
ClickFix Loaders, UAT-8302 APT Operations, and TDS Malware Ecosystems: OTX Pulse Analysis

Security Arsenal Team
June 4, 2026
5 min read

Current OTX Pulse data reveals a complex threat landscape characterized by the convergence of social engineering, supply chain impersonation, and nation-state espionage. Security teams must contend with three distinct but high-impact campaigns:

  1. ClickFix Operations: A social engineering campaign masquerading as the "BackgroundFix" image tool. The lure page writes a command to the victim's clipboard and instructs them to paste and run it; that command uses the built-in finger.exe as a download cradle to retrieve payloads, leading to CastleLoader and, from there, NetSupport RAT and CastleStealer infections.
  2. TDS Malware Distribution: A Traffic Distribution System (TDS) is impersonating popular open-source tools such as Ghidra and dnSpy. The campaign uses CloudFront-hosted JavaScript to intercept download clicks and distributes stealers (RemusStealer) and clippers (AnimateClipper) globally, with a notable concentration in Europe and Brazil.
  3. UAT-8302 APT Campaign: A China-nexus threat group is aggressively targeting government and telecommunications entities (specifically in Japan and Russia). UAT-8302 is exploiting critical vulnerabilities (CVE-2025-0994, CVE-2025-20333) to deploy a vast arsenal of custom malware, including NetDraft, CloudSorcerer v3, and VSHELL.

Threat Actor / Malware Profile

ClickFix / CastleLoader

  • Distribution Method: Fake utility sites (e.g., BackgroundFix) that place a command on the clipboard and prompt users to paste it into a terminal or Run dialog.
  • Payload Behavior: Uses finger.exe, a Windows-native TCP/79 client and a known LOLBin, as an unconventional download cradle to fetch CastleLoader.
  • C2 & Persistence: Drops NetSupport RAT for remote access and CastleStealer for data exfiltration. Persistence is typically achieved via scheduled tasks or registry Run keys created by the loader.

Traffic Distribution System (TDS) Operators

  • Distribution Method: SEO poisoning of legitimate software keywords (Ghidra, dnSpy). Sites host malicious JavaScript on CloudFront to redirect users to the TDS gateway.
  • Payload Behavior: Enforces strict gating (anti-bot, first-visit checks) before handing off payloads like RemusStealer (session/data theft) and AnimateClipper (cryptocurrency clipboard replacement).

UAT-8302 (China-nexus APT)

  • Distribution Method: Exploitation of web-facing vulnerabilities (CVE-2025-0994, CVE-2025-20333).
  • Payload Behavior: Deploys a "box full of malware" including NetDraft (a .NET backdoor), CloudSorcerer (cloud service compromise), and VSHELL (proxy). The actor performs extensive reconnaissance and credential dumping.
  • Anti-Analysis: Uses custom, obfuscated malware families not commonly detected by standard signatures.

IOC Analysis

The provided indicators cover the full attack chain:

  • Network Infrastructure: Domains such as trindastal.com and poronto.com, and IPs such as 194.150.220.218, serve as C2 and delivery nodes. Non-standard ports (688, 48261) are used for C2; they evade controls that inspect only well-known web ports, and conversely stand out on any network with an egress allow-list, so alert on both the destinations and the ports.
  • File Artifacts: SHA256 hashes for CastleLoader, RemusStealer, and UAT-8302 payloads (e.g., fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00) allow for exact file matching on endpoints.
  • CVE Identifiers: CVE-2025-0994 and CVE-2025-20333 are critical for detecting the initial access vectors of the UAT-8302 campaign.

Operational Guidance:

  • Block all listed domains and IPs at the perimeter firewall and proxy.
  • Upload file hashes to EDR "blocklist" configurations immediately.
  • Configure SIEM alerts for CVE-2025-0994 exploitation attempts.
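The guidance above only works if the indicator list is clean before it reaches a firewall or EDR blocklist: pulse exports commonly arrive defanged (hxxp, [.]) and mixed with CVE IDs, and a malformed hash silently matches nothing. The Python below is an added example, not code from the pulse or from this post. It normalises a constructed feed built from the indicators quoted on this page, rejects anything that is not a valid domain, IP[:port], SHA256 or CVE, and matches the result against a few constructed proxy/EDR records; the defanged forms, the bogus hash and the sample events are constructed for the example.

```python
"""Normalise a mixed, partly defanged IOC feed into typed blocklists and match
log records against it. Added example; indicator values are those quoted on
this page, everything else is constructed."""
import ipaddress
import re

# Constructed feed: clean and defanged forms as seen in pulse exports, plus one
# malformed hash that must be rejected rather than pushed to an EDR blocklist.
RAW_IOCS = """
trindastal.com
poronto[.]com
hxxp://brionter[.]com/update
194.150.220.218:688
194[.]150[.]220[.]218:48261
fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00
bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92
not-a-real-hash-0000
CVE-2025-0994
CVE-2025-20333
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def refang(value: str) -> str:
    """Undo common defanging so indicators compare equal to what logs contain."""
    v = value.strip()
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), v, flags=re.I)
    for bracket in ("[.]", "(.)", "[dot]", "(dot)"):
        v = v.replace(bracket, ".")
    return v


def classify(value: str):
    """Return (type, normalised_value), or (None, value) when unusable. IPv4 only."""
    v = refang(value)
    if CVE_RE.match(v.upper()):
        return "cve", v.upper()
    if SHA256_RE.match(v.lower()):
        return "sha256", v.lower()
    host = re.sub(r"^[a-z]+://", "", v, flags=re.I).split("/")[0]  # URL -> host[:port]
    host, _, port = host.partition(":")
    try:
        ipaddress.ip_address(host)
        return ("ip_port", f"{host}:{port}") if port else ("ip", host)
    except ValueError:
        pass
    if DOMAIN_RE.match(host.lower()):
        return "domain", host.lower()
    return None, value.strip()


def build_blocklists(raw: str) -> dict:
    """Split a raw feed into per-type sets; rejected lines are kept for review."""
    lists = {"domain": set(), "ip": set(), "ip_port": set(), "sha256": set(), "cve": set(), "rejected": []}
    for line in raw.splitlines():
        if not line.strip():
            continue
        kind, norm = classify(line)
        if kind is None:
            lists["rejected"].append(norm)
        else:
            lists[kind].add(norm)
    lists["ip"].update(v.split(":")[0] for v in lists["ip_port"])  # ip:port implies the bare IP
    return lists


def match_events(events, lists) -> list:
    """Return (event id, reasons) for records touching any blocklisted value."""
    hits = []
    for e in events:
        reasons = []
        if e.get("host", "").lower() in lists["domain"]:
            reasons.append("domain")
        if e.get("dst_ip") in lists["ip"]:
            reasons.append("ip")
        if f"{e.get('dst_ip')}:{e.get('dst_port')}" in lists["ip_port"]:
            reasons.append("ip_port")
        if e.get("sha256", "").lower() in lists["sha256"]:
            reasons.append("sha256")
        if reasons:
            hits.append((e["id"], reasons))
    return hits


# Constructed records: benign, delivery domain, UAT-8302 C2 port, payload hash.
SAMPLE_EVENTS = [
    {"id": 1, "host": "www.microsoft.com", "dst_ip": "20.0.0.1", "dst_port": 443},
    {"id": 2, "host": "brionter.com", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"id": 3, "host": "", "dst_ip": "194.150.220.218", "dst_port": 48261},
    {"id": 4, "host": "", "dst_ip": "", "dst_port": 0,
     "sha256": "FB6CEBADD49D202C8C7B5CDD641BD16AAC8258429E8FACE365A94BD32E253B00"},
]

if __name__ == "__main__":
    bl = build_blocklists(RAW_IOCS)
    for kind, values in bl.items():
        print(kind, sorted(values) if isinstance(values, set) else values)
    print(match_events(SAMPLE_EVENTS, bl))
```

The rejected list is the part worth wiring into a feed pipeline: a hash that fails the 64-hex check is usually a copy-paste truncation, and it is better to surface it than to let the EDR accept a value that can never match.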

Detection Engineering

YAML
title: Potential ClickFix Activity via Finger.EXE
id: 4a8f9b12-3c4d-4f8e-9a1b-2c3d4e5f6789
description: Detects finger.exe initiating an outbound network connection. finger.exe is a built-in Windows TCP/79 client (a known LOLBin) that ClickFix campaigns abuse as a download cradle to retrieve payloads such as CastleLoader; it has almost no legitimate use on modern endpoints.
status: experimental
date: 2026-06-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6675b3d1b1d0c4169b8a4f5c
tags:
    - attack.execution
    - attack.t1204.004
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate administration usage (rare); pair with process_creation on the parent cmd.exe or powershell.exe to capture the pasted command line
level: high
---
title: Fake DevTools Execution - Ghidra or dnSpy Impersonation
id: 5b9a0c23-4d5e-4a9f-8b2c-3d4e5f6a7890
description: Detects a binary named after Ghidra or dnSpy executing from a user-writable or download location, the pattern left by TDS-delivered impersonators. Process-creation events (Sysmon EID 1, EDR process telemetry) carry no signature or publisher fields, so the check is path-based; genuine Ghidra is a Java application launched through ghidraRun, and both tools are normally run from a sanctioned tools directory.
status: experimental
date: 2026-06-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6675b3d1b1d0c4169b8a4f5d
tags:
    - attack.initial_access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - 'ghidra'
            - 'dnspy'
    selection_userpath:
        Image|contains:
            - '\Downloads\'
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\ProgramData\'
    condition: selection_img and selection_userpath
falsepositives:
    - Analysts running portable builds of these tools directly from Downloads; tune selection_userpath to the sanctioned tools directory
level: high
---
title: UAT-8302 Malware Process Creation
id: 6c0a1d34-5e6f-4a0b-9c3d-4e5f6a7b8901
description: Detects process creation where the image name contains a UAT-8302 malware family name (NetDraft, CloudSorcerer, VSHELL, DeedRAT, SnappyBee). This relies on the dropped binary keeping its family name, which is cheap to evade, so treat it as a complement to the SHA256 hunt rather than the primary control.
status: experimental
date: 2026-06-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6675b3d1b1d0c4169b8a4f5e
tags:
    - attack.execution
    - attack.command_and_control
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'netdraft'
            - 'cloudsorcerer'
            - 'vshell'
            - 'deedrat'
            - 'snappybee'
    condition: selection
falsepositives:
    - Unlikely; these strings do not occur in common legitimate binaries
level: critical
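To see what the three rules above actually fire on before shipping them, the following is a small added evaluator (not code from this post, the pulse, or the Sigma project) that implements only the Sigma features these rules use: the |endswith and |contains modifiers, a list as OR, and conditions of the form "a", "a and b", "a and not b". The rules are transcribed from this section, with the Ghidra/dnSpy rule expressed as a path check on user-writable directories because process-creation events carry no signature fields; the events it runs over are constructed Sysmon-style records, not real telemetry.

```python
"""Minimal Sigma-style evaluator for the three rules in this section, run over
constructed Sysmon-style events. Added example; supports only the features
these rules need."""
import re


def _field_matches(event, key, expected):
    """One Sigma field line ('Field' or 'Field|modifier') against a value or list."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    values = expected if isinstance(expected, list) else [expected]
    for v in values:
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event, selection):
    """All field lines inside one selection must match (map semantics = AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True when the event is in the rule's logsource category and satisfies its condition."""
    det = rule["detection"]
    if event.get("category") != rule["logsource"]["category"]:
        return False
    m = re.fullmatch(r"(\w+)(?:\s+and\s+(not\s+)?(\w+))?", det["condition"].strip())
    if not m:
        raise ValueError(f"unsupported condition: {det['condition']}")
    left, negate, right = m.groups()
    result = _selection_matches(event, det[left])
    if right:
        r = _selection_matches(event, det[right])
        result = result and (not r if negate else r)
    return result


RULES = [
    {"title": "Potential ClickFix Activity via Finger.EXE",
     "logsource": {"category": "network_connection"},
     "detection": {"selection": {"Image|endswith": ["\\finger.exe"], "Initiated": "true"},
                   "condition": "selection"}},
    {"title": "Fake DevTools Execution - Ghidra or dnSpy Impersonation",
     "logsource": {"category": "process_creation"},
     "detection": {"selection_img": {"Image|contains": ["ghidra", "dnspy"]},
                   "selection_userpath": {"Image|contains": ["\\downloads\\", "\\appdata\\local\\temp\\",
                                                             "\\users\\public\\", "\\programdata\\"]},
                   "condition": "selection_img and selection_userpath"}},
    {"title": "UAT-8302 Malware Process Creation",
     "logsource": {"category": "process_creation"},
     "detection": {"selection": {"Image|contains": ["netdraft", "cloudsorcerer", "vshell", "deedrat", "snappybee"]},
                   "condition": "selection"}},
]

# Constructed events: a ClickFix cradle, an inbound finger connection that must not
# alert, a dnSpy copy run from Downloads, a sanctioned Ghidra install, a UAT-8302 implant.
EVENTS = [
    {"id": 1, "category": "network_connection", "Image": "C:\\Windows\\System32\\finger.exe", "Initiated": "true"},
    {"id": 2, "category": "network_connection", "Image": "C:\\Windows\\System32\\finger.exe", "Initiated": "false"},
    {"id": 3, "category": "process_creation", "Image": "C:\\Users\\alice\\Downloads\\dnSpy-net-win64\\dnSpy.exe"},
    {"id": 4, "category": "process_creation", "Image": "C:\\Tools\\ghidra_11\\ghidraRun.bat"},
    {"id": 5, "category": "process_creation", "Image": "C:\\ProgramData\\svc\\netdraft.exe"},
]


def run(rules=RULES, events=EVENTS):
    """Map each event id to the titles of the rules it triggers."""
    return {e["id"]: [r["title"] for r in rules if evaluate(r, e)] for e in events}


if __name__ == "__main__":
    for eid, titles in run().items():
        print(eid, titles or "-")
```

Event 2 is the check worth keeping in a unit test: without the Initiated field the finger.exe rule would also fire on inbound connections, and event 4 confirms that a Ghidra install in a sanctioned directory stays silent.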

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix/TDS delivery domains, the finger.exe cradle, and UAT-8302 non-standard C2 ports
let c2Domains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "forestoaker.com", "guiformat.com", "baxe.pics"]);
let c2Ports = dynamic([688, 48261]);
let uatHashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"]);
DeviceNetworkEvents
// RemoteUrl can carry a full URL, so has_any beats an exact in~ match; raw-IP beacons have no RemoteUrl at all
| where RemoteUrl has_any (c2Domains)
    or RemoteIP == "194.150.220.218"
    or RemotePort in (c2Ports)
    or InitiatingProcessFileName =~ "finger.exe"
| extend PortTag = iff(RemotePort in (c2Ports), "Non-standard C2 port", "Standard")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, PortTag
// Correlate with hosts where a known UAT-8302 payload was the created process (SHA256) or its parent
| join kind=inner (
    DeviceProcessEvents
    | where SHA256 in (uatHashes) or InitiatingProcessSHA256 in (uatHashes)
    | project DeviceName, PayloadFile = FileName, PayloadHash = SHA256
  ) on DeviceName

PowerShell IOC Hunt Script

PowerShell
# UAT-8302 and ClickFix IOC Hunter (run in an elevated session)
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
)

$Domains  = @("trindastal.com", "poronto.com", "brionter.com", "forestoaker.com", "guiformat.com", "baxe.pics")
$KnownIPs = @("194.150.220.218")
$C2Ports  = @(688, 48261)
# Escape the dots so "poronto.com" does not also match "porontoXcom"
$DomainPattern = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'

# ClickFix and TDS payloads land in user-writable locations; walking all of C:\ is slow and
# Get-FileHash fails on directories and locked system files, so scan these paths only
$ScanPaths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA", "$env:ProgramData", "$env:PUBLIC")

Write-Host "[*] Scanning for malicious file hashes..." -ForegroundColor Cyan
Get-ChildItem -Path $ScanPaths -File -Recurse -Force -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousHashes -contains $_.Hash } |
    Select-Object Path, Hash

Write-Host "[*] Checking hosts file and DNS client cache for C2 domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    Select-String -Path $HostsPath -Pattern $DomainPattern | Select-Object Path, LineNumber, Line
}
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $DomainPattern } |
    Select-Object Entry, Data, TimeToLive

Write-Host "[*] Checking for active network connections to C2..." -ForegroundColor Cyan
# Get-NetTCPConnection exposes IP addresses, not hostnames, so resolve the domains before comparing.
# Resolving C2 names from the suspect host is visible to the operator; pre-populate $KnownIPs where possible.
$ResolvedIPs = foreach ($d in $Domains) {
    (Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue).IPAddress
}
$SuspectIPs = @($KnownIPs) + @($ResolvedIPs | Where-Object { $_ })
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SuspectIPs -contains $_.RemoteAddress -or $C2Ports -contains $_.RemotePort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Process = $proc.ProcessName; PID = $_.OwningProcess; RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort; State = $_.State }
    }


Response Priorities

Immediate:
  • Block all IOCs (domains, IPs, hashes) at the perimeter and on endpoints.
  • Hunt for finger.exe processes initiating outbound connections, and recover the pasted command line from the parent cmd.exe or powershell.exe.
  • Isolate devices showing NetSupport RAT or RemusStealer activity (for example, NetSupport's client32.exe running outside a sanctioned install path, or a process repeatedly reading the clipboard).

24 Hours:
  • Reset credentials for every account active on hosts infected with CastleStealer or RemusStealer, and revoke browser sessions and tokens, since these stealers take session data as well as credentials.
  • Patch systems exposed to CVE-2025-0994 and CVE-2025-20333 (UAT-8302 entry points).
  • Review cloud service sign-in logs for anomalous successful authentications, the environment CloudSorcerer operates against.

1 Week:
  • Implement allow-listing for software download sources so that TDS redirects to impersonator sites are blocked.
  • Review the "image editing" tools installed across the environment to identify BackgroundFix variants.
  • Extend DNS filtering to block newly registered domains hosting impersonator content.
