Back to Intelligence

ClickFix, Supply Chain Poisoning, and Trigona Exfiltration: Multi-Vector Credential Theft Analysis

SA
Security Arsenal Team
April 26, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a convergence of high-risk initial access vectors culminating in credential theft and ransomware operations. Threat actors are operationalizing a "blended threat" model that simultaneously exploits human psychology (ClickFix), trust in developer ecosystems (Checkmarx KICS Docker/VS Code compromise), and traffic redirection services (Keitaro TDS).

The primary objective across these campaigns is the theft of sensitive credentials—ranging from cryptocurrency wallets and developer keys to corporate banking access. These credentials likely serve as a precursor to the Trigona ransomware operations observed by the Rhantus group, which has recently adopted a custom exfiltration tool, uploader_client.exe, to streamline data theft before encryption.

Threat Actor / Malware Profile

1. ClickFix Campaigns & Stealers (Lumma, Vidar, RedLine)

  • Distribution: Social engineering campaigns impersonating Intuit QuickBooks and Booking.com. Victims are manipulated into executing malicious commands via "Copy-Paste" into native system tools (PowerShell/Terminal).
  • Behavior: Living-off-the-Land (LotL) execution to bypass security controls. Upon execution, payloads drop information stealers.
  • Persistence: Stealers often establish persistence via scheduled tasks or registry run keys, maintaining access for secondary payload delivery.

2. GlassWorm & TeamPCP (Supply Chain)

  • Distribution: Compromised Docker Hub images (Checkmarx KICS) and malicious VS Code extensions (mcpAddon.js). Targeting developers and CI/CD pipelines.
  • Behavior: GlassWorm utilizes the Solana blockchain for C2 communication and payload fetching, making network detection difficult. TeamPCP leverages NPM propagation.
  • Persistence: Malicious browser extensions and compromised build environments ensure long-term access to development infrastructure.

3. Trigona Ransomware (Rhantus)

  • Distribution: Likely accessed via purchased initial access from stealer operators or direct exploitation.
  • Behavior: Uses custom tooling like uploader_client.exe for parallel data exfiltration and connection rotation. Employs kernel drivers (DumpGuard, StpProcessMonitorByovd) to terminate security processes (PCHunter).

IOC Analysis

  • Domains: A significant volume of domains relates to the Keitaro TDS abuse and ClickFix campaigns (e.g., ustazazharidrus.com, ucaboodle.com, account-help.info). These serve as redirectors or landing pages for social engineering.
  • File Hashes: Specific MD5, SHA1, and SHA256 hashes have been identified for the compromised KICS binaries and Trigona support tools.
  • Operationalization: SOC teams should immediately load the domains into DNS firewall/BloxOne lists. The file hashes should be blocklisted in EDR solutions. The Trigona hashes (uploader_client.exe) are critical for detecting the active exfiltration phase.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Social Engineering Execution
id: 8f79e3a8-1b2c-4d5e-9f6a-1b2c3d4e5f6a
description: Detects PowerShell execution patterns often associated with ClickFix campaigns where users are tricked into running obfuscated commands via copy-paste.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a1b1c5d4e5e6e6b1c2d3e
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: 
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'CopyTo-Clipboard'
            - 'iex'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Trigona Ransomware Custom Exfiltration Tool
id: a1b2c3d4-e5f6-4a5b-8c9d-1e2f3a4b5c6d
description: Detects the execution of uploader_client.exe, a custom tool used by Trigona affiliates to steal data before encryption.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a1b1c5d4e5e6e6b1c2d4f
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\uploader_client.exe'
    condition: selection
falsepositives:
    - Unknown (Legitimate usage unlikely)
level: critical
---
title: Suspicious VS Code Extension Child Process
id: b2c3d4e5-f6a7-4b5c-9d0e-2f3a4b5c6d7e
description: Detects suspicious child processes spawned by VS Code host, potentially indicating malicious extensions like GlassWorm or mcpAddon.js.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662a1b1c5d4e5e6e6b1c2d4e
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|contains: '\Code.exe'
    selection_child:
        Image|endswith:
            - '\node.exe'
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'extension'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Legitimate extension development activity
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and Keitaro related domains in network connections
let IoCs = dynamic(["ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "ucaboodle.com", "someotherbox.com", "your-link.online"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IoCs) or InitiatingProcessFileName has_any ("powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
| extend IoC_Hit = iff(RemoteUrl has_any (IoCs), "Domain_Match", "Suspicious_Process")

PowerShell Hunt Script

PowerShell
# Check for Trigona artifacts and malicious VS Code extensions
Write-Host "[!] Hunting for Trigona and GlassWorm artifacts..." -ForegroundColor Cyan

# Check for uploader_client.exe (Trigona Exfil)
$trigonaPath = "C:\Windows\Temp\uploader_client.exe"
if (Test-Path $trigonaPath) {
    Write-Host "[ALERT] Trigona exfiltration tool found at $trigonaPath" -ForegroundColor Red
}

# Check for common persistence mechanisms used by stealers
$regPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
$malwareKeys = @("Lumma", "Vidar", "RedLine", "Rusty")

foreach ($path in $regPaths) {
    if (Test-Path $path) {
        Get-Item -Path $path | Select-Object -ExpandProperty Property | ForEach-Object {
            if ($_ -match ($malwareKeys -join '|')) {
                Write-Host "[ALERT] Suspicious persistence key found in $path : $_" -ForegroundColor Red
            }
        }
    }
}

# Scan for VS Code extensions with suspicious content
$vsCodeExtensions = "$env:USERPROFILE\.vscode\extensions"
if (Test-Path $vsCodeExtensions) {
    Write-Host "[*] Scanning VS Code extensions for suspicious scripts (GlassWorm/TeamPCP)..." -ForegroundColor Yellow
    Get-ChildItem -Path $vsCodeExtensions -Recurse -Filter "*.js" | Select-String -Pattern "eval\(|base64decode|http:\/\/.*\.onion" | Select-Object Path, Pattern | Out-String | Write-Host
}

Response Priorities

Immediate (0-24 hours)

  • Block IOCs: Implement blocks for all listed ClickFix and Keitaro domains at the DNS/Web Proxy level.
  • Quarantine: Identify and quarantine systems matching the Trigona file hashes (uploader_client.exe, kernel drivers).
  • Hunt: Execute the provided PowerShell script across the environment to identify active infections.

24 Hours

  • Credential Reset: Force password resets for accounts identified in the Keitaro/ClickFix targeting scope (Finance, Accounting, Development teams).
  • Container Audit: Audit all running Docker containers against the compromised Checkmarx KICS hashes; terminate and rebuild instances using clean images.

1 Week

  • Architecture Review: Review and restrict the use of native system tools (PowerShell) for end-users via Application Allowlisting.
  • Supply Chain Policy: Implement strict validation for Docker Hub images and VS Code extensions (e.g., require signed extensions).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstrigona-ransomwareclickfixsupply-chain-attackinfostealerkeitaro-tds

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action