Back to Intelligence

ClickFix & OkoBot Campaigns: Multi-Vector Infostealer Wave Targeting Finance and Crypto Sectors — Detection Engineering Brief

SA
Security Arsenal Team
July 17, 2026
8 min read

Threat Summary

Analysis of recent OTX pulse data reveals a coordinated wave of credential theft and infostealer campaigns leveraging social engineering and technical sophistication. The primary vectors include:

  1. ClickFix AI-Generated Campaigns: Threat actors are using AI-powered website builders to create typosquatting domains impersonating Brazilian banks (e.g., crefisa.online). Victims are presented with fake CAPTCHA challenges and BSOD screens that trick them into executing malicious PowerShell commands.

  2. GST-Themed Phishing: Targeted attacks against Indian businesses use fraudulent GST refund notifications with legitimate-looking ARN references. These deliver Remcos RAT through multi-stage .NET frameworks employing bitmap steganography.

  3. OkoBot Framework: A sophisticated crypto-focused malware family targeting cryptocurrency users via GitHub-hosted fake software and ClickFix attacks. The framework includes over 20 malicious modules including browser extension injectors (Rilide) and credential harvesters.

  4. Lua Loader Campaigns: Global phishing distributing Agent Tesla, XWorm, and Snake Keylogger through low-detection Lua loaders within obfuscated JavaScript files.

  5. NadMesh Botnet: An industrial-grade Go-based botnet autonomously scanning AI infrastructure and cloud services (Kubernetes, Redis, Docker) with 20+ exploitation vectors.

Collectively, these campaigns demonstrate a shift toward credential theft and financial compromise using fileless execution techniques and AI-enhanced deception.

Threat Actor / Malware Profile

SmartRAT

  • Distribution: Typosquatting domains, fake CAPTCHA pages (ClickFix)
  • Behavior: PowerShell-based banking trojan with encrypted C2 communication
  • Persistence: PowerShell profile scripts, scheduled tasks
  • Anti-Analysis: Obfuscated PowerShell, process hollowing

Remcos RAT

  • Distribution: GST-themed phishing with malicious RAR archives
  • Behavior: Remote access, credential theft, screen capture, keylogging
  • Persistence: Registry run keys, service creation
  • Anti-Analysis: Bitmap steganography for payload hiding, fileless execution

OkoBot Framework

  • Distribution: GitHub fake software, ClickFix attacks
  • Behavior: Cryptocurrency wallet theft, browser extension injection
  • Persistence: SSH tunneling, scheduled PowerShell tasks
  • Anti-Analysis: Modular architecture, polymorphic payloads

NadMesh Botnet

  • Distribution: Autonomous scanning of cloud infrastructure
  • Behavior: Credential harvesting from cloud services, MCP exploitation
  • Persistence: Container deployment, systemd services
  • Anti-Analysis: Polymorphic Go binaries, encrypted C2 channels

IOC Analysis

The collected indicators include:

  • Domains (13): Banking typosquatting (crefisa.online), C2 infrastructure (windowsupdate-cdn.com, cdnorigin.net), and staging domains (coffeesaloon.online, livewallpapers.online)
  • File Hashes (24): MD5, SHA1, and SHA256 hashes for malware loaders, PowerShell scripts, and .NET executables
  • Hostnames (4): Phishing mail servers and C2 endpoints
  • IPv4 (1): Direct IP-based payload delivery (64.95.13.238, 209.99.186.235)
  • CVE (1): CVE-2016-0638 for exploitation vectors

Operational Guidance:

  • Deploy domain IOCs to DNS Sinkhole and Proxy filtering immediately
  • Load file hash IOCs into EDR solutions for immediate quarantining
  • Correlate network IOCs with SecurityEvent logs for lateral movement detection
  • Use VirusTotal for hash validation before blocklisting

Detection Engineering

YAML
---
title: Suspicious PowerShell Execution with Encoded Commands
description: Detects PowerShell execution patterns associated with SmartRAT and OkoBot delivery chains
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-EncodedCommand'
            - '-e '
            - 'FromBase64String'
    condition: selection | count(CommandLine) > 200
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Malicious Domain Connection to Banking Typosquatting Infrastructure
description: Detects network connections to known ClickFix and OkoBot C2 domains
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'windowsupdate-cdn'
            - 'crefisa.online'
            - 'cdnorigin.net'
            - 'duckdns.org'
            - 'coffeesaloon.online'
            - 'livewallpapers.online'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Suspicious File Download from Untrusted Domains
description: Detects downloads from domains associated with phishing campaigns and malware distribution
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6697a2f1c5d3e6a92c8b4567
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.exe'
            - '.rar'
            - '.zip'
            - '.ps1'
            - '.js'
    filter_legit:
        SourceHostname|contains:
            - 'microsoft.com'
            - 'adobe.com'
            - 'google.com'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software downloads
level: medium


kql// Hunt for suspicious PowerShell execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "FromBase64String", "IEX", "Invoke-Expression")
| where strlen(ProcessCommandLine) > 500
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for network connections to known C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("windowsupdate-cdn", "crefisa", "cdnorigin", "duckdns", "coffeesaloon", "livewallpapers", "2baserec2")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for file creations matching malware hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be", 
                          "2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279",
                          "417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b",
                          "fc4109f5dd1d30b65dd60e57dc639ac1d313bfa5241e36e61fbc4aabc1cda482")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc

// Hunt for suspicious RAR/ZIP archive execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("winrar.exe", "7z.exe", "explorer.exe")
| where ProcessCommandLine has_any (".rar", ".zip", ".7z")
| where ProcessCommandLine has_any ("-p", "-e", "-x")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell<#
.SYNOPSIS
    IOC Hunter for SmartRAT, Remcos, OkoBot, and NadMesh
.DESCRIPTION
    Scans endpoints for indicators of compromise related to recent infostealer campaigns
.NOTES
    File Name      : IOC-Hunter.ps1
    Author         : Security Arsenal
    Prerequisite   : Administrator privileges
#>

# Known malicious file hashes from OTX pulses
$MaliciousHashes = @(
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787",
    "b17ccdb5531555e43f082d6e77c07227",
    "511ba918e1781ff38310530801b8cec5",
    "ca024acead8f54cfe5b07ac4bdf7fcea",
    "07d7d21c2c0920d198efb9ea54900a80",
    "20476f3a51dfddf3dc0603fc7858d894",
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2"
)

# Known C2 domains
$MaliciousDomains = @(
    "crefisa.online",
    "windowsupdate-cdn.com",
    "cdnorigin.net",
    "coffeesaloon.online",
    "livewallpapers.online",
    "2baserec2.guru",
    "kbeautyreviews.com"
)

# Suspicious process patterns
$SuspiciousProcesses = @(
    "*powershell*-encodedcommand*",
    "*powershell*-e *",
    "*powershell*FromBase64String*",
    "*cmd*/c powershell*"
)

function Check-FileHashes {
    Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow
    
    $Paths = @(
        "$env:TEMP\*",
        "$env:APPDATA\*",
        "$env:LOCALAPPDATA\*",
        "C:\ProgramData\*",
        "$env:USERPROFILE\Downloads\*"
    )
    
    foreach ($Path in $Paths) {
        if (Test-Path $Path) {
            Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                if ($_.Length -gt 0 -and $_.Length -lt 100MB) {
                    try {
                        $Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
                        if ($MaliciousHashes -contains $Hash) {
                            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                        }
                    } catch {
                        # Ignore access errors
                    }
                }
            }
        }
    }
}

function Check-NetworkConnections {
    Write-Host "[+] Checking for suspicious network connections..." -ForegroundColor Yellow
    
    $Connections = Get-NetTCPConnection -ErrorAction SilentlyContinue | 
        Where-Object { $_.State -eq "Established" }
    
    foreach ($Connection in $Connections) {
        try {
            $RemoteAddress = $Connection.RemoteAddress
            $Process = Get-Process -Id $Connection.OwningProcess -ErrorAction SilentlyContinue
            
            if ($Process) {
                $RemoteHost = [System.Net.Dns]::GetHostEntry($RemoteAddress).HostName
                
                foreach ($Domain in $MaliciousDomains) {
                    if ($RemoteHost -like "*$Domain*") {
                        Write-Host "[!] SUSPICIOUS CONNECTION: $($RemoteAddress) ($RemoteHost) via $($Process.ProcessName)" -ForegroundColor Red
                    }
                }
            }
        } catch {
            # Ignore DNS lookup failures
        }
    }
}

function Check-SuspiciousProcesses {
    Write-Host "[+] Checking for suspicious process patterns..." -ForegroundColor Yellow
    
    $Processes = Get-CimInstance Win32_Process -ErrorAction SilentlyContinue | 
        Where-Object { $_.Name -like "*powershell*" -or $_.Name -like "*cmd*" }
    
    foreach ($Process in $Processes) {
        foreach ($Pattern in $SuspiciousProcesses) {
            if ($Process.CommandLine -like $Pattern) {
                Write-Host "[!] SUSPICIOUS PROCESS: $($Process.Name) with command line pattern: $Pattern" -ForegroundColor Red
                Write-Host "    Command: $($Process.CommandLine)" -ForegroundColor Gray
            }
        }
    }
}

function Check-PersistenceMechanisms {
    Write-Host "[+] Checking for persistence mechanisms..." -ForegroundColor Yellow
    
    # Check Run registry keys
    $RunKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    
    foreach ($Key in $RunKeys) {
        if (Test-Path $Key) {
            Get-Item -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
                $_.Property | ForEach-Object {
                    $Value = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$_
                    if ($Value -match "powershell" -and $Value.Length -gt 100) {
                        Write-Host "[!] SUSPICIOUS RUN KEY: $Key\$_ = $Value" -ForegroundColor Red
                    }
                }
            }
        }
    }
    
    # Check Scheduled Tasks
    $Tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | 
        Where-Object { $_.State -eq "Ready" -or $_.State -eq "Running" }
    
    foreach ($Task in $Tasks) {
        $TaskInfo = $Task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        if ($Task.Actions.Execute -match "powershell") {
            Write-Host "[!] SUSPICIOUS SCHEDULED TASK: $($Task.TaskName)" -ForegroundColor Red
            Write-Host "    Command: $($Task.Actions.Execute) $($Task.Actions.Arguments)" -ForegroundColor Gray
        }
    }
}

# Main execution
Write-Host "
=========================================
   OTX Pulse IOC Hunter
   Targeting: SmartRAT, Remcos, OkoBot, NadMesh
   Date: 2026-07-17
=========================================
" -ForegroundColor Cyan

Check-FileHashes
Check-NetworkConnections
Check-SuspiciousProcesses
Check-PersistenceMechanisms

Write-Host "
[+] Scan completed. Review findings above." -ForegroundColor Green

Response Priorities

Immediate (Within 4 Hours)

  • Block all domain IOCs at DNS and web proxy level
  • Load file hash IOCs into EDR for automated quarantine
  • Hunt for PowerShell execution with encoded commands on all endpoints
  • Isolate systems with confirmed indicators

24 Hours

  • Initiate credential rotation for users with potential exposure (especially banking and crypto accounts)
  • Review and quarantine suspicious email attachments from last 30 days
  • Analyze network logs for connections to identified C2 infrastructure
  • Run PowerShell IOC hunter script across all endpoints

1 Week

  • Implement AI-generated content detection for email and web filtering
  • Deploy strict URL filtering for typosquatting patterns
  • Review and harden cloud infrastructure against NadMesh exploitation vectors
  • Conduct user awareness training focused on fake CAPTCHA and ClickFix techniques

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialssmartratremcos-ratclickfixokobotcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.