managers, AWS, Azure, GCP, Kubernetes, HashiCorp Vault, package registries, CI/CD systems, VPN configs, Terraform state, and AI coding tools. Collected data is compressed, encrypted with AES-256-GCM, and the session key is wrapped with 4096-bit RSA-OAEP before exfiltration. The reporting also describes a wiper component tied to the same toolkit that checks for Israeli or Iranian indicators and, with a 1-in-6 probability when triggered, downloads RunForCover.mp3 from C2, plays it at maximum volume, and deletes accessible files; Russian-locale systems exit before payload execution. High-confidence infrastructure and indicators mentioned in the content include 83.142.209[.]194, GitHub commit-search use for "FIRESCALE," the persistence service name pgsql-monitor.service, and additional linked IPs 83.142.209[.]11, 83.142.209[.]203, 35.192.220[.]222, 34.66.134[.]145, 35.188.190[.]218, and 136.115.211[.]254.