
Argamal RAT, RemusStealer, and Operation GriefLure: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 6, 2026

Excerpt

Active credential theft campaigns targeting gamers and devs, alongside PAN-OS zero-day exploitation. Critical detection rules included.

Threat Summary

Recent OTX pulses indicate a surge in diverse threat activity, ranging from consumer-focused infostealers to sophisticated APT operations and critical infrastructure exploitation. The primary theme across these pulses is the commoditization of credential theft and initial access vectors.

  • The "Gamer" Vector: The Argamal campaign demonstrates a shift towards niche social engineering, hiding RATs within adult-themed games (hentai) to deploy Termixia and establish persistence via COM hijacking.
  • The Supply Chain/Researcher Vector: A massive Traffic Distribution System (TDS) is impersonating popular security tools (Ghidra, dnSpy) to deliver SessionGate and RemusStealer. This SEO poisoning operation targets technical users, leveraging fake sites and CloudFront redirection to bypass filters.
  • The macOS Vector: ClickFix campaigns have evolved to target macOS users, utilizing fake utility lures and Terminal commands to deliver AMOS and PhantomPulse.
  • The APT Vector: Operation GriefLure represents a highly targeted spear-phishing campaign against military telecom (Viettel) and healthcare (Philippines) sectors, utilizing legal document lures.
  • The Critical Infrastructure Vector: A state-sponsored actor (CL-STA-1132) is actively exploiting a PAN-OS zero-day (Captive Portal RCE) to deploy tunneling tools like EarthWorm and ReverseSocks5.

Threat Actor / Malware Profile

Argamal & Termixia

  • Distribution: Malicious adult game installers hosted on platforms like PixelDrain.
  • Behavior: Argamal acts as a dropper, executing after a multi-day delay to evade analysis. It downloads the Termixia RAT.
  • Persistence: Uses COM Hijacking by modifying the InprocServer32 entry for the Windows Color System Calibration Loader DLL (mscms.dll context).
  • Targets: Gamers in Russia, Brazil, and Germany.

RemusStealer & SessionGate

  • Distribution: Professional-looking SEO poisoning sites impersonating freeware (guiformat.com, Ghidra clones). Traffic is routed through a TDS that validates user interaction before delivering payloads.
  • Behavior: SessionGate focuses on session hijacking; RemusStealer targets cryptocurrency and browser data.
  • Targets: Developers and researchers in Brazil, France, Germany, Poland, UK, and Russia.

Operation GriefLure

  • Actor: Unknown APT group.
  • Distribution: Spear-phishing emails containing weaponized legal documents and fake whistleblower complaints.
  • Malware: Custom implants (sfsvc.exe, 360.dll) utilizing living-off-the-land binaries.
  • Targets: Viettel Group (Vietnam) and St. Luke's Medical Center (Philippines).

CL-STA-1132 (PAN-OS Exploitation)

  • Actor: Likely state-sponsored.
  • Vulnerability: Buffer overflow in PAN-OS User-ID Authentication Portal (CVE-2026-1281 and related CVEs).
  • Payload: EarthWorm (tunneling) and ReverseSocks5 for lateral movement.
  • Targets: Global, exploiting edge firewalls.

IOC Analysis

The pulses provide over 250 indicators, primarily:

  • Domains (High Priority): guiformat.com (TDS/Impersonation), jihiz.com, kayeart.com (ClickFix), www.whatsappcenter.com (GriefLure), asper1.freeddns.org (Argamal C2).
  • IPs: 194.150.220.218, 217.156.122.75 associated with the TDS infrastructure.
  • File Hashes: SHA1 and SHA256 hashes for the malware loaders (Argamal, RemusStealer) and decoy documents.
  • CVEs: A cluster of CVEs (CVE-2026-1281, CVE-2025-66478) related to the PAN-OS exploitation.

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter. File hashes should be loaded into EDR solutions for quarantine. The PAN-OS CVEs require immediate patching or signature updates on firewall devices.
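As an added example (not from the original post or the Security Arsenal rule set), the following Python matches the domain and IP indicators listed above against constructed proxy log lines. A domain IOC matches the host itself and any subdomain of it, but not a lookalike that merely contains the string, and the dynamic-DNS indicator stays scoped to the specific hostname (asper1.freeddns.org) rather than the whole freeddns.org zone. The log format and the log lines are made up for the example; bintail.com and forestoaker.com are taken from the KQL hunt further down the page.

```python
"""Match the pulses' network IOCs against constructed proxy log lines."""
import ipaddress
from typing import Dict, List, Optional

# Domain and IP indicators as listed on this page.
IOC_DOMAINS = {
    "guiformat.com", "jihiz.com", "kayeart.com", "www.whatsappcenter.com",
    "asper1.freeddns.org", "bintail.com", "forestoaker.com",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in ("194.150.220.218", "217.156.122.75")}

# Constructed log lines: "<timestamp> <src_ip> <dst_host_or_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2026-06-08T09:12:01Z 10.10.4.21 updates.example.com 443 ALLOW
2026-06-08T09:13:44Z 10.10.4.21 cdn.guiformat.com 443 ALLOW
2026-06-08T09:15:02Z 10.10.7.9 194.150.220.218 80 ALLOW
2026-06-08T09:16:30Z 10.10.2.3 guiformat.com.example.net 443 ALLOW
2026-06-08T09:17:11Z 10.10.9.1 asper1.freeddns.org 8443 ALLOW
2026-06-08T09:18:05Z 10.10.9.1 other.freeddns.org 443 ALLOW
"""


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk label suffixes: "cdn.guiformat.com" -> "guiformat.com" matches,
    # while "guiformat.com.example.net" never yields "guiformat.com" as a suffix.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def classify(dst: str):
    """Return (ioc, kind) for a destination field, or (None, None)."""
    try:
        if ipaddress.ip_address(dst) in IOC_IPS:
            return dst, "ip"
        return None, None
    except ValueError:  # not an IP literal, so treat it as a hostname
        ioc = domain_matches(dst)
        return (ioc, "domain") if ioc else (None, None)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit record per log line whose destination is a listed IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the hunt
        ts, src, dst, port = parts[:4]
        ioc, kind = classify(dst)
        if ioc:
            hits.append({"timestamp": ts, "src": src, "dst": dst, "port": port,
                         "ioc": ioc, "type": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['src']} -> {hit['dst']} "
              f"matches {hit['type']} IOC {hit['ioc']}")
```

Run against the sample, three lines fire (the guiformat.com subdomain, the TDS IP, and the Argamal dynamic-DNS host); the lookalike domain and the unrelated freeddns.org host do not.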

Detection Engineering

Sigma Rules

YAML
title: Potential Argamal RAT COM Hijacking Persistence
id: 1a2b3c4d-5e6f-4a7b-8c9d-1e2f3a4b5c6d  # placeholder UUID (must be hex); generate a fresh one before deployment
description: Detects modifications to InprocServer32 registry keys often associated with Argamal COM hijacking via Windows Color System Calibration Loader.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/12345678 # Placeholder for Argamal Pulse
tags:
    - attack.persistence
    - attack.t1546.015  # Event Triggered Execution: Component Object Model Hijacking
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'CLSID'
            - 'InprocServer32'
        Details|contains:
            - '.dll'
    filter_legit:
        Details|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            # REG_EXPAND_SZ values written by legitimate installers
            - '%SystemRoot%\System32\'
            - '%SystemRoot%\SysWOW64\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installing custom handlers
level: high
---
title: Suspicious Connection to Fake Freeware/TDS Domains
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects network connections to domains associated with the SessionGate/RemusStealer TDS ecosystem (e.g., guiformat.com impersonation).
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/87654321 # Placeholder for TDS Pulse
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'guiformat.com'
            - 'freeddns.org'
            - 'maxdatahost1.cyou'
    condition: selection
falsepositives:
    - Legitimate access to these specific domains if owned by authorized entities (unlikely for listed IOCs)
level: critical
---
title: MacOS ClickFix Terminal Download Execution
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects macOS suspicious Terminal commands often used in ClickFix campaigns to download payloads from external domains.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/11223344 # Placeholder for ClickFix Pulse
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_shell:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
            - '/bin/zsh'
    selection_download:
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_exec:
        CommandLine|contains:
            - ' | bash'
            - ' | sh'
            - ' | zsh'
            - ' > /dev/null'
    selection_terminal:
        # ClickFix tells the victim to paste the command into Terminal, so the
        # terminal emulator is required context, not an exclusion. Depending on
        # the EDR, the direct parent may be the login shell spawned by Terminal.
        ParentImage|endswith:
            - '/Terminal.app/Contents/MacOS/Terminal'
            - '/iTerm2'
    condition: all of selection_*
falsepositives:
    - Admins running curl manually for updates (rare)
level: medium
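To see how the first Sigma rule above (COM hijacking via InprocServer32) behaves on realistic telemetry, here is an added Python example, not part of the original post or the Security Arsenal rule set, that applies the same selection and filter_legit logic to a handful of constructed Sysmon Event ID 13 records. The records, the CLSIDs in them and the HOST_ENV mapping are all made up for the example. It also shows why the Details value needs to be normalised (quotes stripped, %SystemRoot% expanded, case folded) before the System32/SysWOW64 prefix filter is applied: otherwise a REG_EXPAND_SZ value written by a legitimate installer fires the rule, and an attacker-quoted path slips past a naive prefix check.

```python
"""Evaluate the COM-hijack registry rule over constructed Sysmon Event ID 13 records."""
import re
from typing import Dict, List

# Constructed registry_set events in Sysmon Event ID 13 shape; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign: OS component registering in System32
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0000-AAAA}\\InprocServer32\\(Default)",
        "Details": "C:\\Windows\\System32\\mscms.dll",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
    },
    {  # per-user hive overriding HKLM for the same CLSID: the COM hijack shape
        "TargetObject": "HKU\\S-1-5-21-1234\\SOFTWARE\\Classes\\CLSID\\{0000-AAAA}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\victim\\AppData\\Roaming\\Calibrate\\loader.dll",
        "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\GameSetup.exe",
    },
    {  # benign, but stored as REG_EXPAND_SZ: a naive prefix check fires on it
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0000-BBBB}\\InprocServer32\\(Default)",
        "Details": "%SystemRoot%\\system32\\example.dll",
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
    },
    {  # same key family, but not the server path value
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0000-CCCC}\\InprocServer32\\ThreadingModel",
        "Details": "Apartment",
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
    },
    {  # benign, quoted path
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0000-DDDD}\\InprocServer32\\(Default)",
        "Details": "\"C:\\Windows\\SysWOW64\\example32.dll\"",
        "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
    },
]

# Prefixes the rule's filter_legit trusts, in normalised (lower-case) form.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# How %VAR% expands on the monitored host (assumed values for the example).
HOST_ENV = {"systemroot": "C:\\Windows", "windir": "C:\\Windows"}


def normalize_path(details: str) -> str:
    """Strip surrounding quotes, expand %VAR% from HOST_ENV, unify slashes, lower-case."""
    path = details.strip().strip('"')
    path = re.sub(r"%([^%]+)%",
                  lambda m: HOST_ENV.get(m.group(1).lower(), m.group(0)), path)
    return path.replace("/", "\\").lower()


def matches_rule(event: Dict[str, str], normalize: bool = True) -> bool:
    """Apply selection (CLSID + InprocServer32 + .dll) and not filter_legit."""
    target = event["TargetObject"].lower()
    if "clsid" not in target or "inprocserver32" not in target:
        return False
    details = event["Details"]
    if ".dll" not in details.lower():
        return False
    path = normalize_path(details) if normalize else details.lower()
    return not path.startswith(TRUSTED_PREFIXES)


def hunt(events: List[Dict[str, str]], normalize: bool = True) -> List[str]:
    """Return the TargetObject of every event the rule fires on."""
    return [e["TargetObject"] for e in events if matches_rule(e, normalize)]


if __name__ == "__main__":
    print("normalised :", hunt(SAMPLE_EVENTS))
    print("naive      :", hunt(SAMPLE_EVENTS, normalize=False))
```

With normalisation only the per-user hijack fires; the naive comparison also flags the REG_EXPAND_SZ and quoted System32 entries, which is the false-positive load a production version of the rule has to absorb if Details is matched as a raw string.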

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to known TDS and Argamal infrastructure.
// has_any matches the IOC domain anywhere in RemoteUrl (subdomains and paths
// still match, which an exact "in" comparison would miss); RemoteIP is matched exactly.
let IocDomains = dynamic([
    "guiformat.com",
    "asper1.freeddns.org",
    "www.whatsappcenter.com",
    "jihiz.com",
    "kayeart.com",
    "bintail.com",
    "forestoaker.com"
]);
let IocIps = dynamic(["194.150.220.218", "217.156.122.75"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (IocDomains) or RemoteIP in (IocIps)
| extend IoC_Type = iff(isnotempty(RemoteUrl), "Domain", "IP")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, IoC_Type

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt for Argamal COM Hijacking persistence indicators.
.DESCRIPTION
    Checks for suspicious InprocServer32 modifications under CLSID keys.
    HKCU only covers the user running the script; run it in each interactive
    user's context (or walk HKU) to catch per-user hijacks that shadow HKLM.
#>

$SuspiciousPaths = @()
$CLSIDPaths = @("HKLM:\SOFTWARE\Classes\CLSID", "HKCU:\SOFTWARE\Classes\CLSID")
# Trusted locations, compared after expanding %SystemRoot% and stripping quotes
$TrustedPrefixes = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

foreach ($Path in $CLSIDPaths) {
    if (Test-Path $Path) {
        $CLSIDs = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue
        foreach ($CLSID in $CLSIDs) {
            $ServerPath = Join-Path -Path $CLSID.PSPath -ChildPath "InprocServer32"
            if (Test-Path $ServerPath) {
                $DefaultVal = Get-ItemProperty -Path $ServerPath -Name "(default)" -ErrorAction SilentlyContinue
                # '\.dll' is a regex: an unescaped "." would match any character
                if ($DefaultVal -and $DefaultVal."(default)" -match '\.dll') {
                    # Normalize REG_EXPAND_SZ values and quoted paths before the prefix check
                    $DllPath = [Environment]::ExpandEnvironmentVariables($DefaultVal."(default)").Trim('"')
                    $Trusted = $false
                    foreach ($Prefix in $TrustedPrefixes) {
                        if ($DllPath.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                            $Trusted = $true
                        }
                    }
                    if (-not $Trusted) {
                        $SuspiciousPaths += [PSCustomObject]@{
                            Hive   = $Path.Split(':')[0]
                            CLSID  = $CLSID.PSChildName
                            Path   = $DllPath
                            # A registered server that no longer exists on disk is a classic hijack target
                            Exists = Test-Path -LiteralPath $DllPath
                            Risk   = "High"
                        }
                    }
                }
            }
        }
    }
}

if ($SuspiciousPaths.Count -gt 0) {
    Write-Host "[!] Potential COM Hijacking detected:" -ForegroundColor Red
    $SuspiciousPaths | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious CLSID InprocServer32 entries found." -ForegroundColor Green
}

Response Priorities

  • Immediate:
    • Block all listed domains and IPs on perimeter firewalls and proxies.
    • Patch PAN-OS devices against CVE-2026-1281 and related CVEs immediately.
    • Scan endpoints for the SHA1/SHA256 file hashes provided in the pulses.
  • 24h:
    • Hunt for Argamal persistence (COM Hijacking) and RemusStealer execution artifacts.
    • Initiate credential reset for users who may have accessed the flagged TDS domains (guiformat.com) or downloaded infected game files.
    • Review logs for access to www.whatsappcenter.com (GriefLure C2).
  • 1 Week:
    • Update browser policies to block downloads from non-approved software repositories (mitigates TDS/SEO poisoning).
    • Conduct awareness training regarding "ClickFix" social engineering and fake troubleshooting sites.
    • Implement stricter Egress filtering to detect EarthWorm/ReverseSocks5 tunneling activity.
