
Remus Stealer, ClickFix & CloudZ RAT: Credential Theft Campaign Analysis — Enterprise Detection Pack

Security Arsenal Team
May 7, 2026
7 min read

Threat Summary

OTX Pulse data from the last 72 hours reveals a coordinated surge in infostealer and Remote Access Trojan (RAT) activity targeting enterprise credentials and session data. The threat landscape is characterized by a three-pronged attack vector:

  1. Social Engineering (ClickFix): The "BackgroundFix" campaign uses the ClickFix technique, tricking users into pasting a command placed on their clipboard; that command invokes finger.exe to retrieve CastleLoader, which subsequently drops NetSupport RAT and CastleStealer.
  2. Supply Chain & Application Abuse (AI Extensions): Eighteen malicious browser extensions masquerading as GenAI productivity tools (e.g., "Chat AI for Chrome") are actively harvesting prompts and intercepting HTTPS traffic via MITM attacks.
  3. Platform-Specific Evasion (Remus & CloudZ): The 64-bit Remus stealer (an evolution of Lumma) is actively bypassing Application-Bound Encryption, while CloudZ RAT utilizes the "Pheno" plugin to exploit Microsoft Phone Link for SMS/OTP interception without compromising the mobile device directly.

The collective objective of these campaigns is the mass exfiltration of authenticated sessions, cryptocurrency wallet keys, and multi-factor authentication (MFA) tokens to facilitate initial access brokering and financial fraud.

Threat Actor / Malware Profile

1. ClickFix / CastleLoader

  • Distribution: Fake image-editing tools ("BackgroundFix") distributed via malicious SEO and forums.
  • Execution Chain: Social Engineering -> Clipboard hijacking -> finger.exe (LOLBin) -> CastleLoader -> NetSupport RAT / CastleStealer.
  • Behavior: Reflective loading injection; establishes persistence via scheduled tasks or registry run keys.
  • C2 Communication: HTTP/HTTPS communication to hardcoded domains (e.g., trindastal.com).

2. Remus Stealer (Lumma v2)

  • Distribution: Malvertising and cracked software repositories.
  • Behavior: Bypasses Chrome/Edge Application-Bound Encryption to steal cookies and passwords. Utilizes "EtherHiding" technique where C2 instructions are fetched from the Ethereum blockchain.
  • Anti-Analysis: 64-bit architecture; employs obfuscation to evade signature-based detection.

3. CloudZ RAT & Pheno Plugin

  • Distribution: Phishing emails and malicious downloads.
  • Behavior: Focuses on the "MobileShell" component of Windows. The Pheno plugin accesses data synchronized by the Microsoft Phone Link app, allowing attackers to read SMS messages and OTPs from the linked phone directly from the infected PC.
  • Persistence: Uses dynamic memory execution and fileless techniques to evade disk scanning.

4. Malicious AI Extensions (Huiyi, Supersonic AI)

  • Distribution: Chrome Web Store (or side-loaded via similar mechanisms).
  • Behavior: API interception, passive DOM observation, and response modification. Specific focus on stealing GenAI prompts and session cookies.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators that should be immediately operationalized:

  • Network (IPv4/Domains): Includes 217.156.122.57 (Remus C2) and 185.196.10.136 (CloudZ C2). These should be blocked at the perimeter and firewall level.
  • File Hashes (SHA256/MD5): Multiple loader and payload hashes are provided (e.g., CastleStealer bde21d8be...). These should be added to EDR denylist (block) configurations.
  • CVE: CVE-2025-55182 is associated with the malicious AI extensions. Vulnerability management teams should prioritize patching or disabling extensions if the underlying browser vulnerability is not yet mitigated.

Operational Guidance: SOC teams should ingest these IOCs into SIEM correlation engines to look for outbound connections to the listed IPs or execution of the listed file hashes. The presence of finger.exe in process logs is a high-fidelity anomaly for enterprise environments.
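As an added example (not part of the original post or its Pulse data), the following Python matches the two IPs and the one C2 domain quoted in the IOC Analysis section against constructed proxy log lines. The log line format is an assumption. Domain matching is done on a label boundary, so a subdomain of an IOC domain matches while a look-alike name that merely contains the IOC as a substring does not; a naive substring check would raise exactly that kind of false positive.

```python
"""Match the network IOCs quoted in this post against constructed proxy log lines."""
import re
from urllib.parse import urlsplit

# Indicators quoted in the IOC Analysis section of this post.
IOC_IPS = {"217.156.122.57", "185.196.10.136"}
IOC_DOMAINS = {"trindastal.com"}

# Constructed sample log lines (not real telemetry). The format assumed here is
# "<timestamp> <device> <user> <dst_ip:port> <url-or-dash>".
SAMPLE_LOG = """\
2026-05-07T09:12:01Z WS-0412 jdoe 217.156.122.57:443 -
2026-05-07T09:12:05Z WS-0412 jdoe 93.184.216.34:443 https://www.example.com/
2026-05-07T09:13:10Z WS-0199 asmith 10.0.0.7:443 https://cdn.TRINDASTAL.com/update.php
2026-05-07T09:13:11Z WS-0199 asmith 10.0.0.8:443 https://nottrindastal.com/landing
2026-05-07T09:14:00Z WS-0300 bwong 185.196.10.136:8080 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+)$")


def domain_matches(host, iocs):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    The comparison is made on a label boundary, so 'nottrindastal.com' does
    not match 'trindastal.com' the way a plain substring check would.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def hunt_ioc_hits(log_text):
    """Return one dict per log line whose destination IP or URL host is an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, device, user, ip, port, url = m.groups()
        reason = None
        if ip in IOC_IPS:
            reason = "ip:" + ip
        elif url != "-":
            host = urlsplit(url).hostname or ""
            ioc = domain_matches(host, IOC_DOMAINS)
            if ioc:
                reason = "domain:" + ioc
        if reason:
            hits.append({"ts": ts, "device": device, "user": user,
                         "dst": ip + ":" + port, "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt_ioc_hits(SAMPLE_LOG):
        print(hit)
```

Run against the embedded sample, the script flags the two direct connections to the listed IPs and the request to a subdomain of trindastal.com, and leaves the look-alike domain alone. Extending IOC_IPS and IOC_DOMAINS with the full Pulse list is the only change needed to use it on exported proxy logs in the same format.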

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix Activity via Finger.EXE
id: 9a6e8b1c-5d2f-4a8e-9b1c-5d2f4a8e9b1c
description: Detects the suspicious use of finger.exe, a legacy LOLBin, often used in ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate legacy administration (rare)
level: high
---
title: PowerShell Downloading MSI File (OpenClaw/GhostLoader Vector)
id: 8b7c9a2d-4e3f-5b6a-9c2d-4e3f5b6a9c2d
description: Detects PowerShell commands downloading .msi files, a technique observed in the OpenClaw skill campaign to deliver signed binaries for sideloading.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_flags:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadFile'
            - 'IWR'
    selection_ext:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation scripts
level: medium
---
title: Suspicious Browser Credential File Access
id: 7d6e8c1a-3b4d-5c9e-8d1a-3b4d5c9e8d1a
description: Detects non-browser processes accessing browser Login Data or Local State files, indicative of stealer activity like Remus or CastleStealer.
status: experimental
date: 2026/05/07
author: Security Arsenal
references:
    - https://cyberpress.org/remus-bypasses-browser-encryption/
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_targets:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Local State'
            - '\Microsoft\Edge\User Data\Default\Login Data'
            - '\Microsoft\Edge\User Data\Local State'
    exclusion_browsers:
        Image|contains:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_targets and not exclusion_browsers
falsepositives:
    - Backup software
    - Legitimate password managers
level: high
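As an added example, not part of the original post or the Security Arsenal rules above, the following Python re-implements the logic of the three Sigma rules and runs it over constructed Sysmon-style events, so a detection engineer can check the conditions before deploying them. Event field names follow the fields used in the rules; the events, paths and hosts are placeholders. The file-access matcher generalises the third rule to any Chrome/Edge profile directory rather than only `Default` (the `Profile 1` event shows the difference), and the final event reproduces the backup-software false positive the rule itself lists.

```python
"""Exercise the logic of the three Sigma rules above against constructed events."""
import re

# Sigma 'contains'/'endswith' modifiers are case-insensitive, so every
# comparison below lowercases both sides.
BROWSER_IMAGES = ("\\chrome.exe", "\\msedge.exe", "\\brave.exe")
DOWNLOAD_KEYWORDS = ("invoke-webrequest", "downloadfile", "iwr")

# Generalised from the rule's fixed '\Default\' path: any Chrome/Edge profile
# directory ('Default', 'Profile 1', ...) plus the root-level Local State file.
CRED_FILE_RE = re.compile(
    r"\\(google\\chrome|microsoft\\edge)\\user data\\"
    r"(local state|[^\\]+\\login data)$"
)


def rule_clickfix_finger(ev):
    """Rule 1: any process_creation whose image is finger.exe."""
    return (ev["category"] == "process_creation"
            and ev["Image"].lower().endswith("\\finger.exe"))


def rule_pwsh_msi_download(ev):
    """Rule 2: PowerShell host + download cmdlet + '.msi' in the command line."""
    if ev["category"] != "process_creation":
        return False
    image, cmd = ev["Image"].lower(), ev.get("CommandLine", "").lower()
    return (image.endswith(("\\powershell.exe", "\\pwsh.exe"))
            and any(k in cmd for k in DOWNLOAD_KEYWORDS)
            and ".msi" in cmd)


def rule_browser_cred_access(ev):
    """Rule 3: a non-browser process touching Login Data / Local State."""
    if ev["category"] != "file_access":
        return False
    if not CRED_FILE_RE.search(ev["TargetFilename"].lower()):
        return False
    image = ev["Image"].lower()
    return not any(b in image for b in BROWSER_IMAGES)


RULES = {
    "clickfix_finger": rule_clickfix_finger,
    "pwsh_msi_download": rule_pwsh_msi_download,
    "browser_cred_access": rule_browser_cred_access,
}


def evaluate(events):
    """Return (event id, rule name) pairs for every rule that fires."""
    return [(ev["id"], name)
            for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (not real telemetry); paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"id": "e1", "category": "process_creation",
     "Image": r"C:\Windows\System32\finger.exe", "CommandLine": "finger.exe"},
    {"id": "e2", "category": "process_creation",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh -c "Invoke-WebRequest https://example.invalid/setup.msi -OutFile C:\Temp\setup.msi"'},
    {"id": "e3", "category": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://example.invalid/report.csv"},
    {"id": "e4", "category": "file_access",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"id": "e5", "category": "file_access",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State"},
    {"id": "e6", "category": "file_access",
     "Image": r"C:\Program Files\BackupAgent\backupagent.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Local State"},
]


if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(event_id + ": " + rule)
```

Events e1, e2, e4 and e6 fire; e3 (no .msi) and e5 (the browser itself) do not. Event e4 would be missed by the Sigma rule as written, because its path list only names the Default profile; if the generalised match is wanted in production, the rule's TargetFilename list needs a wildcard form such as `\Google\Chrome\User Data\*\Login Data` rather than the fixed Default path.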

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix Finger.exe execution and Remus/CloudZ C2 Connections
let IOCs_Domains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "chatgptforchrome.com", "dropras.xyz", "trackpipe.dev"]);
let IOCs_IPs = dynamic(["38.146.28.30", "217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110", "185.196.10.136"]);
// Check for process creation of finger.exe
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "finger.exe"
| project DeviceName, Timestamp, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| union (
    // Check for network connections to malicious IPs
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP in (IOCs_IPs) or RemoteUrl has_any (IOCs_Domains)
    | project DeviceName, Timestamp, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
)

PowerShell Hunt Script

PowerShell
# IOC Hunt for ClickFix, Remus, and CloudZ Components
# Checks for processes, file artifacts, and network connections

$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", # CastleLoader
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5", # AI Extension
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321"  # CloudZ
)

$MaliciousIPs = @(
    "38.146.28.30",
    "217.156.122.57",
    "217.156.122.75",
    "217.156.122.12",
    "185.196.10.136"
)

Write-Host "[+] Scanning for processes matching malicious file hashes..." -ForegroundColor Cyan
# -IncludeUserName requires an elevated session; without it the user column is empty
$Processes = Get-Process -IncludeUserName -ErrorAction SilentlyContinue
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.Path
        if ($FilePath -and (Test-Path $FilePath)) {
            $FileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] MALICIOUS PROCESS DETECTED: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor Red
                Write-Host "    Path: $FilePath" -ForegroundColor Red
                Write-Host "    User: $($Proc.UserName)" -ForegroundColor Red
            }
        }
    } catch { Continue }
}

Write-Host "[+] Scanning for active network connections to known C2 IPs..." -ForegroundColor Cyan
$NetConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in $NetConnections) {
    $RemoteIP = $Conn.RemoteAddress.ToString()
    if ($MaliciousIPs -contains $RemoteIP) {
        $OwningProcess = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] C2 CONNECTION DETECTED: $RemoteIP on port $($Conn.RemotePort)" -ForegroundColor Red
        if ($OwningProcess) {
            Write-Host "    Owning Process: $($OwningProcess.ProcessName) (PID: $($OwningProcess.Id))" -ForegroundColor Red
            Write-Host "    Path: $($OwningProcess.Path)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for finger.exe execution (ClickFix Indicator)..." -ForegroundColor Cyan
if (Get-Process finger -ErrorAction SilentlyContinue) {
    Write-Host "[!] ALERT: finger.exe is currently running. Potential ClickFix activity." -ForegroundColor Red
} else {
    Write-Host "[-] No instances of finger.exe found." -ForegroundColor Green
}

Response Priorities

Immediate (0-4 hours):

  • Block all IP addresses and domains listed in the IOC Analysis section at perimeter firewalls and proxies.
  • Scan endpoints for the file hashes provided in the Pulse data.
  • Investigate any process creation events involving finger.exe.

24 Hours:

  • If infection is suspected (presence of Remus, CloudZ, or CastleStealer), force a password reset for affected user accounts and revoke session tokens.
  • Review browser extension policies; remove any extensions identified (Supersonic AI, Chat AI for Chrome, Huiyi).
  • Verify Microsoft Phone Link usage and configurations; consider disabling it for sensitive accounts if not business critical.

1 Week:

  • Implement Application-Bound Encryption enforcement policies where supported to mitigate Remus/Lumma evasion techniques.
  • Update AI/LLM usage policies to restrict the installation of unauthorized browser extensions.
  • Conduct a review of PowerShell execution policies to prevent unauthorized MSI downloads.
