Recent OTX Pulse data reveals a converging trend in credential theft operations utilizing highly diverse initial access vectors. Threat actors are distributing information stealers and RATs—including Argamal, RemusStealer, and Macsync/AMOS—through a mix of socially engineered lures ranging from adult-themed gaming and fake open-source developer utilities to fabricated macOS troubleshooting guides.
The infrastructure supporting these campaigns is sophisticated. The Impersonation/TDS pulse indicates a professional Traffic Distribution System (TDS) utilizing CloudFront to filter victims before delivering payloads like SessionGate and AnimateClipper. Simultaneously, the PAN-OS Zero-Day exploitation (CL-STA-1132) suggests state-aligned actors leveraging EarthWorm and ReverseSocks5 to tunnel through compromised perimeter appliances, likely to facilitate stealthy C2 traffic for these stealers. Collectively, these operations aim to harvest session cookies, crypto wallets, and system credentials for initial access brokering and financial fraud.
Threat Actor / Malware Profile
Malware Families:
- Argamal / Termixia: Delivered via "hentai" game installers. Uses COM Hijacking for persistence by modifying the InprocServer32 entry for the Windows Color System Calibration Loader DLL. Establishes a RAT after a dwell period of several days.
- RemusStealer / SessionGate: Distributed via a Traffic Distribution System (TDS) impersonating tools like Ghidra and dnSpy. Specialized in browser credential and cryptocurrency wallet theft (clipping).
- Macsync / Shub Stealer / AMOS: Targeting macOS users via "ClickFix" tactics. Fake utility sites prompt users to run malicious Terminal commands, resulting in the installation of info stealers that exfiltrate Keychain data and browser sessions.
- EarthWorm / ReverseSocks5: Tunneling tools observed in the PAN-OS exploitation campaign, used to proxy traffic through compromised firewalls.
Distribution Vectors:
- SEO Poisoning & TDS: Fake websites mimicking legitimate security tools.
- Social Engineering (Gaming/Mac): Malicious game files and fake tech support blogs.
- Spear Phishing: Weaponized legal documents targeting Telecom and Healthcare sectors (Operation GriefLure).
- Exploitation: Unauthenticated RCE on PAN-OS firewalls.
IOC Analysis
The provided IOCs span multiple layers of the kill chain:
- Domains & Hostnames: Numerous suspicious domains (e.g., guiformat.com, forestoaker.com, jihiz.com) associated with TDS landing pages and C2 infrastructure. SOC teams should immediately block these at the perimeter.
- File Hashes: A significant volume of SHA1 and SHA256 hashes corresponding to the malware droppers (Argamal), malicious RTF documents (GriefLure), and infostealer payloads. These should be loaded into EDR solutions for execution blocking.
- CVEs: Critical attention required for CVE-2023-33538 and the cluster of 2025/2026 PAN-OS vulnerabilities. These indicate an active exploit chain for perimeter breach.
- IPs: IPs such as 194.150.220.218 are linked to direct payload hosting.
Operationalizing IOCs: Utilize SIEM integrations to correlate file hash execution with network connections to the listed domains. Decode the TDS URLs to identify redirection patterns characteristic of the SessionGate campaign.
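The hash-execution to network-connection correlation described above, as an added Python example that is not part of the original report: it reads constructed JSON-lines endpoint telemetry (the event shape is assumed, not a real EDR schema), matches the hashes, domains and IPs listed in this report, and rates a connection to a listed host as high confidence only when the same host and PID started a process carrying a listed hash within a short window.

```python
import json
from datetime import datetime, timedelta

# Indicator values copied from the report; SAMPLE_LOG below is constructed telemetry, not real data.
IOC_DOMAINS = {"guiformat.com", "forestoaker.com", "jihiz.com", "asper1.freeddns.org"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}
IOC_HASHES = {"02819d200d1424882af81cb504b3e8614b32397a",                          # SHA1
              "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"}  # SHA256
SAMPLE_LOG = """
{"ts":"2026-06-06T09:00:01","host":"WS01","pid":4120,"type":"process","sha1":"02819d200d1424882af81cb504b3e8614b32397a","image":"setup.exe"}
{"ts":"2026-06-06T09:03:40","host":"WS01","pid":4120,"type":"network","remote_host":"forestoaker.com","remote_ip":"194.150.220.218"}
{"ts":"2026-06-06T09:05:00","host":"WS02","pid":880,"type":"process","sha256":"87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886","image":"ghidra_setup.exe"}
{"ts":"2026-06-06T09:10:00","host":"WS03","pid":1500,"type":"network","remote_host":"guiformat.com","remote_ip":"198.51.100.7"}
{"ts":"2026-06-06T11:30:00","host":"WS02","pid":880,"type":"network","remote_host":"jihiz.com","remote_ip":"203.0.113.9"}
"""

def parse_events(text):
    """Parse non-empty JSON lines and turn the ISO timestamp into a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return events

def ioc_hash(ev):
    """Lower-cased SHA1/SHA256 of a process event if it is a listed hash, else None."""
    for key in ("sha1", "sha256"):
        if ev.get(key, "").lower() in IOC_HASHES:
            return ev[key].lower()
    return None

def ioc_remote(ev):
    """Listed domain (preferred) or IP that a network event reached, else None."""
    if ev.get("remote_host", "").lower() in IOC_DOMAINS:
        return ev["remote_host"].lower()
    return ev["remote_ip"] if ev.get("remote_ip") in IOC_IPS else None

def correlate(events, window=timedelta(minutes=15)):
    """Report each IOC-bound connection; 'high' confidence when the same host/pid started
    a listed-hash process at most `window` earlier, otherwise 'medium' (indicator only)."""
    started = {}  # (host, pid) -> (start time, matched hash)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process" and (h := ioc_hash(ev)):
            started[(ev["host"], ev["pid"])] = (ev["ts"], h)
        elif ev["type"] == "network" and (r := ioc_remote(ev)):
            seen = started.get((ev["host"], ev["pid"]))
            linked = seen is not None and timedelta(0) <= ev["ts"] - seen[0] <= window
            hits.append({"host": ev["host"], "pid": ev["pid"], "remote": r,
                         "hash": seen[1] if linked else None, "confidence": "high" if linked else "medium"})
    return hits
```

On the sample data only WS01 is rated high; WS02 ran a listed binary but its connection to jihiz.com falls outside the window, so it surfaces as an indicator-only hit to be triaged rather than a confirmed chain.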
Detection Engineering
Sigma Rules
---
title: Potential Argamal COM Hijacking Persistence
id: 6f3b1a1c-5a6c-4b7a-9c8d-1e2f3a4b5c6d
description: Detects registry modifications associated with Argamal malware persisting via COM hijacking of the Windows Color System Calibration Loader.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c9e8d81c64160893f9a7c7/
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # both substrings must be present in the written key path
        TargetObject|contains|all:
            - '\Software\Classes\CLSID\'
            - '\InprocServer32'
        Details|contains: '.dll'
    filter_legit:
        Details|contains:
            - 'C:\\Windows\\System32\\'
            - 'C:\\Windows\\SysWOW64\\'
            - '%SystemRoot%\\System32\\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installing shell extensions
level: high
---
title: Suspicious Child Process of Browser via TDS
id: 7a4b2c2d-6b7d-4e8f-9a0b-1c2d3e4f5a6b
description: Detects browsers spawning suspicious shells or scripts, a common behavior in Traffic Distribution System (TDS) malware delivery like RemusStealer.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c9e8d81c64160893f9a7c8/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    parent:
        # the browser is the parent of the event, so match ParentImage, not Image
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    img:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\mshta.exe'
    suspicious_cli:
        CommandLine|contains:
            - '/c'
            - 'powershell'
            - 'cmd.exe'
    condition: parent and img and suspicious_cli
falsepositives:
    - Legitimate web-based utilities
level: medium
---
title: Operation GriefLure Spear Phishing Pattern
id: 8b5c3d3e-7c8e-5f9a-0b1c-2d3e4f5a6b7c
description: Detects Office applications spawning child processes consistent with the GriefLure campaign's weaponized documents.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c9e8d81c64160893f9a7c9/
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: selection
falsepositives:
    - Legitimate macro usage
level: high
KQL (Microsoft Sentinel)
// Hunt for Argamal and RemusStealer IOCs and behaviors
let IOCs = dynamic([
    "asper1.freeddns.org", "guiformat.com", "forestoaker.com", "jihiz.com",
    "194.150.220.218", "217.156.122.75",
    "02819d200d1424882af81cb504b3e8614b32397a", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
]);
// Network connections to C2 or TDS hosts (has_any also matches a listed domain inside a full URL)
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    // File hash matches
    DeviceFileEvents
    | where SHA1 in (IOCs) or SHA256 in (IOCs)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
)
| union (
    // GriefLure suspicious process creation: in DeviceProcessEvents the parent is InitiatingProcessFileName
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "WINWORD.EXE" and FileName in~ ("powershell.exe", "cmd.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
)
PowerShell Hunt Script
<#
.SYNOPSIS
    IOC Hunt for Argamal Persistence and Malicious Files
.DESCRIPTION
    Checks for registry hijacks associated with Argamal and scans for
    specific file hashes related to the active OTX pulses.
#>
Write-Host "[+] Starting Argamal & Stealer IOC Hunt..." -ForegroundColor Cyan

# 1. Check for COM Hijacking (Argamal Persistence)
# HKCU is inspected as well as HKLM: per-user CLSID entries override machine-wide ones during COM lookup,
# which is why COM hijacks are often planted there.
Write-Host "[*] Checking Registry for Windows Color System Hijacks..." -ForegroundColor Yellow
$clsidPaths = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    "Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID"
)
foreach ($clsidPath in $clsidPaths) {
    if (-not (Test-Path $clsidPath)) { continue }
    # Direct children of CLSID are the individual class keys; no recursion needed
    Get-ChildItem -Path $clsidPath -ErrorAction SilentlyContinue | ForEach-Object {
        $inprocPath = Join-Path -Path $_.PSPath -ChildPath "InprocServer32"
        if (Test-Path $inprocPath) {
            $defaultValue = (Get-ItemProperty -Path $inprocPath -ErrorAction SilentlyContinue)."(default)"
            # Flag any in-proc server DLL that does not resolve under the Windows system directories
            # (-notmatch is case-insensitive; %SystemRoot% covers the expandable-string form)
            if ($defaultValue -and $defaultValue -notmatch 'C:\\Windows\\(System32|SysWOW64)|%SystemRoot%') {
                Write-Host "[!] Suspicious DLL found at: $inprocPath" -ForegroundColor Red
                Write-Host "    Value: $defaultValue" -ForegroundColor Red
            }
        }
    }
}

# 2. File Hash Scan
# The indicator list mixes SHA1 (40 hex) and SHA256 (64 hex) values, so every file is hashed once
# with each algorithm and compared against the whole set, instead of being re-hashed per indicator.
Write-Host "[*] Scanning for known malicious file hashes..." -ForegroundColor Yellow
$targetHashes = @(
    "02819d200d1424882af81cb504b3e8614b32397a",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6"
) | ForEach-Object { $_.ToLower() }
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "    Searching drive $drive..."
    Get-ChildItem -Path $drive -Recurse -File -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.rtf | ForEach-Object {
        try {
            $sha1   = (Get-FileHash -Path $_.FullName -Algorithm SHA1   -ErrorAction Stop).Hash.ToLower()
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
            if ($targetHashes -contains $sha1 -or $targetHashes -contains $sha256) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        } catch {}
    }
}
Write-Host "[+] Hunt complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block all domain and IP IOCs at the firewall and proxy level.
  - Patch all PAN-OS firewalls against the referenced CVEs (CVE-2023-33538, CVE-2025-55182, CVE-2026-1340) and review logs for indicators of EarthWorm activity.
  - Run the PowerShell hunt script on endpoints to identify Argamal persistence mechanisms.
- 24 Hours:
  - Initiate credential reset for users with potential exposure to fake dev-tool sites or gaming lures.
  - Review web gateway logs for traffic to pixeldrain.com and specific CloudFront fronts linked to the TDS infrastructure.
  - Isolate systems flagged by the Sigma rules for forensic imaging.
- 1 Week:
  - Implement application allow-listing to prevent the execution of unauthorized gaming or utility software.
  - Deploy DNS filtering to block new TDS domains identified through threat intelligence feeds.
  - Conduct security awareness training focused on "ClickFix" social engineering and verifying software download sources.