Threat Summary
The OTX pulses from July 16, 2026 reveal a complex landscape of credential theft and infostealing operations targeting diverse sectors. Threat actors are employing novel techniques including LLM jailbreaking via CTF framing, the sophisticated OkoBot framework targeting cryptocurrency users, massive phishing campaigns from compromised infrastructure, ClickFix campaigns abusing AI platforms, and targeted espionage by UNC6508 against medical research institutions. These campaigns demonstrate an evolution in attack techniques, combining social engineering, platform abuse, and custom malware to achieve persistent access and credential harvesting. The primary objectives include cryptocurrency wallet theft, research data exfiltration, and establishing long-term access to high-value targets.
Threat Actor / Malware Profile
OkoBot Framework
- Distribution: PowerShell scripts (TookPS) delivered via ClickFix attacks or fake GitHub software repositories
- Payload Behavior: Multi-stage infection chain deploying over 20 malicious modules including HDUtil launcher, browser extension injectors
- C2 Communication: SSH tunneling infrastructure for command and control
- Persistence: Browser extension injectors installing Rilide, SeedHunter, OkoSpyware
- Anti-Analysis: Uses obfuscation techniques and modular architecture to evade detection
MacSync Stealer
- Distribution: Malicious shared Claude chat links distributed through malvertising and paid Google ads
- Payload Behavior: Steals credentials and cryptocurrency wallet data from macOS systems
- C2 Communication: Communicates with C2 servers via domains listed in IOCs
- Persistence: Potentially establishes persistence through macOS launch agents or profiles
- Anti-Analysis: Uses obfuscated installation commands to evade detection
UNC6508
- Distribution: Exploits REDCap servers and trojanized legitimate files
- Payload Behavior: Custom INFINITERED malware for credential harvesting and email exfiltration
- C2 Communication: Custom C2 infrastructure for command and control
- Persistence: Trojanized files that survive software upgrades
- Anti-Analysis: Advanced evasion techniques suitable for long-term espionage
IOC Analysis
The indicators include:
- Domains: Legitimate-looking domains potentially used for C2 or phishing
- File Hashes: MD5 and SHA256 hashes of malware samples
- URLs: Phishing URLs and malicious resource locations
- CVEs: Vulnerabilities exploited in LLM jailbreaking attacks
SOC teams should operationalize these indicators by:
- Blocking domains in proxy/DNS solutions
- Adding file hashes to EDR allow/block lists
- Scanning endpoints for files matching the hashes
- Implementing URL filtering for identified phishing sites
- Monitoring for exploitation attempts of listed CVEs
Tools that can decode these indicators:
- Threat intelligence platforms (MISP, ThreatConnect)
- EDR solutions (CrowdStrike, SentinelOne)
- Network security tools (FireEye, Palo Alto Networks)
- SIEM solutions (Splunk, Microsoft Sentinel)
Detection Engineering
Sigma Rules
---
title: OkoBot PowerShell Script Execution
id: 663a8d44-f0e5-44c2-93d1-5a08b1d9c72a
status: experimental
description: Detection of OkoBot PowerShell scripts (TookPS) execution typically delivered via ClickFix attacks
references:
- https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
author: Security Arsenal
date: 2026/07/16
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.001
logsource:
product: windows
service: powershell
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
selection_script:
ScriptBlockText|contains:
- 'TookPS'
- 'HDUtil'
- 'OkoSpyware'
condition: selection and selection_script
falsepositives:
- Legitimate PowerShell scripts with similar naming (rare)
level: high
---
title: MacSync Stealer Execution via Claude Chat
id: b8d7e43a-2b1f-4a9d-9c1e-8f7d6e5a4b3c
status: experimental
description: Detection of MacSync Stealer execution initiated through shared Claude chat links with obfuscated commands
references:
- https://www.zscaler.com/blogs/security-research/claudefix-shared-claude-chats-meet-clickfix
author: Security Arsenal
date: 2026/07/16
tags:
- attack.initial_access
- attack.user_execution
- attack.t1204
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith:
- '/bin/bash'
- '/bin/sh'
- '/bin/zsh'
selection_cli:
CommandLine|contains:
- 'MacSync'
- 'claude.ai'
- 'obfuscated'
condition: selection and selection_cli
falsepositives:
- Legitimate use of Claude AI platform
level: medium
---
title: UNC6508 REDCap Exploitation Activity
id: e9f8c54b-3c2a-4d1e-a0f2-7g6h5i4j3k2l
status: experimental
description: Detection of potential UNC6508 activity exploiting REDCap servers and deploying INFINITERED malware
references:
- https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research
author: Security Arsenal
date: 2026/07/16
tags:
- attack.initial_access
- attack.exploitation
- attack.t1190
logsource:
product: webserver
service: access
detection:
selection:
c-uri|contains:
- '/redcap/'
- '/api/'
selection_method:
cs-method: 'POST'
selection_payload:
cs-content-type|contains:
- 'application/x-www-form-urlencoded'
- 'multipart/form-data'
condition: selection and selection_method and selection_payload
falsepositives:
- Legitimate REDCap API usage
level: high
KQL for Microsoft Sentinel
// Hunt for OkoBot Framework Indicators
DeviceNetworkEvents
| where RemoteUrl in~ ("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com")
| extend SHA256 = iff(isnotempty(FileHash), FileHash, "")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, ActionType, SHA256
| order by Timestamp desc
// Hunt for MacSync Stealer execution
DeviceProcessEvents
| where ProcessCommandLine contains "MacSync" or ProcessCommandLine contains "claude.ai" or ProcessCommandLine contains "obfuscated"
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Hunt for UNC6508 INFINITERED Malware Indicators
DeviceFileEvents
| where SHA256 in~ ("4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b",
"51a57bfc9ed3eb6451c1c28960e814d59e1698c666fb97ac5f694c398f23d045",
"58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86",
"8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec",
"ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7",
"c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b",
"db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136")
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
PowerShell Hunt Script
# OkoBot Framework IOC Hunt Script
# Check for known malicious file hashes
$okobotHashes = @(
"b07d451ee65a1580f20a784c8f0e7a46",
"187a1f68ae786e53d3831166dc84e6d2",
"d84e8dc509308523e0209d3cd3544619",
"83e6b8fcb92a0b13e109301f8ff649cf"
)
$infiniteredHashes = @(
"4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b",
"51a57bfc9ed3eb6451c1c28960e814d59e1698c666fb97ac5f694c398f23d045",
"58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86",
"8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec",
"ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7",
"c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b",
"db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136"
)
# Check for suspicious PowerShell scripts
function Find-SuspiciousPowerShellScripts {
param($Path)
$results = @()
$scripts = Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue
foreach ($script in $scripts) {
$content = Get-Content -Path $script.FullName -Raw -ErrorAction SilentlyContinue
if ($content -match "TookPS|HDUtil|OkoSpyware|Rilide|SeedHunter") {
$results += [PSCustomObject]@{
Path = $script.FullName
Match = $matches[0]
}
}
}
return $results
}
# Check for suspicious browser extensions
function Find-SuspiciousBrowserExtensions {
$extensions = @()
# Chrome extensions
$chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $chromePath) {
$extDirs = Get-ChildItem -Path $chromePath -Directory
foreach ($dir in $extDirs) {
$manifest = Get-ChildItem -Path $dir.FullName -Filter "manifest." -Recurse -ErrorAction SilentlyContinue
if ($manifest) {
$content = Get-Content -Path $manifest.FullName -Raw -ErrorAction SilentlyContinue
if ($content -match "Rilide|SeedHunter|OkoSpyware") {
$extensions += [PSCustomObject]@{
Browser = "Chrome"
ExtensionID = $dir.Name
Path = $manifest.FullName
}
}
}
}
}
# Firefox extensions
$firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles"
if (Test-Path $firefoxPath) {
$profiles = Get-ChildItem -Path $firefoxPath -Directory
foreach ($profile in $profiles) {
$extensionsDir = "$($profile.FullName)\extensions"
if (Test-Path $extensionsDir) {
$extFiles = Get-ChildItem -Path $extensionsDir -Filter "*.xpi" -ErrorAction SilentlyContinue
foreach ($ext in $extFiles) {
if ($ext.Name -match "Rilide|SeedHunter|OkoSpyware") {
$extensions += [PSCustomObject]@{
Browser = "Firefox"
ExtensionID = $ext.Name
Path = $ext.FullName
}
}
}
}
}
}
return $extensions
}
# Scan for malicious files
function Find-MaliciousFiles {
param($Hashes, $Paths)
$results = @()
foreach ($path in $Paths) {
if (Test-Path $path) {
$files = Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue
foreach ($file in $files) {
try {
$fileHash = (Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($Hashes -contains $fileHash) {
$results += [PSCustomObject]@{
Path = $file.FullName
Hash = $fileHash
}
}
} catch {
# Skip files that can't be hashed
}
}
}
}
return $results
}
# Check network connections for suspicious domains
function Find-SuspiciousNetworkConnections {
$suspiciousDomains = @(
"coffeesaloon.online",
"livewallpapers.online",
"2baserec2.guru",
"kbeautyreviews.com",
"buywx.com",
"cincycarpetcleaning.com",
"homeinspectionsdelaware.com",
"vacationrentalvirginia.com",
"sonyda.com",
"trailblazehealth.com",
"sdlasik.com",
"pine-1.com"
)
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$results = @()
foreach ($conn in $connections) {
try {
$remoteAddress = $conn.RemoteAddress
$dnsRecord = Resolve-DnsName -Name $remoteAddress -ErrorAction SilentlyContinue
if ($dnsRecord) {
foreach ($record in $dnsRecord) {
if ($record.NameHost -in $suspiciousDomains) {
$results += [PSCustomObject]@{
RemoteAddress = $remoteAddress
RemotePort = $conn.RemotePort
Domain = $record.NameHost
State = $conn.State
OwningProcess = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
}
}
}
}
} catch {
# Skip if DNS resolution fails
}
}
return $results
}
# Execute scans
Write-Host "Scanning for OkoBot Framework indicators..." -ForegroundColor Yellow
$suspiciousScripts = Find-SuspiciousPowerShellScripts -Path $env:USERPROFILE
$suspiciousExtensions = Find-SuspiciousBrowserExtensions
$okobotFiles = Find-MaliciousFiles -Hashes $okobotHashes -Paths @($env:USERPROFILE, $env:TEMP, $env:APPDATA)
$infiniteredFiles = Find-MaliciousFiles -Hashes $infiniteredHashes -Paths @($env:USERPROFILE, $env:TEMP, $env:APPDATA)
$suspiciousConnections = Find-SuspiciousNetworkConnections
# Display results
Write-Host "\nSuspicious PowerShell Scripts:" -ForegroundColor Cyan
if ($suspiciousScripts.Count -gt 0) {
$suspiciousScripts | Format-Table -AutoSize
} else {
Write-Host "No suspicious PowerShell scripts found." -ForegroundColor Green
}
Write-Host "\nSuspicious Browser Extensions:" -ForegroundColor Cyan
if ($suspiciousExtensions.Count -gt 0) {
$suspiciousExtensions | Format-Table -AutoSize
} else {
Write-Host "No suspicious browser extensions found." -ForegroundColor Green
}
Write-Host "\nOkoBot Malicious Files:" -ForegroundColor Cyan
if ($okobotFiles.Count -gt 0) {
$okobotFiles | Format-Table -AutoSize
} else {
Write-Host "No OkoBot malicious files found." -ForegroundColor Green
}
Write-Host "\nINFINITERED Malicious Files:" -ForegroundColor Cyan
if ($infiniteredFiles.Count -gt 0) {
$infiniteredFiles | Format-Table -AutoSize
} else {
Write-Host "No INFINITERED malicious files found." -ForegroundColor Green
}
Write-Host "\nSuspicious Network Connections:" -ForegroundColor Cyan
if ($suspiciousConnections.Count -gt 0) {
$suspiciousConnections | Format-Table -AutoSize
} else {
Write-Host "No suspicious network connections found." -ForegroundColor Green
}
Write-Host "\nScan complete." -ForegroundColor Green
Response Priorities
Immediate (0-6 hours)
- Block all identified malicious domains at the DNS/proxy level
- Quarantine endpoints with files matching the provided hashes
- Hunt for suspicious PowerShell scripts containing TookPS, HDUtil, or OkoSpyware references
- Scan for browser extensions with Rilide, SeedHunter, or OkoSpyware components
- Isolate systems with confirmed infections to prevent lateral movement
24 hours
- Conduct comprehensive credential audits for potentially compromised accounts
- Review and reset credentials for cryptocurrency wallets and high-value research accounts
- Analyze network logs for connections to identified C2 infrastructure
- Verify integrity of REDCap servers and other targeted platforms
- Implement additional monitoring for AI platform abuse and LLM jailbreaking attempts
1 week
- Harden browser extension management policies
- Implement stricter controls on PowerShell script execution
- Enhance phishing awareness training, specifically regarding ClickFix and AI platform abuse
- Review and update vulnerability management for CVEs mentioned in the LLM jailbreaking campaign
- Develop detection rules for emerging techniques like LLM jailbreaking via CTF framing
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.