Attackers turned a single ClickFix social-engineering lure into a multi-stage Windows intrusion that abused pcalua.exe to launch mshta.exe, retrieve an HTA payload, and install malware that progressed through loaders and remote-access tooling. Reporting describes a chain involving EtherHiding infrastructure and GULoader, while Huntress documented a related intrusion in which an MSI dropped Potemkin, a custom x64 loader that used a deterministic 10,000-domain DGA to find command-and-control servers and reflectively load a follow-on DLL called RMMProject entirely in memory. RMMProject provided browser credential and cookie theft, a Chrome App-Bound Encryption bypass via helper DLL injection, hidden-desktop remote control, process injection, screenshot capture, and runtime module loading.
The operators then established persistence with Run keys, scheduled tasks, and a renamed Cloudflare Tunnel, and deployed EtherRAT, a Node.js backdoor that resolved its C2 from an Ethereum smart contract. Huntress said the attackers conducted hands-on-keyboard activity, repeatedly battled Microsoft Defender, attempted to deploy Chisel reverse SOCKS tunnels, and used WinRM, WMIExec, and SMBExec for lateral movement, spreading EtherRAT to more than 11 hosts including the domain controller. The intrusion showed how an unmonitored initial endpoint allowed hours of attacker activity before defenders had telemetry, enabling a single user action to escalate into a network-wide compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-23, Gurucul published additional technical details for the ClickFix/Potemkin/RMMProject/EtherRAT intrusion, including domains, IPs, hashes, file paths, an Ethereum contract and storage key, an EtherRAT build ID, and detection queries for hunting and incident response.
After gaining access, the attackers carried out hands-on-keyboard activity, battled Windows Defender, attempted Chisel reverse SOCKS tunnels, and used WinRM, WMIExec, and SMBExec for lateral movement. Huntress said EtherRAT spread to more than 11 hosts, including the domain controller, turning the initial compromise into a network-wide incident.
During the intrusion, the operators deployed EtherRAT, a Node.js backdoor whose C2 was resolved from an Ethereum smart contract, and set up persistence using a renamed Cloudflare tunnel along with Run key and scheduled task mechanisms.
The fetched HTA silently installed an MSI that dropped Potemkin, a custom x64 loader using a deterministic 10,000-domain DGA for C2 discovery, which then reflectively loaded the RMMProject DLL entirely in memory.
Huntress documented that in May 2026 a user on an unmonitored endpoint executed a malicious Run dialog command that abused pcalua.exe to launch mshta.exe and retrieve an HTA payload, initiating the intrusion.
On 2024-10-21, Ahmed Farouk documented a fake CAPTCHA campaign redirecting users from Arabic pirated movie sites to verification pages that instructed them to paste a PowerShell command into the Windows Run dialog. The chain fetched a second-stage script, downloaded a ZIP from BunnyCDN, executed Adobe-signed AcroBroker.exe with a malicious sqlite.dll to side-load Lumma Stealer, and established persistence via a Run registry key.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
community.gurucul.com
Open sourcecybersecuritynews.com
Open sourceblog.sicuranext.com
Open sourcehuntress.com
Open sourcemedium.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.