
ClickFix, Argamal, and UAT-8302: A Surge in Infostealers, RATs, and APT Tooling — OTX Pulse Analysis

Security Arsenal Team
June 4, 2026
9 min read

Threat Summary

Recent telemetry from AlienVault OTX indicates a significant and diverse set of threat activities converging on credential theft and remote access. Analysis of five distinct pulses reveals a complex threat landscape where commodity infostealers like ClickFix/CastleStealer and Argamal operate alongside sophisticated, nation-state-linked toolsets from the UAT-8302 threat actor. These campaigns employ varied initial access vectors—from social engineering lures disguised as image-editing tools (BackgroundFix) to compromised adult games and maliciously impersonated freeware download sites. The common objective across these disparate actors is the establishment of persistent footholds, theft of sensitive credentials and authentication tokens, and the deployment of Remote Access Trojans (RATs) for full system compromise, often leading to secondary stages of espionage or data exfiltration.

Threat Actor / Malware Profile

Threat actor / malware: ClickFix / CastleLoader / CastleStealer
  • Distribution method: Social engineering via a fake image-editing tool (BackgroundFix) that prompts users to copy and paste malicious commands.
  • Payload behavior: Uses finger.exe to retrieve an initial payload. The loader drops NetSupport RAT (for remote control) and a custom .NET stealer, CastleStealer.
  • C2 communication: Communicates with C2 servers over HTTP on non-standard ports (e.g., 688).
  • Persistence mechanism: Uses a reflective loader, suggesting an in-memory execution model to avoid disk-based signatures.
  • Anti-analysis techniques: Uses a reflective loader for in-memory execution, making static analysis difficult.

Threat actor / malware: Argamal
  • Distribution method: Bundled with adult-themed ("hentai") games, distributed via compromised or malicious file-sharing sites.
  • Payload behavior: A dormant implant that downloads and executes a RAT after a multi-day delay. Targets and steals credentials.
  • C2 communication: Communicates with C2 over standard protocols; details are often obfuscated.
  • Persistence mechanism: Uses COM hijacking for persistence, specifically replacing the InprocServer32 entry for the Windows Color System Calibration Loader DLL.
  • Anti-analysis techniques: Delayed execution to evade immediate sandbox detection.

Threat actor / malware: UAT-8302 (China-nexus APT)
  • Distribution method: Spear-phishing and exploitation of vulnerabilities (e.g., CVE-2025-0994, CVE-2025-20333) against government and telecom targets.
  • Payload behavior: Deploys a "box full of malware" including NetDraft, FringePorch, CloudSorcerer v3, VSHELL, SNOWLIGHT, and others for extensive reconnaissance and credential theft.
  • C2 communication: Custom, likely encrypted C2 channels, implying high sophistication.
  • Persistence mechanism: Multiple mechanisms, likely including scheduled tasks and service registration. Specifics for the newer families are still being analyzed.
  • Anti-analysis techniques: Uses custom malware families with no public signatures, making signature-based detection largely ineffective. Employs dynamic memory evasion.

Threat actor / malware: CloudZ RAT / Pheno Plugin
  • Distribution method: Initial infection vector unknown; leverages the Microsoft Phone Link application feature.
  • Payload behavior: CloudZ RAT provides remote access. The Pheno plugin is designed to steal credentials and one-time passwords (OTPs) by intercepting synced mobile data from the linked phone.
  • C2 communication: C2 communication over a custom protocol.
  • Persistence mechanism: Persists by exploiting legitimate application functionality (Phone Link), making it difficult to flag as malicious on its own.
  • Anti-analysis techniques: Uses dynamic memory allocation and undocumented plugin functionality to evade standard behavioral analysis.

Threat actor / malware: SessionGate, RemusStealer, AnimateClipper
  • Distribution method: Impersonates open-source/freeware projects (e.g., Ghidra, dnSpy) to poison search results. Clicks are routed through a Traffic Distribution System (TDS).
  • Payload behavior: The TDS acts as a gatekeeper. Successful handoffs deliver payloads like SessionGate (initial access/broker), RemusStealer (credential theft), and AnimateClipper (cryptocurrency clipper).
  • C2 communication: Communicates with TDS and C2 servers, often using CloudFront-hosted JavaScript for obfuscation.
  • Persistence mechanism: Persistence mechanisms are likely standard for the delivered payloads (e.g., scheduled tasks).
  • Anti-analysis techniques: Uses a professional TDS with anti-bot checks, first-visit state enforcement, and CloudFront to distribute payloads and evade security controls.

IOC Analysis

The provided IOCs offer a comprehensive view of the attack infrastructure:

  • File Hashes (SHA1, SHA256, MD5): Numerous hashes for malware binaries and loaders across all campaigns. These are critical for Endpoint Detection and Response (EDR) solutions to identify malicious files on disk or in memory. SHA256 hashes (e.g., bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 for CastleLoader) are the most reliable.
  • Domains & URLs: A mix of C2 domains (e.g., trindastal.com, poronto.com) and malicious download URLs (e.g., http://giovettiadv.com:688). The UAT-8302 and freeware impersonation campaigns also include domains in their infrastructure (e.g., guiformat.com). These should be added to web proxy and DNS blocklists.
  • IP Addresses: Direct C2 IPs (e.g., 194.150.220.218, 217.156.122.75) can be blocked at the firewall level to disrupt command and control.
  • CVEs: UAT-8302's exploitation of specific vulnerabilities (CVE-2025-0994, CVE-2025-20333, CVE-2025-20362) provides a clear path for vulnerability management teams to prioritize patching.
  • Hostnames: Often used for dynamic DNS (e.g., asper1.freeddns.org, arch2.maxdatahost1.cyou), providing resilience for C2 infrastructure.

Operational Guidance: SOC teams should feed these IOCs into their SIEM, EDR, and firewall systems immediately. Hashes should be used for scanning endpoints. Domains and IPs should be blocked on network perimeter devices. The CVEs should be cross-referenced with internal asset inventories to identify and patch vulnerable systems.

Detection Engineering

Sigma Rules

title: Suspicious Execution via finger.exe
id: b608327f-8f53-4c26-89b8-06a3d237052f
description: Detects the execution of finger.exe, which is abused by ClickFix and other malware families for payload retrieval. The parent process is often a shell or a command invoked by a user script.
status: experimental
author: Security Arsenal
date: 2026/06/05
references:
  - https://otx.alienvault.com/pulse/6675ea56e34659598a0c0400/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  filter_main_legit:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
  condition: selection and not filter_main_legit
falsepositives:
  - Legitimate, rare use of the finger client.
level: high

title: Persistence via Windows Color System Calibration COM Hijacking
id: 2c71b0e6-458d-4a33-b47a-7b063f8c6852
description: Detects COM hijacking for persistence, a technique used by the Argamal malware. It targets the InprocServer32 value for the Windows Color System Calibration Loader.
status: experimental
author: Security Arsenal
date: 2026/06/05
references:
  - https://otx.alienvault.com/pulse/667939cbe34659598a0c0532/
tags:
  - attack.persistence
  - attack.t1546.015
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'CLSID\{5D6AA0BA-F3F0-4F8E-957D-7C3D19189228}\InprocServer32'
  condition: selection
falsepositives:
  - Unlikely, as this is a non-standard path for the legitimate DLL.
level: critical

title: Potential CloudZ RAT Pheno Plugin OTP Theft
id: 8491dcf4-6a27-4986-8c1a-6a1f539b0512
description: Detects potential activity related to the CloudZ RAT's Pheno plugin, which may exploit the Microsoft Phone Link application. This rule looks for suspicious child processes spawned by the Phone Link executable or its associated components.
status: experimental
author: Security Arsenal
date: 2026/06/05
references:
  - https://otx.alienvault.com/pulse/667a8640e34659598a0c0650/
tags:
  - attack.credential_access
  - attack.t1528
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains: 'YourPhone'
  selection_child_suspicious:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\powershell_ise.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child_suspicious
falsepositives:
  - Potential false positives if Phone Link legitimately launches these scripts for user automation, which is uncommon.
level: high
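
To check that the three rules above fire on the event shapes they describe, here is an added Python example (not part of the original report or of the Sigma project): a minimal evaluator for the endswith/contains modifiers and the "selection and not filter" condition, run over constructed process-creation and registry events. The file paths, the YourPhone package folder and the SID in the sample events are placeholders.

```python
def match_field(event, key, expected):
    # One Sigma field test 'Field|modifier'; Sigma string matching is case-insensitive
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    return any((modifier == "endswith" and value.endswith(str(c).lower()))
               or (modifier == "contains" and str(c).lower() in value)
               or (modifier == "" and value == str(c).lower()) for c in candidates)

def match_selection(event, selection):
    # Every field test inside a selection block must hold (Sigma AND semantics)
    return all(match_field(event, k, v) for k, v in selection.items())

# Logic transcribed from the three Sigma rules above; 'condition' receives per-selection results
RULES = [
    {"title": "Suspicious Execution via finger.exe", "logsource": "process_creation",
     "selections": {"selection": {"Image|endswith": "\\finger.exe"},
                    "filter_main_legit": {"ParentImage|endswith": ["\\explorer.exe", "\\cmd.exe"]}},
     "condition": lambda s: s["selection"] and not s["filter_main_legit"]},
    {"title": "Persistence via Windows Color System Calibration COM Hijacking", "logsource": "registry_set",
     "selections": {"selection": {"TargetObject|contains": "CLSID\\{5D6AA0BA-F3F0-4F8E-957D-7C3D19189228}\\InprocServer32"}},
     "condition": lambda s: s["selection"]},
    {"title": "Potential CloudZ RAT Pheno Plugin OTP Theft", "logsource": "process_creation",
     "selections": {"selection_parent": {"ParentImage|contains": "YourPhone"},
                    "selection_child_suspicious": {"Image|endswith": ["\\powershell.exe",
                        "\\cmd.exe", "\\powershell_ise.exe", "\\wscript.exe", "\\cscript.exe"]}},
     "condition": lambda s: s["selection_parent"] and s["selection_child_suspicious"]},
]

def evaluate(event):
    # Titles of every rule whose logsource category and condition match this event
    hits = []
    for rule in RULES:
        if event.get("category") == rule["logsource"]:
            results = {name: match_selection(event, sel) for name, sel in rule["selections"].items()}
            if rule["condition"](results):
                hits.append(rule["title"])
    return hits

# Constructed sample events: paths, package folder name and SID are placeholders, not real telemetry
SAMPLE_EVENTS = [
    {"category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},  # dropped by filter_main_legit
    {"category": "registry_set", "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID"
     r"\{5D6AA0BA-F3F0-4F8E-957D-7C3D19189228}\InprocServer32\(Default)"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_placeholder\YourPhone.exe"},
]
```

Running evaluate() over SAMPLE_EVENTS shows the second finger.exe event is suppressed by the cmd.exe parent filter, which is worth keeping in mind when ClickFix lures are pasted into a shell.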

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and similar malware execution chains
// Look for finger.exe spawning from an unusual parent (same exclusion as the Sigma rule)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ 'finger.exe'
| extend ProcessCommandLine = iff(isnull(ProcessCommandLine), '', ProcessCommandLine)
| where ParentProcessFileName !in~ ('explorer.exe', 'cmd.exe')
| project Timestamp, DeviceName, AccountName, FileName, ParentProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
| top 100 by Timestamp desc

// Hunt for Argamal COM Hijacking persistence
// Search for registry modifications to the targeted CLSID
DeviceRegistryEvents
| where Timestamp > ago(30d)
// InprocServer32 is a subkey and the hijacked value is its (Default), so match on the key path, not the value name
| where RegistryKey contains '{5D6AA0BA-F3F0-4F8E-957D-7C3D19189228}' and RegistryKey has 'InprocServer32'
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName
| top 100 by Timestamp desc

// Hunt for network connections to known C2 infrastructure from ClickFix and Argamal
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ('trindastal.com', 'poronto.com', 'brionter.com', 'giovettiadv.com', 'asper1.freeddns.org') or RemoteIP in ('194.150.220.218', '217.156.122.75')
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessAccountName, InitiatingProcessFileName
| top 100 by Timestamp desc

PowerShell IOC Hunt Script
# IOC Hunt Script for ClickFix, Argamal, and UAT-8302 Related Artifacts
# Requires Administrator privileges

# Check for Argamal COM Hijacking Persistence
Write-Host "Checking for Argamal COM Hijacking..."
$regPath = "HKCU:\Software\Classes\CLSID\{5D6AA0BA-F3F0-4F8E-957D-7C3D19189228}\InprocServer32"
if (Test-Path $regPath) {
    $inprocValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).'(default)'
    if ($inprocValue -ne $null -and $inprocValue -ne "%systemroot%\system32\mscms.dll") {
        Write-Host "[!] Potential Argamal COM Hijacking detected!" -ForegroundColor Red
        Write-Host "    Malicious DLL Path: $inprocValue"
    } else {
        Write-Host "[-] No COM hijacking detected on this path."
    }
} else {
    Write-Host "[-] Registry key not found."
}

# Check for ClickFix/CastleLoader file indicators on common user paths
Write-Host "`nChecking for known ClickFix/CastleLoader file hashes..."
$userPaths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
$maliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb"
)

foreach ($path in $userPaths) {
    if (Test-Path $path) {
        # -File keeps directories out of Get-FileHash, which cannot hash them
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($maliciousHashes -contains $hash) {
                Write-Host "[!] Malicious file found: $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[-] File scan complete."

# Check for active connections to known C2 IPs, and for known C2 domains in the local DNS cache
Write-Host "`nChecking for connections to known C2 infrastructure..."
$maliciousIPs = @(
    "194.150.220.218",
    "217.156.122.75"
)
$maliciousDomains = @(
    "trindastal.com",
    "poronto.com"
)

# Socket tables expose IPs only; Get-NetTCPConnection avoids parsing netstat text
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    if ($maliciousIPs -contains $_.RemoteAddress) {
        $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] Suspicious connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($process.ProcessName))" -ForegroundColor Red
    }
}

# Domains never appear in the socket table, so check the DNS resolver cache for them instead
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($domain in $maliciousDomains) {
        if ($_.Entry -eq $domain -or $_.Entry -like "*.$domain") {
            Write-Host "[!] Known C2 domain in DNS cache: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
        }
    }
}
Write-Host "[-] Network connection scan complete."

Response Priorities

  • Immediate:
    • Block IOCs: Immediately block all listed domains, URLs, and IP addresses at your web proxy, DNS, and firewall.
    • Hunt for Artifacts: Execute the provided PowerShell script on endpoints to scan for Argamal's COM hijacking and known ClickFix file hashes.
    • Detect: Deploy the provided Sigma rules to your SIEM/EDR to start alerting on suspicious finger.exe execution and the Argamal persistence mechanism.
  • Within 24 Hours:
    • Identity Verification: Given the prevalence of credential theft (CastleStealer, Argamal, UAT-8302), initiate a password audit and consider resetting credentials for accounts with suspicious activity or on potentially compromised systems. Enable MFA if not already in place.
    • Patch Critical CVEs: Prioritize patching systems vulnerable to CVE-2025-0994, CVE-2025-20333, and CVE-2025-20362 to protect against UAT-8302 exploitation.
  • Within 1 Week:
    • Architecture Hardening:
      • Implement application allowlisting to prevent the execution of unsigned or unauthorized software, which would mitigate initial access via fake tools and games.
      • Conduct user awareness training focused on social engineering lures, especially those related to "fixes" or "free tools".
      • Review and restrict the use of the Microsoft Phone Link application on corporate devices to reduce the attack surface for CloudZ RAT.
