Recent OTX pulse data reveals a convergence of sophisticated initial access vectors and resilient command-and-control (C2) infrastructure actively targeting enterprise sectors. The intelligence highlights three distinct but operationally advanced campaigns:
- ClickFix Campaigns: A large-scale social engineering operation targeting Windows and macOS users, specifically within Finance, Government, and Tech. Adversaries impersonate services like QuickBooks and Booking.com to trick users into executing malicious commands via native system tools (LotL). This campaign serves as a downloader for major information stealers (Vidar, Lumma, Redline) and RATs (NetSupport).
- GlassWorm: A targeted supply chain attack focusing on developers. By compromising code repositories and package managers, the actors deliver a stealthy malware that fingerprints the machine and fetches payloads via the Solana blockchain. It installs a fake browser extension for surveillance and persistence.
- EtherRAT (North Korean APT): A Node.js-based backdoor linked to a North Korean threat group targeting Retail and Software sectors. It utilizes "EtherHiding," storing C2 addresses within Ethereum smart contracts to resist takedowns, and employs CDN-like beaconing to blend in with legitimate traffic.
Collectively, these threats demonstrate a shift towards abusing legitimate blockchain infrastructure for resilience and using social engineering to bypass traditional email filtering.
Threat Actor / Malware Profile
ClickFix Campaign Cluster
- Adversary: Unknown (Financially motivated).
- Distribution: Social Engineering (Fake browser alerts/updates, fake support pages), SEO poisoning.
- Payload Behavior: Acts as a loader for secondary payloads. Manipulates victims into running shell commands (PowerShell/Bash) that download and execute malware.
- Malware Families: Vidar Stealer, Lumma Stealer, Redline Stealer, Odyssey Stealer, NetSupport RAT.
- Persistence: Scheduled tasks, Startup folder modifications (dependent on the specific loader payload).
GlassWorm
- Adversary: GlassWorm (Targeting Developers).
- Distribution: Supply chain compromise (malicious packages/repos).
- Payload Behavior: Staged execution. Initial fingerprinting followed by payload retrieval from the Solana blockchain. Steals crypto wallets and dev credentials.
- C2 Communication: Solana blockchain interactions; Remote Access Trojan (RAT) capabilities.
- Persistence: Installation of fake/rogue browser extensions.
EtherRAT
- Adversary: North Korean APT (State-sponsored).
- Distribution: IT Support scams, phishing, or exploitation (exact vector unspecified, but suggests social engineering given the target profile).
- Payload Behavior: Node.js based backdoor. Capable of arbitrary command execution, system info gathering (via
sys_infomodule), and asset theft. - C2 Communication: "EtherHiding" – C2 addresses stored in Ethereum smart contracts. Uses CDN-like beaconing (mimicking Cloudflare/Akamai traffic patterns).
- Persistence: Registry run keys or service installation (standard for Node.js malware).
IOC Analysis
- Indicator Types: The provided pulses predominantly list Domains and Hostnames. No file hashes or IPs were explicitly listed in the sanitized snippets provided, though the source pulses contain them.
- Operationalization:
- Network Firewall / Proxy: Block the listed domains immediately. These are C2 domains or hosting infrastructure for the initial payloads.
- SIEM: Correlate outbound connections to these domains with process creation events (e.g., PowerShell, Node.js, Browser).
- DNS Monitoring: Monitor for DNS queries resolving to the listed domains (e.g.,
ustazazharidrus.com,rpc.payload.de,o-parana.com).
Detection Engineering
YAML
title: Potential ClickFix Social Engineering Activity
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects potential ClickFix activity where a browser spawns a shell (PowerShell/CMD) often used in fake browser update scams.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate admin tasks initiated from browser downloads
level: high
tags:
- attack.initial_access
- attack.execution
- attack.t1204
---
title: Suspicious Node.js Process Network Connection
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects Node.js processes making network connections, potentially indicating EtherRAT or similar malware.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\node.exe'
filter_legit:
Initiated: 'true'
condition: selection and not filter_legit
falsepositives:
- Legitimate Node.js development servers
level: medium
tags:
- attack.command_and_control
- attack.t1071
---
title: GlassWorm Browser Extension Persistence
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects the creation of files in browser extension directories which may indicate GlassWorm or other extension-based malware.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
logsource:
category: file_create
product: windows
detection:
selection:
TargetFilename|contains:
- '\Google\Chrome\User Data\Default\Extensions'
- '\Microsoft\Edge\User Data\Default\Extensions'
- '\Mozilla\Firefox\Profiles\extensions'
condition: selection
falsepositives:
- Legitimate software installing extensions
level: low
tags:
- attack.persistence
- attack.t1176
kql
// Hunt for connections to known ClickFix and EtherRAT IOCs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
"ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
"visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
"o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
"regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend FullThreatInfo = strcat("Suspicious Connection detected to known malicious domain: ", RemoteUrl)
powershell
# IOC Hunt Script for ClickFix/GlassWorm/EtherRAT Artifacts
# Requires Administrative Privileges
Write-Host "[+] Hunting for ClickFix/GlassWorm/EtherRAT Indicators..." -ForegroundColor Cyan
# 1. Check DNS Cache for Malicious Domains
$maliciousDomains = @(
"ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com",
"visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com",
"o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
"regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)
$dnsCache = Get-DnsClientCache | Where-Object { $maliciousDomains -contains $_.Entry }
if ($dnsCache) {
Write-Host "[!] ALERT: Found malicious entries in DNS Cache:" -ForegroundColor Red
$dnsCache | Format-Table Entry, Data, Status -AutoSize
} else {
Write-Host "[-] No malicious DNS cache entries found." -ForegroundColor Green
}
# 2. Scan for Suspicious Browser Extensions (GlassWorm Indication)
$chromeExtPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
$edgeExtPath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
$firefoxExtPath = "$env:APPDATA\Mozilla\Firefox\Profiles"
$pathsToCheck = @($chromeExtPath, $edgeExtPath)
foreach ($path in $pathsToCheck) {
if (Test-Path $path) {
# Look for recently modified extensions (last 7 days)
$recentExts = Get-ChildItem -Path $path -Recurse -Directory | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
if ($recentExts) {
Write-Host "[!] WARNING: Recently modified browser extensions found at $path (Potential GlassWorm):" -ForegroundColor Yellow
$recentExts | Select-Object FullName, LastWriteTime
}
}
}
# 3. Check for Suspicious Node.js Processes (EtherRAT)
$nodeProcesses = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq "node.exe" }
if ($nodeProcesses) {
Write-Host "[*] Found Node.js processes running. Investigate command line:" -ForegroundColor Yellow
$nodeProcesses | Select-Object ProcessId, CommandLine, ParentProcessId
}
# Response Priorities
**Immediate (0-24h):**
* **Block IOCs:** Immediately block all listed domains and hostnames at the network perimeter, proxy, and DNS layers.
* **Hunt for Artifacts:** Run the provided PowerShell script across endpoints to identify DNS cache hits or recent browser extension modifications.
* **Isolate:** Isolate any endpoints with confirmed hits or running suspicious Node.js processes with network connectivity to unknown IPs.
**24h:**
* **Credential Reset:** If Lumma Stealer, Vidar, or Redline are suspected (based on ClickFix patterns), force a password reset for compromised accounts and invalidate session tokens.
* **Developer Audit:** Audit developer workstations for signs of GlassWorm (unusual Solana blockchain interactions, unknown browser extensions).
**1 Week:**
* **Architecture Hardening:** Implement strict allow-listing for PowerShell and CMD to prevent "ClickFix" style execution. Review browser extension management policies to force whitelisting.
* **Supply Chain Vetting:** Review and enforce controls for third-party code repositories and package managers used by development teams.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptclickfixglasswormetherratstealersapt
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.