Back to Intelligence

ClickFix Surge: Potemkin, TELEPUZ, and OkoBot Credential Theft Campaigns — OTX Pulse Analysis

SA
Security Arsenal Team
July 16, 2026
6 min read

Recent OTX pulses reveal a significant convergence in adversary tactics, specifically the widespread adoption of "ClickFix" social engineering. This technique leverages fake browser error messages or update dialogs to trick users into executing malicious payloads. The observed infection chains involve the Potemkin Loader delivering the RMMProject RAT, the modular TELEPUZ MaaS spreading via Vidar, and the OkoBot framework targeting cryptocurrency assets. These campaigns are unified by their objective: credential theft, browser session hijacking, and financial compromise. Concurrently, the CylindricalCanine subgroup (linked to GoldenEyeDog) continues to target the APAC finance sector using signed binaries to deliver Gh0st RAT variants, bypassing standard security controls.

Threat Actor / Malware Profile

Potemkin Loader & RMMProject

  • Distribution: ClickFix attacks (HTA payloads).
  • Behavior: The HTA file silently installs an MSI package containing Potemkin. Potemkin is a custom loader featuring a deterministic Domain Generation Algorithm (DGA) to evade network blocking.
  • Payload: Delivers RMMProject, a 4.4 MB Lua-scriptable RAT capable of credential theft from browsers, including those using App-Bound Encryption.

TELEPUZ (MaaS)

  • Distribution: CLICKFIX-VIDAR infection chains.
  • Behavior: A lightweight, modular malware family employing advanced evasion techniques such as indirect syscalls, NTDLL unhooking, and anti-VM checks.
  • C2: Communicates via WebSockets to blend in with legitimate web traffic.
  • Persistence: Establishes persistence through service installation.

CylindricalCanine (GoldenEyeDog Subgroup)

  • Distribution: Phishing campaigns targeting APAC finance.
  • Behavior: Active since 2015, this group leverages code-signing certificates to bypass Windows SmartScreen.
  • Payload: Golden Gh0st Loader and Golden Gh0st RAT (modified Gh0st RAT), primarily for espionage and data theft.

OkoBot Framework

  • Distribution: Fake software on GitHub or ClickFix attacks via TookPS PowerShell scripts.
  • Behavior: Targets cryptocurrency users. Deploys an automated SSH bot and over 20 malicious modules, including HDUtil and Rilide (browser extension injector).

IOC Analysis

The provided indicators include a mix of network and file-based artifacts:

  • Domains & URLs: Several domains exhibit DGA characteristics (e.g., eutialyson.com) or are hosted on suspicious TLDs. URLs point to HTA and MSI payloads (hte.hta, inst24.msi). C2 infrastructure for Golden Gh0st RAT is observed on non-standard ports (5188, 5198).
  • File Hashes: A high volume of SHA256 and MD5 hashes are provided for the loaders and payloads (Potemkin, TELEPUZ, Gh0st variants). These should be immediately blocked in EDR solutions.
  • Operationalization: SOC teams should ingest these hashes into endpoint detection systems and the domains into DNS firewall/Proxy solutions. The non-standard ports used by CylindricalCanine suggest specific network inspection rules are required to detect the C2 traffic.

Detection Engineering

Sigma Rules

YAML
title: Potential Potemkin Loader ClickFix Activity
description: Detects execution of HTA files spawning MSI processes, a pattern observed in Potemkin Loader campaigns via ClickFix.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
    - https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\msiexec.exe'
    condition: selection
falsepositives:
    - Legitimate software installations triggered via HTML help
level: high
---
title: TELEPUZ MaaS Process Creation Patterns
description: Detects suspicious PowerShell execution patterns associated with TELEPUZ or OkoBot ClickFix infection chains.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
    - https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'downloadstring'
            - 'iex'
    selection_suspicious:
        CommandLine|contains:
            - 'ClickFix'
            - 'chrome_update'
            - 'edge_fix'
    condition: all of selection_*
falsepositives:
    - Administrative scripts
level: medium
---
title: Golden Gh0st RAT C2 Traffic
Description: Detects network connections to known Golden Gh0st RAT C2 ports associated with CylindricalCanine activity.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
    - https://expel.com/blog/introducing-cylindricalcanine/
tags:
    - attack.c2
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 5188
            - 5198
        Initiated: 'true'
    filter:
        DestinationIp:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter
falsepositives:
    - Legitimate applications using these high ports (rare)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Potemkin and ClickFix related process activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (InitiatingProcessFileName == "mshta.exe" and FileName == "msiexec.exe") 
   or (FileName == "powershell.exe" and CommandLine has "downloadstring" and ProcessCommandLine matches regex @"(chrome|edge|browser).*update")
| extend FullProcess = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, FullProcess
| order by Timestamp desc

// Hunt for network connections to suspicious domains or Golden Gh0st ports
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (5188, 5198) or RemoteUrl has_any ("eutialyson.com", "distritovagas.com", "goldeyeuu.io", "keensie.com")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt for Potemkin, TELEPUZ, OkoBot, and Golden Gh0st Indicators
$IOC_Hashes = @(
    "79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b",
    "03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746",
    "1abffe97aafe9916b366da5745858a78338598cab9742c2d9e03e4ad0ba11f29bf",
    "13ac78f8f2ed76a03c85f0cdef07e5463aa64458303c0949090fcd81868ba8ca"
)

$IOC_Domains = @(
    "resumeacceptable.com",
    "sonra.eutialyson.com",
    "cl.distritovagas.com",
    "uu.goldeyeuu.io",
    "api.keensie.com",
    "coffeesaloon.online"
)

Write-Host "[*] Checking for malicious file hashes..."
foreach ($hash in $IOC_Hashes) {
    $paths = Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash -eq $hash }
    if ($paths) {
        Write-Host "[!] MALICIOUS FILE FOUND: " $paths.FullName -ForegroundColor Red
    }
}

Write-Host "[*] Checking DNS Cache for C2 domains..."
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $IOC_Domains) {
    if ($dnsCache | Where-Object { $_.Entry -like "*$domain*" }) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND FOR: $domain" -ForegroundColor Yellow
    }
}

Write-Host "[*] Checking for RMMProject/Gh0st suspicious persistence..."
$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -like "*lua*" -or $_.Name -like "*gh0st*" }
if ($services) {
    Write-Host "[!] SUSPICIOUS SERVICE FOUND: " $services.Name -ForegroundColor Red
}

Response Priorities

  • Immediate:

    • Block all listed IOCs (Domains, Hashes, IPs) at the firewall, proxy, and EDR levels.
    • Isolate endpoints where the mshta.exe -> msiexec.exe execution chain is detected.
    • Terminate processes matching the TELEPUZ or OkoBot PowerShell execution patterns.
  • 24 Hours:

    • Conduct credential audits for users on affected hosts, prioritizing browser-stored credentials (Chrome/Edge) and cryptocurrency wallets.
    • Scan for the specific file hashes provided across the enterprise.
    • Investigate network traffic to ports 5188 and 5198 for potential Golden Gh0st RAT beaconing.
  • 1 Week:

    • Review and hardening RDP/Terminal Server configurations (reference Pulse 5 "The Devil" stager activity).
    • Implement application signing policies to block the execution of unsigned MSI/HTA files.
    • Conduct security awareness training specifically highlighting "ClickFix" (fake browser update) social engineering.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsclickfixcredential-thefttelepuzpotemkin-loadergolden-gh0st

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.