Threat Summary
Analysis of the latest OTX pulses reveals a disturbing convergence of social engineering, supply chain compromise, and blockchain-enabled C2 infrastructure. We are observing three distinct but sophisticated clusters:
- ClickFix Campaigns: A broad operational campaign utilizing "Living-off-the-Land" (LotL) techniques to deceive users into executing malicious commands via native system tools. This campaign targets critical sectors including Finance, Government, and Technology.
- GlassWorm: A highly specialized threat targeting developers through compromised code repositories. It utilizes the Solana blockchain for payload staging, ensuring resilience against traditional takedowns.
- EtherRAT: A Node.js-based backdoor attributed to a North Korean APT group. It employs "EtherHiding"—storing C2 addresses within Ethereum smart contracts—and uses CDN-like beaconing to blend into normal web traffic.
Collective Objective: Initial access via deception (ClickFix) or compromise (GlassWorm), followed by credential theft, asset pilferage (crypto wallets), and long-term persistence via resilient infrastructure (Blockchain C2).
Threat Actor / Malware Profile
ClickFix
- Distribution: Social engineering (fake browser errors, updates) masquerading as Intuit QuickBooks or Booking.com support.
- Payload Behavior: Initial access via manipulation of victims into running commands in cmd.exe or PowerShell. Drops payloads like Vidar, Lumma Stealer, Odyssey Stealer, Redline Stealer, and NetSupport RAT.
- C2 Communication: Standard HTTP/HTTPS to compromised domains.
GlassWorm
- Distribution: Supply chain attack via compromised package managers/code repositories.
- Payload Behavior: Machine fingerprinting followed by payload retrieval from the Solana blockchain. Installs a fake browser extension for surveillance and a Remote Access Trojan (RAT).
- Persistence: Browser extension modifications.
- Techniques: Anti-analysis via blockchain obfuscation.
EtherRAT (North Korean APT)
- Distribution: Likely phishing or supply chain (IT support scams).
- Payload Behavior: Node.js-based backdoor. Executes arbitrary commands, gathers system info (via the sys_info module), and steals assets.
- C2 Communication: EtherHiding (retrieves the C2 address from an Ethereum smart contract). Uses CDN-like beaconing (mimicking Cloudflare/Akamai traffic patterns).
IOC Analysis
The provided IOCs are primarily domains and hostnames, indicating reliance on HTTP/HTTPS for communication and payload staging.
- Domains (ClickFix): ustazazharidrus.com, account-help.info, quiptly.com, elive123go.com, visitbundala.com, nhacaired88.com, subsgod.com, ariciversontile.com.
- Domains (EtherRAT): o-parana.com, rpc.payload.de, jariosos.com, hayesmed.com, regancontrols.com, salinasrent.com, justtalken.com, mebeliotmasiv.com.
Operational Guidance:
SOC teams should immediately block these domains at the DNS Firewall and Proxy level. Since GlassWorm and EtherRAT use blockchain infrastructure, network traffic to known public RPC nodes (e.g., mainnet-beta.solana.io, Ethereum endpoints) from non-developer workstations should be flagged as anomalous.
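The two checks recommended above (blocking the listed domains and flagging blockchain RPC egress from non-developer hosts) can be exercised against DNS or proxy logs before the blocks go into production. The following is an added example, not code from the report or from Security Arsenal: it matches log lines against the report's IOC domains (including subdomains and trailing-dot FQDNs) and flags RPC lookups from hosts outside a developer allow-list. The log format, host names, developer allow-list and the RPC hostname suffixes other than the report's own mainnet-beta.solana.io are constructed assumptions.

```python
"""
Added example (not from the original report): match DNS/proxy log lines against the
IOC domain list, including subdomains, and flag blockchain RPC egress from hosts that
are not on a developer allow-list. Log lines, host roles and most RPC suffixes are
constructed for illustration; the IOC domains are the ones listed in the report.
"""
import re
from collections import namedtuple

# IOC domains taken from the report's IOC Analysis section.
IOC_DOMAINS = {
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com",
}

# Public RPC hostname suffixes to watch. Assumption for the example: the report names
# mainnet-beta.solana.io and "Ethereum endpoints"; the other suffixes are illustrative.
RPC_SUFFIXES = ("solana.io", "solana.com", "infura.io", "alchemy.com")

# Hypothetical developer allow-list: hosts expected to talk to RPC nodes.
DEVELOPER_HOSTS = {"dev-ws-07"}

Finding = namedtuple("Finding", "host fqdn reason")

# Constructed log format: "<timestamp> <hostname> <queried fqdn>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<fqdn>\S+)$")


def normalize(fqdn):
    """Lower-case and drop a trailing dot so 'rpc.payload.de.' compares equal."""
    return fqdn.strip().rstrip(".").lower()


def matches_ioc(fqdn):
    """True if fqdn equals an IOC domain or is a subdomain of one (not 'notquiptly.com')."""
    fqdn = normalize(fqdn)
    return any(fqdn == d or fqdn.endswith("." + d) for d in IOC_DOMAINS)


def is_rpc_endpoint(fqdn):
    fqdn = normalize(fqdn)
    return any(fqdn == s or fqdn.endswith("." + s) for s in RPC_SUFFIXES)


def scan(lines):
    """Return one Finding per log line that hits an IOC or an unexpected RPC lookup."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host, fqdn = m.group("host"), normalize(m.group("fqdn"))
        if matches_ioc(fqdn):
            findings.append(Finding(host, fqdn, "ioc_domain"))
        elif is_rpc_endpoint(fqdn) and host not in DEVELOPER_HOSTS:
            findings.append(Finding(host, fqdn, "rpc_from_non_developer"))
    return findings


# Constructed sample log: a finance workstation hitting IOCs, an HR workstation and a
# developer workstation both resolving a Solana RPC host, and a near-miss domain.
SAMPLE_LOG = """\
2026-04-27T09:01:02Z fin-ws-12 www.quiptly.com
2026-04-27T09:01:05Z fin-ws-12 cdn.example-legit.net
2026-04-27T09:02:11Z hr-ws-03 api.mainnet-beta.solana.com
2026-04-27T09:02:12Z dev-ws-07 api.mainnet-beta.solana.com
2026-04-27T09:03:40Z fin-ws-12 rpc.payload.de.
2026-04-27T09:04:00Z fin-ws-12 notquiptly.com
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason:24s} host={f.host} fqdn={f.fqdn}")
```

Suffix matching is done with a leading dot so that look-alike registrations such as notquiptly.com do not match, and the developer allow-list only suppresses the RPC rule, never an IOC hit.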
Detection Engineering
Sigma Rules
title: Potential ClickFix Browser Spawning Shell
id: 8c7b3c1d-5e6f-4a2b-9c1d-8e7f6a5b4c3d
description: Detects potential ClickFix activity where a browser process spawns a shell (cmd/ps), a pattern used to trick users into "fixing" fake browser errors by pasting commands.
status: experimental
date: 2026-04-27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64273d7f8e4c4
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate developer tools launching shells
level: high
---
title: Suspicious Node.js Process with Network Connection
id: 9d8e4f2a-6f7a-5b3c-0d2e-1f9a8b7c6d5e
description: Detects Node.js processes (used by EtherRAT) initiating outbound connections on ports other than the direct blockchain RPC ports used by developer tooling, which may indicate CDN-like beaconing to C2 over HTTP/HTTPS.
status: experimental
date: 2026-04-27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64273d8f9e5c5
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        Initiated: 'true'
    filter_legit_rpc:
        DestinationPort:
            - 8545 # Ethereum JSON-RPC
            - 8900 # Solana RPC
    condition: selection and not filter_legit_rpc
falsepositives:
    - Legitimate Node.js applications
level: medium
---
title: GlassWorm Suspicious Browser Extension Registry Modification
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects modifications to browser extension registry keys indicative of GlassWorm installing a malicious extension.
status: experimental
date: 2026-04-27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64273d9f0e6c6
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: registry_set
    product: windows
detection:
    selection_chrome:
        TargetObject|contains: 'Software\Google\Chrome\Extensions'
    selection_edge:
        TargetObject|contains: 'Software\Microsoft\Edge\Extensions'
    condition: 1 of selection*
falsepositives:
    - Admin installing legitimate extensions
level: medium
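Before these rules go into a SIEM it is worth checking that each selection and filter fires on the event shapes it is meant to catch and stays quiet on the obvious benign case (a developer's node.exe talking to an RPC port, an extension key written under an unrelated hive). The following is an added example, not code from the report or from Security Arsenal: a minimal evaluator for the three rules above that supports only the `endswith` and `contains` modifiers, exact-value matching, and the two condition forms the rules use (`selection and not filter`, `1 of selection*`), run over constructed Sysmon-style events. Event field values and process paths are constructed.

```python
"""
Added example (not part of the report): a tiny evaluator for the three Sigma rules
above, applied to constructed endpoint events. Sigma string matching is
case-insensitive, so all comparisons are lower-cased. Only the modifiers and
condition forms the rules use are implemented; anything else raises.
"""

# The three rules, transcribed from the Sigma YAML above. Filters are named with a
# 'filter' prefix and selections with a 'selection' prefix, as in the rules.
RULES = {
    "clickfix_browser_shell": {
        "category": "process_creation",
        "selection": {
            "ParentImage|endswith": ["\\chrome.exe", "\\msedge.exe", "\\firefox.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
        },
    },
    "node_network_non_rpc": {
        "category": "network_connection",
        "selection": {"Image|endswith": ["\\node.exe"], "Initiated": ["true"]},
        "filter_legit_rpc": {"DestinationPort": [8545, 8900]},
    },
    "glassworm_extension_registry": {
        "category": "registry_set",
        "selection_chrome": {"TargetObject|contains": ["Software\\Google\\Chrome\\Extensions"]},
        "selection_edge": {"TargetObject|contains": ["Software\\Microsoft\\Edge\\Extensions"]},
    },
}


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: [values]' line against an event (OR over values)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    s = str(value).lower()
    if modifier == "":
        return any(s == str(e).lower() for e in expected)
    if modifier == "endswith":
        return any(s.endswith(str(e).lower()) for e in expected)
    if modifier == "contains":
        return any(str(e).lower() in s for e in expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All fields inside one selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """'selection' / '1 of selection*' => any selection hits; 'and not filter*' => no filter hits."""
    if event.get("category") != rule["category"]:
        return False
    selections = [v for k, v in rule.items() if k.startswith("selection")]
    filters = [v for k, v in rule.items() if k.startswith("filter")]
    hit = any(selection_matches(event, s) for s in selections)
    return hit and not any(selection_matches(event, f) for f in filters)


def run(events):
    """Return (rule name, event id) for every rule/event pair that fires."""
    return [(name, e["id"]) for e in events for name, r in RULES.items() if evaluate(r, e)]


# Constructed events: one true positive and one benign case per rule.
EVENTS = [
    {"id": 1, "category": "process_creation",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "category": "process_creation",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 3, "category": "network_connection",
     "Image": "C:\\Program Files\\nodejs\\node.exe", "Initiated": "true", "DestinationPort": 443},
    {"id": 4, "category": "network_connection",
     "Image": "C:\\Program Files\\nodejs\\node.exe", "Initiated": "true", "DestinationPort": 8545},
    {"id": 5, "category": "registry_set",
     "TargetObject": "HKCU\\Software\\Google\\Chrome\\Extensions\\aaaabbbbccccdddd\\update_url"},
    {"id": 6, "category": "registry_set",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

if __name__ == "__main__":
    for name, event_id in run(EVENTS):
        print(f"{name} fired on event {event_id}")
```

Event 4 shows why the second rule's filter matters: the same node.exe process on a direct RPC port is suppressed as developer activity, while the port 443 connection in event 3 still fires, which is the CDN-like beaconing the report describes.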
KQL (Microsoft Sentinel)
// Hunt for connections to ClickFix and EtherRAT IOCs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
'ustazazharidrus.com', 'account-help.info', 'quiptly.com', 'elive123go.com',
'visitbundala.com', 'nhacaired88.com', 'subsgod.com', 'ariciversontile.com',
'o-parana.com', 'rpc.payload.de', 'jariosos.com', 'hayesmed.com',
'regancontrols.com', 'salinasrent.com', 'justtalken.com', 'mebeliotmasiv.com'
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
PowerShell Hunt Script
# Hunt for ClickFix & EtherRAT artifacts
$IOC_Domains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

# True if the queried name equals an IOC domain or is a subdomain of one
function Test-IocDomain {
    param([string]$Name)
    $n = $Name.ToLower().TrimEnd('.')
    foreach ($d in $IOC_Domains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

Write-Host "[+] Checking DNS Cache for malicious domains..."
# Entry holds the queried name; Data holds the resolved record (IP/CNAME), so match on Entry
$DNS_Cache = Get-DnsClientCache | Where-Object { Test-IocDomain $_.Entry }
if ($DNS_Cache) {
    Write-Host "[!] ALERT: Found malicious domain entries in DNS Cache:" -ForegroundColor Red
    $DNS_Cache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "[-] No malicious domains found in local DNS cache."
}

Write-Host "[+] Checking for suspicious Node.js processes (EtherRAT/GlassWorm)..."
$NodeProcesses = Get-Process -Name node -ErrorAction SilentlyContinue
if ($NodeProcesses) {
    Write-Host "[!] WARNING: Node.exe processes found. Verify if legitimate." -ForegroundColor Yellow
    foreach ($proc in $NodeProcesses) {
        Write-Host "PID: $($proc.Id), Path: $($proc.Path)"
        # List this process's TCP connections; remote port helps separate RPC (8545/8900) from HTTPS beaconing
        Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, RemoteAddress, RemotePort, State
    }
}
Response Priorities
- Immediate: Block all listed domains (ClickFix and EtherRAT IOCs) at the perimeter firewall and DNS sinkhole. Hunt for node.exe or PowerShell processes spawned by browsers on user workstations.
- 24h: Conduct identity verification for developers and finance staff if credential stealers (Lumma/Vidar) are suspected. Scan developer workstations for unauthorized browser extensions (GlassWorm).
- 1 Week: Implement strict egress filtering for blockchain RPC nodes (Ethereum/Solana) to non-approved developer stations. Review package manager security (npm/pip) for supply chain integrity.