Recent OTX pulse data indicates a surge in diverse, high-efficacy malware campaigns utilizing distinct social engineering vectors. Three significant threats have emerged: a ClickFix campaign delivering the Potemkin Loader and RMMProject RAT, an AI-themed campaign distributing AsyncRAT, and a resurgence of APT37 activity leveraging NarwhalRAT via Microsoft-themed lures.
Collectively, these campaigns highlight a shift towards multi-stage infection chains relying on script-based loaders (HTA, LNK, BAT) to evade initial detection. The common objective across these disparate threats is remote access, credential theft (specifically targeting browser data), and establishing persistence within corporate environments.
Threat Actor / Malware Profile
Potemkin Loader & RMMProject
- Distribution: "ClickFix" social engineering attacks where users are tricked into copying/pasting PowerShell commands or clicking fake browser updates. Delivered via malicious HTA files.
- Payload Behavior: Potemkin acts as a loader featuring a Deterministic Domain Generation Algorithm (DGA). It drops RMMProject, a Lua-scriptable RAT.
- C2 & Capabilities: Uses blockchain C2 infrastructure. RMMProject specializes in stealing browser credentials (Chrome App-Bound Encryption), lateral movement via tools like Chisel and EtherRAT, and creating a "Hidden Desktop" for stealth.
AsyncRAT (AI-Themed Campaign)
- Distribution: Malicious compressed archives containing LNK shortcuts and hidden PDFs, masquerading as AI technical guides.
- Payload Behavior: Uses AutoHotKey and multi-stage PowerShell obfuscation. Employs reflective injection and process hollowing.
- C2 & Persistence: Establishes C2 via scheduled tasks. Known for heavy obfuscation to bypass static analysis.
APT37 (NarwhalRAT)
- Distribution: Spear-phishing emails disguised as Microsoft security alerts, containing ZIP archives with malicious LNK files.
- Payload Behavior: Multi-stage loaders using BAT obfuscation to deploy a Python-based backdoor.
- C2 & Capabilities: Uses dead-drop resolvers (e.g., pCloud) to hide C2 IPs. Capabilities include keylogging, screen capture, microphone recording, and USB data exfiltration. Targets Korean-speaking users.
IOC Analysis
The provided indicators cover several stages of the attack chain, so each indicator type has to be deployed in the control that actually sees it:
- Domains & URLs: Includes DGA-generated domains (e.g., resumeacceptable.com) and payload delivery URLs (e.g., sonra.eutialyson.com). SOC teams should immediately block these at the proxy and DNS firewall levels.
- File Hashes: A mix of SHA256 (Potemkin/AsyncRAT) and MD5 (NarwhalRAT). These should be loaded into EDR threat feeds to quarantine existing files on disk.
- Network Infrastructure: Specific IPv4 addresses associated with C2 infrastructure. Firewall logs should be queried for connections to these IPs.
Operationalization: use SIEM correlation rules that alert when a process makes a network connection to one of these domains within minutes of that process being created; the timing link is what separates a loader beaconing out from a stale cached lookup.
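The two matching styles described in this section, a plain block-list check and the time-bounded SIEM correlation, as an added example that is not part of the original report. Field names, the sample telemetry and the five-minute window are assumptions; the three domains are quoted from the report's indicator list.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the pulse): process starts and outbound
# connections, keyed by host name and PID as an EDR would report them.
PROCESS_EVENTS = [
    {"ts": "2026-06-17T09:00:00", "host": "WS01", "pid": 4120, "image": "mshta.exe"},
    {"ts": "2026-06-17T09:00:02", "host": "WS01", "pid": 4188, "image": "msiexec.exe"},
    {"ts": "2026-06-17T08:10:00", "host": "WS02", "pid": 900, "image": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2026-06-17T09:00:05", "host": "WS01", "pid": 4188, "remote": "resumeacceptable.com"},
    {"ts": "2026-06-17T09:01:00", "host": "WS01", "pid": 4188, "remote": "update.example.net"},
    {"ts": "2026-06-17T08:40:00", "host": "WS02", "pid": 900, "remote": "www.cl.distritovagas.com"},
]
# Three of the pulse domains quoted in the report; a real deployment loads the full feed.
IOC_DOMAINS = {"resumeacceptable.com", "sonra.eutialyson.com", "cl.distritovagas.com"}


def matches_ioc(hostname, ioc_domains):
    """True for an IoC domain itself or any host beneath it (DGA names often sit under a base domain)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def ioc_contacts(net_events, ioc_domains):
    """Block-list style match: every connection to an IoC domain, regardless of timing."""
    return [n for n in net_events if matches_ioc(n["remote"], ioc_domains)]


def correlate(proc_events, net_events, ioc_domains, window=timedelta(minutes=5)):
    """SIEM-style rule: alert only when the connecting process was created at most
    `window` before the connection (same host and PID)."""
    starts = {(p["host"], p["pid"]): (datetime.fromisoformat(p["ts"]), p["image"]) for p in proc_events}
    alerts = []
    for n in ioc_contacts(net_events, ioc_domains):
        started, image = starts.get((n["host"], n["pid"]), (None, None))
        if started is None:
            continue  # no process start in scope; ioc_contacts() still reports the connection
        age = datetime.fromisoformat(n["ts"]) - started
        if timedelta(0) <= age <= window:
            alerts.append({"host": n["host"], "pid": n["pid"], "image": image,
                           "domain": n["remote"], "seconds_after_start": int(age.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, NETWORK_EVENTS, IOC_DOMAINS):
        print(f"ALERT {a['host']} pid={a['pid']} {a['image']} -> {a['domain']} after {a['seconds_after_start']}s")
```

On the sample data the block-list check reports both contacts, while the correlation rule fires only for the msiexec.exe process that reached out three seconds after it was spawned; the WS02 lookup is thirty minutes after process start and stays below the alert threshold.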
Detection Engineering
```yaml
title: Potemkin Loader Execution via HTA to MSI
id: 8d7f9a1b-2c3e-4d5f-8a9b-1c2d3e4f5a6b
description: Detects the Potemkin Loader execution chain in which mshta.exe launches msiexec.exe, commonly seen in ClickFix attacks.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000/
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith: '\msiexec.exe'
    CommandLine|contains: '.msi'
  condition: selection
falsepositives:
  - Legitimate software installation via HTML help (rare)
level: critical
---
title: AsyncRAT AI Lure - LNK Spawn PowerShell
id: 9e8g0h2i-3j4k-5l6m-7n8o-9p0q1r2s3t4u  # contains non-hex characters, so it is not a valid UUID; assign a fresh UUID before loading into a Sigma validator
description: Detects suspicious LNK files launching PowerShell with encoded commands, a common vector in AI-themed AsyncRAT campaigns.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000001/
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'DownloadString'
  filter_legit:
    CommandLine|contains:
      - 'Microsoft Update'
      - 'System32'
  condition: selection and not filter_legit
falsepositives:
  - Administrative scripts
level: high
---
title: APT37 NarwhalRAT - Python Suspicious Arguments
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p  # contains non-hex characters, so it is not a valid UUID; assign a fresh UUID before loading into a Sigma validator
description: Detects Python processes (NarwhalRAT) initiated by CMD or LNK with arguments typical of APT37 obfuscation or dead-drop usage.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000002/
tags:
  - attack.execution
  - attack.t1059.003
  - attack.g0067  # APT37 in the ATT&CK group catalogue
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\python.exe'
  selection_cli:
    CommandLine|contains:
      - 'pcloud'
      - '-m base64'
      - 'http://'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\rundll32.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate cloud sync scripts
level: critical
```
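A minimal evaluator for the three detection sections above, added here as an example and not part of the original report or of any Sigma tooling such as pySigma. It transcribes the rules as dictionaries, implements only the `endswith` and `contains` modifiers and the three condition forms the rules use, and runs them over constructed process-creation events whose field names are assumed to match Sigma's.

```python
RULES = {  # the detection sections of the three rules above, transcribed as dicts
    "Potemkin HTA->MSI": {
        "selection": {"ParentImage|endswith": "\\mshta.exe", "Image|endswith": "\\msiexec.exe",
                      "CommandLine|contains": ".msi"},
        "condition": "selection"},
    "AsyncRAT LNK->PowerShell": {
        "selection": {"ParentImage|endswith": "\\explorer.exe", "Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["FromBase64String", "DownloadString"]},
        "filter_legit": {"CommandLine|contains": ["Microsoft Update", "System32"]},
        "condition": "selection and not filter_legit"},
    "APT37 NarwhalRAT Python": {
        "selection_img": {"Image|endswith": "\\python.exe"},
        "selection_cli": {"CommandLine|contains": ["pcloud", "-m base64", "http://"]},
        "selection_parent": {"ParentImage|endswith": ["\\cmd.exe", "\\rundll32.exe"]},
        "condition": "all of selection_*"},
}

def _field_matches(event, key, wanted):
    """One Sigma field entry: a list of values is OR; matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    test = {"endswith": value.endswith, "contains": value.__contains__, "": value.__eq__}[modifier]
    return any(test(w.lower()) for w in (wanted if isinstance(wanted, list) else [wanted]))

def evaluate(rule, event):
    """Condition forms used above: 'x', 'x and not y', 'all of prefix*'; map entries are AND."""
    hits = {n: all(_field_matches(event, k, v) for k, v in s.items())
            for n, s in rule.items() if n != "condition"}
    outcome = True
    for term in rule["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if name.startswith("all of ") and name.endswith("*"):
            value = all(v for n, v in hits.items() if n.startswith(name[7:-1]))
        else:
            value = hits[name]
        outcome = outcome and (value != negate)
    return outcome

def matching_rules(event):
    return [name for name, rule in RULES.items() if evaluate(rule, event)]

# Constructed sample process-creation events, not from the pulse.
CLICKFIX = {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\msiexec.exe",
            "CommandLine": r"msiexec.exe /i C:\Users\Public\update.msi /qn"}
ADMIN_PS = {"ParentImage": r"C:\Windows\explorer.exe",
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": r"powershell.exe -File C:\Windows\System32\Tasks\decode.ps1 FromBase64String"}
```

`matching_rules(CLICKFIX)` returns only the Potemkin rule, and `ADMIN_PS` trips the AsyncRAT selection but is suppressed by `filter_legit` because its script path contains `System32`, which is exactly the false-positive path the rule's filter is meant to cover.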
```kql
// Hunt for Potemkin/AsyncRAT network IOCs (Microsoft Defender XDR advanced hunting).
// The two statements below are independent queries; run each one separately.
// in~ is the case-insensitive form of in, so mixed-case RemoteUrl values are not missed.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    "resumeacceptable.com",
    "sonra.eutialyson.com",
    "cl.distritovagas.com",
    "pestrear-lamp.xyz",
    "shampobiskworld.nl",
    "shampoolagtto.com",
    "shamppocosmaticso.com",
    "crwellfood.com",
    "fe01.co.kr"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend TailIndicator = "OTX_Pulse_IOC"

// Hunt for file hashes on the endpoint: SHA256 for Potemkin/AsyncRAT, MD5 for NarwhalRAT.
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in~ (
    "79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b",
    "61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974",
    "7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8",
    "96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb"
)
or MD5 in~ (
    "3715092aa00f380cefe8b4d2eddb7d08",
    "7cef19f9c4480adac0cd4702ff98f46c",
    "7eb9cee1f696727752169f25cf79a338",
    "b6b0602310bb2d4360c52685119aac1b"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5
| extend TailIndicator = "OTX_Pulse_Malware_Sample"
```
```powershell
# OTX Pulse IOC Hunter - checks running script-host processes, Startup folder files,
# and the DNS client cache for indicators associated with Potemkin, AsyncRAT, and NarwhalRAT.
# Run from an elevated prompt so Get-CimInstance can read every process's command line.
$MalwareHashes = @(
    "79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b",
    "61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974"
)
$C2Domains = @(
    "resumeacceptable.com", "pestrear-lamp.xyz", "shampobiskworld.nl", "crwellfood.com"
)
# Match an IOC domain or any host beneath it; an exact -contains test would miss subdomains
$C2Pattern = '(^|\.)(' + (($C2Domains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
# The encoded-command switch is matched as a whole token (-e, -enc, -EncodedCommand);
# a bare "-e" alternation would also fire on -ExecutionPolicy in legitimate scripts
$CmdPattern = 'FromBase64String|DownloadString|(^|\s)-e(nc|ncodedcommand)?(\s|$)|pcloud'

Write-Host "[+] Hunting for Potemkin/RMMProject/AsyncRAT Indicators..." -ForegroundColor Cyan

# Check for suspicious processes (script hosts with encoded or download command lines, as used by AsyncRAT/Potemkin)
$suspiciousProcesses = Get-Process | Where-Object { $_.ProcessName -match "^(powershell|pwsh|python|mshta|autohotkey)" }
foreach ($proc in $suspiciousProcesses) {
    try {
        $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
        if ($cmd -match $CmdPattern) {
            Write-Host "[!] Suspicious Process Detected: PID $($proc.Id) - $($proc.Name)" -ForegroundColor Red
            Write-Host "    CMD: $cmd"
        }
    } catch {}
}

# Scan Startup folders for LNK files (AsyncRAT/APT37 vector) and hash every file there against the pulse samples
$startupPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($path in $startupPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($file in Get-ChildItem -Path $path -File) {
        if ($file.Extension -eq ".lnk") {
            Write-Host "[+] Found LNK in Startup: $($file.Name) - Verify legitimacy." -ForegroundColor Yellow
        }
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($MalwareHashes -contains $hash)) {   # -contains compares case-insensitively
            Write-Host "[!] Known malware sample in Startup: $($file.FullName) ($hash)" -ForegroundColor Red
        }
    }
}

# Check DNS cache for C2 domains
Write-Host "[+] Checking DNS Cache for C2 Domains..." -ForegroundColor Cyan
$dnsCache = Get-DnsClientCache | Where-Object { $_.Entry -match $C2Pattern }
if ($dnsCache) {
    Write-Host "[!] Detected C2 Domain in DNS Cache:" -ForegroundColor Red
    $dnsCache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "[-] No C2 domains found in DNS cache."
}
Write-Host "[+] Hunt Complete. If indicators found, isolate host and initiate IR plan."
```
# Response Priorities
* **Immediate:** Block all identified domains and IP addresses at the perimeter. Scan all endpoints for the SHA256 and MD5 hashes listed in the IOC analysis. Isolate any hosts showing positive hits.
* **24h:** Conduct identity verification for users on infected hosts. Given RMMProject's capability to steal Chrome App-Bound Encryption credentials, force password resets and revoke session tokens for accounts accessed from those endpoints.
* **1 Week:** Review and restrict the execution of HTA files, MSI packages, and LNK files from the internet. Implement application allowlisting policies to prevent the execution of unsigned loaders like Potemkin.