Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack
Essential information
- Published
- 16/06/2026 16:27
- Modified
- 16/06/2026 17:19
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- blockchain c2 chisel clickfix credential theft dga etherrat hidden desktop lateral movement potemkin rmmproject
- Tags
- 2026-06-16 blockchain c2 chisel clickfix credential-theft dga etherrat hidden desktop lateral movement potemkin rmmproject
- Related entities
- 22 indicators, 22 observables, 19 techniques (mitre), 4 malware, 8 others
Description
A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMMProject, a 4.4 MB Lua-scriptable RAT featuring browser credential theft with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker deployed EtherRAT, a Node.js backdoor resolving C2 addresses from Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by lateral movement via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.