SOC Prime Bias: Critical

24 Jun 2026 15:50 UTC

Someone’s Hands Are on Your Keyboard Then Your Whole Network. Courtesy of ClickFix, Potemkin, RMMProject and EtherRAT

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A ClickFix social engineering campaign was used to deploy the Potemkin loader, which later delivered both the RMMProject RAT and EtherRAT. The intrusion included hands-on-keyboard activity, lateral movement through WMIExec and SMBExec, and attempts to weaken or disable Microsoft Defender. In total, the attackers spread across more than 11 systems inside the victim environment.

Investigation

The investigation traced the compromise back to an unmanaged endpoint where a user executed a malicious command. Analysts identified a custom loader called Potemkin that used a deterministic domain generation algorithm, along with a Lua-enabled RAT named RMMProject that could bypass Chrome App-Bound Encryption. Researchers also documented EtherRAT, which retrieves command-and-control infrastructure through the Ethereum blockchain, as well as the use of Chisel tunnels during the intrusion.

Mitigation

One of the most effective defenses is disabling the Windows Run dialog through Group Policy to reduce the chance of ClickFix execution. Organizations should also enable Microsoft Defender Tamper Protection and monitor for unauthorized registry changes affecting security settings or attempts to disable the WinDefend service. Broad and consistent endpoint coverage remains essential to prevent attackers from gaining an initial foothold.
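The following read-only audit script is an added example, not SOC Prime's code or a rule from the detection stack above. It checks each control named in this section on a Windows host: the Group Policy "NoRun" value that removes the Run dialog, Defender Tamper Protection and real-time protection via Get-MpComputerStatus, the policy registry values used to switch Defender off, and the WinDefend service state. Function names and the output layout are my own; every registry path and cmdlet property is the standard Windows one.

```powershell
# Added example (not SOC Prime's code): audit the hardening controls named in
# the Mitigation section. Read-only; run in an elevated PowerShell on the host.
# Assumption: the Defender PowerShell module (Get-MpComputerStatus) is present,
# as on supported Windows 10/11 and Server builds that ship Microsoft Defender.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent
    }
}

function Test-ClickFixHardening {
    $findings = @()

    # 1. Run dialog removed via policy (NoRun = 1). Group Policy's
    #    "Remove Run menu from Start Menu" writes the user-scope value.
    $noRunUser    = Get-RegistryValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
    $noRunMachine = Get-RegistryValueOrNull 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
    $findings += [pscustomobject]@{
        Control = 'Run dialog disabled (NoRun)'
        Pass    = ($noRunUser -eq 1 -or $noRunMachine -eq 1)
        Detail  = "HKCU=$noRunUser HKLM=$noRunMachine"
    }

    # 2. Defender status, including Tamper Protection. The call fails if the
    #    Defender service has already been removed or fully disabled, which is
    #    itself a finding.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }
    $mpDetail = if ($mp) { "IsTamperProtected=$($mp.IsTamperProtected) RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)" } else { 'Get-MpComputerStatus failed' }
    $findings += [pscustomobject]@{ Control = 'Tamper Protection';     Pass = ($null -ne $mp -and $mp.IsTamperProtected);          Detail = $mpDetail }
    $findings += [pscustomobject]@{ Control = 'Real-time protection';  Pass = ($null -ne $mp -and $mp.RealTimeProtectionEnabled);  Detail = $mpDetail }

    # 3. Policy registry values an intruder writes to neuter Defender.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disableAS  = Get-RegistryValueOrNull $policyRoot 'DisableAntiSpyware'
    $disableRT  = Get-RegistryValueOrNull "$policyRoot\Real-Time Protection" 'DisableRealtimeMonitoring'
    $findings += [pscustomobject]@{ Control = 'No DisableAntiSpyware policy';       Pass = ($disableAS -ne 1); Detail = "DisableAntiSpyware=$disableAS" }
    $findings += [pscustomobject]@{ Control = 'No DisableRealtimeMonitoring policy'; Pass = ($disableRT -ne 1); Detail = "DisableRealtimeMonitoring=$disableRT" }

    # 4. WinDefend must be running and set to start automatically.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { "Status=$($svc.Status) StartType=$($svc.StartType)" } else { 'service not found' }
    $findings += [pscustomobject]@{
        Control = 'WinDefend service running'
        Pass    = ($null -ne $svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
        Detail  = $svcDetail
    }

    $findings
}

Test-ClickFixHardening | Format-Table -AutoSize
```

Any row with Pass = False is either a hardening gap to close through Group Policy or, for the Defender rows on a host that was previously compliant, a sign of the tampering described in this report and worth escalating rather than silently fixing.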

Response

If this activity is detected, responders should isolate affected systems immediately to stop additional lateral movement. Remediation should include terminating malicious Node.js processes, removing identified persistence mechanisms such as Run keys and scheduled tasks, and cleaning unauthorized Microsoft Defender exclusion paths. A full environment-wide sweep is necessary because the persistence methods may differ from one host to another.
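As an added example (not SOC Prime's code), the script below performs the host-level triage this section describes on an already isolated machine: it lists node.exe processes running outside Program Files, Run-key entries and scheduled-task actions that execute from the user's AppData tree, and Defender exclusion paths. It is report-only by default; the -Remediate switch performs the removals and honours -WhatIf and -Confirm. The function name, the AppData heuristic, and the empty "approved exclusions" baseline are my assumptions; adjust the baseline to your environment.

```powershell
# Added example (not SOC Prime's code): collect the artifacts the Response
# section says to remediate, and optionally remove them. Report-only unless
# -Remediate is given. Assumption: run elevated on the suspect host after it
# has been isolated, so that nothing re-establishes persistence mid-cleanup.

function Invoke-PotemkinTriage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remediate)

    $report = @()

    # 1. Node.js processes. The RATs ran under node.exe; a legitimate install
    #    normally lives under Program Files, so anything elsewhere is suspect.
    $trusted = @("$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    $nodeProcs = Get-Process -Name node -ErrorAction SilentlyContinue |
        Where-Object { $p = $_; $p.Path -and -not ($trusted | Where-Object { $p.Path -like $_ }) }
    foreach ($p in $nodeProcs) {
        $report += [pscustomobject]@{ Type = 'Process'; Item = "$($p.Id) $($p.Path)" }
        if ($Remediate -and $PSCmdlet.ShouldProcess($p.Path, 'Stop process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Run keys in both hives. Entries that launch from user-writable
    #    locations such as %LOCALAPPDATA% are the ones to review.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # PSPath/PSParentPath metadata
            $value = [string]$props.$name
            if ($value -match '(?i)\\AppData\\Local\\') {
                $report += [pscustomobject]@{ Type = 'RunKey'; Item = "$key\$name = $value" }
                if ($Remediate -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove Run value')) {
                    Remove-ItemProperty -Path $key -Name $name
                }
            }
        }
    }

    # 3. Scheduled tasks whose action executes from AppData.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmdline = "$($a.Execute) $($a.Arguments)"
            if ($cmdline -match '(?i)\\AppData\\Local\\') {
                $report += [pscustomobject]@{ Type = 'ScheduledTask'; Item = "$($task.TaskPath)$($task.TaskName): $cmdline" }
                if ($Remediate -and $PSCmdlet.ShouldProcess($task.TaskName, 'Unregister task')) {
                    Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
                }
            }
        }
    }

    # 4. Defender exclusion paths. Anything outside the approved baseline is
    #    reported; the baseline here is an assumed, empty placeholder.
    $approvedExclusions = @()
    foreach ($ex in (Get-MpPreference).ExclusionPath) {
        if ($approvedExclusions -notcontains $ex) {
            $report += [pscustomobject]@{ Type = 'DefenderExclusion'; Item = $ex }
            if ($Remediate -and $PSCmdlet.ShouldProcess($ex, 'Remove Defender exclusion')) {
                Remove-MpPreference -ExclusionPath $ex
            }
        }
    }

    $report
}

# Report-only run; use "Invoke-PotemkinTriage -Remediate -WhatIf" to preview removals.
Invoke-PotemkinTriage | Format-Table -AutoSize -Wrap
```

Because the persistence mechanism differed between hosts in this intrusion, the report from every machine in the sweep should be compared before remediating, so that a mechanism seen on only one host is not missed elsewhere.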

Attack Flow

graph TB
    %% Class Definitions
    classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
    classDef execution fill:#3498db,stroke:#333,stroke-width:2px
    classDef defense_evasion fill:#9b59b6,stroke:#333,stroke-width:2px
    classDef persistence fill:#2ecc71,stroke:#333,stroke-width:2px
    classDef c2 fill:#e74c3c,stroke:#333,stroke-width:2px
    classDef credential_access fill:#f1c40f,stroke:#333,stroke-width:2px
    classDef lateral_movement fill:#1abc9c,stroke:#333,stroke-width:2px
    classDef defense_impairment fill:#34495e,stroke:#333,stroke-width:2px

    %% Initial Access and Execution Phase
    action_clickfix["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Description: User is tricked via ClickFix social engineering to paste and run a command in the Windows Run Dialog.<br/><b>Artifacts:</b> cmd /min /c pcalua.exe -a mshta.exe…"]
    class action_clickfix initial_access
    exec_mshta["<b>Action</b> – <b>T1218.005 System Binary Proxy Execution: Mshta</b><br/>Description: Abuses pcalua.exe to proxy mshta.exe execution to fetch remote HTA payload.<br/><b>Artifacts:</b> hte.hta payload, pcalua.exe"]
    class exec_mshta execution
    exec_msiexec["<b>Action</b> – <b>T1218.007 System Binary Proxy Execution: Msiexec</b><br/>Description: Malicious MSI package is silently installed using msiexec.<br/><b>Artifacts:</b> inst24.msi, msiexec /qn"]
    class exec_msiexec execution

    %% Persistence and Loader Phase
    persist_netsh["<b>Action</b> – <b>T1546.007 Event Triggered Execution: Netsh Helper DLL</b><br/>Description: Persistence established via an MSI AutostartRegistry component.<br/><b>Artifacts:</b> Potemkin loader, RunSearch.exe in %LOCALAPPDATA%\Microsoft\RunSearch"]
    class persist_netsh persistence

    %% Command and Control Phase
    c2_dga["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Description: Potemkin loader uses a Domain Generation Algorithm to find C2 servers.<br/><b>Artifacts:</b> Potemkin DGA"]
    class c2_dga c2
    c2_ether["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Description: EtherRAT resolves its C2 address from the Ethereum blockchain via EtherHiding.<br/><b>Artifacts:</b> EtherRAT"]
    class c2_ether c2

    %% Credential Access Phase
    cred_steal["<b>Action</b> – <b>T1539 Steal Web Session Cookie</b><br/>Description: RMMProject RAT targets browsers to steal cookies and credentials via DLL injection to bypass Chrome App-Bound Encryption.<br/><b>Artifacts:</b> RMMProject, browser SQLite databases"]
    class cred_steal credential_access

    %% Lateral Movement Phase
    lat_move["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Description: Attacker moves laterally using WMIExec and SMBExec to spread the MSI installer.<br/><b>Artifacts:</b> WMIExec, SMBExec, msiexec /i \<IP>\ADMIN$\Temp\…"]
    class lat_move lateral_movement

    %% Defense Impairment Phase
    def_impair["<b>Action</b> – <b>T1687 Exploitation for Defense Impairment</b><br/>Description: Fighting Windows Defender by patching AMSI, writing registry policies, and killing the service.<br/><b>Artifacts:</b> DisableAntiSpyware registry keys, Stop-Service WinDefend, AMSI patching"]
    class def_impair defense_impairment

    %% C2 Tunneling Phase
    c2_tunnel["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Description: Using Chisel to establish reverse SOCKS tunnels and Cloudflare tunnels to expose internal services.<br/><b>Artifacts:</b> Chisel, cloudflared renamed to svchost.exe"]
    class c2_tunnel c2

    %% Connections
    %% Flow from initial access to execution
    action_clickfix -->|leads_to| exec_mshta
    action_clickfix -->|leads_to| exec_msiexec
    %% Execution leads to persistence
    exec_msiexec -->|installs| persist_netsh
    %% Persistence leads to C2 and Loader deployment
    persist_netsh -->|deploys| c2_dga
    persist_netsh -->|deploys| c2_ether
    %% C2 activities lead to credential access
    c2_dga -->|executes| cred_steal
    c2_ether -->|executes| cred_steal
    %% Lateral movement spreads the attack
    cred_steal -->|enables| lat_move
    lat_move -->|deploys_to_new_hosts| exec_msiexec
    %% Defense impairment protects the attacker
    exec_mshta -->|used_to_patch| def_impair
    def_impair -->|facilitates| c2_tunnel
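The attack flow above lists a concrete artifact for each stage. As an added example (not SOC Prime's code, and not one of the rules in the Detections list), the following hunt reads Sysmon process-creation events (Event ID 1) from the local log and flags the process chains those artifacts imply: pcalua.exe spawning mshta.exe, mshta fetching a remote HTA, a silent msiexec install from a remote ADMIN$ share, WinDefend service stops and DisableAntiSpyware writes on the command line, node.exe launched from a user-writable path, and an svchost.exe living outside System32 (the renamed cloudflared). Function names and the matching patterns are my own; the field names are Sysmon's.

```powershell
# Added example (not SOC Prime's code): hunt the local Sysmon log for the
# process chains shown in the attack flow. Assumption: Sysmon is installed and
# logging Event ID 1; requires rights to read the Sysmon operational log.

function Get-SysmonProcessEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse EventData by field name rather than by positional index, so
            # the script survives Sysmon schema changes that add fields.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentImage']
                User        = $data['User']
            }
        }
}

function Find-ClickFixChainIndicators {
    param([object[]]$Events)

    # One rule per artifact in the attack flow. Each Test scriptblock takes an
    # event object and returns $true on a match.
    $rules = @(
        @{ Label = 'pcalua proxying mshta'
           Test  = { param($e) $e.ParentImage -like '*\pcalua.exe' -and $e.Image -like '*\mshta.exe' } },
        @{ Label = 'mshta fetching remote HTA'
           Test  = { param($e) $e.Image -like '*\mshta.exe' -and $e.CommandLine -match '(?i)https?://' } },
        @{ Label = 'silent MSI install from remote ADMIN$'
           Test  = { param($e) $e.Image -like '*\msiexec.exe' -and $e.CommandLine -match '(?i)/qn' -and $e.CommandLine -match '(?i)\\{1,2}[^\\\s]+\\ADMIN\$' } },
        @{ Label = 'WinDefend service stop'
           Test  = { param($e) $e.CommandLine -match '(?i)Stop-Service\b.*WinDefend|\bsc(\.exe)?\s+stop\s+WinDefend' } },
        @{ Label = 'DisableAntiSpyware on command line'
           Test  = { param($e) $e.CommandLine -match '(?i)DisableAntiSpyware' } },
        @{ Label = 'node.exe from user-writable path'
           Test  = { param($e) $e.Image -like '*\node.exe' -and $e.Image -match '(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\' } },
        @{ Label = 'svchost.exe outside System32/SysWOW64'
           Test  = { param($e) $e.Image -like '*\svchost.exe' -and $e.Image -notmatch '(?i)^[A-Z]:\\Windows\\(System32|SysWOW64)\\' } }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    Time        = $e.Time
                    Indicator   = $r.Label
                    User        = $e.User
                    Image       = $e.Image
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

Find-ClickFixChainIndicators -Events (Get-SysmonProcessEvents) |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run per host during the environment-wide sweep; the time-ordered output shows which stage of the chain each machine reached, which is what decides whether it needs the full cleanup or only a check for the silent MSI install pushed over ADMIN$.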

Detections

SOC Prime Team, 24 Jun 2026:

  • System Processes Execution from Untypical Paths (via process_creation)
  • Windows Defender Preferences Suspicious Changes (via powershell)
  • Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
  • Disabling Windows Defender Protections (via registry_event)
  • Possible Impacket Command Line Patterns (via cmdline)
  • Suspicious Ransomware Interfering Service Stoppage (via cmdline)
  • The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
  • NodeJS Binary Executing From Uncommon Location (via cmdline)
  • LOLBAS Pcalua (via cmdline)
  • Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
  • LOLBAS Conhost (via cmdline)
  • Using Certutil for Data Encoding and Cert Operations (via cmdline)
  • Possible Tunneling Tool Usage [Windows] (via cmdline)
  • Suspicious CURL Usage (via cmdline)
  • Call Suspicious .NET Methods from Powershell (via powershell)
  • Suspicious Executable File Named Like a Legitimate System Process was Created (via file_event)
  • Possible Publicnode Ethereum Abuse Attempt As C2 Channel (via dns_query)
  • Suspicious File Download Direct IP (via proxy)

SOC Prime AI Rules, 24 Jun 2026:

  • PowerShell Script Execution and Windows Defender Tampering [Windows Powershell]
  • Detection of Ethereum-based C2 Communication by EtherRAT [Windows Network Connection]
  • Detection of ClickFix HTA Payload Delivery via Mshta.exe [Windows Process Creation]

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary seeks to establish a C2 channel using EtherRAT’s signature method. To evade static analysis of their malware config, they use curl to perform an HTTP POST request to a public Ethereum RPC endpoint (https://eth.drpc.org). This request is designed to fetch the actual C2 IP/domain from the blockchain. To satisfy the specific logic of the current detection rule, the command is structured to include the known malicious domain anus-staylard.xyz within the command line arguments, simulating the payload delivery or configuration phase.

  • Regression Test Script:

    # Simulation of EtherRAT C2 resolution via Ethereum RPC
    # This script mimics the specific command line patterns required to trigger the Sigma rule.
    
    $maliciousDomain = "anus-staylard.xyz"
    $rpcEndpoint = "https://eth.drpc.org"
    $maliciousIpString = "77.110.122.58:23205/lQhEQui9a4lZ.exe"
    
    # Constructing the command to match the (selection1 OR selection2) AND selection3 logic
    # Pattern: curl -s -X POST https://eth.drpc.org ... anus-staylard.xyz
    # The domain and IP string are placed in the User-Agent and Referer values only so that
    # they appear in the process command line; the request itself carries no payload.
    
    $cmd = "curl.exe -s -X POST $rpcEndpoint -d 'data=query' --user-agent '$maliciousDomain' --referer '$maliciousIpString'"
    
    Write-Host "[+] Executing simulated EtherRAT command: $cmd"
    # -Wait so the process-creation event is emitted before the cleanup step reports completion
    Start-Process "cmd.exe" -ArgumentList "/c $cmd" -NoNewWindow -Wait

  • Cleanup Commands:

    # No permanent files are created by this simulation; 
    # only ephemeral process execution occurs.
    Write-Host "[+] Simulation complete. No cleanup required."