Back to Intelligence

ClickFix & OkoBot: AI-Generated Typosquatting and Crypto Theft Targeting LATAM — OTX Pulse Analysis

SA
Security Arsenal Team
July 17, 2026
6 min read

Recent OTX pulses have identified a surge in sophisticated "ClickFix" campaigns heavily targeting the Latin American (LATAM) region, specifically Brazil, with spill-over into Canada and Mexico. These campaigns mark a disturbing evolution in social engineering, leveraging AI-generated website builders to create convincing typosquatting domains.

The primary campaign impersonates a Brazilian bank to deliver SmartRAT, a PowerShell-based banking trojan, via fake CAPTCHA and BSOD screens that trick users into executing malicious commands. Simultaneously, a separate but related campaign utilizes the OkoBot framework, targeting cryptocurrency users through a multi-stage infection chain involving fake GitHub repositories and malicious browser extensions (Rilide). Both campaigns rely heavily on PowerShell for execution and establish persistence using modular loaders like GhostLoader and HDUtil.

Threat Actor / Malware Profile

Adversary Tactics: The threat actors demonstrate a high degree of operational security by utilizing AI to scale the creation of typosquatting domains (e.g., crefisa.online, windowsupdate-cdn.com). They employ the "ClickFix" technique—presenting fake error or CAPTCHA pages—to coerce victims into manually copying and pasting PowerShell commands, effectively bypassing traditional file-based detection.

Malware Families & Behavior:

  • SmartRAT: A PowerShell-based banking trojan targeting Brazilian financial institutions. It features encrypted C2 communication and is often delivered via GhostLoader. It utilizes PowerShell commands to establish reverse shells or download further payloads.
  • OkoBot Framework: A modular malware ecosystem targeting cryptocurrency wallets. Key components include:
    • TookPS: Initial PowerShell scripts used for execution.
    • Rilide: A malicious browser extension injected to steal session cookies and facilitate crypto transactions.
    • HDUtil: A launcher/utilities module for maintaining persistence.
    • OkoSpyware/SeedHunter: Modules designed to harvest seed phrases and wallet credentials.

C2 & Infrastructure: Infrastructure relies on compromised domains and legitimate-looking CDN-spoofing domains. OkoBot specifically utilizes automated SSH tunnels for C2 obfuscation, making network detection challenging.

IOC Analysis

The provided IOCs are critical for immediate network defense:

  • Domains: Multiple typosquatting domains detected (crefisa.online, windowsupdate-cdn.com, coffeesaloon.online, livewallpapers.online). These should be added to blocklists (DNS Sinkhole) immediately.
  • File Hashes (MD5): Over 20 unique MD5 hashes associated with the loaders (GhostLoader, HDUtil) and payloads (SmartRAT, OkoBot modules). EDR solutions should be configured to alert on execution of these specific hashes.
  • Operationalization: SOC teams should ingest these IOCs into SIEM correlation engines to look for outbound connections to the domains. Due to the AI-generation of domains, hash-based detection is more reliable for the payloads, while network detection should focus on the specific C2 domains listed.

Detection Engineering

YAML
title: Potential ClickFix PowerShell Execution Pattern
date: 2026/07/17
status: experimental
description: Detects suspicious PowerShell execution patterns often associated with ClickFix campaigns where users are tricked into running commands via clipboard or copy-paste. Looks for encoded commands and common obfuscation used in SmartRAT and OkoBot delivery.
references:
    - https://otx.alienvault.com/pulse/66971c2f8d2b1f0f8c2b1f8c
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'CopyToClipboard'
            - 'IEX'
            - 'Invoke-Expression'
            - 'DownloadString'
    condition: selection
falsepositives:
    - Administrative scripts
level: high
---
title: SmartRAT & OkoBot C2 Domain Connection
date: 2026/07/17
status: experimental
description: Detects network connections to known Command and Control (C2) domains associated with the active SmartRAT and OkoBot campaigns targeting Brazil and Crypto users.
references:
    - https://otx.alienvault.com/pulse/66971c2f8d2b1f0f8c2b1f8c
author: Security Arsenal
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'crefisa.online'
            - 'windowsupdate-cdn.com'
            - 'coffeesaloon.online'
            - 'livewallpapers.online'
            - '2baserec2.guru'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Malicious Browser Extension Injection - Rilide/OkoBot
date: 2026/07/17
status: experimental
description: Detects registry modifications indicative of malicious browser extension injection used by the OkoBot framework (Rilide).
references:
    - https://otx.alienvault.com/pulse/66971c2f8d2b1f0f8c2b1f8c
author: Security Arsenal
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        TargetObject|contains:
            - '\Software\Google\Chrome\Extensions'
            - '\Software\Microsoft\Edge\Extensions'
        Details|contains:
            - 'update_url'
            - ''
    condition: selection
falsepositives:
    - Legitimate software installing extensions
level: medium


kql
// Hunt for network connections to known SmartRAT and OkoBot C2 domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "crefisa.online", 
    "windowsupdate-cdn.com", 
    "coffeesaloon.online", 
    "livewallpapers.online",
    "2baserec2.guru",
    "kbeautyreviews.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend URLHex = hash(tostring(RemoteUrl))
// Hunt for suspicious PowerShell execution often used in ClickFix
DeviceProcessEvents  
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("IEX", "DownloadString", "FromBase64String", "CopyToClipboard")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| summarize count() by DeviceName, InitiatingProcessFileName


powershell
# IOC Hunt Script for SmartRAT and OkoBot Artifacts
# Run as Administrator

Write-Host "[+] Starting Hunt for SmartRAT and OkoBot Artifacts..." -ForegroundColor Cyan

# 1. Check Hosts File for Malicious Domains
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @(
    "crefisa.online", 
    "windowsupdate-cdn.com", 
    "coffeesaloon.online", 
    "livewallpapers.online"
)

if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($domain in $maliciousDomains) {
        if ($hostsContent -match $domain) {
            Write-Host "[!] ALERT: Malicious domain found in hosts file: $domain" -ForegroundColor Red
        }
    }
}

# 2. Check for Suspicious Scheduled Tasks (GhostLoader/HDUtil Persistence)
Write-Host "[+] Checking Scheduled Tasks for suspicious patterns..."
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*powershell*" -or 
    $_.Actions.Execute -like "*cmd.exe*" -and
    ($_.Actions.Arguments -like "*DownloadString*" -or $_.Actions.Arguments -like "*IEX*")
} | Select-Object TaskName, TaskPath, State | Format-Table

# 3. Scan for Specific File Hashes (Requires Hash computation)
Write-Host "[+] Scanning user directories for suspicious executables..."
$targetHashes = @(
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2"
)

$pathsToScan = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP")

foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue -File | 
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            if ($targetHashes -contains $hash) {
                Write-Host "[!] CRITICAL: Malware found at $($_.FullName) with hash $hash" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green


# Response Priorities

**Immediate (0-4 hours):**
*   **Block IOCs:** Immediately block all listed domains and IP addresses at the perimeter firewall and proxy.
*   **Scan Endpoints:** Initiate a targeted scan for the MD5 file hashes provided in the IOCs.
*   **Hunt PowerShell:** Use the provided KQL and PowerShell scripts to identify active infections or past execution attempts.

**Within 24 Hours:**
*   **Identity Verification:** Given the presence of banking trojans (SmartRAT) and crypto-stealers (OkoBot), perform forced password resets and MFI challenges for users who may have been exposed, particularly in finance departments or those known to hold crypto assets.
*   **Browser Review:** Audit browser extensions on corporate endpoints to identify instances of Rilide or unknown/unsigned extensions.

**Within 1 Week:**
*   **Architecture Hardening:** Implement strict browser extension policies (allowlist only) to prevent Rilide-style injection.
*   **User Awareness:** Conduct security awareness training specifically focusing on "ClickFix" and fake CAPTCHA/tech support scams.
*   **PowerShell Constrained Mode:** Evaluate enforcing Constrained Language Mode for PowerShell to prevent the execution of the obfuscated scripts used in these campaigns.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixsmartratokobotbanking-trojancryptocurrency-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.