Date: 05/21/2026
Severity: High
Summary
This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows. Rather than relying on software exploitation, the threat actor leverages PowerShell, BITSAdmin, and lightweight obfuscation techniques to stage and deploy SalatStealer while minimizing traditional detection opportunities.
The malware’s extensive browser and cryptocurrency wallet targeting highlights the continued operational focus on credential theft, session hijacking, and digital asset compromise. Detection efforts should prioritize behavioral monitoring of PowerShell execution, LOLBin abuse, anomalous browser database access, and suspicious executable activity originating from user-writable directories.
Indicators of Compromise (IOC) List
Domain: https://online-meet.com
IP Address: 185.213.240.179
Hash: a7962ffda8cc0277c013ffd4bd4328e31aea8206b8379a0b574e05a5e5152812
Hash: 8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "https://online-meet.com" or url like "https://online-meet.com" or siteurl like "https://online-meet.com"
Detection Query 2: dstipaddress IN ("185.213.240.179") or srcipaddress IN ("185.213.240.179")
Detection Query 3: sha256hash IN ("8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa","a7962ffda8cc0277c013ffd4bd4328e31aea8206b8379a0b574e05a5e5152812")
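As an added example (not Gurucul's code or the TDIR queries above), the following Python applies the advisory's three IOC matches together with two of the behavioural priorities named in the summary, PowerShell spawning BITSAdmin and executables running from user-writable directories, to constructed endpoint and proxy events. The event field names (domain, dst_ip, image, parent_image, sha256) and the set of user-writable paths are assumptions; map your own EDR or SIEM schema onto them.

```python
import re

# IOCs taken from the advisory above
IOC_DOMAINS = {"online-meet.com"}
IOC_IPS = {"185.213.240.179"}
IOC_SHA256 = {
    "a7962ffda8cc0277c013ffd4bd4328e31aea8206b8379a0b574e05a5e5152812",
    "8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa",
}
# LOLBins named in the summary; user-writable paths are an assumed common set
LOLBINS = {"powershell.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)


def classify(ev):
    """Return the set of detection names one event triggers (empty if none)."""
    hits = set()
    host = ev.get("domain", "").lower()
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        hits.add("ioc_domain")
    if {ev.get("src_ip"), ev.get("dst_ip")} & IOC_IPS:
        hits.add("ioc_ip")
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.add("ioc_hash")
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    # LOLBin abuse: PowerShell handing off to BITSAdmin to stage the payload
    if parent == "powershell.exe" and image == "bitsadmin.exe":
        hits.add("powershell_spawns_bitsadmin")
    # Executable launched from a user-writable directory (AppData, Downloads, Temp)
    if image.endswith(".exe") and image not in LOLBINS and USER_WRITABLE.search(ev.get("image", "")):
        hits.add("exec_from_user_writable")
    return hits


def run_detections(events):
    """Map event id -> triggered detections, keeping only events that fired."""
    out = {ev["id"]: classify(ev) for ev in events}
    return {k: v for k, v in out.items() if v}


# Constructed sample events, not real telemetry (field names are assumptions)
SAMPLE_EVENTS = [
    {"id": 1, "domain": "online-meet.com", "dst_ip": "185.213.240.179"},
    {"id": 2, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "sha256": "8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa"},
    {"id": 4, "image": r"C:\Program Files\Vendor\app.exe", "dst_ip": "10.0.0.5"},
]
```

Calling run_detections(SAMPLE_EVENTS) flags events 1 to 3 and leaves the benign event 4 silent; the domain check also catches subdomains of the IOC domain, which the literal-match query above does not.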
Reference:
https://gurucul.com/blog/clickfix-abuse-fake-google-meet-delivers-salatstealer/