Back to Intelligence

ClickFix RATs & CL-STA-1132 PAN-OS Exploitation: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 9, 2026
5 min read

Intelligence from AlienVault OTX reveals a convergence of high-risk activity targeting both endpoint infrastructure and network perimeters. A significant surge in "ClickFix" social engineering campaigns has been observed, leveraging fake job recruitment (LinkedIn/Indeed) and macOS utility lures to deliver remote access trojans (CastleLoader) and infostealers (AMOS, Shub Stealer, PhantomPulse). These campaigns rely on browser-based fake CAPTCHAs to trick users into executing malicious Python or Bash commands via LOLBINs.

Simultaneously, OTX has tracked the active exploitation of a critical PAN-OS buffer overflow vulnerability (Captive Portal Zero-Day) by a likely state-sponsored threat cluster tracked as CL-STA-1132. This actor is utilizing EarthWorm and ReverseSocks5 tunneling tools to maintain persistence on compromised firewalls, facilitating unauthorized network access.

Collectively, these pulses indicate a multi-vector threat landscape where adversaries are bypassing traditional defenses through social engineering (ClickFix) and exploiting critical infrastructure flaws (PAN-OS) to deploy criminal tooling and RATs.

Threat Actor / Malware Profile

Adversary: CL-STA-1132

  • Motivation: Likely State-Sponsored / Espionage.
  • TTPs: Exploits unauthenticated buffer overflows in NGFWs (PAN-OS) to inject shellcode via nginx. Deploys tunneling suites (EarthWorm, ReverseSocks5) for lateral movement and C2 obfuscation.

Malware: CastleLoader

  • Type: Python-Based RAT / Loader.
  • Distribution: Typosquatted domains mimicking job platforms; Google Ads malvertising.
  • Execution: Uses legacy protocols (Finger) and Windows LOLBINs to execute portable Python (CPython/IronPython) without installation.

Malware: macOS Infostealers (AMOS, Shub Stealer, Macsync)

  • Type: Information Stealer.
  • Distribution: Fake macOS utility/troubleshooting blogs hosting malicious Terminal commands.
  • Behavior: AppleScript injection, silent download via curl/wget, exfiltration of keychains and browser data.

IOC Analysis

The provided intelligence includes 221 indicators comprising domains, file hashes, and CVE identifiers.

  • Domains (Typosquatting & C2): Indicators such as teamsvoicehub.com, jihiz.com, and kayeart.com are associated with the ClickFix infrastructure. These domains host the fake CAPTCHA pages and malicious payload repositories.
  • File Hash (SHA256): 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4 is linked to the CastleLoader payload.
  • CVEs: The PAN-OS pulse references critical vulnerabilities including CVE-2026-1340 and CVE-2026-1731, indicating an ongoing window of opportunity for CL-STA-1132.

Operational Guidance: SOC teams should immediately block the listed domains at the proxy/DNS layer. The CVE list should be cross-referenced with asset inventory to identify unpatched PA-Series firewalls.

Detection Engineering

Sigma Rules

YAML
---
title: Suspicious Python Execution via LOLBINs (ClickFix Activity)
id: 8f8c8f8c-1234-5678-9101-112233445566
status: experimental
description: Detects execution of portable Python runtimes spawned by Windows LOLBINs (finger.exe, cmd.exe) characteristic of ClickFix campaigns delivering CastleLoader.
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\ipy.exe'
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
            - '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate developer usage of Python scripts from CLI
level: high
---
title: macOS Suspicious Terminal/AppleScript Execution (ClickFix)
id: 9f9d9f9d-2345-6789-0121-223344556677
status: experimental
description: Detects execution of commands via osascript or terminal that download and execute binaries, associated with ClickFix campaigns delivering AMOS or Shub Stealer.
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_download:
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_suspicious_flags:
        CommandLine|contains:
            - 'nohup'
            - '&>/dev/null'
            - '/bin/bash'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration scripts
level: medium
---
title: EarthWorm and ReverseSocks5 Tunneling Tool Execution
id: a0a0a0a0-3456-7890-1232-334455667788
status: experimental
description: Detects execution of known tunneling tools EarthWorm or ReverseSocks5 used by CL-STA-1132 for lateral movement after exploiting boundary devices.
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.command_and_control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\ew.exe'
        - CommandLine|contains: 'reversesocks5'
        - Image|endswith: '\ssocks.exe'
    condition: 1 of selection
falsepositives:
    - Rare legitimate usage of tunneling tools by admins
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix domains in network traffic
DeviceNetworkEvents
| where RemoteUrl in ("teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net", "novayastaruxa.com", "kevinnotanother.com", "jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend ThreatIntel = "ClickFix_Domain"

// Hunt for suspicious Python execution patterns
DeviceProcessEvents
| where (ProcessVersionInfoOriginalFileName in ("python.exe", "pythonw.exe") or ProcessCommandLine contains "python") 
and (InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "finger.exe") or InitiatingProcessCommandLine contains "google.com")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for CastleLoader and ClickFix artifacts.
.DESCRIPTION
    Checks for the presence of the specific CastleLoader SHA256 hash and suspicious scheduled tasks often associated with Python RAT persistence.
#>

$TargetHash = "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4"
$Drives = @("C:", "D:", "E:")

Write-Host "[+] Hunting for CastleLoader Hash..."
foreach ($Drive in $Drives) {
    if (Test-Path $Drive) {
        Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 0 } | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -eq $TargetHash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking for suspicious Python persistence..."
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*python*" -and $_.Author -eq "" } | Select-Object TaskName, TaskPath, Actions

Write-Host "[+] Checking recent network connections to ClickFix domains..."
$Domains = @("teamsvoicehub.com", "jihiz.com", "kayeart.com")
$DNSCache = Get-DnsClientCache | Where-Object { $Domains -contains $_.Entry }
if ($DNSCache) {
    Write-Host "[!] Suspicious DNS cache entries found:" -ForegroundColor Yellow
    $DNSCache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "[-] No suspicious DNS cache entries found."
}


# Response Priorities

*   **Immediate:** Block all listed domains at the perimeter (DNS Proxy/SWG). Review firewall logs for indicators of PAN-OS Captive Portal exploitation. Apply emergency patches for CVE-2026-1340 and CVE-2026-1731.
*   **24h:** Conduct a credential audit for users who may have interacted with the ClickFix job scams. Scan endpoints for the CastleLoader SHA256 hash.
*   **1 week:** Update security awareness training to include "fake browser update/captcha" and "job scam" lures. Review network segmentation policies to limit lateral movement from compromised perimeter devices.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareclickfixcastleloaderearthwormpan-os-rcecl-sta-1132

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action