Analysis of Remcos RAT Deployed in Italy with a GLS-themed ClickFix Campaign

    Date: 11/12/2025

    Severity: Medium

    Summary

    A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because execution by the victim's own hand helps attackers evade AV, sandbox, and EDR detection. Italy saw its first ClickFix-style activity in January (Lumma Stealer) and, while several attempts have occurred since, no large-scale targeted campaigns have been observed domestically, in contrast with wider international activity. ClickFix represents an evolution of social engineering that exploits human interaction rather than software vulnerabilities.

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address

    196.251.116.2

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname LIKE "https://boldcleaningsolutionsatl.com/verify/img" or siteurl LIKE "https://boldcleaningsolutionsatl.com/verify/img" or url LIKE "https://boldcleaningsolutionsatl.com/verify/img" or domainname LIKE "http://193.23.118.155/header10.jpg" or siteurl LIKE "http://193.23.118.155/header10.jpg" or url LIKE "http://193.23.118.155/header10.jpg" or domainname LIKE "https://boldcleaningsolutionsatl.com/" or siteurl LIKE "https://boldcleaningsolutionsatl.com/" or url LIKE "https://boldcleaningsolutionsatl.com/" or domainname LIKE "http://193.23.118.155/logo10.png" or siteurl LIKE "http://193.23.118.155/logo10.png" or url LIKE "http://193.23.118.155/logo10.png" or domainname like "boldcleaningsolutionsatl.com" or siteurl like "boldcleaningsolutionsatl.com" or url like "boldcleaningsolutionsatl.com" or domainname like "http://193.23.118.155/sprite10.png" or siteurl like "http://193.23.118.155/sprite10.png" or url like "http://193.23.118.155/sprite10.png" or domainname like "http://193.23.118.155/bg10.jpg" or siteurl like "http://193.23.118.155/bg10.jpg" or url like "http://193.23.118.155/bg10.jpg"

    Detection Query 2:

    dstipaddress IN ("196.251.116.2") or srcipaddress IN ("196.251.116.2")

    Detection Query 3:

    md5hash IN ("37d12116ff0855a805add31a0ea493d5","8efa780ee4901a0bf5eba76dc0365092","b06e0f3027835543e95865fad146055e")

    Detection Query 4:

    sha1hash IN ("dbf8da63a2718185a9743626b17affc7c90e520f","a232d52afb72de79a8e139c1a5923a5a5389d645","c166d147f07ea7647cc4399f16d2f84e3fd61860")

    Detection Query 5:

    sha256hash IN ("9a263ada9289070045e4a9f22b0036a37ff06de299e05a8a985ee8b407a77701","b626c6f8924d4362e9159c8c403de3d527357f086a1d5ca27ef294d4ebae00b4","7f9f3442aa8f20eb0858de0b6ebc69d5a957ab472ca68672237d5412c923c8d9")
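    As an added example that is not part of the original advisory or of the Gurucul TDIR product, the following Python mirrors the five queries above over constructed sample events: it matches on the host extracted from URL fields (so a new path on a known IOC host still fires, where an exact string compare would not), and compares digests case-insensitively. Field names are the ones used in the queries; the query labels and sample events are my own.

```python
from urllib.parse import urlsplit

# IOC values are the ones listed in the detection queries on this page.
IOC_HOSTS = {"boldcleaningsolutionsatl.com", "193.23.118.155"}
IOC_IPS = {"196.251.116.2"}
IOC_HASHES = {
    "b06e0f3027835543e95865fad146055e", "8efa780ee4901a0bf5eba76dc0365092",
    "37d12116ff0855a805add31a0ea493d5",
    "a232d52afb72de79a8e139c1a5923a5a5389d645", "c166d147f07ea7647cc4399f16d2f84e3fd61860",
    "dbf8da63a2718185a9743626b17affc7c90e520f",
    "7f9f3442aa8f20eb0858de0b6ebc69d5a957ab472ca68672237d5412c923c8d9",
    "b626c6f8924d4362e9159c8c403de3d527357f086a1d5ca27ef294d4ebae00b4",
    "9a263ada9289070045e4a9f22b0036a37ff06de299e05a8a985ee8b407a77701",
}
# Field names follow the TDIR queries above; the hash query is chosen by digest length.
URL_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")
HASH_QUERY = {32: "query3_md5", 40: "query4_sha1", 64: "query5_sha256"}


def host_of(value):
    """Lowercase host of a URL or bare hostname ('' if none)."""
    url = value if "://" in value else "//" + value  # bare host -> netloc
    return (urlsplit(url).hostname or "").lower()


def match_event(event):
    """Return the sorted names of the detection queries an event satisfies."""
    hits = set()
    for field in URL_FIELDS:  # Query 1: match on host, so any path on the IOC host fires
        if host_of(event.get(field, "")) in IOC_HOSTS:
            hits.add("query1_url")
    for field in IP_FIELDS:  # Query 2
        if event.get(field) in IOC_IPS:
            hits.add("query2_ip")
    for field in HASH_FIELDS:  # Queries 3-5, case-insensitive
        digest = event.get(field, "").strip().lower()
        if digest in IOC_HASHES:
            hits.add(HASH_QUERY[len(digest)])
    return sorted(hits)


# Constructed sample events (not real telemetry) in the shape of the query fields.
SAMPLE_EVENTS = [
    {"url": "https://boldcleaningsolutionsatl.com/verify/img"},      # exact IOC URL
    {"url": "HTTPS://BoldCleaningSolutionsATL.com/verify/step2"},   # same host, new path
    {"srcipaddress": "10.0.0.5", "dstipaddress": "196.251.116.2"},
    {"sha1hash": "A232D52AFB72DE79A8E139C1A5923A5A5389D645"},        # uppercase digest
    {"url": "https://example.invalid/logo10.png"},                  # benign, IOC-like path
]
RESULTS = [match_event(e) for e in SAMPLE_EVENTS]
```

Only the first, exact URL would satisfy Query 1 as written, since LIKE without wildcards compares the whole string; the second event shows what host-based matching adds.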

    Reference:

    https://cert-agid.gov.it/news/analisi-di-remcos-rat-diffuso-in-italia-con-campagna-clickfix-a-tema-gls/

