Recent OTX pulses indicate a convergence of sophisticated attack vectors targeting enterprise sectors including Finance, Technology, and Retail. A "ClickFix" campaign is leveraging living-off-the-land (LotL) techniques to distribute info-stealers (Lumma, Vidar, Redline) and RATs (NetSupport) via social engineering. Simultaneously, the GlassWorm malware is targeting developers through supply chain compromises, utilizing the Solana blockchain for payload delivery to install malicious browser extensions.
In parallel, a North Korean APT group is deploying EtherRAT, a Node.js-based backdoor that employs "EtherHiding"—storing Command and Control (C2) addresses within Ethereum smart contracts to ensure infrastructure resilience. These actors collectively demonstrate a shift toward abusing legitimate system tools, blockchain infrastructure, and trusted developer workflows to evade traditional perimeter defenses.
Threat Actor / Malware Profile
ClickFix Clusters
- Distribution: Social engineering campaigns impersonating Intuit QuickBooks and Booking.com. Manipulates victims into executing malicious commands via native system tools (e.g., PowerShell, CMD) to bypass security controls.
- Payload Behavior: Delivers a cocktail of stealers (Lumma Stealer, Vidar, Redline, Odyssey) and Remote Access Trojans (NetSupport).
- C2 Communication: HTTP/HTTPS connections to specific domain infrastructure.
- Persistence: Likely established via scheduled tasks or startup folder modifications common to info-stealers.
- Anti-Analysis: Heavy obfuscation and reliance on native binaries (LotL) to blend in with administrative activity.
GlassWorm
- Targeting: Developers and software supply chains.
- Distribution: Compromised code repositories and package managers.
- Payload Behavior: Multi-stage infection fingerprinting the machine, fetching payloads via the Solana blockchain, installing a fake browser extension for surveillance, and deploying a RAT.
- C2 Communication: Uses blockchain transactions to retrieve C2 addresses, making takedowns difficult.
EtherRAT (North Korean APT)
- Distribution: IT support scams and phishing.
- Payload Behavior: Node.js-based backdoor capable of arbitrary command execution, system information gathering (sys_info module), and asset theft.
- C2 Communication: "EtherHiding" technique; C2 domains are retrieved from Ethereum smart contracts. Uses CDN-like beaconing to blend in with normal web traffic.
IOC Analysis
The provided indicators consist primarily of domains and hostnames associated with the ClickFix and EtherRAT campaigns. There are no file hashes provided in this data set, requiring a network-focused hunting approach.
- Types: Domains (e.g., ustazazharidrus.com, o-parana.com).
- Operationalization: SOC teams should immediately block these domains at the DNS layer and perimeter firewall. EDR solutions should be configured to alert on processes attempting to resolve or connect to these endpoints.
- Tooling: SIEM solutions (e.g., Splunk, Sentinel) can ingest these lists for correlation. Threat Intelligence Platforms (TIP) can automate the blocking of these IOCs on network security devices.
Detection Engineering
```yaml
title: Potential ClickFix Browser-Spawned Execution
description: Detects potential ClickFix activity where a browser process spawns a shell or script interpreter to execute malicious commands.
id: 8a7f6c2e-1b3d-4f5e-9a6b-7c8d9e0f1a2b
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64abcd123-efg456
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  filter_legit:
    CommandLine|contains:
      - 'print'
      - 'pdf'
      - 'save'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate web applications launching local helpers
level: high
---
title: Suspicious Node.js Outbound Connection (EtherRAT)
description: Detects Node.js processes initiating network connections, potentially indicative of EtherRAT or other Node.js backdoors.
id: 9b8g7h3j-2k4l-5m6n-8o9p-0q1r2s3t4u5v
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65xyz789-abc012
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    Initiated: 'true'
  filter_local:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '127.'
      - '172.16.'
      - '172.17.'
      - '172.18.'
      - '172.19.'
      - '172.20.'
      - '172.21.'
      - '172.22.'
      - '172.23.'
      - '172.24.'
      - '172.25.'
      - '172.26.'
      - '172.27.'
      - '172.28.'
      - '172.29.'
      - '172.30.'
      - '172.31.'
  condition: selection and not filter_local
falsepositives:
  - Developers running local node servers connecting to external APIs
level: medium
---
title: Potential Ethereum Smart Contract C2 Interaction
description: Detects processes attempting to interact with known Ethereum RPC endpoints or blockchain infrastructure, potentially related to EtherHiding or GlassWorm.
id: 1c2d3e4f-5g6h-7i8j-9k0l-1m2n3o4p5q6r
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65xyz789-abc012
logsource:
  category: network_connection
  product: windows
detection:
  selection_keywords:
    DestinationHostname|contains:
      - '.eth'
      - 'rpc.payload.de'
      - 'infura'
      - 'alchemy'
      - 'cloudflare-eth'
  selection_ports:
    DestinationPort:
      - 80
      - 443
      - 8545
  condition: all of selection_*
falsepositives:
  - Legitimate Web3 applications or crypto-wallet software
level: high
```
```kql
// Hunt for ClickFix and EtherRAT Network Activity
// Look for connections to suspicious domains associated with the pulses
let IoCs = dynamic(["ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com", "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// RemoteUrl carries the hostname of the connection; DeviceNetworkEvents has no DNSDomainName column
| where RemoteUrl has_any (IoCs)
// DeviceName is a column reference here, not a string literal
| extend Info = bag_pack("Action", "Network Connection to Malicious Domain", "Device", DeviceName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, Info
```
```powershell
<#
.SYNOPSIS
    IOC Hunt Script for ClickFix and EtherRAT Domains
.DESCRIPTION
    Checks DNS Cache and Active TCP Connections for domains identified in OTX pulses.
#>
$SuspiciousDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

Write-Host "Checking DNS Cache for Suspicious Domains..." -ForegroundColor Yellow
$DnsCache = Get-DnsClientCache
foreach ($domain in $SuspiciousDomains) {
    # Named $CacheHits rather than $Matches: $Matches is a PowerShell automatic variable (set by -match)
    $CacheHits = $DnsCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($CacheHits) {
        Write-Host "[!] ALERT: Found DNS Cache entry for $domain" -ForegroundColor Red
        $CacheHits | Format-List
    }
}

Write-Host "Checking Active TCP Connections for Suspicious Domains..." -ForegroundColor Yellow
$TcpConnections = Get-NetTCPConnection -State Established
$Processes = Get-Process
foreach ($domain in $SuspiciousDomains) {
    # Resolve IPs associated with the domain to check active connections.
    # This issues a DNS query for each IoC from the host being hunted and adds it to the
    # local resolver cache, which is why the cache check above runs first.
    try {
        $ResolvedIPs = [System.Net.Dns]::GetHostAddresses($domain) | Select-Object -ExpandProperty IPAddressToString
        foreach ($ip in $ResolvedIPs) {
            $MatchingConnections = $TcpConnections | Where-Object { $_.RemoteAddress -eq $ip }
            foreach ($conn in $MatchingConnections) {
                $proc = $Processes | Where-Object { $_.Id -eq $conn.OwningProcess }
                Write-Host "[!] ALERT: Active connection to $domain ($ip)" -ForegroundColor Red
                Write-Host "    PID: $($conn.OwningProcess) | Process: $($proc.ProcessName) | Path: $($proc.Path)"
            }
        }
    } catch {
        # Ignore resolution failures for offline hunting
    }
}
Write-Host "Hunt Complete." -ForegroundColor Green
```
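As an added example (not part of the original brief or its tooling), the detection logic above expressed as Python functions and run over constructed Sysmon-style events, so the rule conditions and their filters can be checked before deployment. Domain matching uses exact or subdomain comparison instead of the substring test in the hunt script, the private-range filter uses `ipaddress` instead of string prefixes, and the events and shortened IoC set are constructed for the example.

```python
import ipaddress
from typing import Optional

BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe")
FILTER_TERMS = ("print", "pdf", "save")
IOC_DOMAINS = {"ustazazharidrus.com", "o-parana.com", "rpc.payload.de"}  # subset of the pulse list


def clickfix_browser_spawn(ev: dict) -> bool:
    """Rule 1: browser parent spawns a shell/script host, unless the command looks like print/pdf/save."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return parent.endswith(BROWSERS) and image.endswith(INTERPRETERS) and not any(t in cmd for t in FILTER_TERMS)


def node_external_connection(ev: dict) -> bool:
    """Rule 2: node.exe initiating a connection outside private/loopback space.
    ipaddress replaces the rule's string prefixes, so 172.16.0.0/12 is matched exactly."""
    if not ev.get("Image", "").lower().endswith("\\node.exe") or ev.get("Initiated") != "true":
        return False
    try:
        dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return False
    return not (dst.is_private or dst.is_loopback)


def ioc_domain_match(hostname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Exact or subdomain match only; a bare substring test would also hit look-alike hosts."""
    host = hostname.lower().rstrip(".")
    return next((d for d in iocs if host == d or host.endswith("." + d)), None)


# Constructed events for the example (not taken from the pulses).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c <constructed clickfix command>"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c print /d:LPT1 report.txt"},
    {"Image": r"C:\Program Files\nodejs\node.exe", "Initiated": "true", "DestinationIp": "172.20.1.5"},
    {"Image": r"C:\Program Files\nodejs\node.exe", "Initiated": "true", "DestinationIp": "93.184.216.34"},
]


def run_detections(events=SAMPLE_EVENTS) -> list:
    """Returns (event index, rule name) for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if clickfix_browser_spawn(ev):
            hits.append((i, "clickfix_browser_spawn"))
        if node_external_connection(ev):
            hits.append((i, "node_external_connection"))
    return hits
```

Event 1 fires rule 1, event 2 is suppressed by the print/pdf/save filter, and only the node.exe connection to a public address fires rule 2.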
# Response Priorities
* **Immediate:** Block all listed domains and hostnames at the perimeter (DNS Proxy, Firewall, Secure Web Gateway). Initiate hunts for the domains in DNS logs and EDR network events.
* **24 Hours:** If info-stealing malware (Lumma, Vidar) or GlassWorm is suspected, enforce credential resets for development accounts and cryptocurrency wallets. Review browser extensions on developer endpoints for unauthorized additions.
* **1 Week:** Harden developer environments by restricting the use of public npm/PyPI repositories to verified internal proxies. Implement stricter application control policies to block Node.js execution endpoints where unnecessary, or restrict its network access to known good APIs only.