Excerpt
Active macOS ClickFix infostealers, Remus browser encryption bypass, and Gamaredon GammaSteel targeting Ukraine analyzed via OTX pulses.
Threat Summary
Recent OTX pulses highlight a surge in sophisticated criminal and state-sponsored cyber activity. On the criminal front, a "ClickFix" campaign is actively targeting macOS users via social engineering, distributing infostealers like Macsync, AMOS, and Shub Stealer through fake utility lures. Concurrently, the "Remus" malware family has emerged as an advanced evolution of Lumma Stealer, capable of bypassing browser Application-Bound Encryption (ABE) to harvest sensitive data. Finally, the Gamaredon group (UAC-0010) continues its persistent cyberespionage against Ukrainian entities with GammaSteel, a memory-resident infostealer utilizing the Windows registry for persistence.
Threat Actor / Malware Profile
ClickFix & macOS Infostealers
- Malware Families: Macsync, Shub Stealer, AMOS, PhantomPulse.
- Distribution: Fake blog posts and content platforms hosting malicious Terminal commands disguised as macOS troubleshooting steps.
- Behavior: Execution of bash/terminal commands to download and launch infostealers.
- Objective: Exfiltration of system data and credentials from macOS endpoints.
Remus Stealer
- Threat Actor: Successor to Lumma Stealer operations (doxxed in late 2025).
- Capabilities: 64-bit architecture, bypasses Application-Bound Encryption (ABE) in modern browsers, injects malicious code.
- Objective: Theft of browser credentials, cryptocurrency wallets, and sensitive session cookies.
- C2/Infrastructure: Utilizes Ethereum blockchain for C2 (EtherHiding) and traditional resolver channels.
Gamaredon Group (UAC-0010)
- Threat Actor: FSB-linked APT group targeting Ukrainian government and defense.
- Malware: GammaSteel (also uses GammaLoad, GammaPhish).
- Persistence: Stores 71 payload functions in `HKCU\Printers\Printers\` registry keys.
- Behavior: Operates almost entirely from memory using Windows DPAPI encryption. Propagates via USB (GammaWorm) and includes wiping capabilities (GammaWipe).
- Objective: Espionage, data exfiltration, and sabotage of critical infrastructure.
IOC Analysis
- Domains: Several domains associated with the ClickFix campaign (e.g., `jihiz.com`, `kayeart.com`, `bintail.com`) and Gamaredon C2 (`justsstop.ru`) have been identified.
- IP Addresses: Gamaredon infrastructure observed at `165.22.170.129`.
- Registry Artifacts: GammaSteel distinctively uses the `HKCU\Printers` hive for payload storage.
- Operationalization: SOC teams should block listed domains and IPs at the perimeter. For GammaSteel, queries should focus on unusual registry writes to `HKCU\Printers`. Note that specific IOCs for Remus were restricted in the source pulse; detection must rely heavily on behavioral analysis of process memory and browser security violations.
Detection Engineering
```yaml
---
title: Potential GammaSteel Persistence via Printers Registry
id: 0e8f1c12-1234-5678-9101-abcdef123456
description: Detects suspicious modifications or creation of keys/values under HKCU\Printers often associated with Gamaredon GammaSteel malware persistence.
status: experimental
author: Security Arsenal
date: 2026/06/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        # Sysmon logs the user hive as HKU\<SID>\Printers\..., so match the key segment, not "HKCU"
        TargetObject|contains: '\Printers\'
        Details|contains: 'powershell' # Generic heuristic for payload content
    condition: selection
falsepositives:
    - Legitimate printer driver installations (rare in HKCU)
level: high
---
title: Remus Stealer Browser Credential Access Attempt
id: 1b902d23-2345-6789-0123-bcdef0234567 # placeholder id, generate a real UUID before deployment
description: Detects behavior indicative of information stealers attempting to access browser data or bypass application-bound encryption.
status: experimental
author: Security Arsenal
date: 2026/06/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.credential_access
    - attack.collection
    - attack.t1005
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\Local State'
            - '\Login Data'
            - '\Cookies'
    filter:
        Image|contains: '\Program Files\'
    condition: selection and not filter
falsepositives:
    - Legitimate browser backup or debugging tools
level: medium
---
title: ClickFix macOS Terminal Download Pattern
id: 2c003e34-3456-7890-1234-cdef00345678 # placeholder id, generate a real UUID before deployment
description: Detects the execution of suspicious curl/chmod commands often seen in ClickFix campaigns targeting macOS.
status: experimental
author: Security Arsenal
date: 2026/06/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.004
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        # zsh has been the default macOS login shell since Catalina, so match it alongside bash/sh
        Image|endswith:
            - '/bin/bash'
            - '/bin/zsh'
            - '/bin/sh'
        # Both substrings must be present; two separate CommandLine|contains keys would be a duplicate YAML key
        CommandLine|contains|all:
            - 'curl'
            - 'chmod +x'
    condition: selection
falsepositives:
    - System administration scripts
level: high
```
```kql
// Run each query separately in Advanced Hunting.

// Hunt for Gamaredon GammaSteel Registry Persistence
DeviceRegistryEvents
| where RegistryKey contains @"HKEY_CURRENT_USER\Printers"
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

// Hunt for network connections to known ClickFix or Gamaredon IOCs
// has_any is used instead of in~ because RemoteUrl may carry a scheme, subdomain or path
DeviceNetworkEvents
| where RemoteUrl has_any ("jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com", "justsstop.ru") or RemoteIP == "165.22.170.129"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName

// Hunt for suspicious process execution patterns (Remus/Generic Stealer)
DeviceProcessEvents
| where ProcessCommandLine has "Local State" or ProcessCommandLine has "Login Data"
| where FileName in~ ("powershell.exe", "cmd.exe", "cscript.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
```
```powershell
# PowerShell Hunt Script for GammaSteel Registry Artifacts
# Checks HKCU\Printers for unexpected keys or values containing suspicious content
$ErrorActionPreference = "SilentlyContinue"
$Results = @()

# Check Printers hive: the root key itself plus every subkey
$Path = "HKCU:\Printers"
if (Test-Path $Path) {
    $Keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($Key in $Keys) {
        # GammaSteel often stores payloads here
        $Values = Get-ItemProperty -Path $Key.PSPath -ErrorAction SilentlyContinue
        foreach ($Prop in $Values.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty adds to every object
            if ($Prop.Name -in @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")) { continue }
            # REG_BINARY comes back as byte[]; render it as text so the string heuristics apply
            if ($Prop.Value -is [byte[]]) {
                $ValueData = [System.Text.Encoding]::ASCII.GetString($Prop.Value)
            } else {
                $ValueData = [string]$Prop.Value
            }
            # Heuristic: Look for Base64 runs or an executable (MZ) header in registry data
            if ($ValueData -match "[a-zA-Z0-9+/]{50,}={0,2}" -or $ValueData -match "^MZ") {
                $Results += [PSCustomObject]@{
                    Timestamp = Get-Date
                    Hostname  = $env:COMPUTERNAME
                    Path      = $Key.Name
                    Name      = $Prop.Name
                    Data      = $ValueData.Substring(0, [Math]::Min(100, $ValueData.Length)) + "..."
                    Risk      = "High"
                }
            }
        }
    }
}

if ($Results) {
    $Results | Format-Table -AutoSize
    Write-Host "Potential GammaSteel artifacts found. Investigate registry keys immediately." -ForegroundColor Red
} else {
    Write-Host "No obvious GammaSteel persistence artifacts found in HKCU\Printers." -ForegroundColor Green
}
```
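As an added example (not from the OTX pulses or from Security Arsenal's tooling), the same GammaSteel registry heuristic applied offline to Sysmon-style registry_set records in Python: it matches the `HKU\<SID>\Printers\` form the logs actually carry, treats writes by processes outside an assumed allowlist of legitimate printer-settings writers as suspicious, and decodes long base64 runs to look for an MZ header or PowerShell text instead of substring-matching the raw value. The SID, value names and payloads in the sample events are constructed.

```python
import base64
import re
from typing import Dict, List
# Per-user hive as Sysmon logs it (HKU\<SID>\...) or the HKCU alias used in the text above
PRINTERS_KEY = re.compile(r"^(HKU\\S-1-5-21-[\d-]+|HKCU)\\Printers\\", re.IGNORECASE)
# 50+ base64 characters plus optional padding: the same heuristic as the PowerShell hunt
B64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")
# Processes that legitimately write printer settings into the user hive (assumed allowlist)
EXPECTED_WRITERS = {"spoolsv.exe", "explorer.exe", "printisolationhost.exe", "printui.exe"}

def _decoded_hints(details: str) -> List[str]:
    hints = []
    for run in B64_RUN.findall(details):
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4))
        except Exception:
            continue
        if blob.startswith(b"MZ"):
            hints.append("base64 PE header")
        if "powershell" in blob.decode("utf-8", errors="ignore").lower():
            hints.append("base64 PowerShell")
    return hints

def score_registry_event(event: Dict[str, str]) -> List[str]:
    # Returns the reasons a registry_set event looks like GammaSteel staging; [] if benign
    if not PRINTERS_KEY.search(event.get("TargetObject", "")):
        return []
    reasons = []
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer not in EXPECTED_WRITERS:
        reasons.append(f"unexpected writer {writer}")
    details = event.get("Details", "")
    if B64_RUN.search(details):
        reasons.append("long base64 run in value data")
    return reasons + _decoded_hints(details)

# Constructed Sysmon Event ID 13 style records: SID, value names and payloads are made up.
HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Name": "benign_spooler", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": HIVE + r"\Printers\Settings\Wizard\Set Up Printing", "Details": "DWORD (0x00000001)"},
    {"Name": "staged_powershell", "Image": PS, "TargetObject": HIVE + r"\Printers\Printers\fn03",
     "Details": base64.b64encode(b"powershell.exe -nop -w hidden -c PLACEHOLDER").decode()},
    {"Name": "staged_pe_blob", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": HIVE + r"\Printers\Printers\fn17", "Details": base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()},
    {"Name": "unrelated_run_key", "Image": PS, "Details": r"C:\Users\user\updater.exe",
     "TargetObject": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
def run_sample() -> Dict[str, List[str]]:
    return {e["Name"]: score_registry_event(e) for e in SAMPLE_EVENTS}
```

Feed it Sysmon Event ID 13 records exported as JSON and triage anything that returns more than one reason first.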
Response Priorities
- Immediate:
  - Block all listed domains (ClickFix) and IPs (Gamaredon) on network perimeter devices (firewalls, proxies).
  - Scan endpoints for the presence of files associated with Macsync/AMOS (on macOS) and registry modifications in `HKCU\Printers` (on Windows).
- 24h:
  - Initiate credential resets for accounts active on devices showing signs of infostealer infection (Remus/ClickFix).
  - Investigate logs for connections to `justsstop.ru` or the ClickFix domains.
- 1 week:
  - Review and harden macOS policies to restrict execution of unsigned binaries and Terminal commands from non-corporate sources.
  - Update browser isolation policies to defend against Application-Bound Encryption bypasses (Remus).