Back to Intelligence

ClickFix RAT, Malware TDS, and Gamaredon's GammaSteel: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 5, 2026
5 min read

Intelligence Status: Live | Source: OTX Pulses (2026-06-05) | TLP: WHITE

Excerpt

Active ClickFix campaigns delivering Python RATs, TDS ecosystems spreading stealers via SEO poisoning, and Gamaredon targeting Ukraine with GammaSteel.

Threat Summary

Recent OTX pulses reveal a multifaceted threat landscape spanning financially motivated infostealing operations and persistent state-sponsored cyberespionage. A sophisticated "ClickFix" campaign is actively impersonating job platforms (LinkedIn/Indeed) via typosquatted domains to deliver CastleLoader, a Python-based RAT, using fake CAPTCHA pages and legacy Windows utilities like the Finger protocol.

Simultaneously, a Malware Distribution Ecosystem leveraging Traffic Distribution Systems (TDS) is abusing SEO poisoning to impersonate open-source tools (Ghidra, dnSpy), delivering SessionGate, RemusStealer, and AnimateClipper. In the APT sector, Gamaredon (UAC-0010) continues aggressive operations against Ukrainian government and defense sectors, deploying GammaSteel, a memory-resident infostealer utilizing registry persistence within HKCU\Printers.

Threat Actor / Malware Profile

1. Gamaredon Group (UAC-0010 / Armageddon)

  • Objective: Cyberespionage and data destruction against Ukraine.
  • Malware: GammaSteel, GammaLoad, GammaPhish, GammaWorm, GammaWipe.
  • TTPs: GammaSteel operates primarily in memory, storing 71 payload functions in the HKCU\Printers registry key encrypted via Windows DPAPI. Propagation occurs via removable media (USB).

2. ClickFix Operators (Unknown)

  • Objective: Initial access and remote control via RAT.
  • Malware: CastleLoader.
  • TTPs: Social engineering (fake job ads) -> Google Ads -> Fake CAPTCHA -> Command execution via finger.exe -> Deployment of portable Python (CPython/IronPython).

3. TDS Ecosystem Operators (Unknown)

  • Objective: Information theft (Cryptocurrency, Sessions).
  • Malware: SessionGate, RemusStealer, AnimateClipper.
  • TTPs: Click hijacking, CloudFront-hosted JavaScript, SEO poisoning of developer tools, strict anti-bot checks before payload delivery.

IOC Analysis

The provided IOCs consist of typosquatted domains (e.g., teamsvoicehub.com, dapala.net), hard-coded IP addresses (e.g., 194.150.220.218, 165.22.170.129), and SHA256 file hashes.

  • Operationalization: Domains should be added to DNS sinkholes and web proxy blocklists. The IP 165.22.170.129 is associated with Gamaredon C2 (justsstop.ru).
  • Decoding: The SHA256 hash 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4 corresponds to a CastleLoader payload.

Detection Engineering

Sigma Rules

YAML
title: Gamaredon Registry Persistence via Printers
id: 4b1c3a7d-8e9f-4a1b-9c2d-3e5f6a7b8c9d
description: Detects modification of the HKCU\Printers registry key, a known persistence mechanism used by Gamaredon Group (GammaSteel).
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64283...
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    registry:
        - add
        - modify
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Printers'
    condition: selection
falsepositives:
    - Legitimate printer driver installations
level: high
---
title: Potential ClickFix LOLBin Execution (Finger to Python)
id: 5d2e4b8c-9f0a-1b2d-3c4e-5f6a7b8c9d0e
description: Detects the execution of finger.exe spawning a python process, indicative of ClickFix campaigns delivering Python RATs.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64282...
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
detection:
    selection_parent:
        Image|endswith: '\finger.exe'
    selection_child:
        Image|contains:
            - '\python.exe'
            - '\pythonw.exe'
    condition: all of selection_*
falsepositives:
    - Rare legacy administrative tasks
level: critical
---
title: Connection to Gamaredon C2 Infrastructure
id: 6e3f5c9d-0a1b-2c3d-4e5f-6a7b8c9d0e1f
description: Detects network connections to known Gamaredon IP infrastructure observed in OTX pulses.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64284...
tags:
    - attack.c2
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection_ip:
        DestinationIp|contains:
            - '165.22.170.129'
            - '194.150.220.218'
    selection_domain:
        DestinationHostname|contains:
            - 'justsstop.ru'
            - 'forestoaker.com'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to IOCs from Pulse Data
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("165.22.170.129", "194.150.220.218", "217.156.122.75")
    or RemoteUrl has_any ("justsstop.ru", "teamsvoicehub.com", "dapala.net", "forestoaker.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend IOCSrc = "OTX_Pulse_20260605"

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Gamaredon persistence and ClickFix IOCs.
.DESCRIPTION
    Checks HKCU\Printers for unexpected values and DNS cache for malicious domains.
#>

# Check for Gamaredon Persistence (GammaSteel)
Write-Host "Checking HKCU\Printers for Gamaredon Persistence..."
$RegPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Printers"
if (Test-Path $RegPath) {
    $Values = Get-ItemProperty -Path $RegPath
    if ($Values -and ($Values.PSObject.Properties.Count -gt 0)) {
        Write-Host "[ALERT] Values found in Printers key. Investigate:" -ForegroundColor Red
        $Values | Format-List *
    } else {
        Write-Host "No values found."
    }
}

# Check DNS Cache for Malicious Domains
$MaliciousDomains = @("teamsvoicehub.com", "dapala.net", "justsstop.ru", "forestoaker.com")
Write-Host "Checking DNS Cache..."
Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry } | ForEach-Object {
    Write-Host "[ALERT] Malicious domain found in DNS Cache: $($_.Entry) - Data: $($_.Data)" -ForegroundColor Red
}

Response Priorities

Immediate

  1. Block IOCs: Immediately block all listed domains and IPs on perimeter firewalls, proxies, and EDRs.
  2. Hunt for GammaSteel: Scan the HKCU\Printers registry key on all endpoints for non-standard values.
  3. Isolate Infections: Isolate hosts with confirmed finger.exe followed by python.exe execution chains.

24 Hours

  1. Credential Audit: If SessionGate or RemusStealer is suspected, force password resets for accounts used on compromised endpoints, focusing on cryptocurrency wallets and email accounts.
  2. Review Access Logs: Analyze proxy logs for access to teamsvoicehub.com or other typosquatted job-platform domains.

1 Week

  1. Architecture Hardening: Restrict the usage of the Finger protocol (finger.exe) and portable Python interpreters in user environments via AppLocker or SRP.
  2. User Awareness: Conduct security awareness training regarding LinkedIn/Indeed scams and "fake CAPTCHA" verification prompts.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptcastleloadergammasteelsessiongateclickfixgamaredon

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action