Back to Intelligence

RedHook RAT & Clubfoot Wolf OTX Pulse Analysis — Cloud Abuse & Remote Access Trojan Surge

SA
Security Arsenal Team
July 10, 2026
5 min read

Recent OTX pulses indicate a coordinated surge in Remote Access Trojan (RAT) activity utilizing diverse delivery mechanisms. The threat landscape is characterized by three distinct operations:

  1. RedHook (Mobile): A sophisticated Android RAT leveraging the Shizuku framework to abuse ADB Wireless Debugging for privilege escalation, expanding operations from Vietnam to Indonesia's finance and government sectors.
  2. Clubfoot Wolf (Enterprise): A persistent threat cluster targeting Russian and Belarusian critical sectors (Manufacturing, Chemical) using LNK files and PowerShell loaders to deploy NetSupport Manager.
  3. Cloud Platform Abuse: Cybercriminals are weaponizing Vercel's legitimate hosting infrastructure to distribute LogMeIn RAT via phishing campaigns impersonating Adobe PDF viewers.

The common objective across these campaigns is establishing persistent remote control for surveillance, data theft, and potential ransomware deployment.

Threat Actor / Malware Profile

RedHook (Android RAT)

  • Distribution: Phishing messages targeting mobile users in Southeast Asia.
  • Payload Behavior: Exploits ADB Wireless Debugging to gain shell access. Utilizes the Shizuku framework to interact with system-level APIs normally restricted.
  • C2 Communication: Connects to C2 infrastructure hosted on 3n7wj.com domains.
  • Persistence: Autonomous abuse of debugging features to maintain access.

Clubfoot Wolf (Threat Cluster)

  • Distribution: Mass phishing emails with malicious attachments, specifically utilizing LNK files.
  • Payload Behavior: LNK files execute a PowerShell loader that retrieves and installs NetSupport Manager, a legitimate remote administration tool abused for C2.
  • C2 Communication: Utilizes domains like imhfamily.com and fleepsterones.fun for C2 and payload staging.
  • Anti-Analysis: Uses obfuscated PowerShell commands and URL shorteners to evade detection.

LogMeIn Delivery Campaign

  • Distribution: Phishing emails containing links to Vercel-hosted pages mimicking Adobe PDF viewers.
  • Payload Behavior: Users are tricked into downloading Invoice06092025.exe.bin (disguised as a document), which auto-installs LogMeIn remote access software.
  • TTPs: Trusted platform exploitation (Vercel) to bypass reputation-based filtering.

IOC Analysis

The provided indicators span multiple vectors:

  • Domains: A mix of specific threat infrastructure (e.g., api.3n7wj.com, imhfamily.com) and abused legitimate platforms. SOC teams should immediately block these domains at the proxy/DNS level.
  • File Hashes: Numerous SHA256 and MD5 hashes are provided for the RedHook samples, NetSupport loaders, and LogMeIn droppers. These should be uploaded to EDR allowlists/quarantine lists.
  • URLs: Specific endpoints related to device registration (/ws/device?menberId=) and phishing URLs (sunlightfriends.tech).

Operational Guidance: Use YARA rules for the file hashes and SIEM correlation rules for the domain DNS requests. Decode PowerShell logs to hunt for the specific Clubfoot Wolf obfuscation patterns.

Detection Engineering

Sigma Rules

YAML
---
title: Potential RedHook RAT C2 Activity
id: 2d3c8a9a-1f4b-4c8a-9b1c-1d2e3f4a5b6c
description: Detects network connections to known RedHook C2 infrastructure domains related to the Android RAT campaign.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    product: zeek
    category: dns
detection:
    selection:
        query|contains:
            - '.3n7wj.com'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - c2
    - mobile.malware
    - redhook
---
title: Clubfoot Wolf PowerShell Loader
id: 5e6f7a8b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects suspicious PowerShell execution patterns often used by Clubfoot Wolf to load NetSupport Manager.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'NetSupport'
            - 'client32.dll'
            - 'DownloadString'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Administrative scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - clubfoot.wolf
---
title: Suspicious LogMeIn Installation from Vercel
id: 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
description: Detects installation of LogMeIn binaries initiated following a connection to Vercel hosting infrastructure, indicative of the phishing campaign.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    product: windows
    service: process_creation
detection:
    selection_image:
        Image|contains:
            - 'msiexec.exe'
            - 'LogMeIn.exe'
    selection_parent:
        ParentImage|endswith:
            - '\browser.exe'
            - 'chrome.exe'
            - 'firefox.exe'
            - 'msedge.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'Invoice'
            - '.exe.bin'
    condition: all of selection_*
falsepositives:
    - Legitimate admin installs
level: critical
tags:
    - attack.initial_access
    - attack.t1204
    - vercel.abuse

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for RedHook C2 Network Activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "3n7wj.com"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for Clubfoot Wolf LNK and PowerShell Activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "cmd.exe" or FileName =~ "powershell.exe")
| where ProcessCommandLine has_any ("NetSupport", "client32.dll", "imhfamily.com")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for Suspicious LogMeIn Installation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "msiexec.exe" or ProcessCommandLine has "LogMeIn"
| where InitiatingProcessFileName has_any ("chrome.exe", "firefox.exe", "msedge.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

PowerShell Hunt Script

PowerShell
# Registry and File Persistence Hunt for LogMeIn and RedHook Artifacts

# Check for unusual LogMeIn installations (Persistence)
$logmein_paths = @(
    "HKLM:\SOFTWARE\LogMeIn",
    "HKCU:\Software\LogMeIn"
)

Write-Host "Checking for LogMeIn Registry Persistence..."
foreach ($path in $logmein_paths) {
    if (Test-Path $path) {
        Write-Host "[!] FOUND: $path" -ForegroundColor Red
        Get-ItemProperty $path | Format-List
    }
}

# Check file system for specific IOCs (Invoice files)
Write-Host "Scanning user directories for Invoice executables..."
$users = Get-ChildItem "C:\Users" -Directory
foreach ($user in $users) {
    $targetPath = "C:\Users\$($user.Name)\Downloads"
    if (Test-Path $targetPath) {
        $files = Get-ChildItem $targetPath -Filter "Invoice*.exe*" -ErrorAction SilentlyContinue
        if ($files) {
            Write-Host "[!] FOUND suspicious Invoice file in $($user.Name) profile" -ForegroundColor Red
            $files | Select-Object FullName, CreationTime, LastWriteTime
        }
    }
}

Response Priorities

  • Immediate: Block all listed domains (3n7wj.com, imhfamily.com, fleepsterones.fun, sunlightfriends.tech) at the perimeter firewall and DNS. Block the specific file hashes provided in the pulses on all endpoints.
  • 24 Hours: Conduct a threat hunt for NetSupport Manager and LogMeIn instances on corporate networks. Verify installation legitimacy with users. Isolate any devices showing signs of RedHook C2 communication (rare on corporate Windows networks, but check for emulators).
  • 1 Week: Review mobile device management (MDM) policies to ensure ADB Wireless Debugging is disabled on all corporate-enrolled Android devices. Update email security gateways to flag Vercel-hosted links and attachments containing LNK files.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareredhook-ratnetsupport-managerclubfoot-wolfvercel-abuseremote-access-trojans

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.