Recent OTX pulses highlight a converging threat landscape where established ransomware operations (Interlock, INC, Rhysida) are leveraging sophisticated access vectors while credential theft campaigns (ClickFix, Steam Workshops) utilize social engineering and AI-generated infrastructure to distribute RATs and stealers.
- Ransomware Evolution: Hive0163 (Interlock) and INC ransomware continue to dominate. INC has transitioned to Rust-based encryptors for cross-platform capability (Windows/Linux/ESXi), while Interlock utilizes a complex ecosystem of loaders like MintLoader, SocGholish, and custom malware (NodeSnake, JunkFiction).
- Novel C2 Techniques: The DragonForce actor is observed weaponizing Microsoft Teams relay infrastructure (Backdoor.Turn) to blend malicious traffic with legitimate Microsoft traffic, complicating network detection.
- Credential Theft Surge: A significant rise in infostealer activity is noted through two distinct vectors: "ClickFix" campaigns targeting Brazilian finance sectors via fake CAPTCHAs delivering SmartRAT, and typosquatting/malicious mods on Steam Workshop distributing Lumma, Vidar, and DarkComet.
Collectively, these campaigns prioritize initial access via phishing (SocGholish), social engineering (Fake CAPTCHA, Gaming mods), and vulnerability exploitation (CVE-2023-36036, CVE-2025-61155) to deploy payloads facilitating data exfiltration and double-extortion ransomware.
Threat Actor / Malware Profile
Malware Families
- SmartRAT / Banana RAT: PowerShell-based banking trojans delivered via AI-generated sites. Features include encrypted C2, QR code interception, and clipboard manipulation.
- Lumma / Vidar: Information stealers targeting browser credentials, cookies, and crypto-wallets, distributed via trojanized Steam wallpapers.
- DragonForce / Backdoor.Turn: Custom Go-based backdoor utilizing Microsoft Teams TURN relays for C2 obfuscation, employing DLL side-loading and BYOVD (Bring Your Own Vulnerable Driver) techniques.
- INC Ransomware: Rust-based encryptor supporting double-extortion. Affiliates utilize Cobalt Strike and custom tools (Lynx, Sinobi) for lateral movement.
- InterlockRAT / NodeSnake: Custom tools within the Hive0163 arsenal, utilizing SystemBC for proxying and JunkFiction for payload delivery.
Distribution & Behavior
- Initial Access: Drive-by downloads (SocGholish), trojanized installers (Steam Workshop), SEO poisoning (Gootloader), and Fake CAPTCHA (ClickFix).
- Persistence: Scheduled tasks, DLL side-loading, and registry run keys.
- C2 Communication: Encrypted HTTP/HTTPS, abuse of legitimate infrastructure (MS Teams relays), and Tor hidden services (INC onion domains).
- Anti-Analysis: Junk code insertion, crypters (Tomb), and AI-generated domain fluxing to avoid signature detection.
IOC Analysis
The provided pulses contain a mix of network and host-based indicators essential for defense:
- Domains (Typosquatting & C2):
leadslaw.com,crefisa.online,windowsupdate-cdn.com. These should be blocked immediately at the DNS level. The latter attempts to impersonate legitimate Windows update infrastructure. - File Hashes (MD5/SHA1/SHA256): Numerous hashes associated with payloads, loaders, and configuration files. Examples include
333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c(Interlock) and6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141(INC). - CVEs:
CVE-2023-36036(Interlock/Rhysida),CVE-2025-61155(DragonForce). These indicate specific exploits used for initial access or privilege escalation. - URLs: Distribution links from cloud storage (Dropbox, Google Docs) often used in Steam campaigns to host malicious RAR archives.
Operationalization: SOC teams should ingest these IOCs into EDR solutions for scanning and into firewalls/proxies for blocking. The incblog.su and associated .onion domains indicate leak site activity useful for threat hunting.
Detection Engineering
YAML
---
title: Potential ClickFix Fake CAPTCHA PowerShell Execution
date: 2026/06/18
description: Detects suspicious PowerShell execution patterns often associated with ClickFix campaigns where users are tricked into running PS commands via fake captchas or browser updates.
references:
- https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat
author: Security Arsenal
status: experimental
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: powershell
detection:
selection:
EventID: 4104
selection_keywords:
ScriptBlockText|contains:
- 'iex'
- 'Invoke-Expression'
- 'DownloadString'
filters:
ScriptBlockText|contains:
- 'captcha'
- 'verify'
- 'human'
- 'browser-update'
condition: selection and selection_keywords and filters
falsepositives:
- Legitimate system administration scripts
level: high
---
title: Suspicious Process Spawn by Wallpaper Engine
date: 2026/06/18
description: Detects Wallpaper Engine spawning suspicious child processes like PowerShell or CMD, which may indicate malicious wallpaper execution as seen in Steam Workshop campaigns.
references:
- https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/
author: Security Arsenal
status: experimental
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\wallpaper32.exe'
- '\wallpaper64.exe'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate user scripts interacting with Wallpaper Engine
level: medium
---
title: Ransomware precursors SystemBC and Cobalt Strike Beacon
date: 2026/06/18
description: Detects network connections or process execution indicative of SystemBC proxying or Cobalt Strike beacons used by INC and Interlock actors.
references:
- https://www.ibm.com/think/x-force/interlock-and-rhysida-within-the-ransonware-ecosystem
author: Security Arsenal
status: experimental
tags:
- attack.c2
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection_cs:
Initiated: 'true'
DestinationPort:
- 443
- 80
filter_legit:
DestinationHostname|endswith:
- '.microsoft.com'
- '.google.com'
- '.amazon.com'
condition: selection_cs and not filter_legit
falsepositives:
- Unknown
level: high
kql
// Hunt for ClickFix and Malicious Domain Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
"crefisa.online",
"windowsupdate-cdn.com",
"leadslaw.com",
"incblog.su"
)
| summarize Count=count() by DeviceName, RemoteUrl, InitiatingProcessAccountName
// Hunt for Suspicious PowerShell Process Creations (SmartRAT indicators)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
// Hunt for Steam Wallpaper Malware Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
"fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
powershell
# IOC Hunt Script for Steam Wallpaper & ClickFix Campaigns
# Checks for specific file hashes and suspicious registry paths
$TargetHashes = @(
"f0b3e112ce4807a28e2b5d66a840ed7f",
"edbf152ed9ac79e5d9e0111d1071af48",
"297eb45f028d44d750297d2f932b9c91",
"3c72e1f37f115b00c3ad6ed31bacfe8a",
"6bf4d4c62b5138ace281ce3d08297787",
"b17ccdb5531555e43f082d6e77c07227",
"18dedc0009f0927cba6425c84cce9883",
"5620f01284329f561b1839a36be55355",
"74414ed4b63aadec039b603c32762b80",
"8c2cc585ad8a13a72a704c0fda0c9854",
"95856f2ce428c728c9781d3296558068"
)
Write-Host "[+] Scanning for malware hashes from OTX Pulses..."
$Drives = Get-PSDrive -PSProvider FileSystem
foreach ($Drive in $Drives) {
Write-Host "Scanning drive: $($Drive.Root)"
Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($TargetHashes -contains $Hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) - MD5: $Hash" -ForegroundColor Red
}
}
}
Write-Host "[+] Checking for suspicious Steam Workshop paths..."
$SteamPaths = @(
"$env:ProgramFiles\Steam\steamapps\workshop\content",
"$env:ProgramFiles(x86)\Steam\steamapps\workshop\content"
)
foreach ($Path in $SteamPaths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Filter *.rar -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
Write-Host "[!] Suspicious Archive found in Steam Workshop: $($_.FullName)" -ForegroundColor Yellow
}
}
}
# Response Priorities
* **Immediate Actions:**
* Block all identified domains and IPs at the perimeter and DNS level (e.g., `crefisa.online`, `windowsupdate-cdn.com`, `185.196.9.234`).
* Scan endpoints for the provided file hashes associated with Interlock, INC, and Steam malware.
* Isolate systems exhibiting PowerShell anomalies consistent with ClickFix or SmartRAT behavior.
* **24-Hour Actions:**
* Conduct credential resets for users in the Finance sector (Brazil target region) and those with confirmed Steam access on corporate assets.
* Review logs for access to `incblog.su` or Tor network activity indicating ransomware negotiation sites.
* Hunt for `Backdoor.Turn` artifacts and unusual MS Teams traffic patterns using the provided KQL.
* **1-Week Actions:**
* Patch vulnerabilities identified in the pulses, specifically `CVE-2023-36036`, `CVE-2025-61155`, and `CVE-2023-3519`.
* Implement application control policies to restrict Steam Wallpaper Engine and unauthorized PowerShell execution.
* Review MS Teams tenant logs for anonymous visitor token usage or unexpected relay server connections.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsransomware-as-a-servicecredential-theftclickfixsteam-malwaresmart-rat
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.