Back to Intelligence

ClickFix, GachiLoader, and KYCShadow: Multi-Vector Credential Theft Campaigns - OTX Pulse Analysis

SA
Security Arsenal Team
April 29, 2026
6 min read

Recent OTX pulse data reveals a coordinated surge in credential theft operations utilizing diverse and sophisticated initial access vectors. Adversaries are pivoting away from traditional bulk phishing in favor of highly technical social engineering campaigns, specifically "ClickFix" attacks targeting Windows/macOS, and novel AI-themed lures (GachiLoader) distributing the Rhadamanthys infostealer. Additionally, a mobile-specific threat (KYCShadow) is targeting banking customers in India via WhatsApp, while a supply-chain attack (GlassWorm) focuses on developers via compromised repositories. The collective objective of these campaigns is the systematic exfiltration of financial credentials, cryptocurrency wallet keys, and session tokens.

Threat Actor / Malware Profile

Lumma Stealer & HijackLoader (ClickFix Campaign)

  • Distribution: "ClickFix" social engineering, where users are tricked into running "fix" commands via PowerShell to resolve fake browser errors or software issues.
  • Payload Behavior: Utilizes a multi-stage infection chain. Initial access via obfuscated PowerShell downloads a malicious MSI package. The MSI then employs DLL sideloading using renamed legitimate binaries to execute HijackLoader, which ultimately deploys Lumma Stealer.
  • C2 Communication: HTTP/HTTPS communication to distinct C2 domains (e.g., robinhuds.com).
  • Persistence: Scheduled tasks or registry run keys established by the loader component.

GachiLoader / Rhadamanthys (AI Skill Lure)

  • Distribution: Malicious payloads disguised as "AI Agent Skills" (specifically OpenClaw) hosted on fake GitHub infrastructure. Relies on pure social engineering to trick users into downloading Windows binaries.
  • Payload Behavior: Uses an Electron dropper or Node.js SEA (Single Executable Application) for execution. Performs fileless injection techniques to load Rhadamanthys into memory.
  • C2 Communication: Leverages blockchain-based C2 infrastructure for obfuscation and resilience.

KYCShadow (Android Banking Trojan)

  • Distribution: Disseminated via WhatsApp masquerading as legitimate bank KYC (Know Your Customer) verification applications.
  • Payload Behavior: Multi-stage dropper that establishes persistence. Uses WebView-based phishing overlays to harvest credentials and performs SMS interception to steal OTPs.
  • C2 Communication: Uses Firebase for remote configuration and command execution, coupled with VPN-based traffic manipulation to bypass detection.

GlassWorm (Supply Chain)

  • Distribution: Compromise of code repositories and package managers targeting developers.
  • Payload Behavior: Steals cryptocurrency wallets and dev credentials. Fetches payloads via the Solana blockchain.

IOC Analysis

The provided IOCs span multiple categories requiring distinct handling:

  • Domains (e.g., ustazazharidrus.com, serv.biz): These serve as landing pages for ClickFix scams and C2 infrastructure for Android malware. SOC teams should immediately block these at the perimeter (DNS sinkhole) and inspect historical logs for any resolution attempts.
  • IPs (e.g., 85.11.161.198): Used for hosting malicious payloads (MSI files). Firewalls should block outbound connections to these IPs.
  • File Hashes (SHA256/MD5): Include payloads for GachiLoader, HijackLoader, and the KYCShadow APK. EDR solutions should be configured to quarantine processes matching these hashes. Specific focus should be placed on the MSI hash f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc associated with the ClickFix PowerShell attack.
  • Tooling: IOCs can be operationalized via SIEM correlation rules (looking up hashes in EDR alerts), network firewalls (IP/Domain blocks), and threat intelligence platforms (TI feeds) for automated blocking.

Detection Engineering

YAML
---
title: Potential ClickFix PowerShell MSI Download
id: 5836b1c2-8f2a-45a7-9c1e-5522d4e6f8a9
status: experimental
description: Detects PowerShell commands downloading MSI files, a technique observed in ClickFix campaigns leading to HijackLoader.
references:
    - https://otx.alienvault.com/pulse/64xxxxx (ClickFix Pulse)
author: Security Arsenal Research
date: 2026/04/29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.initial_access
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_download:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IWR'
            - 'DownloadFile'
    selection_msi:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Suspicious DLL Sideloading via Renamed Binaries
id: 9a2b4c8d-1e3f-4a5b-8e6d-7c9f0a1b2c3d
status: experimental
description: Detects processes loading DLLs from suspicious paths or using renamed binaries typical of HijackLoader and GachiLoader.
references:
    - https://otx.alienvault.com/pulse/64xxxxx (ClickFix PowerShell Pulse)
author: Security Arsenal Research
date: 2026/04/29
tags:
    - attack.defense_evasion
    - attack.t1574.001
    - attack.t1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            - '.exe'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
        ImageLoaded|endswith:
            - '.dll'
    filter_legit:
        Signed: true
    condition: selection and not filter_legit
falsepositives:
    - Unsigned legitimate software
level: medium
---
title: GlassWorm/GachiLoader Blockchain C2 Connection
id: 7d3e8f1a-2b5c-4d6e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects outbound connections to known Solana RPC endpoints or high-entropy domains associated with blockchain-based C2.
references:
    - https://otx.alienvault.com/pulse/64xxxxx (GlassWorm Pulse)
    - https://otx.alienvault.com/pulse/64xxxxx (GachiLoader Pulse)
author: Security Arsenal Research
date: 2026/04/29
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_solanaports:
        DestinationPort:
            - 8899
            - 8900
            - 9900
    selection_hostnames:
        DestinationHostname|contains:
            - 'solana'
            - 'rpc'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Web3 or crypto applications
level: low


kql
// Hunt for ClickFix PowerShell activity and C2 connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "robinhuds.com", "serv.biz", "serv.xyz", "api.biz")
| extend IOCNature = "ClickFix/GachiLoader Domain"
| union DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains ".msi" and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh")
| extend IOCNature = "ClickFix PowerShell MSI Download"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteUrl, IOCNature


powershell
# IOC Hunt Script for Lumma/GachiLoader/KYCShadow Artifacts
# Run with administrative privileges

$IOC_Domains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "serv.biz", "serv.xyz", "api.biz"
)

$IOC_IPs = @("85.11.161.198")

$IOC_Hashes_SHA256 = @(
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728",
    "818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c",
    "1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb",
    "34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2"
)

Write-Host "[+] Checking DNS Cache for malicious domains..."
$DNSEntries = Get-DnsClientCache | Where-Object { $IOC_Domains -contains $_.Entry }
if ($DNSEntries) {
    Write-Host "[!] WARNING: Found cached entries for malicious domains:" -ForegroundColor Red
    $DNSEntries | Format-Table Entry, Data, Type
} else {
    Write-Host "[-] No malicious domains found in DNS cache."
}

Write-Host "[+] Scanning for specific file hashes in common download locations..."
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($IOC_Hashes_SHA256 -contains $Hash) {
                Write-Host "[!] CRITICAL: Malicious file found at $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking active network connections for known C2 IPs..."
$TCPConnections = Get-NetTCPConnection -State Established | Where-Object { $IOC_IPs -contains $_.RemoteAddress }
if ($TCPConnections) {
    Write-Host "[!] WARNING: Active connection to malicious IP detected:" -ForegroundColor Red
    $TCPConnections | Format-Table LocalPort, RemoteAddress, RemotePort, OwningProcess
} else {
    Write-Host "[-] No connections to malicious IPs detected."
}

Response Priorities

  • Immediate:

    • Block all listed domains and IP addresses at the firewall and proxy level.
    • Quarantine endpoints matching the provided file hashes.
    • Hunt for and kill any PowerShell processes spawning MSIexec or downloading files from the listed IPs.

  • 24 Hours:

    • Conduct credential audits for users who may have interacted with "ClickFix" prompts or fake KYC apps.
    • Reset passwords and invalidate session tokens for impacted accounts, particularly those with access to financial systems or code repositories.
    • Review mobile device management (MDM) logs for Android devices that may have installed the KYCShadow APK (MD5: 3da35272ad6d280d3388d57bdbf61b9c).

  • 1 Week:

    • Implement strict application allowlisting (AppLocker) to prevent the execution of unsigned binaries and scripts in user directories.
    • Harden browser policies to block unauthorized extensions and restrict native tool execution (e.g., restricting PowerShell access for standard users).
    • Deploy DNS filtering to prevent resolution of domains generated by GachiLoader and GlassWorm infrastructure.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsclickfixlumma-stealergachiloaderkycshadowinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action