
Remus Stealer, CloudZ RAT & AI Extension Infostealers: OTX Pulse Analysis

Security Arsenal Team
May 7, 2026

The latest OTX pulses indicate a coordinated evolution in the infostealer and RAT landscape, specifically targeting enterprise credentials and OTP mechanisms. The threat landscape is dominated by the Remus stealer—an evolution of Lumma designed to bypass Chrome's Application-Bound Encryption—and CloudZ RAT, which utilizes a "Pheno" plugin to intercept SMS/OTP data via the Microsoft Phone Link application.

Additionally, adversaries are increasingly abusing the hype around Generative AI. ClickFix campaigns continue to evolve, using fake image-editing tools (BackgroundFix) to deliver CastleLoader and NetSupport RAT via social engineering. Simultaneously, threat actors are weaponizing the OpenClaw AI agent framework and publishing malicious AI browser extensions (e.g., "Chat AI for Chrome") to deliver Remote Access Trojans (RATs) and meddler-in-the-middle payloads. The collective objective is credential harvesting, session hijacking, and establishing persistent remote access.

Threat Actor / Malware Profile

Remus Stealer (Lumma Successor)

  • Type: 64-bit Information Stealer
  • Distribution: Malvertising, fake software cracks.
  • Behavior: A direct successor to Lumma Stealer, specifically designed to bypass Chrome's App-Bound Encryption protections to steal cookies and session data even when the "Steal website credentials" setting is disabled. It employs innovative injection techniques and potentially abuses Ethereum blockchain for C2 (EtherHiding).

CloudZ RAT + Pheno Plugin

  • Type: Remote Access Trojan / Infostealer
  • Distribution: Phishing emails, compromised downloads.
  • Behavior: Uses an undocumented plugin "Pheno" to exploit the Microsoft Phone Link application. It intercepts synchronized mobile data, allowing theft of SMS messages and OTPs without infecting the phone itself. Utilizes dynamic memory allocation to evade detection.

ClickFix / CastleLoader

  • Type: Social Engineering Loader
  • Distribution: Fake "BackgroundFix" image tools, browser popups.
  • Behavior: Triggers fake "Are you human" verification that copies malicious commands to the clipboard. Invokes finger.exe to retrieve payloads, ultimately dropping CastleLoader, NetSupport RAT, and CastleStealer.

Malicious AI Extensions & OpenClaw Skill

  • Type: Browser Extension / Supply Chain Attack
  • Distribution: Chrome Web Store, OpenClaw package repositories.
  • Behavior: Extensions like "Supersonic AI" and "Huiyi" perform passive DOM observation and traffic proxying. The "DeepSeek-Claw" OpenClaw skill tricks AI agents into executing PowerShell commands that download signed-but-malicious MSI packages (GoToMeeting sideloading).

IOC Analysis

The provided intelligence includes a mix of network and file-based indicators:

  • Network Indicators (IPs/Domains):

    • Remus C2: 217.156.122.57, 217.156.122.75, 217.156.122.12.
    • ClickFix Infrastructure: 38.146.28.30, trindastal.com, poronto.com.
    • CloudZ Infrastructure: 185.196.10.136.
    • OpenClaw/Remcos: dropras.xyz, trackpipe.dev.
    • Action: Block these IPs and domains at the perimeter firewall and proxy servers. Correlate outbound connections to these IPs with internal endpoint logs.
  • File Hashes (SHA256/MD5/SHA1):

    • Includes hashes for CastleStealer, malicious AI extensions, CloudZ RAT, and GhostLoader payloads.
    • Action: Import these into EDR detection rules. Use PowerShell to scan specific directories (Downloads, AppData) for these specific hash values.
  • CVEs:

    • CVE-2025-55182: Associated with the AI browser extension exploits. Ensure browser patching is prioritized.
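The "correlate outbound connections with endpoint logs" action above, as an added example that is not part of the original pulse write-up: a small Python correlator that checks proxy/firewall log lines against the network indicators listed on this page (the exact IPs, the domains including their subdomains, and the 217.156.122.0/24 range the response section asks to review). The log line layout, hostnames, usernames and non-IOC destinations are constructed for the example and are assumptions, not telemetry from the pulse.

```python
"""Correlate outbound-connection log lines against this page's network IOCs."""
import ipaddress
import re
from dataclasses import dataclass

# Network indicators taken from the IOC section above.
IOC_IPS = {
    "217.156.122.57", "217.156.122.75", "217.156.122.12",  # Remus C2
    "38.146.28.30",                                         # ClickFix
    "185.196.10.136",                                       # CloudZ
}
IOC_DOMAINS = {"trindastal.com", "poronto.com", "dropras.xyz", "trackpipe.dev"}
# The /24 the response priorities ask to review (match = review, not auto-block).
IOC_NETWORKS = [ipaddress.ip_network("217.156.122.0/24")]

# Constructed sample log (assumed layout):
# "<timestamp> <host> <user> <dest_ip> <dest_host or -> <dest_port>"
SAMPLE_LOG = """\
2026-05-07T09:12:01Z WKS-014 jdoe 217.156.122.57 - 443
2026-05-07T09:13:44Z WKS-014 jdoe 142.250.74.78 www.google.com 443
2026-05-07T09:15:10Z WKS-022 asmith 104.21.5.9 cdn.trindastal.com 443
2026-05-07T09:16:02Z WKS-031 bchan 217.156.122.200 - 8080
2026-05-07T09:17:30Z WKS-031 bchan 93.184.216.34 example.com 80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    indicator: str
    reason: str


def match_domain(name):
    """Exact or subdomain match against the domain indicators ('-' = no name)."""
    if name == "-":
        return None
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def classify(ip_str, dest_host):
    """Return (indicator, reason) for one destination, or None if clean."""
    if ip_str in IOC_IPS:
        return ip_str, "exact IP match"
    dom = match_domain(dest_host)
    if dom:
        return dom, "domain match"
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net), "subnet match (review, not auto-block)"
    return None


def correlate(log_text):
    """Parse each line and return a Hit for every line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, user, ip, dest_host, _port = m.groups()
        res = classify(ip, dest_host)
        if res:
            hits.append(Hit(ts, host, user, res[0], res[1]))
    return hits


def affected_hosts(hits):
    """Distinct endpoints to pass on to the isolation/triage queue."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.host} {h.user} -> {h.indicator} ({h.reason})")
    print("hosts to triage:", affected_hosts(found))
```

The subnet match is reported with a distinct reason so it can feed a review queue rather than an automatic block: the page lists specific Remus C2 addresses in that /24, but recommends only reviewing the rest of the range.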

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Activity via Finger.exe
id: 8a1b2c3d-4e5f-6789-0abc-def123456789
description: Detects execution of finger.exe which is abused in ClickFix campaigns to retrieve payloads via clipboard manipulation and HTTP requests.
status: experimental
author: Security Arsenal
date: 2026/05/08
references:
    - https://otx.alienvault.com/pulse/6651234567890
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (rare)
level: high
---
title: CloudZ RAT - Phone Link Process Injection
id: 0c3d4e5f-6a7b-8901-2cde-f345678901bc
description: Detects potential code injection or suspicious child processes spawned by Microsoft Phone Link, indicative of CloudZ RAT with Pheno plugin behavior.
status: experimental
author: Security Arsenal
date: 2026/05/08
references:
    - https://otx.alienvault.com/pulse/6651234567894
tags:
    - attack.privilege_escalation
    - attack.t1055.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\YourPhone.exe'
    filter:
        # Sigma has no "notcontains" modifier; exclude via a filter in the condition.
        Image|contains:
            - '\YourPhone.exe'
            - '\WindowsApps\'
    condition: selection and not filter
falsepositives:
    - Rare legitimate plugin behavior
level: critical
---
title: Remus Stealer - Application Bound Encryption Bypass
id: 9b2c3d4e-5f6a-7890-1bcd-ef234567890a
description: Detects attempts to access Chrome App-Bound Encryption keys or Local State files associated with Remus/Lumma stealer activity.
status: experimental
author: Security Arsenal
date: 2026/05/08
references:
    - https://otx.alienvault.com/pulse/6651234567892
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Google\Chrome\User Data\Local State'
    filter:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
    condition: selection and not filter
falsepositives:
    - Backup software or indexing services
level: medium
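To show what the three Sigma rules above actually match and, just as usefully, what they let through, here is an added Python evaluator that re-implements their selection and filter logic over constructed Sysmon-style events. It is example code written for this page, not a Sigma backend or the Security Arsenal team's tooling; the event field names, file paths and the `.invalid` hostname in the sample data are assumptions.

```python
"""Re-implementation of the three Sigma rules above over constructed events."""
from dataclasses import dataclass


@dataclass
class Event:
    category: str             # "process_creation" or "file_access"
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""


BROWSERS = ("\\chrome.exe", "\\msedge.exe")   # filter list from the Remus rule
PHONE_LINK = "\\yourphone.exe"                 # ParentImage from the CloudZ rule
LOCAL_STATE = "\\google\\chrome\\user data\\local state"


def rule_clickfix_finger(ev):
    """Rule 1: finger.exe with 'http' on its command line."""
    return (ev.category == "process_creation"
            and ev.image.lower().endswith("\\finger.exe")
            and "http" in ev.command_line.lower())


def rule_cloudz_phone_link(ev):
    """Rule 2: Phone Link parent, child neither Phone Link nor under WindowsApps."""
    if ev.category != "process_creation":
        return False
    if not ev.parent_image.lower().endswith(PHONE_LINK):
        return False
    img = ev.image.lower()
    return PHONE_LINK not in img and "\\windowsapps\\" not in img


def rule_remus_local_state(ev):
    """Rule 3: non-browser process touching Chrome's Local State file."""
    if ev.category != "file_access":
        return False
    if LOCAL_STATE not in ev.target_filename.lower():
        return False
    return not ev.image.lower().endswith(BROWSERS)


RULES = {
    "Potential ClickFix Activity via Finger.exe": rule_clickfix_finger,
    "CloudZ RAT - Phone Link Process Injection": rule_cloudz_phone_link,
    "Remus Stealer - Application Bound Encryption Bypass": rule_remus_local_state,
}


def evaluate(events):
    """Return (rule title, event) for every rule that fires on every event."""
    return [(title, ev) for ev in events for title, fn in RULES.items() if fn(ev)]


# Constructed sample telemetry (assumed paths/names, not from the pulse).
SAMPLE_EVENTS = [
    # fires rule 1
    Event("process_creation", image=r"C:\Windows\System32\finger.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="finger.exe x@http.example.invalid"),
    # does NOT fire: rule 1 requires 'http' in the command line
    Event("process_creation", image=r"C:\Windows\System32\finger.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="finger.exe user@localhost"),
    # fires rule 2: Phone Link spawning a binary from Temp
    Event("process_creation", image=r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
          parent_image=r"C:\Program Files\WindowsApps\Microsoft.YourPhone_x\YourPhone.exe"),
    # does NOT fire: child lives under WindowsApps
    Event("process_creation",
          image=r"C:\Program Files\WindowsApps\Microsoft.YourPhone_x\YourPhone.exe",
          parent_image=r"C:\Program Files\WindowsApps\Microsoft.YourPhone_x\YourPhone.exe"),
    # does NOT fire: chrome.exe itself is filtered out
    Event("file_access", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target_filename=r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State"),
    # fires rule 3: unknown binary in Temp reading Local State
    Event("file_access", image=r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
          target_filename=r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State"),
    # fires rule 3 too: the backup-software false positive the rule notes
    Event("file_access", image=r"C:\Program Files\BackupVendor\backup.exe",
          target_filename=r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State"),
]

if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] image={ev.image}")
```

The benign `finger.exe user@localhost` event and the backup-agent read of Local State are included deliberately: the first shows the finger.exe rule only fires when an HTTP-looking argument is present, and the second shows why the Remus rule is rated medium and lists backup and indexing software as a false positive to tune out.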

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Remus/CloudZ C2 IPs and ClickFix Infrastructure
let MaliciousIPs = dynamic(["217.156.122.57", "217.156.122.75", "217.156.122.12", "45.151.106.110", "185.196.10.136", "38.146.28.30"]);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Scanner for Remus, CloudZ, and ClickFix Payloads
# Requires Admin Privileges for full system scan

$TargetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", # CastleStealer
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321", # CloudZ
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54"
)

Write-Host "Starting Hunt for Infostealer Hashes..." -ForegroundColor Cyan

# Search Common User Directories
$PathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\AppData\Roaming",
    "C:\ProgramData"
)

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -File | ForEach-Object {
            try {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                if ($TargetHashes -contains $Hash) {
                    Write-Host "[!] MATCH FOUND: $($_.FullName) (SHA256: $Hash)" -ForegroundColor Red
                }
            } catch {
                # Ignore access errors for locked files
            }
        }
    }
}

# Check for suspicious finger.exe usage.
# Event ID 4688 only carries the command line if "Include command line in
# process creation events" is enabled via audit policy.
Write-Host "Checking for recent finger.exe execution..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object {$_.Message -match 'finger\.exe'} |   # escape the dot: -match is a regex
    Select-Object TimeCreated, Message | Format-List

Response Priorities

  • Immediate:

    • Block all listed IPv4 addresses and domains on perimeter firewalls and Secure Web Gateways.
    • Isolate endpoints exhibiting finger.exe network activity or CloudZ RAT behaviors (YourPhone.exe injection).
    • Quarantine files matching the provided SHA256 hashes using EDR capabilities.
  • 24 Hours:

    • Initiate credential reset and identity verification for accounts suspected of being compromised via Remus or CloudZ (specifically focusing on OTP theft).
    • Audit and remove any unapproved "AI" browser extensions from the enterprise environment.
    • Review logs for connections to the 217.156.122.0/24 subnet (Remus C2).
  • 1 Week:

    • Implement strict Software Restriction Policies (SRP) or AppLocker to block finger.exe execution for non-admin users.
    • Review and harden Microsoft Phone Link usage; consider disabling it if not business-critical.
    • Update browser security configurations to enforce App-Bound Encryption protections where supported.
