Back to Intelligence

ClickFix & KICS Supply Chain: Trigona, GlassWorm, and Stealer Swarm — Enterprise Detection Pack

SA
Security Arsenal Team
April 26, 2026
6 min read

Executive Summary

The threat landscape from April 23-26, 2026, is characterized by a dangerous convergence of supply chain compromises and "living-off-the-land" (LotL) initial access techniques. Threat actors are actively exploiting trusted infrastructure—including official Docker Hub repositories and advertising trackers like Keitaro—to distribute sophisticated credential stealers (Lumma, Vidar, StealC) and ransomware (Trigona). Notably, the ClickFix social engineering campaign has evolved into five distinct clusters targeting Windows and macOS, while the TeamPCP supply chain attack has infiltrated the development tooling ecosystem via trojanized KICS binaries.

Threat Summary

Collectively, these OTX pulses reveal a multi-vector assault on enterprise integrity and credentials. The primary attack chains involve:

  1. ClickFix (Social Engineering): Adversaries are impersonating services like Intuit QuickBooks and Booking.com. Victims are manipulated into executing malicious commands via native system tools (LotL) to bypass traditional security controls, leading to Vidar, Lumma, and RedLine infestations.
  2. Supply Chain Poisoning (TeamPCP): Official Docker Hub images for Checkmarx KICS (tags v2.1.20, v2.1.21, alpine) and VS Code extensions were compromised. The malware (mcpAddon.js, Canister Worm) steals infrastructure-as-code credentials and exfiltrates them to attacker-controlled infrastructure.
  3. Infrastructure Abuse (Keitaro): The Keitaro TDS (Traffic Distribution System) is being abused to distribute DonutLoader and StealC, utilizing cloaking techniques to evade detection during malvertising campaigns.

The ultimate objective across these campaigns is credential harvesting for financial gain (crypto/banking), initial access brokerage, and data extortion via the Trigona ransomware affiliate program.

Threat Actor / Malware Profile

Trigona Ransomware (Rhantus)

  • Actor: Rhantus
  • Evolution: Shifted from generic tools (Rclone) to a custom exfiltration utility uploader_client.exe.
  • Behavior: Features parallel data streams and connection rotation to evade network monitoring. Associated with kernel driver abuse tools like DumpGuard and PCHunter to disable security solutions.

GlassWorm

  • Target: Developers and Blockchain users.
  • Methodology: Uses compromised code repositories. Leverages the Solana blockchain for C2 communication and payload fetching to remain under the radar.
  • Payload: Steals cryptocurrency wallet keys and development credentials.

ClickFix Clusters

  • Malware: Vidar, Lumma Stealer, Odyssey Stealer, NetSupport RAT.
  • Technique: Browser-based social engineering tricking users into running system commands (e.g., PowerShell/Bash) disguised as "fixes" for captchas or video players.

IOC Analysis

Indicator Types:

  • Domains (ClickFix/Keitaro): ustazazharidrus.com, account-help.info, ucaboodle.com, cibcsecurity2fa.com. These are used for phishing pages and payload delivery.
  • IPs (Infrastructure): 94.154.172.43 (C2 for KICS compromise).
  • File Hashes (Payloads):
    • Trigona Tools: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 (SHA256 - uploader_client).
    • KICS Binaries: d47de3772f2d61a043e7047431ef4cf4 (MD5).

Operational Guidance: SOC teams should immediately block the listed domains at the proxy/DNS firewall level. File hashes should be uploaded to EDR threat feeds for immediate quarantine. For the KICS compromise, inspect environment variables and CI/CD logs for connections to 94.154.172.43.

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix PowerShell Execution
description: Detects PowerShell execution patterns often associated with ClickFix campaigns where users are tricked into running "fix" commands. Includes encoded commands and clipboard manipulation.
references:
  - https://otx.alienvault.com/pulse/662a1b1c8f4b10b123456789
author: Security Arsenal Research
date: 2026/04/26
status: experimental
tags:
  - attack.execution
  - attack.initial_access
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_clipboard:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Get-Clipboard'
      - 'Set-Clipboard'
  selection_encoded:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-e '
    CommandLine|contains: 'FromBase64'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Trigona Ransomware Custom Exfiltration Tool
description: Detects the execution of uploader_client.exe, a custom tool used by Trigona affiliates for data theft with connection rotation.
references:
  - https://otx.alienvault.com/pulse/662a1b1c8f4b10b123456790
author: Security Arsenal Research
date: 2026/04/26
status: experimental
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\uploader_client.exe'
    OriginalFileName: 'uploader_client.exe'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: Compromised KICS Docker or VS Code Execution
description: Detects the execution of specific malicious hashes associated with the TeamPCP supply chain attack on Checkmarx KICS.
references:
  - https://otx.alienvault.com/pulse/662a1b1c8f4b10b123456791
author: Security Arsenal Research
date: 2026/04/26
status: experimental
tags:
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: file_event
  product: windows
detection:
  selection:
    Hashes|contains:
      - 'MD5=d47de3772f2d61a043e7047431ef4cf4'
      - 'SHA256=222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b'
  condition: selection
falsepositives:
  - None (Critical supply chain indicators)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Trigona Exfil Tool and ClickFix Suspicious Activity
let TrigonaHashes = dynamic(["e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173", "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"]);
let MaliciousDomains = dynamic(["ustazazharidrus.com", "account-help.info", "elive123go.com", "ucaboodle.com"]);
// 1. Process Creation Hunt for Trigona Tool
DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe"
| where ProcessCommandLine has "-e " or ProcessCommandLine has "Get-Clipboard"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| union (
    DeviceProcessEvents
    | where SHA256 in TrigonaHashes or FileName == "uploader_client.exe"
)
| union (
    // 2. Network Connections to Malicious Domains
    DeviceNetworkEvents
    | where RemoteUrl in MaliciousDomains
)

PowerShell Hunt Script

PowerShell
<#
    .SYNOPSIS
    Hunts for Trigona and TeamPCP KICS Supply Chain Compromise artifacts.
#>

$TargetHashes = @(
    "d47de3772f2d61a043e7047431ef4cf4", # KICS MD5
    "e1023db24a29ab0229d99764e2c8deba", # KICS MD5
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173"  # Trigona Uploader SHA256
)

Write-Host "[*] Scanning for Trigona uploader_client.exe and compromised KICS binaries..."

# Check Processes
$Processes = Get-Process | Where-Object { $_.Path -ne $null }
foreach ($Proc in $Processes) {
    $Hash = (Get-FileHash -Path $Proc.Path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    $Hash256 = (Get-FileHash -Path $Proc.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    
    if ($TargetHashes -contains $Hash -or $TargetHashes -contains $Hash256) {
        Write-Host "[!] MALICIOUS PROCESS DETECTED: $($Proc.ProcessName) - $($Proc.Path) - Hash: $Hash" -ForegroundColor Red
    }

    if ($Proc.ProcessName -eq "uploader_client.exe") {
        Write-Host "[!] CRITICAL: Trigona Exfil Tool Running: $($Proc.Id)" -ForegroundColor Red
    }
}

# Check file system for specific process names in common download/appdata paths
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:LOCALAPPDATA")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { 
            $_.Name -eq "uploader_client.exe" -or 
            $_.Name -eq "kics.exe" -or
            $_.Name -eq "mcpAddon.js"
        } | ForEach-Object {
            Write-Host "[!] SUSPICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}

Response Priorities

  • Immediate:

    • Block all domains listed in the IOC Analysis (ClickFix/Keitaro) on secure web gateways.
    • Quarantine any systems identified running uploader_client.exe or the KICS binary hashes.
    • Pull the compromised Docker images (checkmarx/kics:v2.1.20, v2.1.21, alpine) and replace with clean versions.

  • 24 Hours:

    • Initiate credential resets for developer accounts and privileged users who may have been exposed to GlassWorm or the KICS compromise (check CI/CD logs for the past 2 weeks).
    • Conduct a forensic review of any endpoints where powershell.exe was spawned by a browser process (potential ClickFix).

  • 1 Week:

    • Review supply chain security; implement Image Signing verification for Docker Hub pulls.
    • Harden PowerShell usage policies (Constrained Language Mode) to mitigate ClickFix "living-off-the-land" techniques.
    • Audit Keitaro or similar TDS usage within marketing affiliate networks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealersupply-chaintrigonaclickfixglassworm

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action