
ClickFix RAT, SEO Poisoning TDS & GriefLure APT: Multi-Vector Threat Landscape

Security Arsenal Team
June 6, 2026

Current OTX Pulse data reveals a convergence of high-volume social engineering, sophisticated traffic distribution systems (TDS), and targeted APT operations. Over the last 72 hours, three distinct vectors have been identified:

  1. ClickFix Campaign (CastleLoader): A large-scale operation leveraging typosquatted domains mimicking job platforms (LinkedIn, Indeed) and fake CAPTCHA pages distributed via Google Ads. This campaign abuses the legacy Windows Finger protocol and deploys portable Python runtimes (CPython/IronPython) to execute fileless malware.
  2. Malware Distribution Ecosystem (SessionGate/RemusStealer): An SEO poisoning campaign impersonating open-source tools (Ghidra, dnSpy). It utilizes a CloudFront-hosted JavaScript loader to hijack clicks and funnel victims through a strict Traffic Distribution System (TDS) before delivering infostealers and cryptocurrency clippers.
  3. Operation GriefLure (APT): A targeted spear-phishing campaign against Vietnam's military telecommunications (Viettel) and Philippine healthcare sectors. Attackers weaponize authentic legal documents to deploy custom payloads (sfsvc.exe, 360.dll), indicating state-aligned or highly sophisticated criminal intent.

Collectively, these pulses indicate a trend toward **"trust hijacking"**, where adversaries compromise the supply chain of search results, job applications, and legal documents to bypass traditional perimeter defenses.

Threat Actor / Malware Profile

CastleLoader (ClickFix Campaign)

  • Distribution: Malicious Google Ads leading to typosquatted job search domains (e.g., teamsvoicehub.com).
  • Execution: Fake CAPTCHA "ClickFix" pages trick users into copying and executing PowerShell/Bash commands. Deploys portable Python interpreters.
  • Payload: Python-based Remote Access Trojan (RAT).
  • LOLBins: Abuses Windows Finger utility (finger.exe) and native PowerShell for initial C2 check-in.

SessionGate, RemusStealer, AnimateClipper (SEO/TDS Campaign)

  • Distribution: Search engine optimization (SEO) poisoning for popular developer tools. Sites host malicious JavaScript on CloudFront to intercept download button clicks.
  • Mechanism: Traffic Distribution System (TDS) enforces anti-bot checks and geographic gating before handing off to payload servers.
  • Payload: SessionGate (session cookie theft), RemusStealer (information theft), AnimateClipper (cryptocurrency wallet replacement).
  • Infrastructure: High-risk IPs (e.g., 194.150.220.218) hosting RTF exploits and payload loaders.

Operation GriefLure Actor

  • Targeting: Highly selective targeting of Military Telecom (Vietnam) and Healthcare (Philippines).
  • Lures: Weaponized legitimate legal documents regarding data breach disputes.
  • Payload: Custom compiled executables (sfsvc.exe) and DLLs (360.dll), likely utilizing living-off-the-land (LotL) techniques for persistence.

IOC Analysis

The provided indicators span multiple infrastructure types:

  • Typosquatted & Fraudulent Domains: High volume of domains impersonating job boards and software repositories (e.g., guiformat.com, dapala.net). These should be immediately sinkholed or blocked at the DNS layer.
  • IPv4 Addresses: Specific IPs (194.150.220.218, 217.156.122.75) act as TDS nodes and direct payload hosts. These are critical for firewall blocklists.
  • File Hashes (SHA256/MD5): Unique hashes for the Python loaders, RTF exploits, and GriefLure payloads. These should be loaded into EDR solutions for immediate quarantining.
  • URLs: Direct download links often utilizing non-standard ports (e.g., :48261) or embedded paths to exploit files.

Operational Guidance: SOC teams should prioritize the domain list for DNS blocking and the IP list for egress filtering. File hashes must be uploaded to CrowdStrike Falcon, SentinelOne, or Microsoft Defender for automated threat prevention.

Detection Engineering

Sigma Rules

```yaml
title: Potential ClickFix Fake CAPTCHA Activity
id: 8f3a2b1c-6d4e-4f9a-8b1c-2d3e4f5a6b7c
description: Detects suspicious command execution often associated with ClickFix fake CAPTCHA pages, specifically the invocation of Python or the Finger utility from a browser parent process.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6661c9a5e9c03e4c9b8c9c5c
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    # Without a child-image constraint the rule would fire on every browser child (updaters, PDF viewers, ...)
    selection_child:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\ipy.exe'      # IronPython interpreter
            - '\finger.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate developer tools triggering scripts from browser downloads
level: high
---
title: Suspicious Non-Standard Port Network Connection
id: 7c2a1b0c-5e3d-3e8a-7a0c-1c2d3e4a5b6c
description: Detects outbound connections to the non-standard high port (48261) used by the campaign's TDS nodes and payload hosts.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6661c9a5e9c03e4c9b8c9c5c
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort: 48261
    filter:
        Image|endswith:
            - '\svchost.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate business applications using custom ports
level: medium
---
title: GriefLure APT Suspicious Process Execution
id: 6a1b0c9b-4d2c-2d7a-6a0b-0b1c2d3a4b5c
description: Detects the execution of filenames associated with Operation GriefLure (sfsvc.exe, 360.dll via rundll32) or an Office application spawning one of these loaders.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6661c9a5e9c03e4c9b8c9c5c
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\sfsvc.exe'
    selection_dll:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: '360.dll'
    # Office parent alone would match every Office child process; require one of the campaign loaders
    selection_office_child:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
        Image|endswith:
            - '\sfsvc.exe'
            - '\rundll32.exe'
    condition: 1 of selection_*
falsepositives:
    - Rare legitimate binaries matching the name (unlikely)
    - Office add-ins that legitimately launch rundll32
level: critical
```
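As an added cross-check (example code written for this page, not from the original advisory or the Security Arsenal team), the following Python applies the same process and network indicators to constructed sample events; the Sysmon/Defender-style field names, the sample paths and the sample command lines are assumptions.

```python
# Added example, not part of the original advisory: applies the advisory's process
# and network indicators to constructed sample telemetry, mirroring the Sigma rules.
# Sample events are made up; indicator values (names, IPs, domains, port) come from the advisory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CLICKFIX_CHILDREN = {"python.exe", "pythonw.exe", "ipy.exe", "finger.exe"}  # ipy.exe = IronPython
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}
IOC_DOMAINS = {"teamsvoicehub.com", "dapala.net", "guiformat.com", "forestoaker.com"}
TDS_PORTS = {48261}

def basename(path):  # lower-cased file name from a Windows or POSIX path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev):  # rule names tripped by one process-creation event
    hits = []
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if parent in BROWSERS and image in CLICKFIX_CHILDREN:
        hits.append("clickfix_browser_child")  # portable Python / finger.exe under a browser
    if image == "sfsvc.exe":
        hits.append("grieflure_sfsvc")
    if image == "rundll32.exe" and "360.dll" in cmd:
        hits.append("grieflure_360dll")
    if parent in OFFICE and image in {"sfsvc.exe", "rundll32.exe"}:
        hits.append("grieflure_office_child")  # Office document spawning the loader
    return hits

def check_network(ev):  # rule names tripped by one outbound-connection event
    hits = []
    host = ev.get("RemoteUrl", "").lower().split("//")[-1].split("/")[0]
    if ev.get("RemoteIP") in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("ioc_infrastructure")
    if int(ev.get("RemotePort", 0)) in TDS_PORTS and basename(ev.get("Image", "")) not in {"svchost.exe", "explorer.exe"}:
        hits.append("tds_port")  # same svchost/explorer exclusion as the Sigma port rule
    return hits

SAMPLE_PROCESS = [  # constructed sample telemetry, not real observations
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\py\python.exe", "CommandLine": "python.exe -c <stage>"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe C:\Users\u\AppData\Roaming\360.dll,#1"},
]
SAMPLE_NETWORK = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\py\python.exe", "RemoteIP": "194.150.220.218", "RemoteUrl": "", "RemotePort": 48261},
    {"Image": r"C:\Windows\System32\svchost.exe", "RemoteIP": "10.0.0.5", "RemoteUrl": "https://update.corp.example/", "RemotePort": 443},
]

def triage():  # (image name, tripped rules) for every sample event, benign ones included
    return [(basename(e["Image"]), check_process(e) if "ParentImage" in e else check_network(e))
            for e in SAMPLE_PROCESS + SAMPLE_NETWORK]
```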

KQL (Microsoft Sentinel)

```kql
// Hunt for ClickFix and TDS Network Activity
let SuspiciousDomains = dynamic(["teamsvoicehub.com", "dapala.net", "guiformat.com", "forestoaker.com"]);
let SuspiciousIPs = dynamic(["194.150.220.218", "217.156.122.75"]);
let MaliciousHashes = dynamic(["08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"]);
// Network connections: known infrastructure, or any connection initiated by a Python/finger process
DeviceNetworkEvents
| where RemoteUrl has_any (SuspiciousDomains) or RemoteIP in (SuspiciousIPs)
    or InitiatingProcessFileName in~ ("python.exe", "pythonw.exe", "ipy.exe", "finger.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCMatch = "Network Domain/IP"
| union (
    // Process events: known hashes, ClickFix command lines, or GriefLure loaders (KQL has no contains_any; has_any is the term-match operator)
    DeviceProcessEvents
    | where SHA256 in (MaliciousHashes)
        or ProcessCommandLine has_any ("finger", "python -c")
        or FileName =~ "sfsvc.exe"
        or (FileName =~ "rundll32.exe" and ProcessCommandLine has "360.dll")
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256
    | extend IOCMatch = "Process/File Hash"
)
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC Hunter for ClickFix, SessionGate, and GriefLure Campaigns
.DESCRIPTION
    Scans the file system for known malicious file hashes and checks for specific process execution patterns.
#>

$MaliciousSHA256 = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
    "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
    "91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067"
)

Write-Host "[+] Initiating File System Scan for known Malware Hashes..." -ForegroundColor Cyan

$DrivesToScan = @("C:\", "D:\")

foreach ($Drive in $DrivesToScan) {
    if (Test-Path $Drive) {
        Write-Host "[+] Scanning $Drive (This may take time)..." -ForegroundColor Yellow
        # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
        Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filePath = $_.FullName
            try {
                # -contains is case-insensitive, so the upper-case hash from Get-FileHash matches the list
                $fileHash = (Get-FileHash -Path $filePath -Algorithm SHA256 -ErrorAction Stop).Hash
                if ($MaliciousSHA256 -contains $fileHash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $filePath (Hash: $fileHash)" -ForegroundColor Red
                }
            } catch {
                # Ignore locked files or permission errors
            }
        }
    }
}

Write-Host "[+] Checking for GriefLure Process Artifacts..." -ForegroundColor Cyan
$griefLureProcess = Get-Process -Name "sfsvc" -ErrorAction SilentlyContinue
if ($griefLureProcess) {
    # Get-Process returns an array when several instances run; report each one
    foreach ($p in $griefLureProcess) {
        Write-Host "[!] SUSPICIOUS PROCESS 'sfsvc' IS RUNNING! PID: $($p.Id)" -ForegroundColor Red
        Write-Host "[!] Path: $($p.Path)" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No 'sfsvc' process detected." -ForegroundColor Green
}

# The 360.dll loader only shows up in the rundll32 command line, not in the image name
$dllLoader = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object { $_.CommandLine -like "*360.dll*" }
foreach ($p in $dllLoader) {
    Write-Host "[!] rundll32 loading 360.dll: PID $($p.ProcessId) $($p.CommandLine)" -ForegroundColor Red
}
```


Response Priorities

  • Immediate:
      ◦ Block IOCs: Enforce blocklists on all firewalls and secure web gateways (SWG) for the listed domains (especially `teamsvoicehub.com` and `guiformat.com`) and IPs (`194.150.220.218`).
      ◦ Hunt for Python: Scan endpoints for unauthorized execution of `python.exe` or `pythonw.exe` spawned by web browsers.
  • 24 Hours:
      ◦ Credential Audit: Since `SessionGate` and `RemusStealer` are active, force a password reset for accounts that may have accessed the impersonated open-source sites (e.g., developer accounts).
      ◦ Session Termination: Kill any active sessions associated with the targeted regions in the GriefLure campaign (Vietnam/Philippines) if IP anomalies are detected.
  • 1 Week:
      ◦ Browser Hardening: Implement stricter browser policies to block unauthorized script execution and warn against typosquatting.
      ◦ Awareness Training: Update security awareness training to include "Fake CAPTCHA" (ClickFix) and SEO poisoning techniques.
