
CastleLoader RAT, SessionGate TDS, and Gamaredon GammaSteel: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 5, 2026
9 min read

The latest OTX pulses indicate a convergence of opportunistic financial crime and state-sponsored cyberespionage. Three distinct threat campaigns have been identified:

  1. ClickFix / CastleLoader Campaign: A sophisticated phishing operation is abusing trust in job platforms (LinkedIn, Indeed) via typosquatted domains. This campaign utilizes "ClickFix" techniques—fake CAPTCHAs that trick users into executing malicious PowerShell or Batch commands. These commands download and execute portable Python runtimes to deliver remote access trojans (RATs).

  2. Malware Distribution Ecosystem (SessionGate): A large-scale Traffic Distribution System (TDS) is hijacking search traffic for popular open-source tools (e.g., Ghidra, dnSpy). This operation uses "click hijacking" via CloudFront-hosted JavaScript to redirect victims to malicious payloads, including stealers like RemusStealer and cryptocurrency clippers.

  3. Gamaredon (UAC-0010) GammaSteel: The Russian FSB-linked APT group continues relentless attacks against Ukrainian entities. The focus is on "GammaSteel," an in-memory stealer that utilizes Windows DPAPI and registry persistence (HKCU\Printers) to exfiltrate sensitive data without touching the disk.

Collectively, these pulses reveal a landscape where adversaries are increasingly relying on social engineering (fake job offers, fake software sites) and fileless execution techniques (Python runtimes, in-memory payloads) to evade traditional signature-based defenses.

Threat Actor / Malware Profile

CastleLoader (ClickFix Campaign)

  • Distribution Method: Typosquatting of job platforms (LinkedIn, Indeed), distributed via malicious Google Ads.
  • Attack Vector: Victims are served fake CAPTCHA pages (ClickFix). Clicking "Verify" executes a hidden command (often leveraging mshta or PowerShell) via the legacy Finger protocol.
  • Payload Behavior: The command retrieves a portable Python runtime (CPython/IronPython). This Python environment is then used to execute the CastleLoader RAT payload, likely to establish initial access or C2.
  • C2 Communication: Suspected HTTP/HTTPS communication to C2 domains listed in IOCs.

SessionGate / RemusStealer (TDS Campaign)

  • Distribution Method: SEO poisoning and impersonation of legitimate freeware/open-source download sites (e.g., guiformat.com).
  • Attack Vector: "Click Hijacking." Malicious JavaScript on compromised or fake sites intercepts download-button clicks and redirects the user through a TDS (Traffic Distribution System) that filters out bots and researchers before serving the malware.
  • Payload Behavior: Delivers information stealers (RemusStealer) and cryptocurrency clippers (AnimateClipper) designed to harvest credentials and hijack crypto transactions.
  • C2 Communication: HTTP/HTTPS POST requests to C2 infrastructure, often involving encrypted or obfuscated data exfiltration.

GammaSteel (Gamaredon Group)

  • Threat Actor: Gamaredon (aka Armageddon, UAC-0010), associated with the Russian FSB.
  • Targeting: Ukrainian government, defense, and critical infrastructure sectors.
  • Payload Behavior: GammaSteel is a modular stealer operating entirely in memory to avoid disk forensics. It decrypts 71 distinct payload functions.
  • Persistence Mechanism: Stores encrypted payload functions in the Windows Registry under HKCU\Printers.
  • C2 Communication: Utilizes HTTP/HTTPS, likely with custom encryption. Known for high frequency of C2 infrastructure rotation.

IOC Analysis

The provided IOCs span multiple categories, requiring a layered defense approach:

  • Domains: A mix of typosquatted domains for job hunting (e.g., teamsvoicehub.com) and infrastructure for C2/TDS (e.g., guiformat.com, justsstop.ru). SOC teams should immediately block these at the DNS layer and hunt for any DNS resolution requests in EDR logs.
  • IPv4 Addresses: Specific IP addresses (e.g., 194.150.220.218, 165.22.170.129) are associated with malware hosting and C2. These should be blocked on perimeter firewalls and monitored for outbound connections.
  • File Hashes (SHA256): Hashes for payloads and loaders (e.g., 08a474...acca4). These are critical for EDR/Vendor scans to identify infected endpoints. Specific process creation events involving these files should trigger alerts.
  • URLs: Direct download links and C2 check-in URLs (e.g., http://194.150.220.218/...). These can be used in network inspection tools (IDS/IPS) to detect payload delivery or beaconing.

Operationalization:

  • SIEM: Ingest IOC lists into threat intelligence platforms (e.g., Microsoft Sentinel Threat Intelligence, Splunk Enterprise Security) to correlate with network and endpoint logs.
  • EDR: Configure advanced hunting queries to scan process execution history for known hashes and suspicious parent-child process relationships (e.g., cmd.exe or powershell.exe spawning python.exe).
  • Network: Deploy IDS signatures for the specific URLs and block domains at the DNS forwarder level.
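As an added example (not from the original post): a small matcher that applies the IOC list the way the SIEM/EDR steps above intend. Domains are matched as suffixes, so a subdomain of an IOC domain hits but a look-alike name that merely contains the string does not; IPs and hashes are compared exactly. The IOC values are a subset of those listed in this post; the sample URLs in the checks are constructed.

```python
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# IOC values taken from the post (subset); inputs fed to these functions are constructed samples.
IOC_DOMAINS = {"teamsvoicehub.com", "guiformat.com", "justsstop.ru"}
IOC_IPS = {"194.150.220.218", "165.22.170.129"}
IOC_SHA256 = {"08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4"}


def host_of(url: str) -> str:
    """Lowercase host of a URL; tolerates bare 'host/path' values as found in proxy logs."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def domain_match(host: str) -> Optional[str]:
    """Suffix match: 'cdn.guiformat.com' hits 'guiformat.com', 'notguiformat.com' does not."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def classify_url(url: str) -> Optional[str]:
    """Return the IOC (domain or IP) a URL matches, or None."""
    host = host_of(url)
    try:
        ip_address(host)  # literal IP in the URL: exact match against the IP list only
        return host if host in IOC_IPS else None
    except ValueError:
        return domain_match(host)


def classify_hash(sha256: str) -> bool:
    """Hashes are compared exactly, ignoring case, never as substrings."""
    return sha256.strip().lower() in IOC_SHA256
```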

Detection Engineering

Sigma rules (YAML)
---
title: Suspicious Portable Python Execution via ClickFix Pattern
id: 10d9c9d0-7a6f-4b8c-9e1f-1a2b3c4d5e6f
description: Detects portable Python instances launched by a browser, or by a shell (cmd.exe/powershell.exe) with inline code or a URL on the command line, as seen in ClickFix attacks.
status: experimental
date: 2026/06/06
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000000/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.006
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_python:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
    selection_browser_parent:
        ParentImage|endswith:
            - '\msedge.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
    selection_shell_parent:
        # Both fields in this map must match: a shell parent AND a suspicious command line
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - ' -c '
            - ' -C '
            - 'http://'
    # A python.exe launch on its own is far too noisy; it must be paired with one of the parent contexts
    condition: selection_python and (selection_browser_parent or selection_shell_parent)
falsepositives:
    - Legitimate developer use of portable python (rare)
level: high

---
title: Potential Gamaredon GammaSteel Registry Persistence
id: 2e8d9e1f-8b7a-0c1d-2e3f-4a5b6c7d8e9f
description: Detects creation or modification of registry keys under HKCU\Printers, a known persistence mechanism for Gamaredon malware like GammaSteel.
status: experimental
date: 2026/06/06
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000002/
tags:
    - attack.persistence
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers'
    selection_data:
        Details|contains:
            - 'http://'
            - 'https://'
            - 'vbscript:'
    condition: all of selection_*
falsepositives:
    - Legitimate printer driver installation (low probability for user context)
level: high

---
title: Traffic Distribution System (TDS) Click Hijacking
id: 3f9e0f20-9c8b-1d2e-3f4a-5b6c7d8e9f0a
description: Detects suspicious process chains often seen in TDS operations, such as a browser spawning a script host which then downloads a file.
status: experimental
date: 2026/06/06
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000001/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_browser:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    selection_script:
        Image|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    selection_download:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'curl'
            - 'wget'
            - 'bitsadmin'
            - 'certutil'
    condition: all of selection_*
falsepositives:
    - Legitimate web-based installations and scripting
level: medium
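The logic of the first Sigma rule above, as an added example that is not part of the original post: it is evaluated over constructed process-creation events and generalised to walk the full parent chain, so a browser that is a grandparent (browser, then cmd.exe, then python.exe) is still caught rather than only a direct browser parent. Event fields and sample processes are assumptions made for the example.

```python
# Added example (not from the original post): ClickFix/portable-Python detection
# over constructed Sysmon-style process events, walking the whole ancestry chain.
from typing import Dict, List

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
SUSPICIOUS_ARGS = (" -c ", " -C ", "http://")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, dict], max_depth: int = 5) -> List[dict]:
    """Parent events of pid, nearest first, stopping at max_depth or at an unknown pid."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(ev)
    return chain


def clickfix_hits(events: List[dict]) -> List[int]:
    """PIDs of python.exe/pythonw.exe launches matching the ClickFix pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in PYTHON:
            continue
        chain = [basename(a["image"]) for a in ancestors(e["pid"], by_pid)]
        browser_in_chain = any(name in BROWSERS for name in chain)
        shell_parent = bool(chain) and chain[0] in SHELLS
        suspicious_cmd = any(arg in e["cmdline"] for arg in SUSPICIOUS_ARGS)
        if browser_in_chain or (shell_parent and suspicious_cmd):
            hits.append(e["pid"])
    return hits


# Constructed events (pid, parent pid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c placeholder"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe", "cmdline": "python.exe -c placeholder"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Python312\python.exe", "cmdline": "python.exe build.py"},
    {"pid": 700, "ppid": 500, "image": r"C:\Users\u\Downloads\py\pythonw.exe", "cmdline": "pythonw.exe -c placeholder"},
]
```

Running `clickfix_hits(SAMPLE_EVENTS)` flags pid 400 (browser in the chain) and pid 700 (shell parent with inline code), while the developer's `python.exe build.py` under a plain cmd.exe is left alone.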


KQL (Microsoft Defender XDR advanced hunting tables)
// Kusto accepts a single tabular expression per query, so the three hunts are
// declared with let and joined with union at the end.
let iocDomains = dynamic([
  "teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net",
  "novayastaruxa.com", "kevinnotanother.com", "guiformat.com", "forestoaker.com", "justsstop.ru"
]);
let iocIPs = dynamic(["194.150.220.218", "217.156.122.75", "165.22.170.129"]);
let iocHashes = dynamic([
  "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
  "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
]);
let lookback = 7d;
// Network connection hunt: URL contains an IOC domain as a term, or the remote IP is listed
let netHits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (iocDomains) or RemoteIP in (iocIPs)
| extend Hunt = "network", IOC = iff(RemoteIP in (iocIPs), RemoteIP, RemoteUrl)
| project Timestamp, DeviceName, Hunt, IOC, AccountName = InitiatingProcessAccountName,
          Process = InitiatingProcessFileName, Detail = strcat(RemoteUrl, " ", RemoteIP);
// File hash hunt
let fileHits = DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in (iocHashes)
| extend Hunt = "file", IOC = SHA256
| project Timestamp, DeviceName, Hunt, IOC, AccountName = InitiatingProcessAccountName,
          Process = InitiatingProcessFileName, Detail = strcat(FolderPath, "\\", FileName);
// Process creation hunt for GammaSteel persistence written with reg.exe
// (covers both the HKCU\Printers key and the Windows NT\CurrentVersion\Printers path)
let regHits = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "reg.exe" and (ProcessCommandLine has "add" or ProcessCommandLine has "copy")
| where ProcessCommandLine has_any ("HKCU", "HKEY_CURRENT_USER")
| where ProcessCommandLine contains @"\Printers"
| extend Hunt = "registry", IOC = "HKCU Printers key"
| project Timestamp, DeviceName, Hunt, IOC, AccountName,
          Process = InitiatingProcessFileName, Detail = ProcessCommandLine;
union netHits, fileHits, regHits
| order by Timestamp desc


PowerShell (run elevated on the endpoint)
<#
.SYNOPSIS
    Hunt script for CastleLoader, SessionGate, and Gamaredon GammaSteel IOCs and artifacts.
.DESCRIPTION
    Checks user profiles for known malicious file hashes, inspects the registry keys
    used for GammaSteel persistence, and looks for IOC domains and IPs in the local
    DNS client cache. Run elevated so every profile under C:\Users is readable.
#>

# Known malicious file hashes (SHA256)
$maliciousHashes = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
)

# Known malicious domains and IPs, kept apart so each is compared against the right field
$maliciousDomains = @(
    "teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net",
    "novayastaruxa.com", "kevinnotanother.com", "guiformat.com", "forestoaker.com", "justsstop.ru"
)
$maliciousIPs = @("194.150.220.218", "217.156.122.75", "165.22.170.129")

# Registry paths cited for GammaSteel persistence (both forms used in this report)
$persistenceKeys = @(
    "HKCU:\Printers",
    "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Printers"
)

Write-Host "Starting Threat Hunt..." -ForegroundColor Cyan

# 1. Scan for malicious file hashes in user profiles
#    ($profile is an automatic variable in PowerShell, so the loop variable is named differently)
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow
foreach ($userProfile in (Get-ChildItem "C:\Users" -Directory)) {
    Get-ChildItem -Path $userProfile.FullName -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash -and $maliciousHashes -contains $hash.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
}

# 2. Check for Gamaredon GammaSteel registry persistence
Write-Host "Checking for Gamaredon GammaSteel registry persistence..." -ForegroundColor Yellow
foreach ($keyPath in $persistenceKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        # Cast to string so REG_BINARY / REG_MULTI_SZ data can still be pattern-matched
        $value = [string]$key.GetValue($name)
        # Simple heuristic: URLs or script content have no business in a printer key
        if ($value -match 'https?://|vbscript:|javascript:') {
            Write-Host "[!] SUSPICIOUS REGISTRY VALUE FOUND in ${keyPath}: Name='$name', Value='$value'" -ForegroundColor Red
        }
    }
}

# 3. Check the DNS client cache for IOC domains (including their subdomains) and resolved IOC IPs
#    Get-DnsClientCache exposes the queried name as .Entry and the answer as .Data
Write-Host "Checking DNS cache for malicious domains..." -ForegroundColor Yellow
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    $name = ([string]$entry.Entry).TrimEnd('.').ToLower()
    $domainHit = $maliciousDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
    $ipHit = $maliciousIPs -contains [string]$entry.Data
    if ($domainHit -or $ipHit) {
        Write-Host "[!] MALICIOUS DOMAIN FOUND IN DNS CACHE: $($entry.Entry) -> $($entry.Data)" -ForegroundColor Red
    }
}

Write-Host "Threat Hunt Completed." -ForegroundColor Cyan

Response Priorities

Immediate Actions (Now)

  • Block IOCs: Immediately block all listed domains, IP addresses, and file hashes across network perimeter (firewalls, proxies), endpoints (EDR), and mail gateways.
  • Hunt for Compromise: Execute the provided PowerShell script or KQL queries across the enterprise to identify any hosts that have already communicated with the C2 infrastructure or are hosting the malicious files.
  • Isolate Infected Hosts: If any artifacts are found, isolate the affected endpoint from the network immediately to prevent further data exfiltration or lateral movement.

Short-term Actions (Within 24 Hours)

  • Investigate Initial Access Vectors: For hosts showing evidence of compromise, identify the initial access vector (e.g., malicious email, fake download site) to scope the exposure. Check browser history for visits to typosquatted domains or freeware impersonation sites.
  • Credential Reset: Given the presence of infostealers (RemusStealer) and credential-harvesting malware (GammaSteel), assume credentials are compromised. Reset passwords for affected users and enforce MFA.
  • Review Cloud Storage: Audit cloud storage accounts (OneDrive, SharePoint, Google Drive) for signs of unauthorized access or data exfiltration, as stealers often target these platforms.

Medium-term Actions (Within 1 Week)

  • User Awareness Training: Conduct targeted security awareness training focused on identifying typosquatting, social engineering in job recruitment, and the dangers of downloading software from unofficial sources.
  • Application Control: Implement or enforce application whitelisting (AppLocker, Windows Defender Application Control) to prevent the execution of unauthorized portable Python runtimes or unsigned scripts.
  • Architecture Hardening: Review and harden the security posture for remote access tools and legitimate software distribution channels to prevent their abuse by threat actors.
