
Gamaredon GammaSteel, ClickFix RATs, and TDS Stealers: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 5, 2026
6 min read

OTX Pulse data from 2026-06-05 highlights a convergence of sophisticated delivery mechanisms and persistent espionage threats. We are observing three distinct but high-risk campaigns:

  1. Gamaredon (UAC-0010) Espionage: Continued aggression against Ukrainian entities using the memory-resident GammaSteel infostealer, which leverages Windows Registry keys for payload storage.
  2. ClickFix / Job Platform Phishing: A widespread campaign abusing the legacy Finger protocol and fake CAPTCHAs to deliver CastleLoader, a Python-based RAT, via typosquatted job recruitment domains.
  3. TDS-Driven Malware Distribution: A Traffic Distribution System (TDS) impersonating open-source tools (Ghidra, dnSpy) to distribute SessionGate, RemusStealer, and AnimateClipper.

Collectively, these threats emphasize the abuse of legitimate utilities (LOLBins), search engine optimization (SEO) poisoning, and social engineering to bypass traditional perimeter defenses.

Threat Actor / Malware Profile

Gamaredon (UAC-0010 / Armageddon)

  • Objective: Cyberespionage against Ukrainian government, defense, and critical infrastructure.
  • Malware: GammaSteel (infostealer), GammaLoad, GammaWorm.
  • Persistence: Stores its payload (71 functions) in HKCU\Printers registry keys, encrypted with DPAPI, and operates primarily in-memory to evade disk-based scanning.
  • Propagation: Utilizes USB propagation (GammaWorm) and phishing emails.

ClickFix Operators

  • Objective: Initial access and data theft via remote access trojans.
  • Malware: CastleLoader (Portable Python-based RAT).
  • Distribution: Typosquatted domains mimicking LinkedIn/Indeed. Attack chain starts with Google Ads leading to fake CAPTCHA pages.
  • Execution: Abuses the built-in finger.exe client (Finger protocol, TCP/79) to fetch commands from attacker infrastructure, then deploys a portable Python runtime (CPython/IronPython) to execute them.

TDS / Malware-as-a-Service Ecosystem

  • Objective: Credential theft (cryptocurrency, sessions) and payload delivery.
  • Malware: SessionGate, RemusStealer, AnimateClipper.
  • Distribution: SEO poisoning for tools like Ghidra. Professional sites load CloudFront-hosted JavaScript to hijack clicks and route victims through a strict TDS gate (anti-bot, first-visit checks).

IOC Analysis

The provided pulses yield a mix of network and file-based indicators that SOC teams should immediately operationalize:

  • Domains: Includes typosquatted recruitment domains (e.g., teamsvoicehub.com) and infrastructure impersonating open-source projects (e.g., guiformat.com).
  • IP Addresses: Hosts associated with C2 infrastructure and TDS nodes (e.g., 194.150.220.218).
  • File Hashes (SHA256): Malicious payloads including Python scripts and RTF documents used in the initial infection stages.

Operationalization:

  1. Blocklist: Immediately ingest all domains and IPs into firewall, proxy, and DNS blocklists.
  2. EDR Telemetry: Hunt for file hashes 08a47436... and 87361ba2... on endpoints.
  3. Network Detection: Monitor for connections to the non-standard ports found in URLs (e.g., :48261).

Detection Engineering

YAML
title: Gamaredon GammaSteel Registry Persistence
id: 9b5c7c1a-1234-4678-9abc-1b2c3d4e5f6a
description: Detects persistence mechanism used by Gamaredon GammaSteel storing payloads in HKCU\Printers registry keys.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1112      # Modify Registry
    - attack.t1027.011  # Obfuscated Files or Information: Fileless Storage (payload kept in the registry)
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        # Sysmon renders the current-user hive as HKU\<SID>\..., never as HKCU\,
        # so matching the literal string 'HKCU\' would never fire on Sysmon data.
        TargetObject|startswith: 'HKU\S-1-5-21-'
        TargetObject|contains: '\Printers\'
    filter_legit_subkeys:
        # Subkeys Windows maintains under Printers for every interactive session
        TargetObject|contains:
            - '\Printers\Connections'
            - '\Printers\DevModePerUser'
            - '\Printers\DevModes2'
            - '\Printers\Settings'
            - '\Printers\Defaults'
    filter_spooler:
        Image|endswith: '\spoolsv.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Printer management tools or drivers writing custom per-user state under HKCU\Printers
level: high
---
title: ClickFix Campaign Finger Protocol Abuse
id: a1b2c3d4-5678-40ef-9a1b-2c3d4e5f6a7b
description: Detects the use of the legacy Finger protocol by threat actors to fetch commands or payloads, as seen in ClickFix campaigns.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://www.levelblue.com/blogs/spiderlabs-blog/clickfix-is-now-hiring-from-job-platform-impersonation-to-python-based-rat-delivery
tags:
    - attack.command_and_control
    - attack.t1105  # Ingress Tool Transfer (finger.exe used to fetch commands/payloads)
    - attack.t1071  # Application Layer Protocol (Finger, TCP/79)
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (extremely rare in modern envs)
level: critical
---
title: Portable Python Execution from User Directory
id: e5f6a7b8-9012-34cd-9ef0-1a2b3c4d5e6f
description: Detects execution of python.exe or pythonw.exe from user profile directories, indicative of portable Python runtimes used by malware like CastleLoader.
status: experimental
date: 2026/06/05
author: Security Arsenal
references:
    - https://www.levelblue.com/blogs/spiderlabs-blog/clickfix-is-now-hiring-from-job-platform-impersonation-to-python-based-rat-delivery
tags:
    - attack.execution
    - attack.t1059.006  # Command and Scripting Interpreter: Python
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\ipy.exe'    # IronPython launcher, also distributed as a portable runtime
    selection_path:
        # Match the interpreter's own path, not the command line: an installed
        # python.exe running a script out of Downloads is not a portable runtime.
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\Downloads\'
            - '\Desktop\'
    condition: all of selection_*
falsepositives:
    - Developers running a portable or embeddable Python distribution from Downloads or Desktop
level: medium

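To check that the three rules above fire on the events they describe and stay quiet on routine activity, the following added example (written for this write-up, not part of the original detection pack) re-implements their logic in plain Python and runs it over constructed Sysmon-style events. Field names follow Sysmon/Sigma conventions (TargetObject, Image, DestinationPort); the SID, hostnames and paths are placeholders. It also shows the HKCU pitfall concretely: a rule matching the literal `HKCU\` never sees the registry write that Sysmon actually logs under `HKU\<SID>\`.

```python
"""Run the pack's three detections over constructed Sysmon-style events (added example)."""

# Sysmon writes the current user's hive as HKU\<SID>\..., never as HKCU\
USER_HIVE_PREFIX = "HKU\\S-1-5-21-"
# Subkeys Windows itself maintains under every user's Printers key
LEGIT_PRINTERS_SUBKEYS = ("\\Printers\\Connections", "\\Printers\\DevModePerUser",
                          "\\Printers\\DevModes2", "\\Printers\\Settings",
                          "\\Printers\\Defaults")
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")
PYTHON_IMAGES = ("\\python.exe", "\\pythonw.exe", "\\ipy.exe")


def naive_printers_rule(ev: dict) -> bool:
    """Literal 'HKCU\\' match: what a rule written straight from the prose would do."""
    t = ev.get("TargetObject", "")
    return ev.get("category") == "registry_set" and "HKCU\\" in t and "Printers" in t


def gammasteel_printers_rule(ev: dict) -> bool:
    """Registry write under a user hive's Printers key, outside the stock subkeys."""
    if ev.get("category") != "registry_set":
        return False
    t = ev.get("TargetObject", "")
    if not t.startswith(USER_HIVE_PREFIX) or "\\Printers\\" not in t:
        return False
    if ev.get("Image", "").lower().endswith("\\spoolsv.exe"):
        return False
    return not any(sub in t for sub in LEGIT_PRINTERS_SUBKEYS)


def finger_rule(ev: dict) -> bool:
    """Any network connection initiated by the built-in Finger client."""
    return (ev.get("category") == "network_connection"
            and ev.get("Image", "").lower().endswith("\\finger.exe"))


def portable_python_rule(ev: dict) -> bool:
    """Python interpreter whose own image path lies in a user-writable directory."""
    if ev.get("category") != "process_creation":
        return False
    image = ev.get("Image", "").lower()
    return image.endswith(PYTHON_IMAGES) and any(d in image for d in USER_WRITABLE_DIRS)


RULES = {
    "Gamaredon GammaSteel Registry Persistence": gammasteel_printers_rule,
    "ClickFix Campaign Finger Protocol Abuse": finger_rule,
    "Portable Python Execution from User Directory": portable_python_rule,
}


def run_detections(events: list) -> list:
    """Return (event_index, rule_title) for every rule that fires."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in RULES.items() if rule(ev)]


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # placeholder SID
SAMPLE_EVENTS = [  # constructed events
    # 0: payload staged under the user's Printers key, as Sysmon Event 13 renders it
    {"category": "registry_set", "EventID": 13, "Image": "C:\\Windows\\System32\\mshta.exe",
     "TargetObject": f"HKU\\{SID}\\Printers\\7d3a\\Stage1", "Details": "Binary Data"},
    # 1: routine per-user printer state written by the spooler; must stay silent
    {"category": "registry_set", "EventID": 13, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": f"HKU\\{SID}\\Printers\\DevModePerUser\\Microsoft Print to PDF",
     "Details": "Binary Data"},
    # 2: finger.exe calling out (the Finger client only speaks TCP/79)
    {"category": "network_connection", "EventID": 3, "Image": "C:\\Windows\\System32\\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    # 3: portable interpreter extracted into Downloads
    {"category": "process_creation", "EventID": 1,
     "Image": "C:\\Users\\alice\\Downloads\\python-embed\\pythonw.exe",
     "CommandLine": "pythonw.exe -c \"import base64\""},
    # 4: system-wide developer install; must stay silent
    {"category": "process_creation", "EventID": 1,
     "Image": "C:\\Program Files\\Python312\\python.exe", "CommandLine": "python.exe build.py"},
    # 5: default per-user install location; the rule deliberately does not cover it
    {"category": "process_creation", "EventID": 1,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe",
     "CommandLine": "python.exe -m pip list"},
]

if __name__ == "__main__":
    for idx, title in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
    print("naive HKCU rule fires on event 0:", naive_printers_rule(SAMPLE_EVENTS[0]))
```

Keeping this kind of fixture next to the rules is the cheapest regression test for a detection pack: when a rule is tightened (for instance by adding another stock Printers subkey to the exclusion list), events 0 and 1 immediately show whether the true positive survived and the spooler noise is still suppressed.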

kql
// Hunt for Gamaredon Registry Activity
// Match on the Printers token rather than a hive prefix; MDE does not render the hive as "HKCU"
DeviceRegistryEvents
| where Timestamp > ago(1d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "Printers"
// Per-session printer state maintained by Windows; drop this line for the broadest (noisier) hunt
| where not(RegistryKey has_any ("Connections", "DevModePerUser", "DevModes2", "Settings", "Defaults"))
| where InitiatingProcessAccountName !~ "SYSTEM" // Focus on userland persistence
| where InitiatingProcessFileName !~ "spoolsv.exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend Description = "Potential GammaSteel persistence in Printers key"

// Hunt for ClickFix Network Indicators (finger.exe + suspicious connections)
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName =~ "finger.exe"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessAccountName, InitiatingProcessCommandLine
| extend Description = "Suspicious finger.exe usage (ClickFix indicator)"

// Hunt for connections to known malicious IPs from the pulse
let MaliciousIPs = dynamic(["194.150.220.218", "217.156.122.75", "165.22.170.129"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine


powershell
# PowerShell Hunt Script for GammaSteel and ClickFix Artifacts
# Requires Administrator Privileges (other users' loaded hives and profiles, Sysmon log)

Write-Host "[+] Hunting for Gamaredon GammaSteel Persistence..."
# HKCU only covers the account running the script, so walk every loaded user hive in HKEY_USERS
# (the interactive user's hive is one of them). The Registry provider needs the full hive
# name after 'Registry::'; 'Registry::HKCU\...' is not a valid path.
$PrinterKeys = Get-ChildItem "Registry::HKEY_USERS" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Printers" }
# Subkeys Windows maintains for every interactive session; anything else under Printers needs review
$LegitSubkeys = @('Connections', 'DevModePerUser', 'DevModes2', 'Settings', 'Defaults')

foreach ($PrintersKey in $PrinterKeys) {
    if (-not (Test-Path $PrintersKey)) {
        Write-Host "[-] $PrintersKey not present."
        continue
    }
    Write-Host "[*] Reviewing $PrintersKey ..."
    Get-ChildItem $PrintersKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { (($_.Name -split '\\Printers\\')[-1] -split '\\')[0] -notin $LegitSubkeys } |
        ForEach-Object {
            Write-Host "[!] Unexpected subkey: $($_.Name)"
            $Data = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            $Data.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                # Large REG_BINARY/REG_SZ blobs here are the kind of payload GammaSteel stages in the registry
                $Size = if ($_.Value -is [byte[]]) { $_.Value.Length } else { "$($_.Value)".Length }
                Write-Host "    Value: $($_.Name) (type $($_.TypeNameOfValue), size $Size)"
            }
        }
}

Write-Host "`n[+] Hunting for Portable Python in User Directories..."
$Interpreters = @('python.exe', 'pythonw.exe', 'ipy.exe')   # CPython and IronPython launchers
foreach ($User in (Get-ChildItem "C:\Users" -Directory)) {
    foreach ($Sub in @('Downloads', 'Desktop', 'AppData\Local\Temp')) {
        $Dir = Join-Path $User.FullName $Sub
        if (-not (Test-Path $Dir)) { continue }
        # Portable runtimes are extracted into a subfolder, so the search has to be recursive
        Get-ChildItem $Dir -Recurse -File -Include $Interpreters -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] Suspicious portable python found: $($_.FullName)"
            # Official CPython builds are Authenticode-signed, so the location rather than the
            # signature is the indicator; record both for triage.
            $Sig = Get-AuthenticodeSignature $_.FullName
            $_ | Select-Object FullName, Length, LastWriteTime,
                @{n='Product'; e={ $_.VersionInfo.ProductName }},
                @{n='Signer'; e={ $Sig.SignerCertificate.Subject }},
                @{n='Signature'; e={ $Sig.Status }} | Format-List
        }
    }
}

Write-Host "`n[+] Checking for finger.exe network usage (Sysmon Event ID 3, last 24h)..."
$Filter = @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3; StartTime=(Get-Date).AddHours(-24)}
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
if (-not $Events) {
    Write-Host "[-] No recent Sysmon network events found (is Sysmon installed and logging Event ID 3?)."
} else {
    $Events | Where-Object { $_.Message -match 'Image:\s+\S*\\finger\.exe' } | ForEach-Object {
        # Pull the fields out of the message text rather than relying on property positions
        $Dst  = if ($_.Message -match 'DestinationIp:\s*(\S+)')   { $Matches[1] } else { '?' }
        $Port = if ($_.Message -match 'DestinationPort:\s*(\d+)') { $Matches[1] } else { '?' }
        $Usr  = if ($_.Message -match 'User:\s*(.+)')             { $Matches[1].Trim() } else { '?' }
        Write-Host "[!] finger.exe network activity at $($_.TimeCreated): user $Usr -> ${Dst}:$Port"
    }
}


Response Priorities

Immediate:

  • Block all IOCs (domains and IPs) at the perimeter and proxy.
  • Scan endpoints for the specific SHA256 file hashes provided (08a47436..., 87361ba2...).
  • Isolate systems exhibiting finger.exe network traffic.

24h:

  • Conduct identity checks for users in regions targeted by the TDS campaign (Brazil, France, Germany, Poland, UK, Russia) to identify potential credential compromise.
  • Inspect HKCU\Printers registry keys across the enterprise for GammaSteel persistence.

1 Week:

  • Harden endpoint policies (AppLocker/WDAC) to block interpreter execution from user-writable locations such as Downloads, Desktop and %TEMP%. Official CPython binaries are Authenticode-signed, so a signature check alone will not stop a portable runtime; the path is the control point.
  • Review and restrict use of the legacy Finger client (finger.exe, TCP/79): block outbound TCP/79 at the egress firewall and deny finger.exe through AppLocker/WDAC where nothing depends on it.
  • Publish approved download sources for popular open-source tools (Ghidra, dnSpy) and block the impersonating domains; application allowlisting then stops unapproved installers fetched through the TDS from running.
