
ClickFix, GlassWorm & EtherRAT: OTX Pulse Analysis — Social Engineering & Blockchain C2 Campaigns

Security Arsenal Team
April 27, 2026

Recent OTX pulses indicate a convergence of sophisticated social engineering and blockchain-resilient C2 infrastructure targeting multiple sectors. Three distinct threat clusters have been identified:

  1. ClickFix Campaigns: A surge in "living-off-the-land" (LotL) initial access vectors impersonating brands like Intuit QuickBooks and Booking.com. These campaigns manipulate users into executing malicious commands in native tools (PowerShell/Bash), leading to infections by Lumma Stealer, Vidar, Odyssey Stealer, and Redline Stealer.
  2. GlassWorm: A supply-chain attack specifically targeting developers. It utilizes compromised package managers and code repositories to deploy a RAT and infostealer that communicates via the Solana blockchain to evade takedowns.
  3. EtherRAT (North Korean APT): A Node.js-based backdoor detected in retail environments using "EtherHiding"—storing C2 addresses within Ethereum smart contracts. It employs CDN-like beaconing to blend in with normal web traffic.

Collectively, these campaigns highlight a shift toward abusing legitimate blockchain infrastructure for C2 resilience and utilizing social engineering to bypass traditional endpoint controls.

Threat Actor / Malware Profile

ClickFix (Unknown Adversary)

  • Distribution: Social engineering via fake browser error pages (e.g., "Fix Chrome") and fake support portals for travel/finance software.
  • Payload Behavior: Victims are tricked into running obfuscated PowerShell or Bash commands. This leads to the download of info-stealers (Lumma, Vidar).
  • C2 Communication: Standard HTTP/HTTPS to compromised domains; distinct for using high-reputation or newly registered domains to host payloads.
  • Objective: Initial access leading to credential harvesting and financial theft.

GlassWorm

  • Distribution: Supply chain compromise via developer code repositories and package managers.
  • Payload Behavior: Multi-stage execution. Initial footprinting leads to payload retrieval from the Solana blockchain. Installs a fake browser extension for surveillance and a Remote Access Trojan (RAT).
  • Persistence: Browser extension injection and likely developer environment configuration modification.
  • Objective: Long-term surveillance of developers, theft of cryptocurrency keys, and source code exfiltration.

EtherRAT (North Korean APT)

  • Distribution: IT support scams and phishing.
  • Payload Behavior: Node.js based backdoor. Uses a SYS_INFO module for host fingerprinting.
  • C2 Communication (EtherHiding): C2 infrastructure is resilient; addresses are retrieved from Ethereum smart contract transaction data. Uses CDN-like beaconing (mimicking legitimate web traffic).
  • Objective: Arbitrary command execution, asset theft, and espionage within retail and software sectors.

IOC Analysis

The provided pulses offer a mix of network infrastructure indicators critical for detection and blocking.

  • Types: Primarily domains and hostnames. No file hashes were provided in the restricted samples, requiring behavioral detection for the payloads.
  • Operationalization:
    • DNS Firewall: Immediately block the listed domains (e.g., ustazazharidrus.com, o-parana.com).
    • EDR/Network Monitoring: Hunt for node.exe processes (EtherRAT) and PowerShell commands spawned by browsers (ClickFix).
    • Blockchain Traffic: While not an IOC in the traditional sense, unexpected traffic to Solana or Ethereum RPC endpoints from non-crypto employee workstations should be investigated.
  • Tooling: Use curl or dig to check the resolution status of these domains from inside your environment and confirm that DNS sinkholing or blocking is actually taking effect.
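
EtherHiding means the implant must read chain data over ordinary JSON-RPC before it knows its C2, so the RPC read itself is observable in proxy or network logs. The following is an added example, not code from the pulses or from Security Arsenal: it scans constructed proxy log lines for chain-read JSON-RPC methods sent to public RPC endpoints from hosts outside a constructed allow-list. The log format, host names, the allow-list and the 0xCONTRACT_PLACEHOLDER value are assumptions.

```python
"""Flag blockchain JSON-RPC reads from hosts that have no business talking to chain RPC
nodes. Added example; the log format, host names and the allow-list are constructed."""
import json
import re

# Public RPC endpoints an EtherHiding-style loader could query (extend with your own).
RPC_HOSTS = {"mainnet.infura.io", "cloudflare-eth.com", "api.mainnet-beta.solana.com"}
# Read methods for contract state or transaction data: in the EtherHiding pattern this
# read is how the implant recovers its current C2 address.
CHAIN_READ_METHODS = {"eth_call", "eth_getTransactionByHash", "getTransaction", "getAccountInfo"}
# Hosts permitted to reach RPC nodes (assumption: one blockchain developer workstation).
ALLOWED_SOURCES = {"dev-chain-01"}
# Constructed proxy log format: <timestamp> <source host> <HTTP method> <dest host> <body>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<http>\w+) (?P<host>\S+) (?P<body>.*)$")

def rpc_method(body):
    """Return the JSON-RPC method name in a request body, or None if it is not JSON-RPC."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if isinstance(req, dict) and req.get("jsonrpc") == "2.0":
        return req.get("method")
    return None

def find_suspicious(lines):
    """Return (source, rpc host, method) for chain reads from non-allow-listed hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"] not in RPC_HOSTS:
            continue
        method = rpc_method(m["body"])
        if method in CHAIN_READ_METHODS and m["src"] not in ALLOWED_SOURCES:
            hits.append((m["src"], m["host"], method))
    return hits

# Constructed sample traffic; 0xCONTRACT_PLACEHOLDER stands in for a real contract address.
SAMPLE_LOG = [
    '2026-04-27T10:01:02Z retail-pos-07 POST mainnet.infura.io {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0x"},"latest"]}',
    '2026-04-27T10:01:05Z dev-chain-01 POST mainnet.infura.io {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[]}',
    '2026-04-27T10:02:00Z retail-pos-07 GET www.example.com -',
    '2026-04-27T10:03:11Z hr-laptop-12 POST api.mainnet-beta.solana.com {"jsonrpc":"2.0","id":3,"method":"getTransaction","params":["SIG_PLACEHOLDER"]}',
    '2026-04-27T10:04:00Z hr-laptop-12 POST mainnet.infura.io {"jsonrpc":"2.0","id":4,"method":"eth_blockNumber","params":[]}',
]

if __name__ == "__main__":
    for src, host, method in find_suspicious(SAMPLE_LOG):
        print(f"[!] {src} -> {host} ({method}): review why this host reads chain data")
```

The allow-listed developer box and the eth_blockNumber probe are deliberately left out of the result so that only reads of contract or transaction data from unexpected hosts surface.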

Detection Engineering

```yaml
title: Potential ClickFix Social Engineering Activity
id: 8c5b3c1d-7a2f-4e9d-b1c0-2f9e5a1b4c3d
description: Detects suspicious PowerShell execution spawned by browsers, a common indicator of ClickFix campaigns where users are tricked into pasting commands.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6601a2f1e7683e4e4b4b4b4b/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    filter_legit:
        CommandLine|contains: 'OneDrive'  # Common legitimate sync cmd
    condition: selection and not filter_legit
falsepositives:
    - Legitimate admin tasks launched via browser downloads
level: high
---
title: EtherRAT Node.js Backdoor Network Activity
id: 9d6e4f2a-8b3c-4d0e-a1b2-c3d4e5f6a7b8
description: Detects Node.js processes initiating network connections, characteristic of the EtherRAT backdoor and other JS-based malware.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6601a2f1e7683e4e4b4b4b4c/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate development server traffic
level: medium
---
title: GlassWorm Suspicious Developer Toolchain Execution
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects a package manager or runtime (npm, node, pip/python) spawning a shell as its direct child, indicative of supply chain attacks like GlassWorm.
status: experimental
date: 2026/04/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6601a2f1e7683e4e4b4b4b4a/
tags:
    - attack.initial_access
    - attack.t1195
logsource:
    category: process_creation
    product: windows
detection:
    # The toolchain must be matched on the parent; matching both selections on Image
    # can never be true for a single process.
    selection_parent:
        ParentImage|endswith:
            - '\npm.cmd'
            - '\node.exe'
            - '\python.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate developer build scripts
level: high
```
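
To see the lineage rules above fire against actual events, here is an added example that is not part of the original post: it applies the browser-to-shell (ClickFix) and package-manager-to-shell (GlassWorm) checks, including the OneDrive exclusion, to constructed Sysmon-style process-creation records. Image paths and command lines are placeholders.

```python
"""Evaluate the browser-to-shell (ClickFix) and package-manager-to-shell (GlassWorm)
lineage rules against process-creation events. Added example with constructed events."""
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "bash.exe"}
PACKAGE_MANAGERS = {"npm.cmd", "node.exe", "python.exe"}
# Exclusion carried over from the ClickFix rule: OneDrive sync commands are benign.
BENIGN_MARKERS = ("OneDrive",)

def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the name of the rule that fires for one event, or None."""
    # The parent image is what separates the two cases; a rule that tested only the
    # child image could never match, since one process is not both npm and a shell.
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    if child not in SHELLS:
        return None
    if parent in BROWSERS:
        if any(marker in event.get("CommandLine", "") for marker in BENIGN_MARKERS):
            return None
        return "clickfix_browser_spawned_shell"
    if parent in PACKAGE_MANAGERS:
        return "glassworm_toolchain_spawned_shell"
    return None

def scan(events):
    """Return (ProcessId, rule) pairs for every event that matches a rule."""
    return [(e["ProcessId"], rule) for e in events if (rule := classify(e))]

# Constructed events using Sysmon-style field names; command lines are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": PS, "CommandLine": "powershell.exe -NoProfile -Command <pasted command placeholder>"},
    {"ProcessId": 1002, "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": PS, "CommandLine": r"powershell.exe -File C:\Users\user\OneDrive\sync.ps1"},
    {"ProcessId": 1003, "ParentImage": r"C:\Program Files\nodejs\npm.cmd",
     "Image": CMD, "CommandLine": "cmd.exe /d /s /c postinstall.cmd"},
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\explorer.exe", "Image": CMD, "CommandLine": "cmd.exe"},
    {"ProcessId": 1005, "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": CMD, "CommandLine": "cmd.exe /c <pasted command placeholder>"},
]
```

Event 1002 is suppressed by the OneDrive exclusion and 1004 by its non-browser, non-toolchain parent; the npm-spawned cmd.exe in 1003 is exactly the build-script false positive the third rule lists, so tune it against your own pipelines.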


```kql
// Hunt for ClickFix and EtherRAT Network IOCs
// Check for connections to known malicious domains and Node.js anomalies.
// has_any is used instead of an exact match because RemoteUrl may carry a full URL
// or a subdomain rather than the bare domain.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where (RemoteUrl has_any ("ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com", "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"))
   or (InitiatingProcessFileName =~ "node.exe" and RemotePort in (80, 443, 8080))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```


```powershell
<#
.SYNOPSIS
    IOC Hunt Script for ClickFix, GlassWorm, and EtherRAT Activity.
.DESCRIPTION
    Checks for DNS resolution of malicious domains and lists suspicious Node.js processes
    together with their established network connections.
#>

$MaliciousDomains = @(
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

Write-Host "[*] Checking DNS resolution for IOCs..."
$ResolvedHosts = @()
foreach ($domain in $MaliciousDomains) {
    try {
        # A sinkholed or blocked domain should fail here; a successful answer means the
        # resolver still hands out the attacker-controlled addresses.
        $result = Resolve-DnsName -Name $domain -ErrorAction Stop
        if ($result) {
            # Only A/AAAA records carry IPAddress; CNAME entries are skipped.
            $addresses = ($result | Where-Object { $_.IPAddress }).IPAddress -join ', '
            Write-Host "[!] ALERT: Resolved $domain - $addresses" -ForegroundColor Red
            $ResolvedHosts += $domain
        }
    } catch {
        # Expected for blocked/non-existent domains
    }
}

if ($ResolvedHosts.Count -eq 0) {
    Write-Host "[+] No malicious domains resolved." -ForegroundColor Green
}

Write-Host "`n[*] Checking for suspicious Node.js processes (EtherRAT)..."
# Get-CimInstance replaces the deprecated Get-WmiObject; the WQL filter avoids
# enumerating every process.
$NodeProcesses = Get-CimInstance Win32_Process -Filter "Name = 'node.exe'"
if ($NodeProcesses) {
    Write-Host "[!] Found Node.js processes running. Listing established connections..." -ForegroundColor Yellow
    foreach ($proc in $NodeProcesses) {
        Write-Host "PID: $($proc.ProcessId), CommandLine: $($proc.CommandLine)"
        # CDN-like beaconing looks like plain HTTPS, so show where each process actually talks.
        $connections = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue
        foreach ($conn in $connections) {
            Write-Host "    -> $($conn.RemoteAddress):$($conn.RemotePort)"
        }
    }
} else {
    Write-Host "[+] No Node.js processes found." -ForegroundColor Green
}
```


Response Priorities

  • Immediate:
    • Block all listed domains and hostnames at the DNS firewall and proxy level.
    • Kill any instances of node.exe running on non-developer workstations immediately.
    • Isolate devices that triggered the "Browser spawning PowerShell" detection.
  • 24 Hours:
    • Conduct credential resets for users who may have interacted with "ClickFix" prompts (look for browser history related to "booking.com", "quickbooks", or "captcha fix").
    • Scan developer workstations for unauthorized browser extensions (GlassWorm indicators).
  • 1 Week:
    • Implement strict allow-listing for node.exe and PowerShell execution paths.
    • Harden build pipelines and package manager configurations to mitigate supply chain injection (GlassWorm).
    • Review outbound firewall rules to restrict access to public blockchain RPC nodes (Ethereum/Solana) to authorized devices only.
