Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack
ID: d115e0c5-6a83-50df-b032-c5f3571081af
STIX ID: report--d115e0c5-6a83-50df-b032-c5f3571081af
Feed Name: Huntress Blog
**Executive summary:** This Huntress case study documents a ClickFix-initiated, multi-stage intrusion that escalated from a single unmonitored endpoint into a compromise affecting 11+ hosts — deploying a custom Potemkin DGA loader, a Lua-scriptable RMMProject implant (credential/cookie theft, hidden-desktop remote control, module loading), and EtherRAT (Node.js backdoor resolving C2 via an Ethereum smart contract); the actor used Cloudflare tunnels, Chisel SOCKS, WMIExec/SMBExec lateral movement, Defender disablement, and multiple persistence mechanisms. The report provides deep technical analysis, Yara rules, and numerous IoCs to aid detection and remediation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
