
ClickFix, GlassWorm, and EtherRAT: APT Campaigns Leveraging Blockchain Evasion and Infostealers

Security Arsenal Team
April 28, 2026

Recent OTX pulses indicate a convergence of advanced evasion techniques and social engineering in ongoing APT campaigns. We observe three distinct clusters: ClickFix campaigns distributing commodity infostealers (Vidar, Lumma) via social engineering; GlassWorm, a supply-chain attack targeting developers using Solana blockchain for C2; and EtherRAT, a North Korean APT-linked Node.js backdoor utilizing "EtherHiding" on Ethereum smart contracts for resilient infrastructure.

Collectively, these threats demonstrate a shift toward living-off-the-land (LotL) initial access and blockchain abuse for infrastructure resilience, specifically targeting sectors handling high-value financial and intellectual property assets.

Threat Actor / Malware Profile

1. ClickFix Campaigns (Unknown Actor)

  • Objective: Initial access leading to credential theft and financial fraud.
  • Distribution: Social engineering (SEO poisoning) impersonating Intuit QuickBooks, Booking.com, and other services.
  • Technique (ClickFix): Manipulates victims into executing malicious commands via native system tools (e.g., PowerShell, CMD) to bypass detections.
  • Payloads: Vidar, Lumma Stealer, Odyssey Stealer, Redline Stealer, NetSupport RAT.
  • Evasion: Living-off-the-land binaries (LOLBins) and obfuscation.

2. GlassWorm (Supply Chain Actor)

  • Objective: Long-term surveillance and cryptocurrency theft from developers.
  • Target: Software developers via compromised code repositories/package managers.
  • Behavior: Multi-stage infection. Performs machine fingerprinting and fetches payloads via the Solana blockchain to hide C2 traffic.
  • Payload: Installs a Remote Access Trojan (RAT) and infostealer targeting crypto wallets and dev credentials.

3. EtherRAT (North Korean APT)

  • Objective: Cyber espionage and asset theft within Retail, Finance, and Business Services.
  • Infrastructure: Uses EtherHiding—storing C2 addresses inside Ethereum smart contracts. This renders takedowns ineffective as the domain is hosted on-chain.
  • Malware: Node.js-based backdoor with a SYS_INFO module.
  • Communication: "CDN-like beaconing" to blend in with legitimate web traffic.
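
What an EtherHiding lookup looks like from the defender's side, as an added example that is not part of the original post: an implant that keeps its C2 address in a contract has to read it over Ethereum JSON-RPC (eth_call or eth_getStorageAt) from some RPC provider, and the originating process is the useful discriminator, since browsers with wallet extensions issue the same calls. The proxy records and the provider host name are constructed.

```python
"""Hunt web-proxy records for EtherHiding-style smart-contract reads.

Added example for this post; the log records below are constructed. An implant
that stores its C2 address in an Ethereum contract must read it via JSON-RPC
(eth_call / eth_getStorageAt), so those methods from non-browser processes
are the signal. JSON-RPC batches (an array of calls) are handled too."""
import json

CONTRACT_READS = {"eth_call", "eth_getStorageAt", "eth_getCode"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def _rpc(method, params):
    """Build a JSON-RPC 2.0 request body (used only for the constructed sample)."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

# Constructed proxy records: originating process, destination host, POST body.
PROXY_RECORDS = [
    {"proc": "node.exe", "host": "rpc.provider.test",
     "body": _rpc("eth_call", [{"to": "0x" + "0" * 40, "data": "0x"}, "latest"])},
    {"proc": "chrome.exe", "host": "rpc.provider.test",
     "body": _rpc("eth_blockNumber", [])},
    {"proc": "node.exe", "host": "registry.npmjs.org", "body": ""},
    # Batch request: JSON-RPC allows an array of calls in one POST.
    {"proc": "powershell.exe", "host": "rpc.provider.test",
     "body": "[" + _rpc("eth_chainId", []) + ","
             + _rpc("eth_getStorageAt", ["0x" + "1" * 40, "0x0", "latest"]) + "]"},
]

def rpc_methods(body):
    """Return the JSON-RPC method names in a POST body; tolerates batches and non-JSON."""
    try:
        parsed = json.loads(body) if body else None
    except json.JSONDecodeError:
        return []
    calls = parsed if isinstance(parsed, list) else [parsed]
    return [c["method"] for c in calls if isinstance(c, dict) and "method" in c]

def hunt(records):
    """Return (proc, host, method, severity) for every contract read observed."""
    findings = []
    for rec in records:
        for method in rpc_methods(rec["body"]):
            if method in CONTRACT_READS:
                severity = "low" if rec["proc"] in BROWSERS else "high"
                findings.append((rec["proc"], rec["host"], method, severity))
    return findings
```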

IOC Analysis

The pulses provide 150+ indicators, predominantly domains used in the ClickFix and EtherRAT campaigns. GlassWorm indicators were restricted, suggesting high sensitivity or ongoing operations.

  • Indicator Types:
    • Domains: Used for initial infection vectors (ClickFix) and callback infrastructure (EtherRAT).
    • Hostnames: Observed in EtherRAT C2 chains (e.g., rpc.payload.de).
  • Operational Guidance:
    • Firewalls & Proxies: Immediately block the listed domains at the perimeter.
    • DNS Monitoring: Hunt for DNS queries for the specific domains listed below. Because EtherRAT retrieves its C2 addresses from Ethereum smart contracts, that infrastructure can change without new domains appearing, but the initially listed domains (e.g., o-parana.com) remain actionable.
    • Tooling: SOC teams should ingest these into SIEM correlation engines (Splunk, Sentinel, Elastic) to match against DeviceNetworkEvents and DnsEvents.

Detection Engineering

The following detection logic targets the specific behaviors of ClickFix (browser-to-shell), EtherRAT (Node.js C2), and GlassWorm (Dev environment abuse).

```yaml
title: Potential ClickFix Social Engineering Activity
id: 6a83e2a4-9b12-4c18-8b88-8f1c8f1c8f1c
description: Detects browsers spawning shell processes (PowerShell or CMD), indicative of ClickFix campaigns where users are manipulated into copying/pasting malicious commands.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6a83e2a4
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate IT support tools
level: high
tags:
    - attack.initial_access
    - attack.t1566.001
---
title: Suspicious Node.js Process with Network Connection (EtherRAT)
id: 7b94f3b5-0c23-5d29-9c99-9g2d9g2d9g2d
description: Detects Node.js processes initiating outbound connections to non-private addresses, a hallmark of the EtherRAT backdoor and other Node-based malware. Ports 80/443 are deliberately not excluded, because EtherRAT beaconing blends with ordinary web traffic.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7b94f3b5
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        Initiated: 'true'
    # Exclude only loopback and RFC 1918 destinations (local dev servers), not web ports.
    filter_local:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_local
falsepositives:
    - Developer workstations where node.exe legitimately contacts package registries or external APIs
level: medium
tags:
    - attack.command_and_control
    - attack.t1071
---
title: Developer Tool Spawning Shell (GlassWorm Indicator)
id: 8c05g4c6-1d34-6e30-0d00-0h3e0h3e0h3e
description: Detects package managers or IDEs spawning shell processes, potentially indicating supply chain compromise like GlassWorm.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8c05g4c6
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\npm.exe'
            - '\node.exe'
            - '\code.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
```
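
To check that the three rules fire on the process chains they describe, here is a small Python evaluator (an added example, not code from the original post or the OTX pulses) that applies the same selections to constructed Sysmon-style events. Its network check flags any node.exe connection to a non-private address, port 443 included, because the post describes EtherRAT beaconing as blending with ordinary web traffic.

```python
"""Apply the three detections above to constructed Windows telemetry.
Added example, not code from the original post or the OTX pulses. The network
rule flags node.exe connections to any non-private address, port 443 included,
since the post describes EtherRAT beaconing as blending with normal web traffic."""
BROWSERS = (r"\chrome.exe", r"\msedge.exe", r"\firefox.exe")
CLICKFIX_CHILDREN = (r"\powershell.exe", r"\cmd.exe", r"\wscript.exe")
DEV_PARENTS = (r"\node.exe", r"\code.exe")
DEV_CHILDREN = (r"\powershell.exe", r"\cmd.exe", r"\bash.exe")

def is_private(ip):
    """Loopback and RFC 1918 ranges; anything else counts as external."""
    if ip.startswith(("127.", "10.", "192.168.", "::1")):
        return True
    p = ip.split(".")
    return len(p) == 4 and p[0] == "172" and p[1].isdigit() and 16 <= int(p[1]) <= 31

def classify(event):
    """Return the detections an event triggers (empty list if none)."""
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if event["category"] == "process_creation":
        if parent.endswith(BROWSERS) and image.endswith(CLICKFIX_CHILDREN):
            hits.append("ClickFix: browser spawned shell")
        if parent.endswith(DEV_PARENTS) and image.endswith(DEV_CHILDREN):
            hits.append("GlassWorm: developer tool spawned shell")
    elif event["category"] == "network_connection":
        if (image.endswith(r"\node.exe") and event.get("Initiated") == "true"
                and not is_private(event.get("DestinationIp", ""))):
            hits.append("EtherRAT: node.exe external connection")
    return hits

# Constructed sample events using Sysmon/Sigma field names.
SAMPLE_EVENTS = [
    {"category": "process_creation", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"category": "network_connection", "Image": r"C:\Program Files\nodejs\node.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"category": "network_connection", "Image": r"C:\Program Files\nodejs\node.exe",
     "Initiated": "true", "DestinationIp": "127.0.0.1", "DestinationPort": 3000},
]

def run(events=SAMPLE_EVENTS):
    """Index -> detections for every event that triggered at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```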


```kql
// Hunt for ClickFix and EtherRAT Network Activity
// Flag connections to the listed domains and tag them by initiating process (browser vs. node.exe)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    'ustazazharidrus.com', 'account-help.info', 'quiptly.com', 'elive123go.com',
    'visitbundala.com', 'nhacaired88.com', 'subsgod.com', 'ariciversontile.com',
    'o-parana.com', 'jariosos.com', 'hayesmed.com', 'regancontrols.com',
    'salinasrent.com', 'justtalken.com', 'mebeliotmasiv.com'
)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteUrl, RemoteIP
| extend HuntContext = iif(InitiatingProcessFileName in ('chrome.exe', 'msedge.exe', 'firefox.exe'), "Potential ClickFix Referral",
             iif(InitiatingProcessFileName == 'node.exe', "Potential EtherRAT/GlassWorm C2", "Other Network Activity"))
```


```powershell
# IOC Hunt Script - ClickFix and EtherRAT Domains
# Checks the DNS client cache for OTX indicators, then lists running Node.js
# processes and their established TCP connections (EtherRAT/GlassWorm).

$TargetDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

# Match the exact domain or any subdomain of it (the cache may hold www.<domain> entries).
$DomainPattern = '(^|\.)(' + (($TargetDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache | Where-Object {
    $_.Entry -match $DomainPattern -or $_.RecordName -match $DomainPattern
}
if ($DnsCache) {
    Write-Host "[!] ALERT: Found malicious domain entries in DNS Cache:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, RecordName, RecordType, Data -AutoSize
} else {
    Write-Host "[-] No suspicious entries in local DNS cache." -ForegroundColor Green
}

Write-Host "`n[+] Checking for active Node.js processes (EtherRAT/GlassWorm) ..." -ForegroundColor Cyan
$NodeProcesses = Get-Process -Name "node" -ErrorAction SilentlyContinue
if ($NodeProcesses) {
    Write-Host "[!] WARNING: Node.js processes running. Verify legitimacy." -ForegroundColor Yellow
    $NodeProcesses | Format-Table Id, ProcessName, Path -AutoSize
    # Show where each node.exe is currently connected so unexpected remote hosts stand out.
    foreach ($Proc in $NodeProcesses) {
        Get-NetTCPConnection -OwningProcess $Proc.Id -State Established -ErrorAction SilentlyContinue |
            Format-Table OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort -AutoSize
    }
} else {
    Write-Host "[-] No Node.js processes detected." -ForegroundColor Green
}
```


Response Priorities

*   **Immediate (0-24h):**
    *   Block all listed domains at the DNS sinkhole and Proxy level.
    *   Scan endpoints for the presence of `node.exe` processes outside of approved development environments.
    *   Hunt for `powershell.exe` or `cmd.exe` processes with parent images matching browsers (Chrome, Edge, Firefox).

*   **24 - 48 Hours:**
    *   **Identity Verification:** If Lumma, Vidar, or Redline Stealer are suspected, force a password reset and enable MFA for all accounts accessed from infected endpoints.
    *   **Developer Audit:** For GlassWorm targeting, audit package dependencies (`package.`) for obfuscated or recently added modules.

*   **1 Week:**
    *   **Architecture Hardening:** Implement Application Control (AppLocker) to prevent browsers from spawning shell processes.
    *   **Network Segmentation:** Restrict developer workstation access to the public internet, specifically blocking access to known blockchain RPC endpoints unless business-justified.
