Back to Intelligence

Argamal RAT, RemusStealer & ClickFix: Multi-Platform Credential Theft Campaigns

SA
Security Arsenal Team
June 6, 2026
5 min read

Recent OTX pulses indicate a surge in credential theft campaigns utilizing diverse delivery vectors, including "living-off-the-land" binaries, traffic distribution systems (TDS), and social engineering lures. The activity encompasses the Argamal and Termixia malware families targeting gamers via COM hijacking, a sophisticated TDS ecosystem distributing RemusStealer and SessionGate through impersonated developer tools, and the Operation GriefLure APT campaign focusing on military telecom in Vietnam and healthcare in the Philippines. Additionally, a PAN-OS zero-day (CVE-2026-1340, CVE-2026-1731) is being actively exploited to deploy tunneling tools like EarthWorm, while macOS users face ClickFix attacks delivering Macsync and AMOS stealers.

The collective objective of these campaigns is credential harvesting (corporate, crypto, and banking), persistent access via RATs, and lateral movement through compromised edge infrastructure.

Threat Actor / Malware Profile

Argamal / Termixia (Pulse 1)

  • Distribution: Hidden in adult-themed (hentai) games.
  • Persistence: COM Hijacking. Specifically targets the Windows Color System Calibration Loader DLL by replacing the InprocServer32 registry entry.
  • Behavior: Dwell time of several days before downloading and executing a Remote Access Trojan (RAT). Uses PowerShell for execution.

RemusStealer / SessionGate / AnimateClipper (Pulse 2)

  • Distribution: Large-scale TDS impersonating open-source tools (Ghidra, dnSpy). Uses CloudFront-hosted JavaScript for click hijacking.
  • Behavior: RemusStealer exfiltrates browser data; AnimateClipper replaces cryptocurrency wallet addresses in the clipboard; SessionGate hijacks active sessions.
  • C2: Communicates with IPs like 194.150.220.218 and domains on non-standard ports (e.g., :48261).

Operation GriefLure (Pulse 3)

  • Actor: Likely state-sponsored or sophisticated criminal group targeting high-value sectors (Telecom, Healthcare).
  • Distribution: Spear-phishing with weaponized RTF documents utilizing legitimate legal document templates as lures.
  • Payload: Custom implants (sfsvc.exe, 360.dll) utilizing Living-off-the-Land (LotL) techniques.

IOC Analysis

The provided pulses present a high volume of actionable indicators across multiple categories:

  • File Hashes: A mixture of SHA1, MD5, and SHA256 hashes (e.g., 02819d200d1424882af81cb504b3e8614b32397a, 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886). SOC teams should immediately load these into EDR solutions for quarantine.
  • Network Infrastructure: Domains utilizing Dynamic DNS (freeddns.org) and specific TLDs (.cfd, .pics) alongside hardcoded IPv4 addresses (194.150.220.218, 217.156.122.75). These should be blocked at the perimeter.
  • CVEs: Critical vulnerability indicators for PAN-OS devices (CVE-2026-1340, CVE-2026-1731, etc.) requiring immediate patching.
  • Operationalization: Decoders are not strictly necessary for standard hash/IP lookups, but the TDS URLs require web proxy logs to identify users attempting to download the impersonated software.

Detection Engineering

Sigma Rules

YAML
title: Potential Argamal COM Hijacking Persistence
id: 6f3b2c1a-8e9d-4a2b-9c5d-1e0f3a4b5c6d
description: Detects registry modifications associated with Argamal malware persistence via Windows Color System Calibration Loader COM hijacking.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/625a3c2d4e1f6b001c8e9d0a
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'CLSID\\{d1e6c267-24c6-4e3d-a4a7-0e0b9736df21}\\InprocServer32'
    condition: selection
falsepositives:
    - Legitimate system calibration software (rare)
level: high
---
title: Suspicious PowerShell Download via Non-Standard Port
description: Detects PowerShell downloading content from IPs or domains on non-standard ports, typical of TDS malware delivery like RemusStealer.
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/625a3c2d4e1f6b001c8e9d0b
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadString'
            - 'IEX'
    selection_port:
        CommandLine|re: ':[0-9]{4,5}/'
    filter_legit:
        CommandLine|contains: 
            - 'windowsupdate.com'
            - 'microsoft.com'
    condition: all of selection_* and not filter_legit
falsepositives:
    - System administration scripts
level: medium
---
title: MacOS ClickFix Terminal Command Execution
description: Detects execution of suspicious shell commands via Terminal often seen in ClickFix campaigns targeting macOS users with fake utility lures.
id: b2c3d4e5-6789-01ab-cdef-234567890abc
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/625a3c2d4e1f6b001c8e9d0c
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/Terminal.app/Contents/MacOS/Terminal'
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'bash -c'
            - 'echo'
    exclusion:
        ParentImage|endswith:
            - '/Xcode.app/'
            - '/Visual Studio Code.app/'
    condition: selection and not exclusion
falsepositives:
    - Legitimate developer activity
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Argamal Persistence Registry Changes
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "CLSID" and RegistryKey contains "InprocServer32"
| where RegistryKey contains "d1e6c267-24c6-4e3d-a4a7-0e0b9736df21"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName
;
// Hunt for Network Connections to Malicious IOCs
DeviceNetworkEvents
| where RemoteUrl has_any ("guiformat.com", "forestoaker.com", "jihiz.com", "kayeart.com", "baxe.pics", "asper1.freeddns.org")
  or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Argamal COM Hijacking artifacts.
.DESCRIPTION
    Checks the registry for the specific InprocServer32 modification used by Argamal.
#>

$Path = "HKLM:\SOFTWARE\Classes\CLSID\{d1e6c267-24c6-4e3d-a4a7-0e0b9736df21}\InprocServer32"
$ExpectedDefault = "%SystemRoot%\system32\mscms.dll"

if (Test-Path $Path) {
    $CurrentValue = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
    
    if ($CurrentValue -ne $ExpectedDefault) {
        Write-Host "[!] ALERT: Potential Argamal COM Hijacking Detected." -ForegroundColor Red
        Write-Host "    Path: $Path"
        Write-Host "    Expected: $ExpectedDefault"
        Write-Host "    Current:  $CurrentValue"
        
        # Check file existence of the payload
        if ($CurrentValue -match "^[a-zA-Z]:\\.+" -and (Test-Path $CurrentValue)) {
            Write-Host "    Payload File Exists: YES"
            $FileHash = Get-FileHash -Path $CurrentValue -Algorithm SHA256
            Write-Host "    Payload Hash: $($FileHash.Hash)"
        }
    } else {
        Write-Host "[+] System Clean: No COM hijacking detected on Windows Color System Calibration Loader." -ForegroundColor Green
    }
} else {
    Write-Host "[?] Registry path not found. System may be clean or using different defaults." -ForegroundColor Yellow
}

Response Priorities

  • Immediate:

    • Block all domains and IPs listed in the IOC section at the firewall and proxy level.
    • Scan endpoints for the SHA256 hashes provided (e.g., 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886).
    • Patch PAN-OS firewalls against CVE-2026-1340 and CVE-2026-1731 immediately.

  • 24h:

    • Initiate credential reset for privileged accounts if credential theft (RemusStealer/Argamal) is suspected.
    • Hunt for the specific registry key HKCR\CLSID\{d1e6c267-24c6-4e3d-a4a7-0e0b9736df21} across the environment using the provided script.
    • Investigate logs for access to impersonated domains like guiformat.com.

  • 1 Week:

    • Review software supply chain policies to mitigate TDS risks (block non-approved software downloads).
    • Deploy application controls to prevent unsigned executables from running in user directories.
    • Conduct a review of remote access (VPN/RDP) logs for anomalous behavior that might indicate EarthWorm tunneling.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsargamal-ratremusstealercredential-theftclickfixapt-campaign

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action