216.73.217.86

Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack

· Published 16/06/2026 16:27 · Modified 16/06/2026 17:19

Export JSON

Essential information

Published
16/06/2026 16:27
Modified
16/06/2026 17:19
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
blockchain c2 chisel clickfix credential theft dga etherrat hidden desktop lateral movement potemkin rmmproject
Tags
2026-06-16 blockchain c2 chisel clickfix credential-theft dga etherrat hidden desktop lateral movement potemkin rmmproject
Related entities
22 indicators, 22 observables, 19 techniques (mitre), 4 malware, 8 others

Description

A social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing , a custom loader with a deterministic . delivered , a 4.4 MB Lua-scriptable RAT featuring browser with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker deployed , a Node.js backdoor resolving C2 addresses from Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.

External references