Back to Intelligence

ClickFix, GlassWorm & EtherRAT: Cross-Platform Stealers and Blockchain C2 Tactics — OTX Analysis

SA
Security Arsenal Team
April 25, 2026
5 min read

Recent OTX pulses indicate a surge in sophisticated, multi-vector threats targeting enterprises, specifically focusing on financial sectors and software developers. Three distinct campaigns—ClickFix, GlassWorm, and EtherRAT—demonstrate a shift toward abusing legitimate blockchain infrastructure and social engineering to deliver stealers and Remote Access Trojans (RATs).

  • ClickFix Campaigns: Unknown actors are using broad social engineering lures (fake QuickBooks/Booking.com support) to trick users into manually executing malicious commands (Living off the Land), resulting in infections by Vidar, Lumma, Redline Stealers, and NetSupport RAT.
  • GlassWorm: A supply-chain adversary targeting developers. It compromises package managers/repositories to deliver a payload that fetches instructions via the Solana blockchain and persists via fake browser extensions.
  • EtherRAT: A Node.js backdoor attributed to a North Korean APT group. It uses "EtherHiding" to store C2 addresses in Ethereum smart contracts, making takedowns ineffective. It targets retail and finance via IT support scams.

Threat Actor / Malware Profile

NameTypeDistributionBehavior & C2Objective
ClickFix ClusterStealer / LoaderSocial Engineering (Fake Support/Updates)Triggers victims to paste/execute commands in PowerShell/Bash. Delivers Vidar, Lumma Stealer, Odyssey, Redline, NetSupport RAT.Credential theft, Initial Access.
GlassWormInfostealer / RATSupply Chain (Compromised Repos/Code)Fingerprinting, payload fetch via Solana blockchain, installs fake browser extension for surveillance.Crypto wallet theft, Dev credential theft.
EtherRATBackdoorIT Support ScamsNode.js based. Uses sys_info module for fingerprinting. C2 stored on Ethereum smart contracts (EtherHiding). CDN-like beaconing.Espionage, Asset theft, Persistence.

IOC Analysis

The provided IOCs are predominantly Domains and Hostnames, with a distinct lack of file hashes (likely due to obfuscation or dynamic generation in the case of the Pulse 2 restricted data).

  • ClickFix Domains: ustazazharidrus.com, account-help.info, quiptly.com, elive123go.com
  • EtherRAT Infrastructure: o-parana.com, rpc.payload.de, jariosos.com, hayesmed.com

Operational Guidance: SOC teams should immediately block these domains at the perimeter and proxy levels. Given the reliance on "Living-off-the-Land" (LotL) binaries and Node.js processes, signature-based detection is less effective than behavioral hunting for unexpected PowerShell execution or unsigned Node.js processes making network connections.

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix PowerShell Execution Pattern
id: 4e2b3a0c-7b5c-4d9e-8c1f-1a2b3c4d5e6f
description: Detects PowerShell commands often used in ClickFix campaigns where users are coerced into pasting commands, specifically looking for base64 or obfuscation common in these payloads.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6600000000000000
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'CopyTo-Clipboard'
            - 'iex'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high

---
title: EtherRAT or GlassWorm Node.js Backdoor Activity
id: 5f3c4b1d-8c6e-5f0a-9d2e-2b3c4d5e6f7a
description: Detects Node.js processes initiating network connections, suspicious for EtherRAT (Node.js backdoor) or GlassWorm activity on endpoints where Node.js is not a standard user application.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6600000000000001
tags:
    - attack.command_and_control
    - attack.t1071.001
    - detection.emerging_threats
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        Initiated: 'true'
    filter_legit_dev:
        User|contains:
            - 'Administrator'
            - 'SYSTEM'
    condition: selection and not filter_legit_dev
falsepositives:
    - Developers running legitimate node servers
level: medium

---
title: Suspicious Browser Extension Modification (GlassWorm)
id: 6a4d5c2e-9f7f-6a1b-0e3f-3c4d5e6f7a8b
description: Detects modifications to browser extension directories or registry keys indicative of GlassWorm installing a fake surveillance extension.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6600000000000002
tags:
    - attack.persistence
    - attack.t1547.001
    - detection.emerging_threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Google\Chrome\Extensions'
            - '\Software\Microsoft\Edge\Extensions'
            - '\Software\Mozilla\Firefox\Extensions'
        Details|contains: 'update_url'
    filter:
        Details|contains: 'https://clients2.google.com/service'
    condition: selection and not filter
falsepositives:
    - Legitimate software installing extensions
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and EtherRAT Network Indicators
let IoCDomains = dynamic(['ustazazharidrus.com', 'account-help.info', 'quiptly.com', 'elive123go.com', 'visitbundala.com', 'nhacaired88.com', 'subsgod.com', 'ariciversontile.com', 'o-parana.com', 'rpc.payload.de', 'jariosos.com', 'hayesmed.com', 'regancontrols.com', 'salinasrent.com', 'justtalken.com', 'mebeliotmasiv.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (IoCDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

PowerShell Hunt Script

PowerShell
# IOC Hunter for ClickFix and EtherRAT
$MaliciousDomains = @(
    'ustazazharidrus.com', 'account-help.info', 'quiptly.com', 'elive123go.com',
    'visitbundala.com', 'nhacaired88.com', 'subsgod.com', 'ariciversontile.com',
    'o-parana.com', 'rpc.payload.de', 'jariosos.com', 'hayesmed.com',
    'regancontrols.com', 'salinasrent.com', 'justtalken.com', 'mebeliotmasiv.com'
)

Write-Host "[+] Checking Active Network Connections for Malicious Domains..."

# Get TCP connections (requires Admin privileges)
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($conn in $connections) {
    try {
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $remoteAddress = $conn.RemoteAddress
        
        # Resolve IP to Hostname to check against IOC list
        $hostEntry = [System.Net.Dns]::GetHostEntry($remoteAddress)
        $hostname = $hostEntry.HostName

        if ($MaliciousDomains -contains $hostname) {
            Write-Host "[!] THREAT DETECTED: Connection to $hostname ($remoteAddress)" -ForegroundColor Red
            Write-Host "    - Process: $($process.ProcessName) (PID: $($conn.OwningProcess))"
            Write-Host "    - Path: $($process.Path)"
        }
    } catch {
        # Ignore resolution errors or access denied
    }
}

Write-Host "[+] Checking for suspicious Node.js processes..."
$nodeProcs = Get-Process -Name node -ErrorAction SilentlyContinue
if ($nodeProcs) {
    foreach ($proc in $nodeProcs) {
        # Check if Node is running from a non-standard user profile path (suspicious for malware)
        if ($proc.Path -notlike "*Program Files*" -and $proc.Path -notlike "*AppData*\Roaming*npm*") {
             Write-Host "[!] SUSPICIOUS NODE PROCESS: $($proc.Path)" -ForegroundColor Yellow
        }
    }
}
Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate: Block all listed domains and hostnames at the web proxy and firewall. Initiate a hunt for node.exe processes on endpoints outside of approved developer workstations.
  • 24 Hours: If stealers (Lumma, Vidar) are suspected in the environment based on ClickFix activity, force a password reset for high-privilege accounts and rotate session tokens. Audit browser extensions on developer machines for GlassWorm.
  • 1 Week: Implement Application Control (AppLocker) to restrict PowerShell execution to signed scripts and specific administrative users. Review policies for browser extension installation to enforce allow-listing only.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixetherratglasswormsupply-chainstealers

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action