Recent OTX Pulse activity highlights a diverse threat landscape involving both commodity malware distribution and state-sponsored cyberespionage. A notable "ClickFix" campaign is actively targeting macOS users via social engineering, distributing infostealers like AMOS and Shub Stealer through fake utility lures. Simultaneously, the evolution of the Lumma Stealer family, now known as "Remus," has been observed bypassing advanced browser encryption protections to steal credentials and cryptocurrency wallets. On the state-actor front, the Gamaredon group (FSB-linked UAC-0010) continues its aggressive targeting of Ukrainian entities with the GammaSteel infostealer, utilizing memory-resident payloads and USB propagation mechanisms.
Threat Actor / Malware Profile
ClickFix Campaign (MacOS)
- Adversary: Unknown
- Families: Macsync, Shub Stealer, AMOS, PhantomPulse
- Distribution: Fake blog sites hosting malicious troubleshooting advice. Victims are tricked into copying and pasting malicious commands into the macOS Terminal.
- Behavior: Upon execution, the shell commands download and execute infostealers designed to exfiltrate sensitive data from macOS systems.
Remus Stealer (Windows)
- Adversary: Unknown (Evolution of Lumma Stealer)
- Capabilities: 64-bit information stealer capable of bypassing Application-Bound Encryption (ABE) in browsers.
- Target: Cryptocurrency wallets, browser credentials, and session cookies.
- Evasion: Advanced techniques to evade detection and sandbox analysis, utilizing EtherHiding and blockchain-based C2 in some variants.
Gamaredon Group (Windows)
- Adversary: Gamaredon (UAC-0010, Armageddon) - FSB associated
- Families: GammaSteel, GammaLoad, GammaPhish, GammaWorm, GammaWipe
- Target: Ukrainian Government, Defense, and Critical Infrastructure.
- Behavior: GammaSteel operates primarily in-memory, storing 71 payload functions within the
HKCU\Printersregistry key for persistence. Uses USB drives (GammaWorm) for lateral movement in air-gapped or restricted networks.
IOC Analysis
Intelligence gathered reveals active infrastructure supporting these campaigns:
- Domains (ClickFix):
jihiz.com,kayeart.com,bintail.com,wusetail.com,malext.com,miappl.com,pla7ina.cfd,vagturk.com. These domains likely host the malicious payloads or act as initial redirectors. - Infrastructure (Gamaredon):
justsstop.ruresolving to165.22.170.129. This IP address and domain should be blocked immediately as they are associated with active espionage operations.
SOC Operationalization:
- DNS: Block query and response for listed domains.
- Firewall/Proxy: Blacklist
165.22.170.129. - EDR: Hunt for processes resolving to these IOCs and file modifications in
HKCU\Printers.
Detection Engineering
Sigma Rules
YAML
---
title: Potential MacOS ClickFix Terminal Activity
id: 20260607-001
status: experimental
description: Detects suspicious Terminal execution patterns associated with ClickFix campaigns delivering infostealers.
references:
- https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
author: Security Arsenal
date: 2026/06/07
tags:
- attack.initial_access
- attack.execution
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/Terminal'
CommandLine|contains:
- 'curl '
- 'bash -c'
- 'chmod +x'
condition: selection
falsepositives:
- Legitimate system administration
level: high
---
title: Gamaredon GammaSteel Registry Persistence
id: 20260607-002
status: experimental
description: Detects potential Gamaredon GammaSteel activity via persistence in HKCU\Printers registry key.
references:
- https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/
author: Security Arsenal
date: 2026/06/07
tags:
- attack.persistence
- attack.defense_evasion
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Printers'
Details|contains: 'http'
condition: selection
falsepositives:
- Low
level: high
---
title: Suspicious Browser Database Access by Non-Browser Process
id: 20260607-003
status: experimental
description: Detects processes other than browsers accessing browser SQLite databases, indicative of stealer activity like Remus or Lumma.
references:
- https://cyberpress.org/remus-bypasses-browser-encryption/
author: Security Arsenal
date: 2026/06/07
tags:
- attack.credential_access
- attack.collection
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains:
- '\AppData\Local\Google\Chrome\User Data\Default\'
- '\AppData\Local\Microsoft\Edge\User Data\Default\'
- '\AppData\Roaming\Mozilla\Firefox\Profiles\'
TargetFilename|endswith:
- '.sqlite'
- '.log'
filter_main_browsers:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
- '\brave.exe'
condition: selection and not filter_main_browsers
falsepositives:
- Legitimate backup or synchronization software
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Gamaredon C2 and ClickFix Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ ("justsstop.ru", "jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com")
or RemoteIP in~ ("165.22.170.129")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| union (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("justsstop.ru", "jihiz.com", "kayeart.com", "bintail.com")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath
)
PowerShell Hunt Script
PowerShell
# Hunt for GammaSteel Registry Artifacts in HKCU\Printers
$RegistryPath = "HKCU:\Printers"
if (Test-Path $RegistryPath) {
Write-Host "Scanning $RegistryPath for GammaSteel artifacts..."
Get-ChildItem -Path $RegistryPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$key = $_
$values = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
# GammaSteel stores payloads here; look for non-standard values or long strings
$values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value.Length -gt 50 } | ForEach-Object {
Write-Host "[!] Suspicious entry found in $($key.Name)"
Write-Host " Property: $($_.Name)"
Write-Host " Value: $($_.Value)"
}
}
} else {
Write-Host "Registry path not found."
}
# Response Priorities
* **Immediate:**
* Block all listed domains (ClickFix and Gamaredon) and IP `165.22.170.129` on perimeter firewalls and proxies.
* Trigger hunts for PowerShell scripts or Terminal commands containing `curl` to external non-corporate IPs on macOS endpoints.
* **24h:**
* If Remus infection is suspected, initiate forced password resets for browser-stored credentials and cryptocurrency wallets, as ABE protections may be bypassed.
* Review logs for access to `justsstop.ru` to identify potential Gamaredon victims.
* **1 week:**
* Implement strict Application Control (AppLocker) on Windows to prevent execution from user profile directories and obscure registry keys.
* Educate macOS users regarding the "ClickFix" social engineering tactic (fake troubleshooting guides requiring Terminal commands).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwareclickfixremus-stealergamaredonmacos-malwareinfostealer
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.