ClickFix, Remus, and CloudZ: Multi-Vector Credential Theft Campaigns — OTX Pulse Analysis | Security Arsenal

Recent OTX pulses indicate a convergence of sophisticated credential theft tactics targeting enterprise environments. Threat actors are leveraging social engineering lures (ClickFix), abusing the trust in generative AI tools (malicious browser extensions), and deploying advanced information stealers (Remus/Lumma) capable of bypassing browser application-bound encryption. Additionally, the CloudZ RAT with the Pheno plugin demonstrates an evolution in OTP theft by exploiting the Microsoft Phone Link application, allowing interception of SMS codes without direct device compromise. The collective objective is credential harvesting, session hijacking, and bypassing MFA controls to facilitate initial access and persistence.

Threat Actor / Malware Profile

ClickFix & CastleLoader

Distribution: Disguised as "BackgroundFix" image-editing tools via social engineering prompts.
Behavior: Uses finger.exe as a LOLBin to retrieve payloads. Delivers NetSupport RAT and CastleStealer.
Technique: Clipboard hijacking to execute malicious commands.

Remus Stealer (Lumma Successor)

Distribution: Evolution of Lumma Stealer following doxxing of original developers.
Behavior: 64-bit infostealer targeting cryptocurrency wallets and browser data.
Technique: Bypasses Application-Bound Encryption (ABE); utilizes "Etherhiding" for C2 communication via the Ethereum blockchain.

CloudZ RAT & Pheno Plugin

Distribution: Delivered via standard intrusion vectors, active since Jan 2026.
Behavior: Remote Access Trojan (RAT) utilizing the undocumented "Pheno" plugin.
Technique: Exploits Microsoft Phone Link to intercept synchronized SMS/OTP messages from connected mobile devices.

Malicious AI Browser Extensions

Distribution: Masquerading as productivity tools (e.g., "Chat AI for Chrome", "Huiyi").
Behavior: API interception, passive DOM observation, traffic proxying.
Technique: Man-in-the-middle (MitM) attacks on browser sessions to steal prompts and credentials.

IOC Analysis

The provided indicators consist of network infrastructure (IPv4, Domains) and payload identifiers (FileHashes).

Network IOCs: Key IPs include 38.146.28.30 (ClickFix C2), 185.196.10.136 (CloudZ), and the 217.156.122.x subnet (Remus). Domains like trindastal.com and dropras.xyz serve as payload distribution points. SOC teams should block these at the perimeter and DNS layer immediately.
File IOCs: A mix of MD5, SHA1, and SHA256 hashes are provided for loaders (CastleLoader), RATs (Remcos), and stealers (Remus, CloudZ). These should be loaded into EDR threat feeds to quarantine malicious files on endpoints.
Operationalization: Use SIEM correlators to match network connections to the listed IPs/Domains. EDR solutions should be configured to look for the specific file hashes and process names associated with finger.exe making outbound connections.

Detection Engineering

Sigma Rules

YAML

title: Suspicious Finger.exe Network Connection (ClickFix)
id: 4b2d8f1a-9c3e-4f1d-8b2a-1c3d4e5f6a7b
description: Detects ClickFix activity where finger.exe is used to retrieve payloads from the internet.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665555555555
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate use of finger client (rare in modern environments)
level: critical
---
title: PowerShell Downloading MSI File (OpenClaw/Remcos Vector)
id: 5c3e9g2h-0d4e-5g2h-9c3b-2d4e5f6g7h8i
description: Detects PowerShell commands downloading MSI packages, a technique used in the OpenClaw/Remcos campaign.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666666666666
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_cmd:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'wget'
            - 'curl'
            - 'DownloadFile'
    selection_ext:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - Software installation scripts
level: high
---
title: Potential Stealer Accessing Browser Credential Files
definition: TH-2026-05-07-001
description: Detects processes accessing browser credential files (Local State, Login Data), indicative of stealer activity like Remus or CastleStealer.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667777777777
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Local State'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Microsoft\Edge\User Data\Local State'
            - '\Microsoft\Edge\User Data\Default\Login Data'
    filter:
        Image|contains:
            - '\chrome.exe'
            - '\msedge.exe'
    condition: selection and not filter
falsepositives:
    - Browser updates or backup software
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix network activity and associated IOCs
let IOCs = dynamic(["38.146.28.30", "185.196.10.136", "217.156.122.57", "217.156.122.75", "217.156.122.12", "trindastal.com", "dropras.xyz", "trackpipe.dev"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| union (
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "finger.exe" or ProcessVersionInfoOriginalFileName =~ "finger.exe"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc

PowerShell Hunt Script

PowerShell

# Check for connections to known malicious IPs from OTX Pulses
$MaliciousIPs = @("38.146.28.30","185.196.10.136","217.156.122.57","217.156.122.75","217.156.122.12","45.151.106.110")
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

Foreach ($IP in $MaliciousIPs) {
    $Match = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    If ($Match) {
        $Process = Get-Process -Id $Match.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[ALERT] Connection to malicious IP $IP found by PID $($Match.OwningProcess) - Process: $($Process.ProcessName)" -ForegroundColor Red
    }
}

# Check for finger.exe process anomalies
$FingerProc = Get-Process -Name finger -ErrorAction SilentlyContinue
If ($FingerProc) {
    Write-Host "[ALERT] finger.exe process detected (Potential ClickFix activity). PID: $($FingerProc.Id)" -ForegroundColor Yellow
}

Response Priorities

Immediate (0-4 hours):

Block all listed IPs and domains at the firewall and proxy level.
Isolate endpoints showing finger.exe network activity or connections to CloudZ/Remus infrastructure.
Quarantine files matching the provided SHA256/MD5 hashes.

24 Hours:

Initiate credential resets for accounts identified on compromised endpoints (priority for users with browser session cookies stolen by Remus/CastleStealer).
Investigate Microsoft Phone Link usage on corporate assets; disable if not business critical given the CloudZ/Pheno threat.

1 Week:

Review and restrict browser extension installations; enforce an allow-list policy for GenAI extensions.
Implement application controls to prevent the abuse of finger.exe for network communication.
Harden browser configurations to disable or strictly control Application-Bound Encryption where feasible.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

ClickFix, Remus, and CloudZ: Multi-Vector Credential Theft Campaigns — OTX Pulse Analysis