Threat Summary
Recent OTX Pulse data reveals a convergence of high-impact threat activity targeting the education sector and broad-spectrum campaigns leveraging current social engineering trends.
-
UNC6240 (ShinyHunters) is actively exploiting a critical zero-day vulnerability (CVE-2026-35273, CVSS 9.8) in Oracle PeopleSoft to deploy MeshCentral, a remote administration tool, facilitating data extortion and lateral movement. This campaign specifically targets higher education in the US.
-
A ClickFix campaign utilizing the Potemkin Loader is distributing RMMProject, a Lua-scriptable RAT. The infection chain relies on social engineering (fake browser updates/resume prompts) to deliver malicious HTA files which silently install MSI packages. The payload includes credential theft capabilities and utilizes a Domain Generation Algorithm (DGA) for C2 resilience.
-
A broad AsyncRAT distribution campaign is exploiting the "AI hype," disguising malware as AI learning resources. It uses complex multi-stage obfuscation (LNK files, PowerShell, AutoHotkey) to deliver the RAT, which employs reflective injection and process hollowing to evade detection.
Threat Actor / Malware Profile
UNC6240 (ShinyHunters)
- Objective: Data extortion and lateral movement within high-value educational networks.
- Malware: MeshCentral (Remote Administration).
- Methodology: Exploitation of CVE-2026-35273 in Oracle PeopleSoft Environment Management component prior to patch availability.
- C2: HTTP/HTTPS communication to distinct infrastructure (e.g.,
azurenetfiles.net).
Potemkin Loader & RMMProject
- Objective: Initial access leading to credential theft and long-term persistence (RAT).
- Malware: Potemkin (Custom Loader), RMMProject (Lua RAT), Chisel (Proxying), EtherRAT.
- Distribution: "ClickFix" social engineering—users are tricked into clicking fake browser errors or downloading malicious resume files, leading to HTA execution.
- Behavior: Potemkin uses a deterministic DGA for C2. RMMProject specifically targets browser credentials (Chrome App-Bound Encryption).
AsyncRAT (AI-Themed)
- Objective: Remote control and data theft via generic commodity malware.
- Malware: AsyncRAT.
- Distribution: Malicious archives containing LNK shortcuts and hidden PDFs, themed around AI tools (e.g., "ChatGPT" guides).
- Behavior: Uses AutoHotkey and PowerShell for obfuscation. Persists via Scheduled Tasks. Uses process hollowing and reflective injection.
IOC Analysis
The provided IOCs include a mix of network and file-based indicators essential for detection and blocking:
- Domains: Key delivery and C2 domains such as
azurenetfiles.net(MeshCentral),resumeacceptable.com(Potemkin), andshampobiskworld.nl(AsyncRAT). These should be immediately blocked on DNS and Proxies. - IPv4: Specific C2 IPs like
176.120.22.24and77.110.122.58should be blacklisted. - File Hashes: SHA256 and MD5 hashes for the Potemkin MSI, AsyncRAT payloads, and MeshCentral agents. These are critical for EDR correlation and scanning.
- URLs: Specific paths like
/agent.ashx(MeshCentral) and HTA/MSI delivery URLs indicate the specific mechanics of the exploitation and delivery.
Operational Guidance: SOC teams should load these hashes into EDR alerting and the domains/IPs into firewall blocklists. The specific URL paths allow for creating IDS/IPS signatures to detect MeshCentral beaconing or Potemkin downloading stages.
Detection Engineering
Sigma Rules
YAML
---
title: Potential Potemkin Loader Activity via HTA
description: Detects HTA applications spawning MSI installers, a behavior associated with the Potemkin Loader and ClickFix campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/17
tags:
- attack.initial_access
- attack.execution
- clickfix
- potemkin
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\\mshta.exe'
Image|endswith:
- '\\msiexec.exe'
condition: selection
falsepositives:
- Legitimate software installers launched via web
level: high
---
title: AsyncRAT AI-Themed LNK Execution
description: Detects PowerShell execution spawned by Windows Explorer via LNK files, often indicative of malicious shortcuts used in AI-themed campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/17
tags:
- attack.initial_access
- attack.user_execution
- asyncrat
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\\explorer.exe'
selection_child:
Image|endswith:
- '\\powershell.exe'
CommandLine|contains:
- 'downloadstring'
- 'iex'
selection_keywords:
CommandLine|contains:
- 'AI'
- 'GPT'
- 'chat'
condition: all of selection_*
falsepositives:
- Legitimate administrative scripts
level: medium
---
title: MeshCentral Agent Network Connection
description: Detects network connections to MeshCentral agent paths (agent.ashx) often used by UNC6240 for C2.
status: experimental
author: Security Arsenal
date: 2026/06/17
tags:
- attack.command_and_control
- attack.t1071
- unc6240
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort|endswith:
- '443'
DestinationUrl|contains:
- '/agent.ashx'
condition: selection
falsepositives:
- Legitimate MeshCentral usage (verify against asset inventory)
level: critical
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Potemkin Loader and AsyncRAT Execution Chains
let SuspiciousDomains = dynamic([\"azurenetfiles.net\", \"resumeacceptable.com\", \"shampobiskworld.nl\", \"cl.distritovagas.com\"]);
let SuspiciousHashes = dynamic([\"c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f\", \"79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b\"]);
// Process Creation Events
DeviceProcessEvents
| where (ProcessCommandLine contains \"Invoke-Expression\" or ProcessCommandLine contains \"IEX\")
or (InitiatingProcessFileName == \"mshta.exe\" and FileName == \"msiexec.exe\")
or (InitiatingProcessFileName == \"explorer.exe\" and FileName == \"powershell.exe\" and ProcessCommandLine matches regex @\"(?i)(AI|GPT)\")
| extend ThreatType = iff(InitiatingProcessFileName == \"mshta.exe\", \"Potemkin-ClickFix\", \"AsyncRAT-Lure\")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, ThreatType, AccountName, SHA256
| union (
DeviceNetworkEvents
| where RemoteUrl in (SuspiciousDomains) or RemoteIP in (\"176.120.22.24\", \"77.110.122.58\")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, ThreatType=\"C2-Communication\"
)
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
IOC Hunt Script for ShinyHunters, Potemkin, and AsyncRAT
.DESCRIPTION
Checks for Scheduled Tasks, Registry Run Keys, and Network Connections associated with the provided OTX Pulses.
#>
$IOC_Domains = @(
\"azurenetfiles.net\",
\"resumeacceptable.com\",
\"shampobiskworld.nl\",
\"shampoolagtto.com\",
\"sonra.eutialyson.com\"
)
$IOC_Hashes = @(
\"c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f\", # MeshCentral Agent
\"79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b\" # Potemkin MSI
)
Write-Host \"[+] Checking Scheduled Tasks for Suspicious Actions (AsyncRAT/Potemkin)...\" -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
$_.Actions.Execute -like \"*powershell*\" -or
$_.Actions.Execute -like \"*cmd*\" -or
$_.Actions.Execute -like \"*mshta*\"
} | Select-Object TaskName, State, Actions
Write-Host \"[+] Checking Registry Run Keys for Persistence...\" -ForegroundColor Cyan
$RunPaths = @(\"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\")
foreach ($Path in $RunPaths) {
if (Test-Path $Path) {
Get-Item $Path | Select-Object -ExpandProperty Property | ForEach-Object {
$Value = (Get-ItemProperty -Path $Path -Name $_).$_
if ($Value -match \".*\.exe.*\" -or $Value -match \"powershell\") {
Write-Host \"Found: $_ = $Value\" -ForegroundColor Yellow
}
}
}
}
Write-Host \"[+] Checking Hosts File for IOC Domains...\" -ForegroundColor Cyan
$HostsPath = \"$env:SystemRoot\\System32\\drivers\\etc\\hosts\"
if (Test-Path $HostsPath) {
$Content = Get-Content $HostsPath
foreach ($Domain in $IOC_Domains) {
if ($Content -match $Domain) {
Write-Host \"[!] SUSPICIOUS: $Domain found in hosts file!\" -ForegroundColor Red
}
}
}
Write-Host \"[+] Checking Recent Processes for Hash Matches...\" -ForegroundColor Cyan
# Note: This requires admin privileges and might be noisy. Simulating check logic.
Write-Host \"Manual verification required for file hashes in C:\\Windows\\Temp and User Downloads.\"
Response Priorities
-
Immediate:
- Block all IOCs (IPs, Domains, Hashes) at the perimeter and on endpoints.
- Isolate any systems exhibiting signs of MeshCentral agent connections (
agent.ashx) or Potemkin infection chains (mshta.exe->msiexec.exe). - Hunt for the specific file hashes provided in the pulses across the environment.
-
24 Hours:
- Conduct credential audits for any users on potentially compromised endpoints, specifically looking for browser credential theft (RMMProject/AsyncRAT capability).
- Review Oracle PeopleSoft logs for exploitation of CVE-2026-35273 around late May/early June 2026.
-
1 Week:
- Apply the critical patch for CVE-2026-35273 to Oracle PeopleSoft infrastructure immediately.
- Harden web application firewalls (WAF) to block attempts to exploit the Environment Management component.
- Deploy security awareness training focusing on "AI-powered" scams and "ClickFix" fake browser update tactics.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwareshinyhunterspotemkin-loaderasyncratclickfixoracle-peoplesoft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.