
Fox Tempest, Vidar v1.5 & macOS ClickFix: Enterprise Credential Theft Campaign

Security Arsenal Team
May 20, 2026
6 min read

Recent OTX pulses reveal a coordinated surge in credential theft campaigns orchestrated by sophisticated actors including Fox Tempest and utilizing updated malware families such as Vidar v1.5 and Gremlin Stealer. These campaigns leverage novel techniques including Go-compiled binaries to evade EDR, "Malware-Signing-as-a-Service" (MSaaS) to bypass trust controls, and social engineering "ClickFix" campaigns targeting macOS users to steal keychain data. Additionally, threat actors like UAT-8616 are actively exploiting edge infrastructure (Cisco SD-WAN) to gain initial access for webshell deployment and persistence.

Threat Actor & Malware Profile

Fox Tempest (MSaaS)

  • Role: Malware-Signing-as-a-Service provider and ransomware enabler.
  • Technique: Abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware (Rhysida, Lumma, Vidar) to appear signed and trusted.
  • Objective: Financially motivated ecosystem support for other cybercriminals.

Vidar v1.5 (Go Variant)

  • Evolution: Rebuilt in Go 1.25.4 (native PE) to evade traditional .NET/C++ signatures.
  • Capabilities: 12-category sandbox scoring, AV killing, and theft of browser data, Steam sessions, and crypto wallets.
  • C2 Infrastructure: Uses dead-drop resolvers via Telegram and Steam user profile pages.
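The dead-drop resolver behaviour above, turned into a proxy-log hunt as an added example that is not part of the original post or the OTX pulses: it flags hosts that fetch Telegram or Steam profile pages with a non-browser HTTP client, which is what a Go-built stealer does when it reads its C2 address out of a profile. The log layout, hostnames, handle and profile id are constructed; the user-agent test relies on Go's net/http default "Go-http-client/1.1", which a sample can override, so treat it as one signal to tune, not a verdict.

```python
import re
from collections import defaultdict

# Profile-page URLs a stealer reads its C2 address from: t.me/<name> and steamcommunity.com/profiles/<id>
DEAD_DROP_URL = re.compile(r"^https?://(t\.me|telegram\.me)/\w+/?$"
                           r"|^https?://steamcommunity\.com/(profiles|id)/\w+/?$")
# Tokens every real browser sends; Go's default "Go-http-client/1.1" (or /2.0) matches none of them
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/|Edg/")
# Constructed proxy-log layout assumed here:  <client-host> "<user-agent>" <url>
LOG_LINE = re.compile(r'^(?P<src>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')

def parse_line(line: str):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def is_dead_drop_lookup(rec: dict) -> bool:
    """True when a non-browser client fetched a Telegram or Steam profile page."""
    return bool(DEAD_DROP_URL.match(rec["url"])) and not BROWSER_UA.search(rec["ua"])

def hunt(lines) -> dict:
    """Return {client_host: [urls]} for hosts whose traffic matches the dead-drop pattern."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_dead_drop_lookup(rec):
            hits[rec["src"]].append(rec["url"])
    return dict(hits)

# Constructed sample log (hostnames, handle and profile id are made up)
SAMPLE_LOG = [
    'ws-042 "Go-http-client/1.1" https://t.me/constructed_handle',
    'ws-042 "Go-http-client/1.1" https://steamcommunity.com/profiles/76561190000000000',
    'ws-017 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" https://t.me/constructed_handle',
    'ws-017 "Go-http-client/1.1" https://proxy.golang.org/cache/list',
    'ws-099 "curl/8.5.0" https://steamcommunity.com/profiles/76561190000000000',
]

if __name__ == "__main__":
    for host, urls in hunt(SAMPLE_LOG).items():
        print(f"[!] {host}: {len(urls)} dead-drop lookup(s) -> {urls}")
```

Legitimate Telegram and Steam desktop clients use their own protocols and user agents rather than fetching profile pages like a browser, but allowlist them explicitly if they show up in your environment.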

Gremlin Stealer

  • Technique: Hides payloads within embedded resource files.
  • Obfuscation: Uses commercial packing utilities with instruction virtualization (a custom bytecode VM) to hinder reverse engineering and analysis.
  • Target: Payment card details, browser credentials, cryptocurrency wallets.

ClickFix (macOS)

  • Vector: Fake CAPTCHA pages tricking users into running PowerShell/Bash commands.
  • Payload: AppleScript-based infostealer.
  • Scope: Harvests data from 12 browsers, 200+ extensions, and 16 crypto wallets.

IOC Analysis

  • File Hashes: The pulses provide numerous SHA256 and MD5 hashes for Go-compiled Vidar samples and packed Gremlin variants. SOC teams should immediately block execution of these hashes on endpoints.
  • Network Indicators: C2 infrastructure includes IPs associated with Telegram (149.154.167.99), Steam-related endpoints, and specific Voxility-hosted infrastructure (172.94.9.250) used for ClickFix command and control.
  • Domains: Newly registered domains bull-run.fun and spot-wave.fun are associated with the macOS ClickFix campaign.
  • CVEs: Exploitation of CVE-2026-20182 and CVE-2026-20133 against Cisco Catalyst SD-WAN devices serves as a primary vector for initial access in network-centric attacks.

Detection Engineering

The following detection logic targets the specific behaviors, TTPs, and infrastructure detailed in the OTX pulses.

Sigma rules (YAML):

---
title: Potential Vidar Stealer v1.5 Execution - Known Go Binary Hashes
id: 8a4f2c1b-9e0d-4a5f-8b3c-2d1e0f9a8b7c
description: Detects process creation of the Go-based Vidar v1.5 stealer by the MD5/SHA256 hashes published in the pulse. Process-creation events carry no network fields, so the Telegram/Steam dead-drop traffic is hunted separately with the KQL query in this post.
author: Security Arsenal
date: 2026/05/21
status: experimental
references:
    - https://otx.alienvault.com/pulse/6625c5b62423b45e3b6453de/
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '.exe'
        Hashes|contains:
            - '702ef1b4007f07887e9faaee0667b50b'
            - '2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105'
    condition: selection
falsepositives:
    - Unlikely; matching is on known-bad hashes
level: high
tags:
    - attack.credential_access
    - attack.command_and_control
---
title: macOS ClickFix Campaign - Fake CAPTCHA leading to osascript
id: b5f9e2d1-4c3a-2b1a-9f8e-7d6c5b4a3e2d
description: Detects the macOS ClickFix attack pattern where a fake browser CAPTCHA gets the user to paste a command into Terminal, which then runs osascript or a curl-fed shell to deploy an infostealer. The parent is matched on Terminal.app or its shell (the paste path) and on the browser itself for variants that hand off directly.
author: Security Arsenal
date: 2026/05/21
status: experimental
references:
    - https://otx.alienvault.com/pulse/6647b8d72423b45e3b6457c9/
logsource:
    product: macos
    category: process_creation
detection:
    selection_parent_app:
        ParentImage|contains:
            - 'Terminal.app'
            - 'Safari.app'
            - 'Google Chrome.app'
            - 'Firefox.app'
            - 'Microsoft Edge.app'
    selection_parent_shell:
        ParentImage|endswith:
            - '/bash'
            - '/zsh'
            - '/sh'
    selection_child:
        Image|endswith:
            - '/osascript'
            - '/bash'
            - '/zsh'
            - '/sh'
        CommandLine|contains:
            - 'osascript'
            - 'curl'
            - 'bash -c'
    condition: 1 of selection_parent_* and selection_child
falsepositives:
    - Admin users manually launching scripts from browser downloads
    - Developers running osascript or curl interactively from a shell
level: critical
tags:
    - attack.execution
    - attack.user_execution
    - attack.initial_access
---
title: Fox Tempest Signed Malware Execution - Suspicious Certificate Chain
id: c6e0f3d2-5b4a-3c2b-0a9f-8e7d6c5b4a3e
description: Detects images loaded from outside the Windows and Program Files trees that carry a valid signature associated with the Fox Tempest MSaaS operation, i.e. Microsoft Artifact Signing certificates or chains linked to Rhysida/Lumma distribution. Sysmon image-load events expose the signer in the Signature field; a check on the issuing CA itself needs certificate telemetry such as Defender's DeviceFileCertificateInfo table.
author: Security Arsenal
date: 2026/05/21
status: experimental
references:
    - https://otx.alienvault.com/pulse/6658c9e82423b45e3b6458f0/
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Signed: 'true'
        SignatureStatus: 'Valid'
        Signature|contains:
            - 'Microsoft Artifact Signing'
            - 'Microsoft Windows Production PCA 2011'
    filter_legit_ms:
        ImageLoaded|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter_legit_ms
falsepositives:
    - In-house tools legitimately signed through Microsoft Artifact Signing and run outside the standard program directories (rare)
level: medium
tags:
    - attack.defense_evasion
    - attack.resource_development


KQL (Microsoft Defender advanced hunting):

// Hunt for ClickFix and Vidar Network Indicators
// Look for connections to known ClickFix domains and Vidar/Gremlin C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("bull-run.fun", "spot-wave.fun", "signspace.cloud")
    or RemoteIP in ("172.94.9.250", "149.154.167.99", "135.181.237.59", "194.87.92.109")
| extend ThreatLabel = case(
    RemoteUrl has "bull-run" or RemoteUrl has "spot-wave", "ClickFix C2",
    RemoteIP == "172.94.9.250", "ClickFix C2 (Voxility-hosted)",
    RemoteIP == "149.154.167.99", "Telegram IP (Potential Vidar Dead Drop)",
    RemoteIP == "194.87.92.109", "Gremlin C2",
    "Unknown Threat")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, ThreatLabel


PowerShell IOC hunt script:

# IOC Hunt Script for Vidar & Gremlin Stealers
# Checks user-writable paths for the published Vidar (MD5/SHA256) and Gremlin (SHA256) hashes
# and lists scheduled tasks that fit common stealer persistence patterns

$VidarHashes = @(
    "702ef1b4007f07887e9faaee0667b50b",
    "87332fcdf79e1c0bfb7713e9a52c0313",
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105"
)

$GremlinHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55"
)

Write-Host "[+] Scanning for Vidar and Gremlin Stealer Artifacts..." -ForegroundColor Cyan

# Check file hashes in user-writable locations (files over 1 MB only; Go-compiled droppers are large)
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[scanning] $Path" -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 1MB } |
            ForEach-Object {
                # Both digests are needed: the Vidar list mixes MD5 and SHA256, the Gremlin list is SHA256
                $Md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
                $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if (-not $Md5 -or -not $Sha256) { return }   # locked or unreadable file: skip instead of throwing
                $Md5 = $Md5.ToLower(); $Sha256 = $Sha256.ToLower()
                if ($VidarHashes -contains $Md5 -or $VidarHashes -contains $Sha256) {
                    Write-Host "[!] ALERT: Vidar Stealer found: $($_.FullName)" -ForegroundColor Red
                }
                if ($GremlinHashes -contains $Sha256) {
                    Write-Host "[!] ALERT: Gremlin Stealer found: $($_.FullName)" -ForegroundColor Red
                }
            }
    }
}

# Check for suspicious scheduled tasks (common persistence): generic name, .exe action, no recorded author.
# The clauses are parenthesised because -and and -or share precedence in PowerShell and bind left to right.
Write-Host "[+] Checking Suspicious Scheduled Tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
    $_.State -eq "Ready" -and
    ($_.TaskName -match "Update|Service|Driver") -and
    ($_.Actions.Execute -match "\.exe$") -and
    [string]::IsNullOrEmpty($_.Author)
} | ForEach-Object {
    Write-Host "[!] Suspicious Task Found: $($_.TaskName) - Action: $($_.Actions.Execute -join ', ')" -ForegroundColor Yellow
}

Write-Host "[+] Hunt Complete."

Response Priorities

Immediate (0-4 hours):

  • Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoint (EDR/Firewall).
  • Isolate endpoints exhibiting ClickFix behavior (Browser -> Terminal/PowerShell execution).
  • Patch Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133).

24 Hours:

  • Conduct credential audit for accounts active on systems where Vidar or Gremlin was detected. Force password resets and invalidate session tokens (especially for Steam/Telegram/Crypto).
  • Review code-signing logs for any binaries signed by the Fox Tempest-associated certificates.

1 Week:

  • Implement application signing policies to block execution of binaries signed by the specific "Microsoft Artifact Signing" certificates unless explicitly allowlisted.
  • Update browser sandboxing policies to restrict interaction with Terminal/Shell scripts.
  • Hunt for high-entropy Go binaries making outbound connections to non-corporate IPs.
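The Go-binary hunt in the last bullet (and the Go 1.25.4 rebuild described under Vidar v1.5), as an added example that is not code from the original post: a stdlib-only Python triage helper that parses a PE's section table, scores each section's Shannon entropy and flags images that carry Go linker markers and at least one packed-looking section. The 7.2 bits/byte threshold and the marker strings are assumptions to tune against your own Go software; build_sample_pe exists only to produce a constructed test input.

```python
import math
import struct

GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"go1.")  # strings the Go linker leaves in every build

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted sections sit above roughly 7.2."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(buf: bytes):
    """Yield (name, raw bytes) for each section from a minimal stdlib-only PE header parse."""
    if buf[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]              # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]         # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                   # section table follows the optional header
    for i in range(nsec):
        hdr = table + 40 * i
        name = buf[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)   # SizeOfRawData, PointerToRawData
        yield name, buf[raw_ptr:raw_ptr + raw_size]

def assess(buf: bytes, threshold: float = 7.2) -> dict:
    """Flag an image that is Go-built AND has at least one section at or above the entropy threshold."""
    is_go = any(m in buf for m in GO_MARKERS)
    entropy = {name: round(shannon_entropy(data), 2) for name, data in pe_sections(buf)}
    hot = [n for n, e in entropy.items() if e >= threshold]
    return {"go": is_go, "entropy": entropy, "high_entropy": hot, "suspicious": is_go and bool(hot)}

def build_sample_pe(sections) -> bytes:
    """Constructed, non-executable PE with the given [(name, data)] sections; exists only for self-testing."""
    nsec = len(sections)
    ptr = 0x40 + 24 + nsec * 40                                  # DOS header + PE sig/COFF + section table
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), ptr, len(data), ptr) + bytes(16)
        body, ptr = body + data, ptr + len(data)
    return dos + coff + table + body
```

Run it on a suspect file with assess(open(path, "rb").read()) and feed the "suspicious" hits into the network hunt above; unpacked Go binaries normally score around 6 bits/byte in .text, so a section at 7.2 or higher is the signal to chase.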
