
Fox Tempest MSaaS, UAT-8616 SD-WAN Attacks, & macOS ClickFix: Enterprise Detection Pack

Security Arsenal Team
May 20, 2026
6 min read

Current OTX pulse data highlights a convergence of sophisticated infrastructure exploitation and criminal "as-a-service" operations enabling widespread attacks.

  • Infrastructure Targeting (UAT-8616): The threat actor UAT-8616 is actively exploiting CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Manager. Successful exploitation allows for the deployment of webshells (Godzilla, Behinder) and cryptominers (XMRig), granting actors persistent control over network traffic.
  • Malware-Signing-as-a-Service (Fox Tempest): The Fox Tempest operation is abusing Microsoft Artifact Signing to generate fraudulent code-signing certificates. This trust abuse allows malware families like Rhysida, Akira, Lumma Stealer, and BlackByte to bypass security controls that rely on signature trust.
  • Cross-Platform Social Engineering (ClickFix): A new campaign targeting macOS uses fake CAPTCHA pages ("ClickFix") to trick users into running malicious AppleScript. This infostealer harvests credentials from 12 browsers and 16 crypto wallets, bypassing new macOS Terminal protections.

Threat Actor / Malware Profile

UAT-8616 (APT/State-Sponsored)

  • Objective: Persistence within network infrastructure and financial gain via cryptomining.
  • Distribution: Direct exploitation of internet-facing Cisco SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133).
  • Payload Behavior: Deploys XenShell, Godzilla, and Behinder webshells for remote access. Uses Sliver and AdaptixC2 for command and control. Installs XMRig for resource hijacking.

Fox Tempest (Cybercrime Enabler)

  • Objective: Financial profit by selling signed malware to other threat actors.
  • Distribution: Malware-Signing-as-a-Service (MSaaS). Provides fraudulent certificates for ransomware and stealers.
  • Payload Behavior: Facilitates the distribution of Rhysida, Akira, Qilin, BlackByte (ransomware), and Lumma Stealer/Vidar (infostealers). The signatures allow these payloads to appear trusted to operating systems and security tools.

ClickFix Campaign (Unknown)

  • Objective: Credential harvesting and session hijacking.
  • Distribution: Social engineering via fake browser CAPTCHA verification pages.
  • Payload Behavior: Malicious AppleScript on macOS that exfiltrates Keychain databases, browser cookies (Chrome, Edge, Safari, etc.), and cryptocurrency wallet seeds.

IOC Analysis

The provided indicators reveal a multi-faceted C2 infrastructure:

  • File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes are associated with the webshells (Godzilla/Behinder), miners (XMRig), and signed malware payloads. These should be blocklisted in EDR solutions immediately.
  • Network Infrastructure:
    • 172.94.9.250 (Voxility LLP): Used in the ClickFix campaign.
    • 176.65.139.31: Associated with UAT-8616 exploitation activity.
  • Domains:
    • bull-run.fun / spot-wave.fun: ClickFix landing pages.
    • signspace.cloud: Domain associated with Fox Tempest's signing operation.
  • CVEs: CVE-2026-20182 is the primary vector for the SD-WAN attacks. Patching is the primary mitigation.

SOC teams should operationalize these by pushing hashes to EDR, blocking IPs/Domains on the perimeter firewall, and configuring SIEM rules to alert on outbound connections to the listed IPs.
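The following Python script is an added illustration of that operationalization step and is not part of the original pack. It takes the IPs and domains from the IOC Analysis section, refangs pasted indicators (hxxp://, [.]), extracts the hostname from URLs or host:port strings, treats subdomains of a listed domain as hits, and labels each match the same way the KQL hunt's ThreatActivity column does. The key=value proxy log lines and the host, user and process names in them are constructed for the example.

```python
"""Match the UAT-8616 / ClickFix / Fox Tempest network indicators from this
pack against proxy or firewall log lines and label each hit by campaign."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the IOC Analysis section of the pack.
IOC_IPS = {
    "176.65.139.31": "UAT-8616 SD-WAN C2",
    "172.94.9.250": "ClickFix Campaign",
}
IOC_DOMAINS = {
    "bull-run.fun": "ClickFix Campaign",
    "spot-wave.fun": "ClickFix Campaign",
    "signspace.cloud": "Fox Tempest Infrastructure",
}


def refang(value):
    """Undo common defanging (hxxp://, [.], (.), [:]) so pasted indicators still match."""
    value = value.strip().lower()
    value = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), value)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostname_of(value):
    """Return the bare hostname from a URL, a host:port string or a plain host."""
    value = refang(value)
    if "://" not in value:
        value = "//" + value  # let urlsplit treat it as a network location
    return urlsplit(value).hostname or ""


def classify(remote):
    """Label a remote IP, hostname or URL; subdomains of a listed domain count as hits."""
    host = hostname_of(remote)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return IOC_IPS.get(str(ip))
    for domain, label in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


# Constructed sample proxy log lines in a simple key=value format (not real telemetry).
SAMPLE_LOG = """\
ts=2026-05-20T08:01:02Z host=mac-042 user=jdoe proc=osascript dst=https://bull-run.fun/verify
ts=2026-05-20T08:02:10Z host=mac-042 user=jdoe proc=curl dst=https://cdn.spot-wave.fun/a.js
ts=2026-05-20T08:05:33Z host=sdwan-mgr proc=java dst=176.65.139.31:443
ts=2026-05-20T08:06:00Z host=ws-17 user=asmith proc=chrome dst=https://www.example.com/
ts=2026-05-20T08:07:45Z host=ws-21 user=build proc=signtool dst=hxxps://api.signspace[.]cloud/sign
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def hunt(log_text):
    """Return (host, proc, destination, label) for every line whose destination hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(LINE_RE.findall(line))
        label = classify(fields.get("dst", ""))
        if label:
            hits.append((fields.get("host"), fields.get("proc"), fields["dst"], label))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("[!] %-10s %-9s %-45s -> %s" % hit)
```

Exact host comparison plus a leading-dot suffix check is what keeps a lookalike such as notbull-run.fun from matching while cdn.spot-wave.fun still does; the same two checks are what a SIEM domain match should implement.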

Detection Engineering

```yaml
title: macOS ClickFix - Suspicious Osascript Network Connection
id: 509c3e8e-0ee4-4585-9776-9b6c7b4c9f21
description: Detects macOS processes spawned by osascript making network connections, indicative of the ClickFix campaign infostealer behavior.
status: experimental
date: 2026/05/21
author: Security Arsenal
logsource:
  category: network_connection
  product: macos
detection:
  selection:
    # Standard Sigma network_connection field names: Image for the initiating
    # process and DestinationPort for the remote port.
    Image|endswith: '/osascript'
    DestinationPort:
      - 80
      - 443
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: high
tags:
  - attack.execution
  - attack.t1059.002
---
title: UAT-8616 - SD-WAN Webshell Activity via Java Process
id: 7b8a1c2d-3e4f-4a5b-8c9d-1e2f3a4b5c6d
description: Detects suspicious child processes (cmd.exe, powershell.exe, bash) spawned by the Java/Tomcat service often running Cisco SD-WAN Manager, indicative of webshell exploitation.
status: experimental
date: 2026/05/21
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - 'java.exe'
      - 'javaw.exe'
  selection_child:
    Image|endswith:
      - 'cmd.exe'
      - 'powershell.exe'
      - 'pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative tasks by IT
level: critical
tags:
  - attack.initial_access
  - attack.t1190
---
title: Fox Tempest - Signed XMRig Execution
id: 9c0d1e2f-3a4b-4c5d-6e7f-8a9b0c1d2e3f
description: Detects the execution of XMRig or similar miners, potentially signed or utilized by UAT-8616 after exploiting network devices.
status: experimental
date: 2026/05/21
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: 'xmrig'
  condition: selection
falsepositives:
  - Authorized testing or legitimate mining operations
level: high
tags:
  - attack.impact
  - attack.t1496
```
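Before these rules are pushed to a SIEM, their field and condition logic should be exercised against known-good and known-bad events. The Python below is an added example, not part of the pack and not a Sigma toolchain component: it implements just enough of the Sigma semantics the three rules use (the endswith and contains modifiers, list-valued fields, AND within a selection, and the conditions "selection" and "all of selection_*", with case-insensitive matching) and runs the transcribed detection blocks over constructed sample events. The macOS rule is transcribed with the standard network_connection field names Image and DestinationPort. One caveat for the second rule: it is a Windows rule, while Cisco SD-WAN Manager itself is a Linux-based appliance, so covering the manager directly needs a Linux variant (product: linux, a java parent, sh/bash children).

```python
"""Minimal evaluator for the detection logic of the three Sigma rules above,
run against constructed sample events so the rules can be unit-tested before
deployment. Supports the modifiers 'endswith' and 'contains', list-valued
fields (any value may match), AND across the fields of one selection, and the
conditions 'selection' and 'all of selection_*'. Sigma string matching is
case-insensitive, so both sides are lower-cased."""
import fnmatch


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry against an event dict."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, detection):
    """Evaluate a rule's detection block (selections plus condition) against an event."""
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    if condition.startswith("all of "):
        names = fnmatch.filter(selections, condition[len("all of "):])
        return bool(names) and all(selection_matches(event, selections[n]) for n in names)
    return selection_matches(event, selections[condition])


# Detection blocks transcribed from the three rules above.
RULES = {
    "macOS ClickFix - Suspicious Osascript Network Connection": {
        "selection": {"Image|endswith": "/osascript", "DestinationPort": [80, 443]},
        "condition": "selection",
    },
    "UAT-8616 - SD-WAN Webshell Activity via Java Process": {
        "selection_parent": {"ParentImage|endswith": ["java.exe", "javaw.exe"]},
        "selection_child": {"Image|endswith": ["cmd.exe", "powershell.exe", "pwsh.exe"]},
        "condition": "all of selection_*",
    },
    "Fox Tempest - Signed XMRig Execution": {
        "selection": {"Image|contains": "xmrig"},
        "condition": "selection",
    },
}

# Constructed sample events (not real telemetry); the index notes the expected outcome.
EVENTS = [
    {"Image": "/usr/bin/osascript", "DestinationPort": 443, "DestinationIp": "172.94.9.250"},  # 0: ClickFix hit
    {"Image": "/usr/bin/osascript", "DestinationPort": 8443},                                   # 1: port not in list
    {"ParentImage": "C:\\Program Files\\Java\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},  # 2: webshell hit
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},   # 3: benign parent
    {"Image": "C:\\ProgramData\\svc\\XMRig.exe"},                                                # 4: miner hit
]


def evaluate(events, rules=RULES):
    """Return {rule title: [indexes of matching events]} for a batch of events."""
    return {title: [i for i, e in enumerate(events) if rule_matches(e, det)]
            for title, det in rules.items()}


if __name__ == "__main__":
    for title, idx in evaluate(EVENTS).items():
        print(f"{title}: events {idx}")
```

Event 1 is the useful negative case: osascript reaching a non-standard port is invisible to the first rule as written, which is the trade-off the 80/443 port list makes against noise.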


```kql
// Hunt for ClickFix and UAT-8616 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("176.65.139.31", "172.94.9.250")
   or RemoteUrl has_any ("bull-run.fun", "spot-wave.fun", "signspace.cloud")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| extend ThreatActivity = case(
    RemoteIP == "176.65.139.31", "UAT-8616 SD-WAN C2",
    RemoteIP == "172.94.9.250" or RemoteUrl has_any ("bull-run", "spot-wave"), "ClickFix Campaign",
    RemoteUrl has "signspace", "Fox Tempest Infrastructure",
    "Unknown Threat Traffic")
```


```powershell
# IOC Hunter for UAT-8616 and Fox Tempest Payloads
# Checks system for specific file hashes mentioned in OTX pulses.
# The indicator list mixes SHA256 (64 hex chars), MD5 (32) and SHA1 (40) values,
# so each file is hashed with every algorithm present in the list; comparing
# only a SHA256 digest would silently miss the MD5 and SHA1 indicators.

$targetHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa", # XenShell/Webshell (SHA256)
    "e12285f507c847b986233991b86b22e3",                                 # macOS ClickFix Component (MD5)
    "7e6d9dac619c04ae1b3c8c0906123e752ed66d63",                         # Fox Tempest Signed Malware (SHA1)
    "11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326"  # Signed Payload (SHA256)
)

# Group the indicators by algorithm, inferred from hex length.
$hashesByAlgo = @{}
foreach ($h in $targetHashes) {
    $algo = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if (-not $algo) { Write-Warning "Skipping indicator with unexpected length: $h"; continue }
    if (-not $hashesByAlgo.ContainsKey($algo)) { $hashesByAlgo[$algo] = @() }
    $hashesByAlgo[$algo] += $h.ToUpperInvariant()   # Get-FileHash returns upper-case hex
}

Write-Host "[+] Scanning for UAT-8616 and Fox Tempest IOCs..." -ForegroundColor Cyan

# A recursive walk of C:\ already covers C:\ProgramData and C:\Users; add further
# volumes here rather than sub-folders of a drive that is already listed.
$searchPaths = @("C:\")

foreach ($path in $searchPaths) {
    if (-not (Test-Path $path)) { continue }
    Write-Host "[+] Scanning $path..." -ForegroundColor Yellow
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($algo in $hashesByAlgo.Keys) {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and $hashesByAlgo[$algo] -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                Write-Host "    ${algo}: $hash"
            }
        }
    }
}

# Check Network Connections for Known C2 IPs
$targetIPs = @("176.65.139.31", "172.94.9.250")
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $targetIPs -contains $_.RemoteAddress }

# Report per connection: one IP may have several sockets owned by different processes.
foreach ($conn in $connections) {
    Write-Host "[!] ACTIVE C2 CONNECTION DETECTED to $($conn.RemoteAddress):$($conn.RemotePort) on PID: $($conn.OwningProcess)" -ForegroundColor Red
    Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
}
```

Response Priorities

  • Immediate:
    • Block all IOCs (IPs, domains) listed above at the perimeter firewall and proxy.
    • Apply patches for CVE-2026-20182 and CVE-2026-20133 to all Cisco Catalyst SD-WAN infrastructure immediately.
    • Scan endpoint fleets for the file hashes provided in the "IOC Analysis" section.
  • 24 Hours:
    • Investigate any systems identified with XMRig or webshell connections (176.65.139.31) for lateral movement.
    • Force a reset of credentials and tokens for users who may have interacted with "CAPTCHA" pages recently (macOS users specifically).
    • Revoke trust for any code-signing certificates associated with the Fox Tempest operation (check signspace.cloud artifacts).
  • 1 Week:
    • Review segmentation controls to prevent SD-WAN managers from reaching the internet directly if not required.
    • Implement application control (the macOS counterpart of AppLocker) to block osascript execution for standard users on macOS endpoints.
    • Audit all code-signing certificates issued by the internal CA to ensure no fraudulent issuance has occurred.
