
ClickFix Loaders & UAT-8302 Arsenal: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 7, 2026

Current OTX pulse data reveals a multi-faceted threat landscape combining widespread social engineering loaders, sophisticated APT operations, and targeted sector extortion.

The most active campaign involves "ClickFix" (BackgroundFix), a social engineering lure that tricks users into copying malicious commands to their clipboard. This campaign uniquely abuses finger.exe to retrieve payloads, ultimately delivering the CastleLoader, which drops NetSupport RAT and CastleStealer.

Simultaneously, UAT-8302, a China-nexus APT group, is aggressively targeting government and telecommunications sectors in Japan, Russia, and Eastern Europe. This actor employs a vast malware arsenal including NetDraft and CloudSorcerer v3, utilizing CVE-2025-0994 and other exploits for initial access.

Finally, the aerospace and defense supply chain remains under siege from data extortion groups like LockBit, Cl0p, and nation-state actors (Refined Kitten, Fancy Bear), who are exploiting the interconnected nature of airport IT platforms and third-party dependencies.

Threat Actor / Malware Profile

ClickFix / CastleLoader

  • Distribution Method: Fake image-editing tools (BackgroundFix) masquerading as legitimate utilities. Users are prompted to "verify they are human" by copying PowerShell or CMD commands.
  • Payload Behavior: The copied commands invoke finger.exe to reach out to C2 infrastructure and download the CastleLoader. CastleLoader acts as a reflective loader to decrypt and execute NetSupport RAT (remote access) and CastleStealer (.NET credential stealer).
  • Persistence: Utilizes standard NetSupport RAT persistence mechanisms, often via registry run keys or scheduled tasks.

UAT-8302

  • Attribution: China-nexus APT active since late 2024.
  • Malware Families: Deploys over 10 distinct families including NetDraft (a .NET backdoor), CloudSorcerer v3, VSHELL, and SNOWLIGHT.
  • C2 Communication: Uses compromised infrastructure and specific IP ranges (e.g., 45.140.168.62) for command and control.
  • Technique: Exploits specific CVEs (CVE-2025-0994, CVE-2025-20333) for initial access, followed by extensive credential harvesting and reconnaissance.

Data Extortion Groups (LockBit, Cl0p)

  • Targeting: Aerospace, Transportation, Defense.
  • Objective: Data extortion and ransomware deployment. Focus on shared IT platforms and supply chain vendors to maximize impact.

IOC Analysis

The provided IOCs offer immediate detection opportunities but require specific tooling for operationalization:

  • Domains (ClickFix): trindastal.com, poronto.com, brionter.com. SOC teams should block these at the firewall/DNS level.
  • IPv4 Addresses:
    • 38.146.28.30 (ClickFix C2)
    • 103.27.108.55, 156.238.224.82, 45.140.168.62 (UAT-8302 infrastructure)
  • File Hashes: A mix of SHA256, SHA1, and MD5 hashes corresponding to loaders, ransomware payloads, and backdoors. These should be imported into EDR alerting rules.
  • CVEs: CVE-2025-0994, CVE-2025-20333, CVE-2025-20362. Vulnerability management must prioritize patching these specific vulnerabilities.
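Before indicators like the list above go into a firewall, DNS or EDR rule, they need to be typed, normalized and de-duplicated; a mixed list of domains, IPs and MD5/SHA1/SHA256 digests will otherwise end up with the wrong hash in the wrong field. The helper below is an added example (not part of the pulse or of this post) that classifies each indicator by syntax, lowercases and de-duplicates it, and rejects anything unusable. The domains, IPs, SHA256 values and CVEs are the ones listed on this page; the MD5 and SHA1 values are placeholders (the digests of an empty file) and the malformed entries are constructed to exercise rejection.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators from the IOC Analysis section, plus placeholders and junk to exercise the classifier.
# The MD5/SHA1 values are the digests of an empty file, NOT pulse indicators.
RAW_IOCS = [
    "trindastal.com", "poronto.com", "brionter.com",
    "38.146.28.30", "103.27.108.55", "156.238.224.82", "45.140.168.62",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "BDE21D8BE65D31E1C380F2DAAE2F73C79F3E1F4BCA70FB990DB6FDF6C3768C92",  # duplicate, EDR-style uppercase
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "d41d8cd98f00b204e9800998ecf8427e",          # placeholder MD5 (empty file)
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # placeholder SHA1 (empty file)
    "CVE-2025-0994", "CVE-2025-20333", "CVE-2025-20362",
    "not an indicator", "999.1.1.1", "",         # constructed junk that must be rejected
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
CVE_RE = re.compile(r"^cve-\d{4}-\d{4,}$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length decides the algorithm


def classify(value: str):
    """Return the indicator type for one value, or None if it is not usable."""
    v = value.strip().lower()
    if not v:
        return None
    if CVE_RE.match(v):
        return "cve"
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    try:
        ip = ipaddress.ip_address(v)
        # Private, loopback or reserved addresses in a feed are almost always an extraction error.
        if ip.is_private or ip.is_loopback or ip.is_reserved:
            return None
        return "ipv4" if ip.version == 4 else "ipv6"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def normalize(raw):
    """Group indicators by type, lowercased and de-duplicated, preserving first-seen order.

    Returns (buckets, rejected) where buckets maps type -> list of values and
    rejected holds every input that could not be classified.
    """
    buckets = defaultdict(list)
    rejected = []
    for value in raw:
        kind = classify(value)
        if kind is None:
            rejected.append(value)
            continue
        v = value.strip().lower()
        if v not in buckets[kind]:
            buckets[kind].append(v)
    return dict(buckets), rejected


if __name__ == "__main__":
    buckets, rejected = normalize(RAW_IOCS)
    for kind, values in buckets.items():
        print(f"{kind}: {len(values)} indicator(s)")
    print(f"rejected: {rejected}")
```

The output buckets map directly onto the fields used later on this page: `domain` and `ipv4` feed the perimeter block list and the network rule, each hash bucket feeds the matching `Hashes` selection, and `cve` feeds vulnerability management. Lowercasing matters because EDR telemetry such as Sysmon emits uppercase digests while feeds are usually lowercase.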

Detection Engineering

```yaml
---
title: Suspicious Finger.exe Execution - ClickFix Indicator
id: 8f3d4b5a-1c6e-4f8d-9a2b-3c5d6e7f8a9b
description: Detects the use of finger.exe to retrieve payloads, a specific technique observed in ClickFix campaigns involving BackgroundFix.
status: experimental
author: Security Arsenal
date: 2026/05/08
references:
    - https://otx.alienvault.com/pulse/6635xxxx
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        CommandLine|contains: '@'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (rare in modern environments)
level: high
---
title: UAT-8302 C2 Infrastructure Connection
id: 1a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
description: Detects network connections to known UAT-8302 C2 infrastructure IPs associated with CloudSorcerer and NetDraft campaigns.
status: experimental
author: Security Arsenal
date: 2026/05/08
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Prefix match covers the whole /24 around each listed IP; tighten to exact IPs if the ranges turn out to be shared hosting.
        DestinationIp|startswith:
            - '103.27.108.'
            - '156.238.224.'
            - '45.140.168.'
    condition: selection
falsepositives:
    - Unrelated hosts in the same /24 if the ranges are shared hosting
level: critical
---
title: Malicious Hash Detection - ClickFix and UAT-8302
id: 9f8e7d6c-5b4a-3210-9876-543210fedcba
description: Detects the presence of specific file hashes associated with CastleLoader, NetSupport RAT, and UAT-8302 backdoors.
status: experimental
author: Security Arsenal
date: 2026/05/08
logsource:
    # Sysmon FileCreate events carry no hash; the Hashes field is populated on process creation (event 1).
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92'
            - 'ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9'
            - 'f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb'
            - 'fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00'
            - '071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6'
    condition: selection
falsepositives:
    - False positives are not expected for these specific hashes
level: critical
```
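To see what the three rules above actually fire on, and where they disagree with the KQL hunt that follows, here is an added example (not code from the pulse or from this post) that re-implements each rule's selection in Python and runs it over constructed Windows telemetry records shaped like the fields the rules key on. The records, hostnames, users and paths are made up; the IPs and the one SHA256 digest are the indicators from this page. It also shows the difference between the prefix-based `DestinationIp|startswith` selection as written and an exact-IP match: the prefix rule fires on a neighbour in the same /24 that is not a listed IOC, and it never sees the ClickFix C2 address 38.146.28.30, which only the KQL query includes.

```python
# Exact C2 IPs listed in the IOC Analysis section (also the set the KQL hunt matches on).
C2_IPS = {"38.146.28.30", "103.27.108.55", "156.238.224.82", "45.140.168.62"}
# The /24 prefixes used by the UAT-8302 Sigma rule's DestinationIp|startswith selection.
C2_PREFIXES = ("103.27.108.", "156.238.224.", "45.140.168.")
# SHA256 digests from the hash rule, lowercased so the comparison is case-insensitive.
BAD_SHA256 = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
    "071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6",
}

# Constructed telemetry records (not real logs). Each comment says which rule should react.
EVENTS = [
    {"category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe user@example-c2.invalid"},        # rule 1 fires ('@' present)
    {"category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe"},                                 # no '@': rule 1 stays quiet
    {"category": "network_connection", "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "38.146.28.30", "DestinationPort": 79},     # ClickFix C2: exact match only
    {"category": "network_connection", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "45.140.168.7", "DestinationPort": 443},    # same /24, not a listed IOC
    {"category": "network_connection", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},          # benign
    {"category": "process_creation", "Image": r"C:\Users\jdoe\AppData\Local\Temp\bgfix.exe",
     "Hashes": "SHA256=BDE21D8BE65D31E1C380F2DAAE2F73C79F3E1F4BCA70FB990DB6FDF6C3768C92,"
               "MD5=00000000000000000000000000000000"},          # rule 3 fires (MD5 is a placeholder)
    {"category": "process_creation", "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "0" * 64},                              # constructed benign digest
]


def parse_hashes(field: str) -> dict:
    """Split a Sysmon-style 'SHA256=...,MD5=...' Hashes field into {ALGO: lowercase digest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def rule_finger(ev) -> bool:
    """Rule 1: finger.exe process creation whose command line contains '@' (user@host form)."""
    return (ev.get("category") == "process_creation"
            and ev.get("Image", "").lower().endswith("\\finger.exe")
            and "@" in ev.get("CommandLine", ""))


def rule_c2(ev, mode: str = "prefix") -> bool:
    """Rule 2 as written (mode='prefix', /24 prefixes) or tightened to the exact IOC IPs (mode='exact')."""
    if ev.get("category") != "network_connection":
        return False
    ip = ev.get("DestinationIp", "")
    if mode == "exact":
        return ip in C2_IPS
    return ip.startswith(C2_PREFIXES)


def rule_hash(ev) -> bool:
    """Rule 3: the SHA256 component of the Hashes field is a known-bad digest."""
    if "Hashes" not in ev:
        return False
    return parse_hashes(ev["Hashes"]).get("SHA256") in BAD_SHA256


def evaluate(events, c2_mode: str = "prefix"):
    """Return (event index, rule title) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        if rule_finger(ev):
            hits.append((i, "Suspicious Finger.exe Execution - ClickFix Indicator"))
        if rule_c2(ev, c2_mode):
            hits.append((i, "UAT-8302 C2 Infrastructure Connection"))
        if rule_hash(ev):
            hits.append((i, "Malicious Hash Detection - ClickFix and UAT-8302"))
    return hits


if __name__ == "__main__":
    for mode in ("prefix", "exact"):
        print(f"--- C2 rule in {mode} mode ---")
        for idx, title in evaluate(EVENTS, mode):
            print(f"event {idx}: {title}")
```

Run as-is it prints three hits in each mode, but not the same three: in prefix mode event 3 (the /24 neighbour) fires and event 2 (the ClickFix C2) does not; in exact mode it is the other way round. Whichever choice is right for your environment, the hash rule only ever sees digests on process-creation events, so a dropped-but-not-yet-executed CastleLoader is caught by the PowerShell disk hunt below, not by this rule.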


```kql
// Hunt for network connections to ClickFix and UAT-8302 infrastructure
DeviceNetworkEvents
| where RemoteIP in ("38.146.28.30", "103.27.108.55", "156.238.224.82", "45.140.168.62")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
```


```powershell
# Hunt for ClickFix/CastleLoader and UAT-8302 file hashes on endpoints
# Hashes are lowercase here; Get-FileHash returns uppercase, but -contains compares
# strings case-insensitively by default, so no normalization is needed.
$TargetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
    "071e662fc5bc0e54bcfd49493467062570d0307dc46f0fb51a68239d281427c6"
)

Write-Host "Starting hunt for malicious file hashes..." -ForegroundColor Cyan

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Yellow
    try {
        # -Force includes hidden and system files, where dropped loaders are commonly staged
        Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $FilePath = $_.FullName
            try {
                $Hash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
                if ($TargetHashes -contains $Hash) {
                    Write-Host "MALICIOUS FILE DETECTED: $FilePath" -ForegroundColor Red
                    # Uncomment to remediate automatically
                    # Remove-Item -Path $FilePath -Force
                }
            } catch {
                # Ignore errors for locked files or access denied
            }
        }
    } catch {
        Write-Host "Error scanning $Drive" -ForegroundColor Red
    }
}
Write-Host "Hunt complete." -ForegroundColor Green
```


Response Priorities

  • Immediate:
    • Block all domains and IPs listed in the IOC Analysis section at perimeter firewalls and proxies.
    • Isolate any endpoints triggering the finger.exe Sigma rule.
    • Scan the environment for the specific file hashes provided in the Pulse data.
  • 24h:
    • If ClickFix/NetSupport RAT is suspected, initiate forced password resets for privileged accounts on compromised hosts (CastleStealer behavior).
    • Investigate logs for authentication attempts originating from the UAT-8302 IP ranges.
  • 1 Week:
    • Patch CVE-2025-0994, CVE-2025-20333, and CVE-2025-20362 immediately to prevent UAT-8302 initial access.
    • Review and restrict the use of legacy utilities like finger.exe via Application Control policies.
    • Conduct a supply chain risk assessment for vendors in the aerospace sector.
