
Multi-Vector Credential Theft: ClickFix, Argamal, and CloudZ Pheno Analysis — OTX Pulse Intelligence Pack

Security Arsenal Team
June 4, 2026
6 min read

Recent OTX pulses reveal a converging focus on credential theft and initial access via diverse social engineering vectors. Security Arsenal analysts have identified four distinct but operationally similar threats active in the wild: the ClickFix campaign leveraging fake image-editing tools (BackgroundFix) to deliver CastleLoader and NetSupport RAT; the Argamal infostealer targeting gamers via adult game mods; a sophisticated Malware Distribution Ecosystem (TDS) impersonating open-source tools like Ghidra to distribute RemusStealer; and the CloudZ RAT with a "Pheno" plugin specifically designed to bypass MFA by intercepting OTPs from the Microsoft Phone Link application. Additionally, the APT group UAT-8302 continues its espionage campaign, deploying custom malware like NetDraft and CloudSorcerer to harvest credentials from government and telecom sectors.

Threat Actor / Malware Profile

ClickFix & CastleLoader

  • Distribution: Fake image-editing tools (BackgroundFix) utilizing clipboard hijacking to insert malicious commands.
  • Payload Behavior: Invokes finger.exe to retrieve payloads. Drops NetSupport RAT (remote access) and CastleStealer (credential theft).
  • Persistence: Utilizes reflective loading and established RAT mechanisms.

Argamal & Termixia

  • Distribution: Malicious installers for adult-themed (hentai) games, often hosted on platforms like Pixeldrain.
  • Persistence: COM Hijacking. Replaces the InprocServer32 entry for the Windows Color System Calibration Loader DLL (mscms.dll).
  • Behavior: Downloads and executes a Remote Access Trojan (RAT) after a dormancy period to evade sandbox detection.

TDS Ecosystem (RemusStealer / AnimateClipper)

  • Distribution: SEO poisoning and site impersonation of legitimate developer tools (Ghidra, dnSpy). Uses a Traffic Distribution System (TDS) to filter traffic.
  • Payload: Delivers SessionGate, RemusStealer, and AnimateClipper (cryptocurrency clipper) via CloudFront-hosted JavaScript.

CloudZ RAT & Pheno Plugin

  • Capability: Standard RAT capabilities combined with the Pheno plugin.
  • TTP: Exploits the Microsoft Phone Link application to intercept synchronized mobile data, specifically targeting SMS and One-Time Passwords (OTPs) for credential bypass.
  • Evasion: Uses dynamic memory allocation to evade detection.

UAT-8302 (China-nexus APT)

  • Target: Government, Telecommunications, Technology.
  • Malware: NetDraft (.NET backdoor), CloudSorcerer v3, Draculoader.
  • Objective: Credential harvesting and espionage within compromised networks.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple categories requiring different defensive postures:

  • Domains (TDS & C2): Indicators such as trindastal.com, poronto.com, and guiformat.com represent Command and Control (C2) infrastructure or payload delivery nodes. SOC teams should immediately block these at the perimeter and DNS layer.
  • File Hashes: SHA256 hashes (e.g., bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92) correspond to loaders, droppers, and the final payloads (CastleStealer, CloudZ). Load these into EDR blocklists and hunting watchlists for an immediate sweep.
  • IPv4 Addresses: IPs like 194.150.220.218 are linked to the TDS infrastructure. Geo-blocking these may be effective if the organization has no business in the hosting region.
  • CVEs: The mention of CVE-2026-3102 (Argamal) and CVE-2025-0994 (UAT-8302) suggests exploitation vectors for privilege escalation or initial access that require patch validation.

Operational Note: The TDS campaign uses CloudFront, meaning simple IP blocking may fail; strict SSL inspection and domain filtering are required.

Detection Engineering

Sigma Rules

---
title: Suspicious Finger.EXE Network Connection - ClickFix
id: 4f1b2c3d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects the use of finger.exe establishing network connections, a behavior associated with the ClickFix campaign retrieving payloads.
status: experimental
author: Security Arsenal
date: 2026/06/04
references:
    - https://otx.alienvault.com/pulse/642738291029238423/tags/clickfix/
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
detection:
    selection:
        Image|endswith:
            - '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use (rare)
level: high
---
title: COM Hijacking via Windows Color System - Argamal
id: 5g2c3d4e-6f7g-8h9i-0j1k-2l3m4n5o6p7q
description: Detects registry modification of the InprocServer32 value for the Windows Color System (MSCMS), a persistence mechanism used by Argamal malware.
status: experimental
author: Security Arsenal
date: 2026/06/04
references:
    - https://otx.alienvault.com/pulse/642738291029238499/tags/argamal/
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - 'CLSID\\{E76D97D0-6825-11D2-B6F6-00C04F998EC8}\\InprocServer32'
            - 'CLSID\\{A6106292-E2D6-40CB-AE8C-8B6F2A8C0B50}\\InprocServer32' 
        Details|contains:
            - '.dll'
    filter_legit:
        Details|contains:
            - 'C:\\Windows\\System32\\'
    condition: selection and not filter_legit
falsepositives:
    - Rare software installation
level: critical
---
title: Suspicious PowerShell Download Patterns - Infostealer Loader
id: 6h3d4e5f-7g8h-9i0j-1k2l-3m4n5o6p7q8r
description: Detects PowerShell commands downloading files from suspicious domains or obfuscated methods commonly used by Argamal and TDS loaders.
status: experimental
author: Security Arsenal
date: 2026/06/04
references:
    - https://otx.alienvault.com/pulse/642738291029238500/tags/powershell/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
    selection_flags:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_suspicious_urls:
        CommandLine|contains:
            - 'pixeldrain.com'
            - '.rtf'  
            - ':688' # ClickFix specific port usage in context
    condition: all of selection_*
falsepositives:
    - Administrative scripts
level: medium
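For hosts that are not yet forwarding telemetry to a SIEM, the first Sigma rule above can be run locally against Sysmon and the Security log. The script below is an added example written for this pack, not code from the OTX pulses; it assumes Sysmon is installed with network-connection logging (Event ID 3) and that process-creation auditing (Security Event ID 4688, ideally with command-line logging) is enabled. The lookback window is a parameter chosen here, not a value from the page.

```powershell
# Added hunt script (Security Arsenal example, not from the OTX pulse): local equivalent of the
# "Suspicious Finger.EXE Network Connection - ClickFix" Sigma rule.
# Assumptions: Sysmon Event ID 3 is logged and Security Event ID 4688 auditing is enabled.

param(
    [int]$LookbackHours = 24   # assumed default window
)

$since = (Get-Date).AddHours(-$LookbackHours)

function Get-EventDataMap {
    # Turn an event's <EventData> section into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$findings = @()

# 1. Sysmon Event ID 3: outbound connections whose initiating image is finger.exe
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $sysmon) {
    $d = Get-EventDataMap $ev
    if ($d.Image -like '*\finger.exe') {
        $findings += [pscustomobject]@{
            Time   = $ev.TimeCreated
            Source = 'Sysmon/3'
            Image  = $d.Image
            Detail = "$($d.DestinationIp):$($d.DestinationPort) ($($d.DestinationHostname))"
            User   = $d.User
        }
    }
}

# 2. Security Event ID 4688: the finger.exe launch itself, in case Sysmon is absent.
#    CommandLine is only populated when "Include command line in process creation events" is on.
$sec = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $sec) {
    $d = Get-EventDataMap $ev
    if ($d.NewProcessName -like '*\finger.exe') {
        $findings += [pscustomobject]@{
            Time   = $ev.TimeCreated
            Source = 'Security/4688'
            Image  = $d.NewProcessName
            Detail = "Parent: $($d.ParentProcessName); CommandLine: $($d.CommandLine)"
            User   = $d.SubjectUserName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "[+] No finger.exe activity in the last $LookbackHours hours."
} else {
    Write-Host "[!] finger.exe activity found - isolate the host and check for NetSupport RAT:" -ForegroundColor Red
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the Security log is readable; any hit is a high-confidence lead because finger.exe has almost no legitimate use on modern endpoints, which is also why the Sigma rule rates it high.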

KQL (Microsoft Sentinel)

// Hunt for ClickFix finger.exe activity and TDS domains
let SuspiciousDomains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "guiformat.com", "forestoaker.com", "baxe.pics"]);
let SuspiciousHashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"]);
// Network Connections to IOCs
DeviceNetworkEvents
| where RemoteUrl in~ (SuspiciousDomains) or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    // Process Creation for finger.exe (ClickFix)
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName == "finger.exe"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| union (
    // File Hash Hunt
    DeviceFileEvents
    | where SHA256 in~ (SuspiciousHashes)
    | project Timestamp, DeviceName, FileName, SHA256, FolderPath
)

PowerShell Hunt Script

# Argamal Persistence Hunt: COM Hijacking for Windows Color System
# Walks every InprocServer32 registration in HKLM and HKCU and flags (default) values that point
# outside System32; the hijacked MSCMS entry surfaces here alongside any third-party COM servers.

$RegPaths = @(
    "HKLM:\Software\Classes\CLSID",
    "HKCU:\Software\Classes\CLSID"
)

Write-Host "[+] Hunting for Argamal COM Hijacking Persistence..."

$suspiciousKeys = Get-ChildItem -Path $RegPaths -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match "InprocServer32" }

foreach ($key in $suspiciousKeys) {
    try {
        # (default) holds the server DLL path; Get-ItemProperty expands REG_EXPAND_SZ values for us
        $val = (Get-ItemProperty -Path $key.PSPath -ErrorAction Stop)."(default)"
        # Flag any in-process server outside System32 (note: assumes the default C:\Windows system root;
        # legitimate third-party software will also appear and must be triaged)
        if ($val -and $val -notlike "*C:\Windows\System32*" -and $val -like "*.dll") {
            Write-Host "[!] Suspicious DLL registration found: $($key.Name) -> $val" -ForegroundColor Red
        }
    } catch {
        # Ignore keys without default values
    }
}

Write-Host "[+] Hunt complete."
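The broad sweep above is noisy on hosts with much third-party software. A tighter check, added here as an example and not taken from the OTX pulses, targets only the Windows Color System CLSIDs named in the Sigma rule and uses the property that makes COM hijacking work: a per-user entry under HKCU\Software\Classes\CLSID takes precedence over the machine-wide HKLM entry, so any HKCU InprocServer32 for a Windows-owned CLSID deserves scrutiny. The CLSID list and the three findings it reports are assumptions made for this example.

```powershell
# Added example (Security Arsenal, not part of the OTX pulse): targeted Argamal COM hijack check.
# Assumption: the two CLSIDs below (taken from the Sigma rule) are Windows-owned and should only
# ever resolve to a Microsoft-signed DLL under System32 via HKLM, with no HKCU override.

$WatchedClsids = @(
    '{E76D97D0-6825-11D2-B6F6-00C04F998EC8}',
    '{A6106292-E2D6-40CB-AE8C-8B6F2A8C0B50}'
)

function Get-InprocServerPath {
    # Returns the (default) InprocServer32 value for a CLSID in the given hive, or $null if absent.
    param([string]$Hive, [string]$Clsid)
    $key = "$Hive\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    # Expand any remaining %VAR% references so the path comparison below is reliable.
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Test-ComServer {
    # Classifies one CLSID and returns the evidence as an object for export or alerting.
    param([string]$Clsid)
    $hklm = Get-InprocServerPath 'HKLM:' $Clsid
    $hkcu = Get-InprocServerPath 'HKCU:' $Clsid
    $reasons = @()

    # Finding 1: a user-hive override exists at all for a system CLSID (HKCU wins over HKLM).
    if ($hkcu) { $reasons += "HKCU override present: $hkcu" }

    # Finding 2: the effective server (HKCU if set, else HKLM) does not live under System32.
    $effective = if ($hkcu) { $hkcu } else { $hklm }
    $sys32 = Join-Path $env:SystemRoot 'System32'
    if ($effective -and -not $effective.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "effective server outside System32: $effective"
    }

    # Finding 3: the effective DLL is missing from disk or not carrying a valid Microsoft signature.
    if ($effective -and (Test-Path $effective)) {
        $sig = Get-AuthenticodeSignature -FilePath $effective
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature status $($sig.Status) / signer $($sig.SignerCertificate.Subject)"
        }
    } elseif ($effective) {
        $reasons += "effective server file not found on disk: $effective"
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        HKLM       = $hklm
        HKCU       = $hkcu
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$results = $WatchedClsids | ForEach-Object { Test-ComServer $_ }
$results | Format-List

if ($results | Where-Object Suspicious) {
    Write-Host "[!] Possible COM hijack - preserve the HKCU key and collect the DLL for analysis." -ForegroundColor Red
    exit 1
}
Write-Host "[+] No COM hijack indicators for the watched CLSIDs."
```

Because the check reads the current user's hive, run it in the context of each interactive user on the host (or enumerate loaded hives under HKEY_USERS) rather than only as an administrator; the non-zero exit code lets it drop straight into an EDR live-response or scheduled-task workflow.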

Response Priorities

  • Immediate:
    • Block all domains and IPs listed in the IOC Analysis at the firewall and proxy.
    • Hunt for finger.exe execution logs; if found, isolate the host and investigate for NetSupport RAT.
    • Scan endpoints for the listed SHA256 hashes.
  • 24 Hours:
    • Initiate credential reset for any users identified on compromised hosts (specifically those infected with CastleStealer or Argamal).
    • Audit Microsoft Phone Link usage and logs for CloudZ RAT Pheno plugin indicators.
    • Verify integrity of software downloads for developer tools (Ghidra, dnSpy) to ensure no TDS compromise.
  • 1 Week:
    • Implement application allowlisting to prevent unauthorized finger.exe usage.
    • Review and patch CVEs mentioned in UAT-8302 pulses (CVE-2025-0994, CVE-2025-20333).
    • Conduct user awareness training focused on "fake tool" social engineering and credential verification prompts.
