logo

Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack

ID: d115e0c5-6a83-50df-b032-c5f3571081af

STIX ID: report--d115e0c5-6a83-50df-b032-c5f3571081af

Feed Name: Huntress Blog

Threat Score
78/100

Date Published: 2026-06-16

Date Updated: 2026-06-25

...
...

**Executive summary:** This Huntress case study documents a ClickFix-initiated, multi-stage intrusion that escalated from a single unmonitored endpoint into a compromise affecting 11+ hosts — deploying a custom Potemkin DGA loader, a Lua-scriptable RMMProject implant (credential/cookie theft, hidden-desktop remote control, module loading), and EtherRAT (Node.js backdoor resolving C2 via an Ethereum smart contract); the actor used Cloudflare tunnels, Chisel SOCKS, WMIExec/SMBExec lateral movement, Defender disablement, and multiple persistence mechanisms. The report provides deep technical analysis, Yara rules, and numerous IoCs to aid detection and remediation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.