Titan Infostealer Embedded in AI Assistant PyPI Package

    Date: 06/18/2026

    Severity: High

    Summary

    A malicious PyPI package masquerading as an AI assistant, myra-ai-assistant, was found to contain TITAN, a Python-based infostealer that uses OCR-driven screen monitoring to capture sensitive information such as login pages, emails, IDE sessions, and financial transactions. The malware exfiltrates screenshots, user conversations, and biometric enrollment images to attacker-controlled Firebase infrastructure while blending its traffic with legitimate Google Gemini API communications. Its use of trusted cloud services and social engineering prompts enables stealthy data theft without relying on traditional command-and-control infrastructure. 
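
Added example, not part of the original advisory: a Python check for the package named above in a requirements file and in the current environment. It compares names after PEP 503 normalization, so spelling variants of `myra-ai-assistant` still match. The sample requirements text is constructed, and any version is flagged because the advisory lists none.

```python
import re
from importlib import metadata

# Package name as given in this advisory.
BAD_PACKAGE = "myra-ai-assistant"

def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats myra_ai_assistant, Myra.AI.Assistant
    and myra-ai-assistant as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Leading project name of a requirement line, before extras/specifiers/markers.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def flagged_requirements(text, bad=BAD_PACKAGE):
    """Return (line_number, line) for requirement lines that name the package."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -e)
            continue
        m = _REQ_NAME.match(line)
        if m and normalize(m.group(1)) == normalize(bad):
            hits.append((lineno, raw.strip()))
    return hits

def installed_versions(bad=BAD_PACKAGE):
    """Versions of the package installed for the interpreter running this script."""
    return [d.version for d in metadata.distributions()
            if normalize(d.metadata.get("Name") or "") == normalize(bad)]

# Constructed sample requirements file (not taken from a real project).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
# myra-ai-assistant was suggested in a tutorial
Myra_AI.Assistant[voice]>=1.0 ; python_version >= "3.9"
myra-ai-assistant-helper==0.1
-r base.txt
"""

if __name__ == "__main__":
    for lineno, line in flagged_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {line}")
    print("installed:", installed_versions() or "none")
```

Run it with each interpreter or virtual environment you want to audit, since `installed_versions()` only sees the environment it executes in.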

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent

    https://speen-to-earn.firebaseapp.com

    speen-to-earn.firebaseapp.com

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent" or url like "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent" or siteurl like "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent" or domainname like "https://speen-to-earn.firebaseapp.com" or siteurl like "https://speen-to-earn.firebaseapp.com" or url like "https://speen-to-earn.firebaseapp.com" or domainname like "speen-to-earn.firebaseapp.com" or siteurl like "speen-to-earn.firebaseapp.com" or url like "speen-to-earn.firebaseapp.com"

    Detection Query 2:

    sha256hash IN ("dc6bb520e73f6c340beeeabe1ff3a9835b1fc9602e3c13a12b47310cb1d3ed1e","cf655a330c5425e14d21e207e07efea5b760488ab00a8af9754d7477c0a521b8","2ecac6e18da0f1c970bfef1738a331d93602e411059f6b98bfe9e73ccd6e8a0d","6310d3ec33f905430e5f676693f82e33cc36394cbda497b98c90221246d62cfe","ccc32ea8b6031c8528c9c644bc597d9a11db62cd2c33be6d6e0d0af9881bfb3c","2c7f6f39a5b9ffafd4555f5f090c23a9bc809873ff64a0c4634625f57f00e8c3","eeeaaecef116903dfa4e2b6f7c3281aadabae513996268cb7cfc5353b4fdb8f6","60fe564289d0af6b187cd7caf3f943b2ea87feb52a3415306c4bd612ac8f6aa1","50429e34c6034f820dd4b99ecfeb5cf30fd0b51879cb5d25e23f928ed312656c","eff423e9b4589ddfd79ee23f6e6d9d5ef8d63695ffe9d68a29142ec29f6e6179","b2bf5512ccd3924f1715d6816e1740e05699dbcbd635ebf2f3d018b843b71a71","6554360f3b997d6ebc7e978a1c7dd7fbd9f082d03eedf593d23421b3ab719be8","164b06930c8d556ac6ac4ef0585dbdbb8f1ae5931395890b5e43a782dae2dca4","9b3eacf597e5be5bb4f3222cc41f48d840e1739d0c3ddbe8409fc0fac343fcd","2bb741f84a126ab6e08410661f45e4e5c7a0b386b7256ba63d37ac563a1b57aa","33308868856c7f950d9acebdd8d9b10086fc7028c490d794f0c43989b1d99e34","fefaba854db02cc7cca06a023c1de31d25e9a2690f891adfa78e452c26a5d231","917759fc82a86b681f72c8a7384601d9692e523769442667cf9144e81d80e1e5","76105bc2d917e3563043205d05f3d08d5627a8d0ff443ae2becfff4b7c1ff73e","2cf574b711e8fe9c8c5e693e8e1b9c743daab2410b3016067198ae14cda57ed0","5762b9895f804d82cb534a7f53c4dc2b33b427f1f5cc31dbc2bc73866b10ddb4","719a11540976b4046639c20b082cfcc92b6d66c309333cf93ead620803deac1b","b8b1132a6ad78795389eca2eb605ad76848ffa88617f51d071842065ffb9447b","023e4a254d0fe01229ca36db3cc2437722acd9596e1413084387e72900a8ab83")
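
Added example, not part of the original advisory or of Gurucul's product: a Python triage of proxy log lines against the two network indicators above. Because the summary describes the Gemini endpoint as legitimate Google traffic that the malware blends into, this example alerts only on the Firebase host and records Gemini hits as context. The log format, source names and sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from this advisory's Domains/URLs list.
EXFIL_HOST = "speen-to-earn.firebaseapp.com"
GEMINI_HOST = "generativelanguage.googleapis.com"
GEMINI_PATH = "/v1beta/models/gemini-2.0-flash:generateContent"

def classify(target):
    """Return 'exfil', 'gemini' or None for a logged URL or CONNECT host:port."""
    parts = urlsplit(target if "://" in target else "//" + target)
    host = (parts.hostname or "").rstrip(".").lower()   # exact host, not substring
    if host == EXFIL_HOST:
        return "exfil"
    if host == GEMINI_HOST and parts.path in ("", GEMINI_PATH):
        return "gemini"
    return None

def triage(log_lines):
    """Group hits by source host; only the Firebase host raises an alert."""
    seen = defaultdict(lambda: {"exfil": 0, "gemini": 0})
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:            # malformed line: skip rather than crash
            continue
        src, target = fields[1], fields[3]
        kind = classify(target)
        if kind:
            seen[src][kind] += 1
    return {
        src: {"verdict": "alert" if c["exfil"] else "context-only", **c}
        for src, c in seen.items()
    }

# Constructed proxy log lines: timestamp, source, method, target.
SAMPLE_LOG = [
    "2026-06-17T09:00:01Z ws-014 POST https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent?key=REDACTED",
    "2026-06-17T09:00:03Z ws-014 CONNECT speen-to-earn.firebaseapp.com:443",
    "2026-06-17T09:01:10Z ws-022 POST https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent",
    "2026-06-17T09:02:00Z ws-031 GET https://SPEEN-TO-EARN.firebaseapp.com./",
    "2026-06-17T09:02:05Z ws-040 GET https://speen-to-earn.firebaseapp.com.example.net/",
    "truncated line",
]

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(src, info)
```

In the sample, `ws-022` reaches only the Gemini endpoint and stays context-only, and `ws-040` is ignored because its hostname merely begins with the indicator string.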

    Reference:    

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-16-TITAN-infostealer-embedded%20in-AI-assistant-PyPI-pacakge.txt 


    Tags

    Malware, AI, Python, Infostealer, Exfiltration, Social Engineering, Stealer, Financial Services
