Threat Summary
Current OTX pulses indicate a dual-vector threat landscape involving sophisticated social engineering and critical infrastructure exploitation. A widespread "ClickFix" campaign is actively targeting job seekers (Windows) and users searching for macOS utilities, delivering remote access trojans (CastleLoader) and info-stealers (AMOS, Shub Stealer). These attacks leverage typosquatting, fake CAPTCHA pages, and legacy LOLBINs (like the Finger protocol) to evade detection. Simultaneously, a likely state-sponsored threat cluster (CL-STA-1132) is exploiting a buffer overflow vulnerability in PAN-OS (CVE-2023-33538, CVE-2025-55182, and others) to deploy tunneling tools (EarthWorm, ReverseSocks5) on firewalls, enabling unauthenticated remote code execution with root privileges.
Threat Actor / Malware Profile
ClickFix Campaign (Windows)
- Distribution: Typosquatted domains impersonating LinkedIn and Indeed (e.g.,
teamsvoicehub.com), distributed via Google Ads. - Attack Chain: Fake CAPTCHA pages -> Triggers legacy Windows
fingercommand -> Downloads portable Python runtime. - Payload: CastleLoader (Python-based RAT). It establishes a C2 channel to download subsequent payloads.
- LOLBINs: Uses
finger.exeand native Windows utilities for fileless execution initiation.
ClickFix Campaign (macOS)
- Distribution: Fake system utility lures hosted on blog platforms.
- Attack Chain: Social engineering tricking users into running malicious Terminal commands.
- Payload: Macsync, Shub Stealer, AMOS, PhantomPulse. These infostealers exfiltrate browser data, keychains, and cryptocurrency wallet information.
- Technique: Execution of bash scripts via Terminal, often obfuscated.
CL-STA-1132 (Infrastructure Threat)
- Adversary: Likely state-sponsored cluster targeting network edge devices.
- Objective: Persistence and pivoting within corporate networks.
- Payload: EarthWorm and ReverseSocks5. These tools create SOCKS5 proxies and tunnels to route malicious traffic through compromised firewalls.
- Exploitation: Buffer overflow in PAN-OS User-ID Authentication Portal; shellcode injection into
nginxprocesses.
IOC Analysis
The provided indicators consist primarily of domains and file hashes.
- Domains: A mix of typosquatted recruitment sites and generic-sounding infrastructure domains (e.g.,
ai-like.net,jihiz.com). SOC teams should immediately block these at the DNS layer and alert on any historical DNS resolution attempts. - FileHash-SHA256: Specific hashes for the CastleLoader Python payloads (e.g.,
08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4). EDR tools should be configured to quarantine files matching these signatures. - CVEs: A cluster of 8 CVEs affecting PAN-OS. While not file IOCs, these must be treated as critical block indicators for vulnerability scanning.
Detection Engineering
YAML
title: Potential ClickFix Activity - Windows Finger Protocol Execution
id: 48253084-20b4-48a2-8c1d-c41c2a974c3e
description: Detects the use of the legacy finger client, often abused in ClickFix campaigns to initiate download chains.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6658f3c352c4f
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\finger.exe'
- '\finger.com'
condition: selection
falsepositives:
- Legitimate administration (rare in modern environments)
level: high
tags:
- attack.execution
- attack.t1059.001
- clickfix
---
title: macOS ClickFix - Suspicious Terminal Pipe Execution
id: 550d8e21-9b1a-4a5f-b6e2-88f5c31a0e8a
description: Detects macOS Terminal commands piping curl output into osascript or bash, a common pattern in fake utility ClickFix attacks.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6658f3c352c4f
logsource:
category: process_creation
product: macos
detection:
selection_pipe:
CommandLine|contains: '|'
selection_tools:
CommandLine|contains:
- 'curl '
- 'wget '
selection_execution:
CommandLine|contains:
- 'osascript'
- 'bash'
- 'sh'
condition: all of selection_*
falsepositives:
- Legitimate developer scripts
level: medium
tags:
- attack.execution
- attack.t1059.004
- clickfix
---
title: Suspicious Portable Python Execution (CastleLoader Vector)
id: 110c9f3a-7e4d-4c8a-9d0f-123456789abc
description: Detects execution of Python binaries from user profile directories or temp paths, indicative of portable Python payloads like CastleLoader.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6658f3c352c4f
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|contains:
- 'python.exe'
- 'python3.exe'
- 'pythonw.exe'
selection_path:
Image|contains:
- '\AppData\Local\Temp\'
- '\Downloads\'
- 'Desktop'
condition: all of selection_*
falsepositives:
- Developer environments
level: high
tags:
- attack.execution
- attack.t1059.006
- castleloader
kql
// Hunt for ClickFix related network connections to suspicious domains
let IoCDomains = pack_array("teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net", "novayastaruxa.com", "kevinnotanother.com", "jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com");
DeviceNetworkEvents
| where RemoteUrl in (IoCDomains) or Url in (IoCDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend ThreatContext = "ClickFix C2 or Lure Domain"
;
// Hunt for usage of Finger protocol (Windows)
DeviceProcessEvents
| where FileName =~ "finger.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend ThreatContext = "Potential ClickFix LOLBIN usage"
;
// Hunt for macOS suspicious script execution
DeviceProcessEvents
| where DeviceType == "Mac"
| where ProcessCommandLine has "curl" and (ProcessCommandLine has "|" and (ProcessCommandLine has "osascript" or ProcessCommandLine has "bash"))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| extend ThreatContext = "Potential macOS ClickFix execution"
powershell
# Hunt script for CastleLoader Indicators
# Checks for specific SHA256 hashes in running processes
$TargetHash = "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4"
Write-Host "[+] Scanning running processes for CastleLoader hash..."
$Processes = Get-Process -IncludeUserName
foreach ($Proc in $Processes) {
try {
$FilePath = $Proc.Path
if ($FilePath -and (Test-Path $FilePath)) {
$FileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
if ($FileHash -eq $TargetHash) {
Write-Host "[!] ALERT: Malicious process detected!" -ForegroundColor Red
Write-Host " PID: $($Proc.Id)"
Write-Host " Name: $($Proc.ProcessName)"
Write-Host " Path: $FilePath"
Write-Host " User: $($Proc.UserName)"
}
}
} catch {
# Access denied or system process
continue
}
}
Write-Host "[+] Scan complete."
Response Priorities
-
Immediate:
- Block all listed domains at the DNS Proxy and Firewall level.
- Patch all PA-Series and VM-Series firewalls for the listed CVEs (CVE-2023-33538, CVE-2025-55182, CVE-2025-66478, CVE-2025-14847, CVE-2026-1281, CVE-2026-1340, CVE-2026-1731, CVE-2025-0921) immediately.
- Quarantine endpoints matching the CastleLoader file hash.
-
24h:
- Initiate credential reset for users who may have interacted with the macOS infostealers or LinkedIn/Indeed phishing lures.
- Review firewall logs for signs of EarthWorm or ReverseSocks5 activity (e.g., unexpected high-bandwidth tunneling or proxy traffic).
-
1 week:
- Disable the legacy Finger protocol on all Windows endpoints via GPO.
- Conduct security awareness training focused on "fake browser update" and "fake CAPTCHA" social engineering tactics.
- Implement application control policies to block unsigned Python executables from user directories.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwareclickfixcastleloaderpan-osearthworminfostealer
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.