Threat Summary
Recent OTX pulses indicate a convergence of sophisticated credential theft operations and state-sponsored espionage. Threat actors are leveraging diverse initial access vectors including social engineering lures (ClickFix's "BackgroundFix"), niche supply chain compromise (adult games infected with Argamal), and advanced Traffic Distribution Systems (TDS) impersonating legitimate open-source tools.
Notably, the emergence of the CloudZ RAT exploiting Microsoft Phone Link to intercept OTPs, combined with the aggressive targeting of government entities by the China-nexus APT group UAT-8302, signals a shift towards bypassing MFA and accessing high-value targets. The collective objective of these campaigns is persistent system compromise, data exfiltration, and financial theft via infostealers and clippers.
Threat Actor / Malware Profile
1. ClickFix (CastleLoader / NetSupport RAT)
- Distribution: Fake image-editing websites mimicking "BackgroundFix". Uses "ClickFix" social engineering to trick users into copying malicious commands to their clipboard.
- Behavior: Executes finger.exe to retrieve payloads. Drops CastleLoader, which further deploys NetSupport RAT (C2) and CastleStealer (.NET credential harvester).
- Persistence: Standard RAT persistence mechanisms; reflective loading techniques to evade detection.
2. Argamal / Termixia
- Distribution: Bundled within adult-themed (hentai) games, targeting users in Russia, Brazil, and Germany.
- Behavior: Dwell time of several days before downloading a secondary RAT payload.
- Persistence: Uses COM hijacking by modifying the InprocServer32 registry entry for the Windows Color System Calibration Loader (mscms.dll).
3. TDS Ecosystem (SessionGate / RemusStealer / AnimateClipper)
- Distribution: SEO poisoning and impersonation of tools like Ghidra, dnSpy, and SpiderFoot. Uses CloudFront-hosted JavaScript to hijack download buttons.
- Behavior: Directs victims to a Traffic Distribution System (TDS) that filters traffic based on bot checks and geolocation before delivering malware.
- Payloads: SessionGate (session theft), RemusStealer (browser data), AnimateClipper (cryptocurrency clipper).
4. CloudZ RAT + Pheno Plugin
- Distribution: Active since Jan 2026; specific initial vector undisclosed in this pulse, likely phishing or exploit.
- Behavior: Utilizes the "Pheno" plugin to exploit the Microsoft Phone Link application. It intercepts synchronized mobile data, allowing theft of SMS messages and OTPs without infecting the phone directly.
- Evasion: Dynamic memory execution to avoid disk-based signatures.
5. UAT-8302 (China-nexus APT)
- Target: Government, Telecommunications, and Technology sectors in Japan and Russia (and previously South America/Eastern Europe).
- Malware: Deploys custom malware families: NetDraft, CloudSorcerer v3, FringePorch, and VSHELL.
- Techniques: Exploits CVE-2025-0994 and other CVEs (CVE-2025-20333, CVE-2025-20362). Focuses on reconnaissance and credential harvesting.
IOC Analysis
The provided IOCs offer immediate blocking capability and hunting opportunities:
- Domains & URLs: Indicator list includes C2 domains (trindastal.com, poronto.com) and TDS gateways (guiformat.com, forestoaker.com). SOC teams should block these at the perimeter and DNS layer.
- File Hashes (SHA1/SHA256/MD5): A significant number of hashes are provided for payloads like Argamal, CloudZ, and UAT-8302 tools. Load them into the EDR's custom indicator block list so matching files are blocked, and search SIEM process and file logs for execution matches.
- CVEs: UAT-8302 activity involves specific CVEs (CVE-2025-0994, CVE-2025-20333). Vulnerability scanners must be updated to detect these specific flaws.
- IP Addresses: Specific IPs (e.g., 194.150.220.218) serve as C2 or TDS infrastructure. These require immediate firewall blacklisting.
Detection Engineering
Sigma Rules
title: Suspicious finger.exe Execution (ClickFix Loader)
id: 7d8c9f2a-1b3c-4d5e-8f9a-1b2c3d4e5f6a
description: Detects the execution of finger.exe, which is abused by ClickFix campaigns to retrieve malicious payloads.
status: experimental
date: 2026/06/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663d8f1b5e7e8b0c4a1b2c3d
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    filter_legit:
        # cmd.exe and powershell.exe also live under System32, so this filter suppresses
        # finger.exe launched from a ClickFix command prompt; remove it when hunting
        ParentImage|contains:
            - '\System32\'
            - '\SysWOW64\'
    condition: selection and not filter_legit
falsepositives:
    - Rare legitimate use of finger client
level: high
---
title: Argamal COM Hijacking Persistence via WCS
description: Detects registry modifications associated with Argamal malware persistence via Windows Color System (mscms.dll) COM hijacking, i.e. a CLSID InprocServer32 default value that loads mscms.dll from a user-writable path.
id: 9e0f1g2h-3i4j-5k6l-7m8n-9o0p1q2r3s4t
status: experimental
date: 2026/06/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663d8f1b5e7e8b0c4a1b2c4e
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        # TargetObject is the key path; the DLL path is the written value (Details)
        TargetObject|contains|all:
            - '\CLSID\'
            - '\InprocServer32'
        Details|contains: 'mscms.dll'
    selection_userpath:
        Details|contains:
            - '\AppData\'
            - '\Temp\'
            - '%APPDATA%'
            - '%TEMP%'
    condition: selection and selection_userpath
falsepositives:
    - Unlikely, rare legitimate COM hijacking for this DLL
level: critical
---
title: UAT-8302 CloudSorcerer Exploit Attempt
description: Detects successful network logons (Event ID 4624, logon type 3) from IP ranges associated with UAT-8302 CloudSorcerer infrastructure, as a proxy for follow-on activity after CVE-2025-0994 exploitation; the exploit itself is not visible in the Security log.
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
date: 2026/06/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663d8f1b5e7e8b0c4a1b2c5f
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        IpAddress|startswith:
            - '194.150.220.'
            - '217.156.122.'
    condition: selection
falsepositives:
    - Legitimate traffic from these specific IPs if whitelisted
level: high
KQL (Microsoft Sentinel)
// Hunt for ClickFix finger.exe execution and Argamal Persistence
// Check for Process Creation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("finger.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("finger", "castle", "argamal", "termixia")
    or InitiatingProcessFileName has_any ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for Network connections to known IOCs (run as a separate query)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "guiformat.com", "forestoaker.com", "giovettiadv.com")
    or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort

// Check for specific File Hashes (run as a separate query)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00"
)
| project Timestamp, DeviceName, FolderPath, SHA256
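The IOC Analysis section and the KQL hunts above both come down to matching the pulse's domains, IPs and hashes against telemetry. The following is an added example, not code from the pulse or from Security Arsenal, showing the normalisation a matcher needs so that subdomains of a listed C2 domain, a trailing-dot FQDN from DNS logs and an upper-case hash from an EDR event are still caught. The indicator values are the ones quoted on this page; the log records are constructed samples.

```python
"""Match the pulse's network and file indicators against log records.

Added example, not part of the OTX pulse or the Security Arsenal KQL: it
normalises the indicator types the IOC section lists (C2/TDS domains, IPs,
SHA256 hashes) and scans free-form log lines, so that subdomains of a listed
domain, mixed-case hashes and FQDNs with a trailing dot are still caught.
Indicator values come from the page; the log lines are constructed samples.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted from the pulse write-up (domains, IPs, SHA256 hashes).
IOC_DOMAINS = {"trindastal.com", "poronto.com", "guiformat.com", "forestoaker.com"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}
IOC_SHA256 = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
}

# Loose tokenisers: a hostname must end in an alphabetic label, so dotted IPs
# never match as hosts; file names like "ghidra.zip" match but are not IOCs.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    ioc_type: str   # "domain", "ip" or "sha256"
    indicator: str  # the IOC that matched, normalised
    observed: str   # the token as it appeared in the log line


def domain_hit(host: str) -> str | None:
    """Return the IOC domain if host equals it or is a subdomain of it.
    Suffix matching uses the dot boundary, so 'nottrindastal.com' is not a hit."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> list[Match]:
    """Return every IOC match in one log line."""
    hits: list[Match] = []
    for host in _HOST_RE.findall(line):
        d = domain_hit(host)
        if d:
            hits.append(Match("domain", d, host))
    for ip in _IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)       # drop things like 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(Match("ip", ip, ip))
    for digest in _SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(Match("sha256", digest.lower(), digest))
    return hits


def hunt(lines: list[str]) -> list[tuple[int, Match]]:
    """Scan a batch of lines; returns (line number, match) pairs for the report."""
    return [(n, m) for n, line in enumerate(lines, 1) for m in scan_line(line)]


# Constructed sample records (DNS, proxy, EDR file event); not real telemetry.
SAMPLE_LOGS = [
    "2026-06-04T09:12:01Z dns host=WS01 qname=cdn.Trindastal.com. qtype=A",
    "2026-06-04T09:12:03Z proxy host=WS01 dst=194.150.220.218:443 url=https://guiformat.com/dl/ghidra.zip",
    "2026-06-04T09:13:10Z edr host=WS01 path=C:\\Users\\a\\AppData\\Roaming\\mscms.dll sha256=BDE21D8BE65D31E1C380F2DAAE2F73C79F3E1F4BCA70FB990DB6FDF6C3768C92",
    "2026-06-04T09:14:00Z dns host=WS02 qname=nottrindastal.com qtype=A",
]

if __name__ == "__main__":
    for n, m in hunt(SAMPLE_LOGS):
        print(f"line {n}: {m.ioc_type} {m.indicator} (seen as {m.observed})")
```

The fourth sample line exists to show why plain substring matching is wrong: `nottrindastal.com` contains the C2 domain as a substring but is not a subdomain of it, and the matcher correctly ignores it.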
PowerShell Hunt Script
# IOC Hunt Script for Argamal and ClickFix Artifacts
# Requires Admin Privileges
Write-Host "[*] Hunting for Argamal COM Hijack Persistence..." -ForegroundColor Cyan

# Argamal Persistence Check (Registry): a per-user CLSID\InprocServer32 entry shadows the
# machine-wide one, so an mscms.dll path outside the Windows system directories is suspect.
$clsidPath = "HKCU:\Software\Classes\CLSID"
if (Test-Path $clsidPath) {
    $guids = Get-ChildItem $clsidPath -ErrorAction SilentlyContinue
    foreach ($guid in $guids) {
        $inprocPath = Join-Path $guid.PSPath "InprocServer32"
        if (Test-Path $inprocPath) {
            $defaultVal = (Get-ItemProperty $inprocPath -ErrorAction SilentlyContinue)."(default)"
            if ($defaultVal -match "mscms\.dll") {
                # Expand %SystemRoot%-style values first, otherwise the legitimate entry is flagged
                $expanded = [Environment]::ExpandEnvironmentVariables($defaultVal)
                if ($expanded -notmatch '\\Windows\\(System32|SysWOW64)\\') {
                    Write-Host "[!] Suspicious COM Hijack found for GUID: $($guid.PSChildName)" -ForegroundColor Red
                    Write-Host "    Path: $defaultVal" -ForegroundColor Yellow
                }
            }
        }
    }
}

Write-Host "[*] Checking for ClickFix related process execution (finger.exe)..." -ForegroundColor Cyan
$process = Get-Process finger -ErrorAction SilentlyContinue
if ($process) {
    Write-Host "[!] finger.exe process is currently running (Potential ClickFix Activity)." -ForegroundColor Red
    $process | Select-Object Id, ProcessName, Path, StartTime
} else {
    Write-Host "[-] No suspicious finger.exe process found." -ForegroundColor Green
}

Write-Host "[*] Scanning for specific CloudZ/UAT-8302 File Hashes..." -ForegroundColor Cyan
$targetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00"
)
# Quick scan of user profile directories and temp (files only; -in compares case-insensitively,
# so the upper-case hash Get-FileHash returns matches the lower-case list)
$pathsToScan = @("$env:USERPROFILE", "$env:TEMP")
foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Length -gt 0 -and $_.Extension -ne ".tmp") {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $hash -in $targetHashes) {
                    Write-Host "[!] Malicious file found: $($_.FullName)" -ForegroundColor Red
                    Write-Host "    Hash: $hash" -ForegroundColor Yellow
                }
            }
        }
    }
}
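The Argamal persistence described in the profile (a repointed InprocServer32 entry for the Windows Color System loader), the Sigma registry rule and the PowerShell hunt above all test the same condition on a live host. The block below is an added example, not part of the pulse or of the Security Arsenal script, that applies that condition offline to a .reg export such as `reg export HKCU\Software\Classes\CLSID out.reg`, which is the form an analyst usually receives from a collected machine. It decodes both quoted REG_SZ and hex(2) REG_EXPAND_SZ values, expands %SystemRoot% and %windir% (assumed to be C:\Windows), and flags any InprocServer32 default that names mscms.dll outside System32 or SysWOW64. The GUIDs and paths in the sample export are constructed.

```python
"""Offline triage of a registry export for the Argamal WCS COM hijack.

Added example, not part of the pulse or the Security Arsenal hunt script.
Decodes quoted REG_SZ and hex(2) REG_EXPAND_SZ values from a .reg export,
expands %SystemRoot%/%windir% (assumed to be C:\\Windows) and flags every
CLSID\\InprocServer32 default that loads mscms.dll from outside the Windows
system directories. The export at the bottom is constructed sample data.
"""
from __future__ import annotations

import re

# Assumed expansions for the variables a WCS path normally uses.
_ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
_TRUSTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def decode_reg_value(token: str) -> str | None:
    """Decode a .reg value token; only string types can hold a DLL path."""
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return token[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if token.lower().startswith("hex(2):"):          # REG_EXPAND_SZ as UTF-16LE bytes
        hexdigits = token.split(":", 1)[1].replace(",", "").strip()
        try:
            return bytes.fromhex(hexdigits).decode("utf-16-le").rstrip("\x00")
        except ValueError:
            return None
    return None                                      # dword, binary, multi-sz: ignored


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key] to {value name: decoded string}; '@' becomes '(default)'."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):                      # wrapped hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, token = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            value = decode_reg_value(token)
            if value is not None:
                keys[current][name] = value
    return keys


def expand_env(path: str) -> str:
    """Expand the assumed environment variables case-insensitively."""
    out = path
    for var, value in _ENV.items():
        out = re.sub(re.escape(var), lambda _m, v=value: v, out, flags=re.IGNORECASE)
    return out


def find_mscms_hijacks(export_text: str) -> list[tuple[str, str]]:
    """Return (CLSID, raw path) for InprocServer32 defaults that load mscms.dll
    from anywhere other than System32/SysWOW64. A per-user HKCU\\Software\\Classes
    entry shadows the HKLM one, which is exactly how the hijack takes effect."""
    hits: list[tuple[str, str]] = []
    for key, values in parse_reg_export(export_text).items():
        k = key.lower()
        if "\\clsid\\" not in k or not k.endswith("\\inprocserver32"):
            continue
        path = values.get("(default)", "")
        if "mscms.dll" not in path.lower():
            continue
        if any(d in expand_env(path).lower() for d in _TRUSTED_DIRS):
            continue
        m = re.search(r"\{[0-9a-f-]{36}\}", k)
        hits.append((m.group(0) if m else key, path))
    return hits


def _hex2(s: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ (used to build the sample)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed export: one hijack, one legitimate expandable path, one unrelated server.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]",
    r'@="C:\\Users\\alice\\AppData\\Roaming\\Color\\mscms.dll"',
    '"ThreadingModel"="Both"',
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]",
    "@=" + _hex2(r"%SystemRoot%\system32\mscms.dll"),
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]",
    r'@="C:\\Users\\alice\\AppData\\Local\\Vendor\\helper.dll"',
])

if __name__ == "__main__":
    for clsid, path in find_mscms_hijacks(SAMPLE_EXPORT):
        print(f"[!] suspicious InprocServer32 for {clsid}: {path}")
```

The second sample entry is the reason the expansion step matters: a value stored as REG_EXPAND_SZ reads `%SystemRoot%\system32\mscms.dll`, which a literal check for `C:\Windows\System32` would wrongly report as a hijack.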
Response Priorities
- Immediate: Block all domains and IPs listed in the IOCs at the firewall and proxy. Isolate any endpoints showing finger.exe execution not initiated by a system administrator.
- 24h: Conduct credential resets for accounts active on machines where Argamal or CloudZ indicators are found. Revoke MFA sessions and tokens due to the OTP theft capabilities of CloudZ.
- 1 Week: Apply patches for CVEs associated with UAT-8302 (CVE-2025-0994). Implement application allowlisting to prevent the execution of unsigned software often distributed via the TDS ecosystem (fake Ghidra/dnSpy).