Back to Intelligence

ClickFix RAT, Malware TDS, & Operation GriefLure: OTX Pulse Analysis

SA
Security Arsenal Team
June 6, 2026
6 min read

Recent OTX pulses highlight a convergence of sophisticated social engineering and technical evasion techniques across three distinct threat clusters.

  1. ClickFix Campaign (CastleLoader): A mass-exploitation campaign leveraging typosquatted job recruitment domains (LinkedIn/Indeed) and Google Ads to distribute a "ClickFix" payload. This attack chain uniquely abuses the legacy Windows finger utility to retrieve commands, ultimately deploying a portable Python-based RAT (CastleLoader).

  2. Malware Distribution Ecosystem (SessionGate/RemusStealer): A professional Traffic Distribution System (TDS) is being used to hijack search traffic for legitimate tools (Ghidra, dnSpy). The operation utilizes CloudFront-hosted JavaScript for click hijacking, distributing infostealers (RemusStealer) and clippers (AnimateClipper) globally, with significant presence in Europe and Brazil.

  3. Operation GriefLure: A targeted APT campaign focusing on high-value entities in Vietnam (Viettel Military Telecom) and the Philippines (St. Luke's Medical Center). The actors employ spear-phishing with weaponized legal documents and "living-off-the-land" binaries (LOLBins) to deliver payloads identified as sfsvc.exe and 360.dll.

Collectively, these pulses indicate a shift toward abusing legacy protocols (finger) and legitimate infrastructure (CloudFront, TDS) to obfuscate malicious activity ranging from wide-net credential theft to nation-state espionage.

Threat Actor / Malware Profile

CastleLoader / Python RAT

  • Distribution: SEO poisoning via Google Ads, typosquatting domains (e.g., teamsvoicehub.com), and fake CAPTCHA/"ClickFix" pages.
  • Execution: Uses social engineering to trick users into running a PowerShell command. The command calls the legacy finger.exe utility to fetch remote instructions, which subsequently downloads and executes a portable Python interpreter (CPython/IronPython) to run the RAT payload filelessly or via a dropped script.
  • Capabilities: Remote Access Trojan (RAT) capabilities allowing full control over the victim's machine.

SessionGate, RemusStealer, AnimateClipper

  • Distribution: Impersonation of open-source software sites. A sophisticated TDS filters victims based on geo-location, bot status, and "first-visit" states before redirecting to payload servers.
  • Execution: CloudFront JavaScript hijacks download buttons. The final payloads include SessionGate (session hijacking), RemusStealer (information theft), and AnimateClipper (cryptocurrency wallet replacement).

Operation GriefLure (APT)

  • Distribution: Spear-phishing emails containing malicious attachments masquerading as authentic legal documents related to data breach disputes.
  • Execution: Leverages DLL side-loading or LOLBin execution to load malicious payloads (sfsvc.exe, 360.dll), potentially bypassing application whitelisting.

IOC Analysis

The provided intelligence contains a mix of network and file-based indicators crucial for detection:

  • Domains (Typosquatting & C2): Domains like teamsvoicehub.com, guiformat.com, and whatsappcenter.com serve as initial infection vectors or C2 channels. SOC teams should immediately block these at the perimeter and DNS layer.
  • IP Addresses: IPs such as 194.150.220.218 and 217.156.122.75 are linked to the TDS infrastructure hosting RTF and payload files.
  • File Hashes: Multiple SHA256 hashes (e.g., 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4) correspond to Python scripts, malicious loaders, and weaponized documents.
  • URLs: Direct download links to RTF files hosted on suspicious IPs indicate the delivery mechanism for the TDS campaign.

Operationalization: Feed these IOCs into EDR correlation engines and SIEMs. High-priority should be given to the domains, as they represent the entry point for the social engineering campaigns.

Detection Engineering

YAML
title: Suspicious Finger Utility Usage (ClickFix)
id: b4b3c0d1-55e9-4b2a-8c9d-1e2f3a4b5c6d
description: Detects the execution of finger.exe, which is abused in ClickFix campaigns to fetch remote commands for Python RAT delivery.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67891011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administration usage (rare)
level: high
tags:
    - attack.command_and_control
    - attack.t1105
---
title: Portable Python Execution by Web Browser
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects web browsers spawning python.exe or pythonw.exe, indicative of web-downloaded malware like CastleLoader.
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
    condition: selection
falsepositives:
    - Developer environments
level: high
tags:
    - attack.execution
    - attack.t1059.006
---
title: GriefLure APT Spearphishing Pattern
id: c3d4e5f6-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects Microsoft Office applications spawning suspicious child processes like regsvr32 or powershell with specific arguments often used in GriefLure document payloads.
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate macro usage
level: medium
tags:
    - attack.initial_access
    - attack.t1566.001


kql
// Hunt for ClickFix C2 Domains and TDS Infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("teamsvoicehub.com", "dapala.net", "ai-like.net", "guiformat.com", "whatsappcenter.com") 
       or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCCategory = iff(RemoteUrl contains "whatsappcenter", "GriefLure C2", "ClickFix/TDS Infrastructure")


powershell
# Hunt for ClickFix artifacts and Python RAT processes
# Check for running Finger process (highly suspicious in modern envs)
$fingerProcess = Get-Process -Name finger -ErrorAction SilentlyContinue
if ($fingerProcess) {
    Write-Host "[ALERT] Finger.exe process detected (PID: $($fingerProcess.Id)). Possible ClickFix infection." -ForegroundColor Red
}

# Check for Portable Python in common user directories or temp
$pythonPaths = @("$env:TEMP\python*", "$env:APPDATA\python*")
foreach ($path in $pythonPaths) {
    if (Test-Path $path) {
        Write-Host "[SUSPICIOUS] Portable Python found at: $path" -ForegroundColor Yellow
        Get-ChildItem $path -Recurse -Filter *.exe | Select-Object FullName, CreationTime
    }
}

# Check for GriefLure IOCs on disk
$hashes = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6"
)

$drives = Get-PSDrive -PSProvider FileSystem
foreach ($drive in $drives) {
    Write-Host "Scanning drive $($drive.Root) for malicious file hashes..."
    Get-ChildItem -Path $drive.Root -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 0 } | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hashes -contains $hash) {
            Write-Host "[MALWARE] Found malicious file: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate:

    • Block all listed domains and IP addresses at the firewall and proxy level.
    • Isolate endpoints exhibiting finger.exe process execution.
    • Scan endpoints for the listed file hashes (SHA256).

  • 24 Hours:

    • Initiate credential resets for users who may have interacted with the "ClickFix" job scams or downloaded the impersonated software, as RemusStealer targets session data.
    • Review email logs for senders distributing "legal documents" or "whistleblower complaints" (Operation GriefLure indicators).

  • 1 Week:

    • Update endpoint protection policies to flag unsigned portable Python executables and legacy utilities like finger.exe.
    • Conduct security awareness training focused on verifying job recruitment URLs and the risks of downloading software from third-party repositories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixpython-ratgriefluresessiongateapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action