ClickFix, GlassWorm & EtherRAT Campaigns: Social Engineering + Blockchain C2 Tactics

Recent OTX pulses indicate a surge in sophisticated campaigns utilizing living-off-the-land (LotL) techniques and blockchain infrastructure for resilience. Threat actors are deploying the ClickFix social engineering tactic to distribute stealers like Vidar and Lumma by tricking users into running native system commands. Simultaneously, the GlassWorm malware is actively targeting developers via compromised repositories, using the Solana blockchain for payload staging. Most critically, a North Korean APT group has been observed deploying EtherRAT, a Node.js backdoor that employs "EtherHiding" (storing C2 addresses in Ethereum smart contracts) and CDN-like beaconing to blend in with normal web traffic.

Threat Actor / Malware Profile

ClickFix Campaigns (Unknown Actor)

Distribution: Social engineering impersonating Intuit QuickBooks, Booking.com, etc.
Payload Behavior: Uses fake browser error prompts to trick users into copying and pasting malicious commands into PowerShell/CMD.
Malware Families: Vidar, Lumma Stealer, Odyssey Stealer, Redline Stealer, NetSupport RAT.
Objective: Initial access and credential harvesting.

GlassWorm

Distribution: Supply chain attack via compromised code repositories and package managers.
Payload Behavior: Multi-stage execution; fingerprints the host, fetches payloads via Solana blockchain, installs a fake browser extension.
Capabilities: Surveillance, remote access (RAT), cryptocurrency wallet theft, development credential theft.

EtherRAT (North Korean APT)

Distribution: Likely phishing or supply chain (contextual from pulse data).
Environment: Node.js based.
C2 Communication: Uses "EtherHiding" to retrieve C2 infrastructure from Ethereum smart contracts; uses CDN-like beaconing for evasion.
Capabilities: Arbitrary command execution, system info gathering (SYS_INFO module), asset theft.

IOC Analysis

The provided pulses contain primarily network indicators (domains and hostnames).

ClickFix Domains: ustazazharidrus.com, quiptly.com, account-help.info.
EtherRAT Domains: o-parana.com, rpc.payload.de, jariosos.com.

SOC teams should immediately import these into firewall blocklists, EDR detection policies, and Threat Intelligence Platforms (TIPs). Due to the use of domain generation algorithms (DGAs) and blockchain-based C2 (EtherRAT), reliance solely on static IOCs is insufficient; behavioral heuristic detection is required.

Detection Engineering

Sigma Rules

YAML

---
title: Potential ClickFix Social Engineering Activity
id: 4b0d1e2e-7c1a-4a5e-9f8a-1b2c3d4e5f6a
description: Detects suspicious PowerShell or CMD execution often associated with ClickFix campaigns where users are tricked into pasting commands.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'copy-item'
      - 'iex'
      - 'invoke-expression'
  condition: selection
falsepositives:
  - Legitimate administration tasks performed by IT staff
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
  - clickfix
level: high
---
title: Suspicious Node.js Network Connection (EtherRAT)
id: 5c1e2f3f-8d2b-5b6f-0a9b-2c3d4e5f6a7b
description: Detects Node.js processes establishing network connections, indicative of EtherRAT or other Node-based backdoors in non-dev environments.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
    Initiated: 'true'
  filter:
    DestinationPort|startswith:
      - '80'
      - '443'
  condition: selection and not filter
falsepositives:
  - Legitimate Node.js development servers
tags:
  - attack.command_and_control
  - attack.c2
  - etherrat
level: medium
---
title: Ethereum RPC Interaction via Non-Standard Client
id: 6d2f3g4g-9e3c-6c7g-1b2c-3d4e5f6a7b8c
description: Detects processes connecting to Ethereum RPC endpoints or ports, associated with GlassWorm or EtherHiding C2 mechanisms.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 8545
      - 8546
      - 30303
    DestinationHostname|contains:
      - '.eth.'
      - 'rpc.'
  condition: selection
falsepositives:
  - Legitimate Web3 applications or developer tools
tags:
  - attack.command_and_control
  - glassworm
  - etherrat
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix domains and Node.js C2 activity
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("ustazazharidrus.com", "account-help.info", "o-parana.com", "rpc.payload.de") 
   or InitiatingProcessFileName == "node.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatType = iif(InitiatingProcessFileName == "node.exe", "Potential EtherRAT Node Activity", "Known Malicious C2 Domain")

PowerShell Hunt Script

PowerShell

<#
.SYNOPSIS
    IOC Hunt Script for ClickFix and EtherRAT Campaigns
.DESCRIPTION
    Checks local DNS cache and Hosts file for indicators associated with ClickFix and EtherRAT.
#>

$MaliciousDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", 
    "o-parana.com", "rpc.payload.de", "jariosos.com"
)

# Check DNS Cache
Write-Host "Checking DNS Cache for Malicious Domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry }
if ($DnsCache) {
    Write-Host "[ALERT] Malicious entries found in DNS Cache:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Data, Type
} else {
    Write-Host "No malicious entries found in DNS Cache." -ForegroundColor Green
}

# Check Hosts File
Write-Host "Checking Hosts File..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    $Matches = @()
    foreach ($Domain in $MaliciousDomains) {
        if ($HostsContent -match $Domain) {
            $Matches += $Domain
        }
    }
    if ($Matches) {
        Write-Host "[ALERT] Malicious entries found in Hosts File: $Matches" -ForegroundColor Red
    } else {
        Write-Host "No malicious entries found in Hosts File." -ForegroundColor Green
    }
}

Response Priorities

Immediate

Block IOC Types: Implement blocks on all listed domains (ustazazharidrus.com, o-parana.com, etc.) at the perimeter firewall and proxy.
Hunt Artifacts: Execute the provided PowerShell script across endpoints to check for DNS cache poisoning or hosts file modifications.

24h

Identity Verification: Given the prevalence of infostealers (Lumma, Vidar, GlassWorm) targeting credentials and crypto wallets, force password resets and MFA re-verification for developers and finance staff.
Node.js Audit: Identify all corporate endpoints running node.exe and verify if the execution is sanctioned development work or potential EtherRAT activity.

1 Week

Architecture Hardening: Restrict the ability of browsers to spawn shell processes (PowerShell/CMD) via AppLocker or GPO to mitigate ClickFix techniques.
Network Segmentation: Isolate development environments to prevent supply chain propagation (GlassWorm) from reaching core production networks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub