Threat Summary
Analysis of recent OTX pulse data reveals a coordinated wave of credential theft and infostealer campaigns leveraging social engineering and technical sophistication. The primary vectors include:
-
ClickFix AI-Generated Campaigns: Threat actors are using AI-powered website builders to create typosquatting domains impersonating Brazilian banks (e.g., crefisa.online). Victims are presented with fake CAPTCHA challenges and BSOD screens that trick them into executing malicious PowerShell commands.
-
GST-Themed Phishing: Targeted attacks against Indian businesses use fraudulent GST refund notifications with legitimate-looking ARN references. These deliver Remcos RAT through multi-stage .NET frameworks employing bitmap steganography.
-
OkoBot Framework: A sophisticated crypto-focused malware family targeting cryptocurrency users via GitHub-hosted fake software and ClickFix attacks. The framework includes over 20 malicious modules including browser extension injectors (Rilide) and credential harvesters.
-
Lua Loader Campaigns: Global phishing distributing Agent Tesla, XWorm, and Snake Keylogger through low-detection Lua loaders within obfuscated JavaScript files.
-
NadMesh Botnet: An industrial-grade Go-based botnet autonomously scanning AI infrastructure and cloud services (Kubernetes, Redis, Docker) with 20+ exploitation vectors.
Collectively, these campaigns demonstrate a shift toward credential theft and financial compromise using fileless execution techniques and AI-enhanced deception.
Threat Actor / Malware Profile
SmartRAT
- Distribution: Typosquatting domains, fake CAPTCHA pages (ClickFix)
- Behavior: PowerShell-based banking trojan with encrypted C2 communication
- Persistence: PowerShell profile scripts, scheduled tasks
- Anti-Analysis: Obfuscated PowerShell, process hollowing
Remcos RAT
- Distribution: GST-themed phishing with malicious RAR archives
- Behavior: Remote access, credential theft, screen capture, keylogging
- Persistence: Registry run keys, service creation
- Anti-Analysis: Bitmap steganography for payload hiding, fileless execution
OkoBot Framework
- Distribution: GitHub fake software, ClickFix attacks
- Behavior: Cryptocurrency wallet theft, browser extension injection
- Persistence: SSH tunneling, scheduled PowerShell tasks
- Anti-Analysis: Modular architecture, polymorphic payloads
NadMesh Botnet
- Distribution: Autonomous scanning of cloud infrastructure
- Behavior: Credential harvesting from cloud services, MCP exploitation
- Persistence: Container deployment, systemd services
- Anti-Analysis: Polymorphic Go binaries, encrypted C2 channels
IOC Analysis
The collected indicators include:
- Domains (13): Banking typosquatting (crefisa.online), C2 infrastructure (windowsupdate-cdn.com, cdnorigin.net), and staging domains (coffeesaloon.online, livewallpapers.online)
- File Hashes (24): MD5, SHA1, and SHA256 hashes for malware loaders, PowerShell scripts, and .NET executables
- Hostnames (4): Phishing mail servers and C2 endpoints
- IPv4 (1): Direct IP-based payload delivery (64.95.13.238, 209.99.186.235)
- CVE (1): CVE-2016-0638 for exploitation vectors
Operational Guidance:
- Deploy domain IOCs to DNS Sinkhole and Proxy filtering immediately
- Load file hash IOCs into EDR solutions for immediate quarantining
- Correlate network IOCs with SecurityEvent logs for lateral movement detection
- Use VirusTotal for hash validation before blocklisting
Detection Engineering
---
title: Suspicious PowerShell Execution with Encoded Commands
description: Detects PowerShell execution patterns associated with SmartRAT and OkoBot delivery chains
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-EncodedCommand'
- '-e '
- 'FromBase64String'
condition: selection | count(CommandLine) > 200
falsepositives:
- Legitimate administrative scripts
level: high
---
title: Malicious Domain Connection to Banking Typosquatting Infrastructure
description: Detects network connections to known ClickFix and OkoBot C2 domains
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
product: windows
category: network_connection
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'windowsupdate-cdn'
- 'crefisa.online'
- 'cdnorigin.net'
- 'duckdns.org'
- 'coffeesaloon.online'
- 'livewallpapers.online'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Suspicious File Download from Untrusted Domains
description: Detects downloads from domains associated with phishing campaigns and malware distribution
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
- attack.initial_access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '.exe'
- '.rar'
- '.zip'
- '.ps1'
- '.js'
filter_legit:
SourceHostname|contains:
- 'microsoft.com'
- 'adobe.com'
- 'google.com'
condition: selection and not filter_legit
falsepositives:
- Legitimate software downloads
level: medium
kql// Hunt for suspicious PowerShell execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "FromBase64String", "IEX", "Invoke-Expression")
| where strlen(ProcessCommandLine) > 500
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Hunt for network connections to known C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("windowsupdate-cdn", "crefisa", "cdnorigin", "duckdns", "coffeesaloon", "livewallpapers", "2baserec2")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc
// Hunt for file creations matching malware hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be",
"2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279",
"417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b",
"fc4109f5dd1d30b65dd60e57dc639ac1d313bfa5241e36e61fbc4aabc1cda482")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
// Hunt for suspicious RAR/ZIP archive execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("winrar.exe", "7z.exe", "explorer.exe")
| where ProcessCommandLine has_any (".rar", ".zip", ".7z")
| where ProcessCommandLine has_any ("-p", "-e", "-x")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
powershell<#
.SYNOPSIS
IOC Hunter for SmartRAT, Remcos, OkoBot, and NadMesh
.DESCRIPTION
Scans endpoints for indicators of compromise related to recent infostealer campaigns
.NOTES
File Name : IOC-Hunter.ps1
Author : Security Arsenal
Prerequisite : Administrator privileges
#>
# Known malicious file hashes from OTX pulses
$MaliciousHashes = @(
"297eb45f028d44d750297d2f932b9c91",
"3c72e1f37f115b00c3ad6ed31bacfe8a",
"6bf4d4c62b5138ace281ce3d08297787",
"b17ccdb5531555e43f082d6e77c07227",
"511ba918e1781ff38310530801b8cec5",
"ca024acead8f54cfe5b07ac4bdf7fcea",
"07d7d21c2c0920d198efb9ea54900a80",
"20476f3a51dfddf3dc0603fc7858d894",
"b07d451ee65a1580f20a784c8f0e7a46",
"187a1f68ae786e53d3831166dc84e6d2"
)
# Known C2 domains
$MaliciousDomains = @(
"crefisa.online",
"windowsupdate-cdn.com",
"cdnorigin.net",
"coffeesaloon.online",
"livewallpapers.online",
"2baserec2.guru",
"kbeautyreviews.com"
)
# Suspicious process patterns
$SuspiciousProcesses = @(
"*powershell*-encodedcommand*",
"*powershell*-e *",
"*powershell*FromBase64String*",
"*cmd*/c powershell*"
)
function Check-FileHashes {
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow
$Paths = @(
"$env:TEMP\*",
"$env:APPDATA\*",
"$env:LOCALAPPDATA\*",
"C:\ProgramData\*",
"$env:USERPROFILE\Downloads\*"
)
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
if ($_.Length -gt 0 -and $_.Length -lt 100MB) {
try {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
if ($MaliciousHashes -contains $Hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
} catch {
# Ignore access errors
}
}
}
}
}
}
function Check-NetworkConnections {
Write-Host "[+] Checking for suspicious network connections..." -ForegroundColor Yellow
$Connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
Where-Object { $_.State -eq "Established" }
foreach ($Connection in $Connections) {
try {
$RemoteAddress = $Connection.RemoteAddress
$Process = Get-Process -Id $Connection.OwningProcess -ErrorAction SilentlyContinue
if ($Process) {
$RemoteHost = [System.Net.Dns]::GetHostEntry($RemoteAddress).HostName
foreach ($Domain in $MaliciousDomains) {
if ($RemoteHost -like "*$Domain*") {
Write-Host "[!] SUSPICIOUS CONNECTION: $($RemoteAddress) ($RemoteHost) via $($Process.ProcessName)" -ForegroundColor Red
}
}
}
} catch {
# Ignore DNS lookup failures
}
}
}
function Check-SuspiciousProcesses {
Write-Host "[+] Checking for suspicious process patterns..." -ForegroundColor Yellow
$Processes = Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
Where-Object { $_.Name -like "*powershell*" -or $_.Name -like "*cmd*" }
foreach ($Process in $Processes) {
foreach ($Pattern in $SuspiciousProcesses) {
if ($Process.CommandLine -like $Pattern) {
Write-Host "[!] SUSPICIOUS PROCESS: $($Process.Name) with command line pattern: $Pattern" -ForegroundColor Red
Write-Host " Command: $($Process.CommandLine)" -ForegroundColor Gray
}
}
}
}
function Check-PersistenceMechanisms {
Write-Host "[+] Checking for persistence mechanisms..." -ForegroundColor Yellow
# Check Run registry keys
$RunKeys = @(
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($Key in $RunKeys) {
if (Test-Path $Key) {
Get-Item -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
$_.Property | ForEach-Object {
$Value = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$_
if ($Value -match "powershell" -and $Value.Length -gt 100) {
Write-Host "[!] SUSPICIOUS RUN KEY: $Key\$_ = $Value" -ForegroundColor Red
}
}
}
}
}
# Check Scheduled Tasks
$Tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
Where-Object { $_.State -eq "Ready" -or $_.State -eq "Running" }
foreach ($Task in $Tasks) {
$TaskInfo = $Task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
if ($Task.Actions.Execute -match "powershell") {
Write-Host "[!] SUSPICIOUS SCHEDULED TASK: $($Task.TaskName)" -ForegroundColor Red
Write-Host " Command: $($Task.Actions.Execute) $($Task.Actions.Arguments)" -ForegroundColor Gray
}
}
}
# Main execution
Write-Host "
=========================================
OTX Pulse IOC Hunter
Targeting: SmartRAT, Remcos, OkoBot, NadMesh
Date: 2026-07-17
=========================================
" -ForegroundColor Cyan
Check-FileHashes
Check-NetworkConnections
Check-SuspiciousProcesses
Check-PersistenceMechanisms
Write-Host "
[+] Scan completed. Review findings above." -ForegroundColor Green
Response Priorities
Immediate (Within 4 Hours)
- Block all domain IOCs at DNS and web proxy level
- Load file hash IOCs into EDR for automated quarantine
- Hunt for PowerShell execution with encoded commands on all endpoints
- Isolate systems with confirmed indicators
24 Hours
- Initiate credential rotation for users with potential exposure (especially banking and crypto accounts)
- Review and quarantine suspicious email attachments from last 30 days
- Analyze network logs for connections to identified C2 infrastructure
- Run PowerShell IOC hunter script across all endpoints
1 Week
- Implement AI-generated content detection for email and web filtering
- Deploy strict URL filtering for typosquatting patterns
- Review and harden cloud infrastructure against NadMesh exploitation vectors
- Conduct user awareness training focused on fake CAPTCHA and ClickFix techniques
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.