Date: 06/23/2026
Severity: High
Summary
A single ClickFix prompt on an unmonitored endpoint granted attackers unchallenged initial access. The breach quickly expanded to 11 hosts due to critical gaps in endpoint security coverage. The custom "Potemkin" loader used a deterministic DGA and custom cipher to deploy RMMProject. RMMProject RAT bypassed Chrome's App-Bound Encryption and embedded a LuaJIT scripting engine. The threat actors deployed EtherRAT and ultimately disabled Windows Defender completely. This attack highlights how missing telemetry allows actors to establish persistence and move laterally.
Indicators of Compromise (IOC) List
Domains/URLs:
sonra.eutialyson.com
cl.distritovagas.com
anus-staylard.xyz
resumeacceptable.com
IP Addresses:
77.110.122.58
213.165.41.26
Hashes (SHA-256):
2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b
3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce
cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145
79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b
2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a
Ethereum contract:
0xb3f2897f2bc797e5b9033faef8c81e92b01cb831
Storage key:
0x40b57c3622c1CbfD699207F71F2dE5A8Fe256893
EtherRAT build ID:
ab653feb-9e78-4578-87ed-2e30329fe858
Files:
C:\Windows\Temp\D0OK1nWwId9W.ps1
C:\Windows\Temp\lQhEQui9a4lZ.exe
C:\ProgramData\p\O67tak2KFRmJ.ps1
C:\ProgramData\p\J6Gupb9TpYNI.ps1
C:\ProgramData\p\fsjH6IHuUkhh.ps1
C:\ProgramData\p\ek_full.ps1
C:\ProgramData\p\ek_kill_av.ps1
C:\ProgramData\p\ek_disable_av.ps1
C:\ProgramData\p\yH88LG8yCOnU.ps1
%LOCALAPPDATA%\hyper-v.ver
%TEMP%\dll_debug.log
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network: known domains):
domainname like "cl.distritovagas.com" or url like "cl.distritovagas.com" or siteurl like "cl.distritovagas.com" or domainname like "resumeacceptable.com" or url like "resumeacceptable.com" or siteurl like "resumeacceptable.com" or domainname like "sonra.eutialyson.com" or url like "sonra.eutialyson.com" or siteurl like "sonra.eutialyson.com" or domainname like "anus-staylard.xyz" or url like "anus-staylard.xyz" or siteurl like "anus-staylard.xyz"
Detection Query 2 (network: known IP addresses):
dstipaddress IN ("77.110.122.58","213.165.41.26") or srcipaddress IN ("77.110.122.58","213.165.41.26")
Detection Query 3 (file hashes):
sha256hash IN ("79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b","3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce","2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b","cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145","2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a")
Detection Query 4 (Windows Security object-access events, event ID 4663):
resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("C:\Windows\Temp\D0OK1nWwId9W.ps1","C:\Windows\Temp\lQhEQui9a4lZ.exe","C:\ProgramData\p\O67tak2KFRmJ.ps1","C:\ProgramData\p\J6Gupb9TpYNI.ps1","C:\ProgramData\p\fsjH6IHuUkhh.ps1","C:\ProgramData\p\ek_full.ps1","C:\ProgramData\p\ek_kill_av.ps1","C:\ProgramData\p\ek_disable_av.ps1","C:\ProgramData\p\yH88LG8yCOnU.ps1","%LOCALAPPDATA%\hyper-v.ver","%TEMP%\dll_debug.log")
Detection Query 5 (EDR file events):
technologygroup = "EDR" and objectname IN ("C:\Windows\Temp\D0OK1nWwId9W.ps1","C:\Windows\Temp\lQhEQui9a4lZ.exe","C:\ProgramData\p\O67tak2KFRmJ.ps1","C:\ProgramData\p\J6Gupb9TpYNI.ps1","C:\ProgramData\p\fsjH6IHuUkhh.ps1","C:\ProgramData\p\ek_full.ps1","C:\ProgramData\p\ek_kill_av.ps1","C:\ProgramData\p\ek_disable_av.ps1","C:\ProgramData\p\yH88LG8yCOnU.ps1","%LOCALAPPDATA%\hyper-v.ver","%TEMP%\dll_debug.log")
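The five queries above, combined into one IOC matcher that runs over constructed sample events, as an added example that is not part of the advisory or of Gurucul's query engine. It assumes events are already normalised into dicts keyed by the field names the queries use (domainname, url, siteurl, dstipaddress, sha256hash, objectname, eventtype, technologygroup), and it treats %LOCALAPPDATA% and %TEMP% as wildcards, because Security event 4663 and EDR telemetry record the resolved path, so a literal "%LOCALAPPDATA%\hyper-v.ver" in an IN list never matches a real event.

```python
import re
# Indicators copied from the advisory above.
IOC_DOMAINS = {"sonra.eutialyson.com", "cl.distritovagas.com", "anus-staylard.xyz", "resumeacceptable.com"}
IOC_IPS = {"77.110.122.58", "213.165.41.26"}
IOC_SHA256 = {"2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b",
              "3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce",
              "cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145",
              "79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b",
              "2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a"}
IOC_PATHS = [r"C:\Windows\Temp\D0OK1nWwId9W.ps1", r"C:\Windows\Temp\lQhEQui9a4lZ.exe",
             r"C:\ProgramData\p\O67tak2KFRmJ.ps1", r"C:\ProgramData\p\J6Gupb9TpYNI.ps1",
             r"C:\ProgramData\p\fsjH6IHuUkhh.ps1", r"C:\ProgramData\p\ek_full.ps1",
             r"C:\ProgramData\p\ek_kill_av.ps1", r"C:\ProgramData\p\ek_disable_av.ps1",
             r"C:\ProgramData\p\yH88LG8yCOnU.ps1", r"%LOCALAPPDATA%\hyper-v.ver", r"%TEMP%\dll_debug.log"]

def path_pattern(template):
    # Case-insensitive regex for one IOC path. %VAR% segments become wildcards:
    # event logs record the resolved path, so a literal "%LOCALAPPDATA%" never matches.
    parts = re.split(r"%[A-Za-z_]+%", template)
    return re.compile("^" + ".+".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)

IOC_PATH_PATTERNS = [(p, path_pattern(p)) for p in IOC_PATHS]

def match_event(event):
    """IOC hits for one normalised log event; mirrors Detection Queries 1-5 combined."""
    hits = []
    for field in ("domainname", "url", "siteurl"):  # Query 1: 'like' is a substring test
        value = event.get(field, "").lower()
        hits += ["domain:" + d for d in IOC_DOMAINS if d in value]
    for field in ("dstipaddress", "srcipaddress"):  # Query 2: exact match
        if event.get(field) in IOC_IPS:
            hits.append("ip:" + event[field])
    if event.get("sha256hash", "").lower() in IOC_SHA256:  # Query 3
        hits.append("hash:" + event["sha256hash"].lower())
    obj = event.get("objectname", "")  # Queries 4 and 5
    if obj and (event.get("eventtype") == "4663" or event.get("technologygroup") == "EDR"):
        hits += ["file:" + p for p, rx in IOC_PATH_PATTERNS if rx.match(obj)]
    return sorted(set(hits))

# Constructed sample events (not from the incident), in the field names the queries use.
SAMPLE_EVENTS = [
    {"url": "https://cl.distritovagas.com/run", "dstipaddress": "77.110.122.58"},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": r"C:\Users\alice\AppData\Local\hyper-v.ver"},
    {"technologygroup": "EDR", "objectname": r"C:\ProgramData\p\EK_KILL_AV.ps1"},
    {"eventtype": "4624", "objectname": r"C:\ProgramData\p\ek_full.ps1"},  # wrong event type: no hit
]

def scan(events):
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}
```

Because Query 4 keys on event 4663, it only fires where object-access auditing (SACLs) is enabled on those directories; Query 5 against EDR file telemetry does not depend on that.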
Reference:
http://huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack