Back to Intelligence

ACR Stealer, OkoBot & Kratos PhaaS: OTX Pulse Analysis — Multi-Vector Credential Theft & RAT Campaigns

SA
Security Arsenal Team
July 17, 2026
6 min read

Threat Summary

Recent OTX pulse data reveals a coordinated surge in credential theft and infostealer operations targeting enterprise and government sectors globally. The intelligence highlights five distinct yet overlapping campaigns involving the ACR Stealer (rebranded Amatera), a Lua-based loader distributing Agent Tesla and XWorm, the GoSerpent backdoor targeting SE Asian diplomatic entities, the OkoBot framework focusing on cryptocurrency theft, and the Kratos PhaaS platform automating Microsoft 365 account takeovers.

Collectively, these campaigns demonstrate a shift towards "ClickFix" social engineering (ACR, OkoBot), fileless execution via Lua scripts (TTF Trap), and the commoditization of phishing kits (Kratos). The primary objective across all vectors is the harvesting of credentials, sensitive data exfiltration, and financial theft via cryptocurrency wallet compromise.

Threat Actor / Malware Profile

Malware / ActorDistribution MethodPayload BehaviorC2 CommunicationPersistenceAnti-Analysis
ACR Stealer / AmateraClickFix social engineering lures; WebDAV-delivered payloads.Python loader; Steganography used to hide configs.Blockchain C2 infrastructure; utilizes *.icu domains.Registry run keys / Scheduled tasks (implied).Obfuscation; Steganography.
The TTF Trap (Lua Loader)Phishing emails with malicious archives; impersonates well-known companies.Drops obfuscated JavaScript; deploys AutoIt or LuaJIT loaders.Hardcoded C2 domains; deploys Agent Tesla, XWorm, Remcos.Registry AutoRun; Startup folder.Donut shellcode; Heavy script obfuscation.
TetrisPhantom / GoSerpentLikely spear-phishing or supply chain (specific targeting implied).Go-based RAT; Proxy capabilities; Deploys Mimikatz/QuarksDumpLocalHash.Encrypted (AES-CBC, ChaCha20) communications.Windows Service manipulation.Custom encryption; Go binary packing.
OkoBot FrameworkClickFix attacks; Fake software on GitHub.TookPS PowerShell scripts; SSH Bot; Browser extension injectors (Rilide).SSH Tunneling; C2 domains including *.online TLDs.Browser extensions; Scheduled tasks.PowerShell obfuscation.
Kratos PhaaSPhishing-as-a-Service kits distributed via dark web.Reverse proxy kits; Anti-bot verification; M365 login spoofing.Dedicated infrastructure; extensive use of compromised domains.N/A (External infrastructure).CAPTCHA/Anti-bot integration.

IOC Analysis

The provided indicators of compromise (IOCs) consist of:

  • Domains & Hostnames: A high volume of suspicious domains, primarily utilizing TLDs such as .icu, .online, .guru, and specific country-code TLDs (.de, .my). These serve as Command and Control (C2) servers for stealer malware and landing pages for PhaaS campaigns.
  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with Lua loaders, AutoIt scripts, Go binaries, and PowerShell payloads.

Operational Guidance: SOC teams should immediately block the listed domains at the perimeter (firewall/DNS proxy) and within secure web gateways. File hashes should be uploaded to EDR solutions for scanning. The prevalence of .icu and .online TLDs in this dataset suggests a specific TLD heuristic might be useful for temporary alerting, though caution is advised to avoid false positives.

Detection Engineering

Sigma Rules

YAML
title: Potential ACR Stealer or OkoBot ClickFix Activity
description: Detects suspicious PowerShell execution patterns associated with ClickFix campaigns, including WebDAV interactions and base64 encoded commands.
status: experimental
date: 2026/07/17
references:
    - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-activity/
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'WebClient'
            - 'DownloadString'
    filter_webdav:
        CommandLine|contains: 'WebDAV'
    condition: selection and filter_webdav
falsepositives:
    - Administrative scripts
level: high
---
title: Suspicious Lua or AutoIt Script Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\autoit3.exe'
            - '\lua53.exe'
            - '\luac.exe'
            - '\wscript.exe'
    selection_parent:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\outlook.exe'
    condition: selection_img and selection_parent
date: 2026/07/17
level: high
tags:
    - attack.defense_evasion
    - attack.execution
---
title: GoSerpent Backdoor Process Activity
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\go.exe'
    selection_network:
        CommandLine|contains:
            - 'connect'
            - 'proxy'
    condition: selection and selection_network
date: 2026/07/17
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known malicious domains from OTX Pulses
let MaliciousDomains = dynamic([
    "proton-network.com", "strainedeasily.icu", "looksta.icu", "raidher.icu", 
    "apigrokcloud.icu", "deep-harborio.com", "zealpraxis.com", "prism-vertex.com",
    "taikei-rmc-co.biz", "allportcargoservice.com", "vilaribit.com",
    "coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com",
    "buenne.de", "enerdizerandtron.de", "ihrsupportcenter.de", "rundwasser.de",
    "sonnenbrillenspot.de", "abal.my", "starwellmedia.com"
]);
DeviceNetworkEvents
| where RemoteUrl in (MaliciousDomains) 
   or RemoteUrl has_any (".icu", ".online") // Broad heuristic for investigation
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Count desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for ACR Stealer, OkoBot, and Associated Malware
.DESCRIPTION
    Checks running processes against known malicious hashes and hunts for registry keys
    associated with common persistence mechanisms found in these pulses.
#>

# Known Malicious Hashes from Pulses
$MaliciousHashes = @(
    "511ba918e1781ff38310530801b8cec5",
    "c029ceede8f8f8c8a4f58687e6681536fe4cc97b",
    "41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be",
    "2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279",
    "417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b",
    "ebffd5a76aaa690bcdb922f82e0bacc5",
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2"
)

Write-Host "[*] Scanning running processes for known malicious hashes..." -ForegroundColor Cyan

$Processes = Get-Process
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.Path
        if ($FilePath -and (Test-Path $FilePath)) {
            $Hash = (Get-FileHash -Path $FilePath -Algorithm MD5).Hash.ToLower()
            if ($MaliciousHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS PROCESS FOUND: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor Red
                Write-Host "    Path: $FilePath"
            }
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[*] Checking for suspicious network connections to C2 domains..." -ForegroundColor Cyan

$Domains = @(
    "proton-network.com", "taikei-rmc-co.biz", "coffeesaloon.online", "kbeautyreviews.com"
)

$TCPConnections = Get-NetTCPConnection -State Established
foreach ($Conn in $TCPConnections) {
    try {
        $OwningProcess = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        $RemoteAddress = $Conn.RemoteAddress
        
        # Resolve IP to Hostname to check against domain list
        $HostName = [System.Net.Dns]::GetHostEntry($RemoteAddress).HostName
        
        foreach ($Domain in $Domains) {
            if ($HostName -like "*$Domain*") {
                Write-Host "[!] SUSPICIOUS CONNECTION FOUND: $HostName ($RemoteAddress)" -ForegroundColor Red
                Write-Host "    Local Process: $($OwningProcess.ProcessName) (PID: $($OwningProcess.Id))"
            }
        }
    } catch {
        # Ignore resolution errors
    }
}

Write-Host "[*] Hunt complete."

Response Priorities

  • Immediate:

    • Block all IOCs (domains, hashes) at the firewall, proxy, and EDR levels.
    • Isolate any endpoints identified by the PowerShell hunt script.
    • Kill suspicious processes matching the Lua/AutoIt or GoSerpent profiles.
  • 24 Hours:

    • Conduct identity verification for all users who may have interacted with the Kratos PhaaS pages (specifically M365 account login attempts from unusual geo-locations).
    • Rotate credentials for any accounts potentially exposed to ACR Stealer or OkoBot.
    • Review browser extension logs for unauthorized installations (Rilide).
  • 1 Week:

    • Implement stricter filtering for WebDAV requests and PowerShell usage policies to mitigate ClickFix vectors.
    • Harden M365 configuration with Conditional Access policies to block legacy authentication and suspicious login flows used by PhaaS kits.
    • Update security awareness training to include "ClickFix" and fake browser update social engineering techniques.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsacr-stealerokobotkratos-phaasgoserpentcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.