Active detection guidance for Remus/Lumma evolution, macOS ClickFix infostealers, and Gamaredon's GammaSteel targeting Ukraine.
Threat Summary
Recent OTX pulses highlight three concurrent and high-impact threats targeting different vectors and operating systems. First, the Remus malware has emerged as a sophisticated evolution of the Lumma Stealer, specifically designed to bypass browser Application-Bound Encryption (ABE) to harvest credentials and cryptocurrency wallet data. Second, a ClickFix campaign is aggressively targeting macOS users, leveraging fake system utility lures to trick users into executing malicious Terminal commands that deploy infostealers like Macsync and AMOS. Third, the Russia-aligned Gamaredon group (UAC-0010) continues its cyberespionage operations against Ukraine with GammaSteel, a memory-resident stealer utilizing the Windows registry for persistence. Collectively, these campaigns represent a surge in credential theft and espionage tooling requiring immediate defensive attention.
Threat Actor / Malware Profile
-
Remus Stealer (Lumma Evolution)
- Actor: Unknown cybercriminals (evolution from doxxed Lumma developers).
- Distribution: Likely via software cracks or fake updates.
- Behavior: A 64-bit info-stealer capable of bypassing Chrome and Edge Application-Bound Encryption protections. It injects into browser processes to extract sensitive data directly from memory or filesystem, bypassing traditional OS-level security controls.
- Objective: Theft of browser cookies, saved passwords, and cryptocurrency wallet keys.
-
ClickFix (macOS Campaign)
- Actor: Unknown.
- Distribution: SEO poisoning and fake blog posts offering "troubleshooting" advice for macOS issues.
- Behavior: Uses social engineering to convince users to copy/paste complex commands into Terminal. These commands download and execute payloads (Macsync, Shub Stealer, AMOS) disguised as legitimate utilities.
- Objective: Data exfiltration from macOS endpoints.
-
Gamaredon Group (GammaSteel)
- Actor: Russian FSB-associated group (UAC-0010, Armagedon).
- Target: Ukrainian Government, Defense, and Critical Infrastructure.
- Behavior: GammaSteel operates primarily in-memory to evade disk-based scanning. It uses Windows DPAPI for encryption and maintains persistence by storing 71 distinct payload functions within the
HKCU\Printersregistry key. - Objective: Cyberespionage and data exfiltration.
IOC Analysis
The provided indicators of compromise (IOCs) include network infrastructure used for command and control (C2) and payload delivery.
- Domains (C2 & Delivery):
jihiz.com,kayeart.com,bintail.com,wusetail.com,malext.com,miappl.com,pla7ina.cfd,vagturk.com,justsstop.ru. - IP Addresses:
165.22.170.129(Associated with Gamaredon infrastructure). - URLs:
https://justsstop.ru/(Gamaredon related).
Operational Guidance: SOC teams should immediately block these domains and IPs at the perimeter and proxy level. These indicators should be fed into EDR solutions to flag processes attempting to connect to these endpoints. Given Gamaredon's targeting, organizations with ties to Ukraine or Eastern Europe should elevate the severity of the justsstop.ru indicator.
Detection Engineering
Sigma Rules
---
title: Potential GammaSteel Registry Persistence
id: 88a4b3c2-1f0e-4a5b-9e6d-1c2b3a4d5e6f
description: Detects suspicious persistence mechanisms via modification of HKCU\Printers registry key, associated with Gamaredon GammaSteel.
status: experimental
date: 2026/06/08
author: Security Arsenal
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\Printers'
Details|contains:
- 'cmd'
- 'powershell'
- 'http'
condition: selection
falsepositives:
- Legitimate printer driver installation
level: high
tags:
- attack.persistence
- attack.t1112
- gamaredon
- gammasteel
---
title: macOS ClickFix Terminal Download Pattern
id: 99c5d4e3-2f1e-5b6c-0f7e-2d3c4b5e6f7a
description: Detects macOS Terminal processes executing curl or wget combined with pipe operations, characteristic of ClickFix campaigns.
status: experimental
date: 2026/06/08
author: Security Arsenal
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/Terminal'
CommandLine|contains:
- 'curl'
- 'wget'
CommandLine|contains:
- '|'
- 'sh'
condition: selection
falsepositives:
- Legitimate developer administration
level: medium
tags:
- attack.execution
- attack.t1059.004
- clickfix
- macos
---
title: Remus Stealer Browser Process Access
id: aad6e5f4-3g2e-6c7d-1g8f-3e4d5c6f7g8h
description: Detects potential Remus/Lumma behavior where a non-browser process accesses browser sensitive files like 'Local State' or 'Login Data'.
status: experimental
date: 2026/06/08
author: Security Arsenal
logsource:
product: windows
category: file_access
detection:
selection:
TargetFilename|contains:
- '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
- '\AppData\Local\Microsoft\Edge\User Data\Default\Login Data'
- '\AppData\Local\Google\Chrome\User Data\Default\Local State'
filter_legit:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\browser.exe'
condition: selection and not filter_legit
falsepositives:
- Backup software
- Antivirus scans
level: high
tags:
- attack.credential_access
- attack.t1555.003
- remus
- stealer
**KQL (Microsoft Sentinel)**
kql
// Hunt for Gamaredon and ClickFix Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com", "justsstop.ru")
or RemoteIP == "165.22.170.129"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend ThreatCategory = case(
RemoteUrl has "justsstop.ru" or RemoteIP == "165.22.170.129", "Gamaredon/GammaSteel",
RemoteUrl has_any ("pla7ina.cfd", "jihiz.com"), "ClickFix/macOS",
"Other Infostealer")
**PowerShell Hunt Script**
powershell
# GammaSteel Registry Persistence Hunt
# Checks for unusual values in HKCU\Printers registry key
$RegPath = "HKCU:\Printers"
$SuspiciousPatterns = @("http", "cmd", "powershell", "script", "invoke")
Write-Host "Checking for GammaSteel persistence in $RegPath..."
if (Test-Path $RegPath) {
$Items = Get-Item $RegPath -ErrorAction SilentlyContinue
if ($Items) {
foreach ($Property in $Items.Property) {
$Value = (Get-ItemProperty -Path $RegPath -Name $Property).$Property
if ($Value -is [string]) {
foreach ($Pattern in $SuspiciousPatterns) {
if ($Value -like "*$Pattern*") {
Write-Host "[!] Suspicious registry property found: $Property" -ForegroundColor Red
Write-Host " Value: $Value"
}
}
}
}
}
} else {
Write-Host "Registry path not found."
}
Response Priorities
-
Immediate:
- Block all listed domains and IP addresses (
165.22.170.129) on network firewalls and secure web gateways. - Deploy the provided Sigma rules to SIEM/EDR to alert on GammaSteel registry modifications and macOS Terminal script execution.
- Block all listed domains and IP addresses (
-
24 Hours:
- Initiate credential resets for accounts potentially exposed to Remus or macOS infostealers (focus on users with high privileges or crypto access).
- Scan endpoints for the presence of the
HKCU\Printersregistry anomalies.
-
1 Week:
- Enforce Application-Bound Encryption policies where supported and review browser security configurations to mitigate Remus-style attacks.
- Implement macOS restrictions to prevent unsigned Terminal execution or use of bash/curl to download executables from the internet.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.