
Hackers Use ClickFix Prompt to Install MSI Package and Launch Hands-On-Keyboard Attack

Jun 17, 2026 · 6 min read

A single deceptive prompt. That is all it took for attackers to gain a foothold inside an organization, spread to over 11 systems, and deploy two separate remote access tools before anyone noticed.

A new campaign using the ClickFix technique has shown how far one unguarded moment can go. ClickFix is a social engineering trick that presents users with a fake troubleshooting instruction on a compromised website.

The prompt tells the user to press Win+R, paste a command into the Windows Run dialog, and hit Enter. It looks like a legitimate fix, and that is the point. People follow clear, authoritative directions, and attackers count on exactly that.

Researchers at Huntress identified this ClickFix attack in May 2026, tracing it from a single unmonitored endpoint through a full hands-on-keyboard intrusion across the victim’s network.

The attacker had already been active for some time before anyone could see what was happening, because the machine where it started had no endpoint agent installed.

The infection began when a user visited a compromised website and ran a command that used pcalua.exe, the legitimate Windows Program Compatibility Assistant launcher, to proxy execution of mshta.exe, which silently fetched and ran a remote HTA script.

That script downloaded and installed an MSI package in the background with no visible indication to the user.

The MSI dropped a custom loader the researchers named Potemkin, which connected to a command-and-control server and loaded a fully featured remote access tool called RMMProject entirely in memory.

Separately, the attacker deployed EtherRAT, a Node.js backdoor that resolves its server address by reading a smart contract on the Ethereum blockchain (the contract address and storage key are listed in the IoC table below). A takedown of the C2 domain does not cut the channel, because the operator can simply rewrite the value stored in the contract to point at a new server.

Attack chain (Source: Huntress)

Huntress said in a report shared with Cyber Security News (CSN) that the intrusion escalated quickly, with the operator moving across the network using WMIExec and SMBExec, working around Windows Defender, and eventually killing the antivirus service before EtherRAT reached over 11 hosts.

Hackers Use ClickFix Prompt

The attack started with a ClickFix command that abused pcalua.exe to proxy mshta.exe, fetching a remote HTA file from cl.distritovagas[.]com.

That HTA payload silently downloaded the MSI installer, inst24.msi, from an attacker-controlled server and executed it without any prompt.

The MSI deployed Potemkin into the user’s AppData folder and registered an HKCU Run key named RunSearch so it would survive every reboot.

XorShift32 inlined into the per-word loop (Source: Huntress)

Potemkin is a lean, purpose-built loader with a Domain Generation Algorithm that produces 10,000 candidate domains from a built-in word list and probes each one until it finds a live server.
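The following is an added illustration of a XorShift32-seeded word-list DGA of the kind described above; it is not Potemkin's code, and the seed, word list, TLD set and the "word-word.tld" domain shape (chosen to mirror the observed C2 domain) are all assumptions made for this example. It shows why such a generator costs the loader almost nothing, how the probe loop walks the candidates until one answers, and why a defender who recovers the seed and word list can precompute every candidate for blocking or sinkholing.

```python
from __future__ import annotations

import re

# Added example, not Potemkin's code. Everything below that is specific (seed,
# word list, TLDs, domain shape) is an assumption for illustration only.

# Constructed word list; the real loader's list is not reproduced on the page.
WORDS = [
    "anus", "staylard", "resume", "acceptable", "window", "update", "search",
    "cloud", "edge", "service", "helper", "runtime", "sync", "cache", "proxy", "node",
]
TLDS = ["xyz", "com", "net"]   # assumed
DEFAULT_COUNT = 10_000          # the candidate count reported for Potemkin


class XorShift32:
    """Marsaglia's xorshift32: 32-bit state that must never be zero."""

    def __init__(self, seed: int) -> None:
        # A zero state would stay zero forever, so fall back to 1.
        self.state = (seed & 0xFFFFFFFF) or 1

    def next(self) -> int:
        x = self.state
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        self.state = x
        return x


def generate_domains(seed: int, count: int = DEFAULT_COUNT) -> list[str]:
    """Deterministically expand a seed into `count` candidate domains.

    The generator is inlined into the per-word loop, as the figure caption
    describes: one draw per word, one draw for the TLD.
    """
    rng = XorShift32(seed)
    domains = []
    for _ in range(count):
        first = WORDS[rng.next() % len(WORDS)]
        second = WORDS[rng.next() % len(WORDS)]
        tld = TLDS[rng.next() % len(TLDS)]
        domains.append(f"{first}-{second}.{tld}")
    return domains


def first_live(domains, is_live) -> str | None:
    """Malware-side probe loop: walk the list in order and stop at the first
    candidate that answers. `is_live` is injected so the example runs offline."""
    for d in domains:
        if is_live(d):
            return d
    return None


_SHAPE = re.compile(r"^[a-z]+-[a-z]+\.(xyz|com|net)$")


def matches_shape(domain: str) -> bool:
    """Defender-side structural check for the assumed domain shape, useful for
    triaging DNS logs before the seed and word list are recovered."""
    return _SHAPE.match(domain) is not None


if __name__ == "__main__":
    candidates = generate_domains(0xC0FFEE)  # assumed seed
    print(candidates[:5])
    # Offline stand-in for a resolver: pretend only the 43rd candidate is registered.
    print(first_live(candidates, lambda d: d == candidates[42]))
```

Because the sequence is fully determined by the seed, reproducing the list once from a sample is enough to pre-register or blocklist all 10,000 names; the attacker's countermeasure is a seed that changes with time or with a value they control, which is why recovering how the seed is derived matters more than any single domain.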

Once connected, its only job is to fetch and reflectively load RMMProject, a 4.4 MB DLL with 15 task types covering browser credential theft, cookie stealing across Chrome, Firefox, and Edge, a hidden remote desktop module, and process injection.

Wireshark capture of a Potemkin DGA probe to C2 anus-staylard[.]xyz (Source: Huntress)

Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared, securing persistent internet-reachable access inside the network.

Hands-On Intrusion and Defender Evasion

Once inside, a human operator took direct control and began working through the network manually.

They used compromised Administrator credentials, ran reconnaissance consistent with the Impacket toolkit, and moved laterally to the domain controller via WMIExec and SMBExec.

The goal was to spread EtherRAT across as many hosts as possible while establishing multiple fallback paths.

EtherRAT detections in the Huntress Portal (Source: Huntress)

The attacker worked hard to silence Windows Defender throughout the session. They cycled through AMSI patches, registry policy writes, reflective in-memory loading, and exclusion path abuse before stopping the Defender service outright.

A reverse shell on port 43301 and multiple Chisel SOCKS tunnels gave them layered fallback access, so losing any single channel to detection did not end the intrusion.

Huntress recommended that organizations immediately audit endpoint coverage, since the whole intrusion started on a machine with no monitoring agent.

Disabling the Windows Run dialog through Group Policy (the user policy “Remove Run menu from Start Menu”, which sets the NoRun value under the Explorer policies key and also blocks Win+R) removes this campaign’s entry point, since the attack depends on the user pasting a command into that dialog. It does not cover ClickFix variants that direct the user to the File Explorer address bar or a terminal window, so treat it as one control among several rather than a complete fix.

Teams should alert on cloudflared or renamed copies on endpoints, and treat Stop-Service WinDefend alongside bulk Add-MpPreference exclusion commands as high-confidence threat signals.
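As an added example that is not Huntress’s detection content, the three rules below turn the recommendations above into detection logic over process-creation events. The event schema (host, image path, the PE OriginalFilename as the sensor records it, command line), the sample events and the bulk threshold are constructed for this example; the one fact relied on is cloudflared’s own CLI grammar (`tunnel run --token …`, `tunnel --url …`), which survives a rename of the binary.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not the vendor's detection content. Event schema, sample
# events and thresholds are constructed/assumed for illustration.


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str           # full path of the executed binary
    original_name: str   # PE version-info OriginalFilename ("" if the sensor lacks it)
    cmdline: str


# cloudflared's CLI grammar survives a rename of the binary, so match on it as
# well as on the PE original name. Tune if other tunnelling tools are in use.
CLOUDFLARED_CLI = re.compile(r"\btunnel\b.*?(\brun\b|--token\b|--url\b)", re.I)
STOP_DEFENDER = re.compile(
    r"Stop-Service\s+(-Name\s+)?['\"]?WinDefend|\b(sc|net)(\.exe)?\s+stop\s+WinDefend", re.I)
ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.I)
EXCL_ARG = re.compile(r"-Exclusion(Path|Process|Extension)\s+(\S+)", re.I)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, bulk_threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return (rule, host, detail) tuples. Events are processed in time order so
    the bulk-exclusion rule sees a sliding per-host window."""
    alerts = []
    exclusion_times: dict[str, list[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        name = _basename(e.image)
        is_cloudflared = (e.original_name.lower() == "cloudflared.exe"
                          or name == "cloudflared.exe"
                          or CLOUDFLARED_CLI.search(e.cmdline) is not None)
        if is_cloudflared:
            rule = "cloudflared_present" if name == "cloudflared.exe" else "cloudflared_renamed"
            alerts.append((rule, e.host, e.image))
        if STOP_DEFENDER.search(e.cmdline):
            alerts.append(("defender_service_stop", e.host, e.cmdline))
        if ADD_MP.search(e.cmdline):
            # One command may carry a comma-separated list; count every entry.
            n = sum(len([v for v in val.split(",") if v])
                    for _, val in EXCL_ARG.findall(e.cmdline))
            times = exclusion_times[e.host]
            times.extend([e.ts] * n)
            times[:] = [t for t in times if e.ts - t <= window]
            if len(times) >= bulk_threshold:
                alerts.append(("bulk_defender_exclusions", e.host,
                               f"{len(times)} exclusions within {window}"))
                times.clear()  # one alert per burst
    return alerts


# Constructed sample events (hosts, paths, timestamps and token are made up).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_T0 = datetime(2026, 5, 12, 10, 0)
SAMPLE_EVENTS = [
    ProcEvent(_T0, "WS01", _PS, "PowerShell.EXE",
              r"powershell -ep bypass -c Add-MpPreference -ExclusionPath 'C:\ProgramData\p','C:\Windows\Temp'"),
    ProcEvent(_T0 + timedelta(minutes=1), "WS01", _PS, "PowerShell.EXE",
              r"powershell -c Add-MpPreference -ExclusionProcess powershell.exe"),
    ProcEvent(_T0 + timedelta(minutes=2), "WS01", _PS, "PowerShell.EXE",
              r"powershell -c Stop-Service -Name WinDefend -Force"),
    ProcEvent(_T0 + timedelta(minutes=5), "WS02", r"C:\ProgramData\p\svchost_upd.exe", "cloudflared.exe",
              r"svchost_upd.exe tunnel run --token eyJhCONSTRUCTEDTOKEN"),
    ProcEvent(_T0 + timedelta(minutes=6), "WS02", r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
              "cloudflared.exe", r"cloudflared.exe tunnel run --token eyJhCONSTRUCTEDTOKEN"),
    ProcEvent(_T0 - timedelta(hours=1), "WS03", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              r"notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The renamed-binary rule depends on the sensor recording the PE original file name; where it does not, the command-line grammar match is the fallback, which is why both are kept. The bulk-exclusion rule counts entries rather than commands, so a single `Add-MpPreference -ExclusionPath` with several comma-separated paths triggers it just as a burst of separate commands does.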

Indicators of Compromise (IoCs)

Type | Indicator | Description
SHA256 | 2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b | Potemkin loader (RunSearch.exe)
SHA256 | 3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce | RMMProject RAT (avast_update.bin)
SHA256 | cd4e5e2c65b1660470d3446539ee68adf5faeece3eaeb46583623be9911ee145 | ABE helper DLL embedded in RMMProject; injected into Chrome/Edge to bypass App-Bound Encryption
SHA256 | 79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b | inst24.msi, MSI installer that drops Potemkin
SHA256 | 2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a | cons_1.0.1.msi, MSI that delivers EtherRAT
IP address | 77.110.122[.]58 | Primary C2 and staging server
IP address | 213.165.41[.]26 | Chisel reverse SOCKS server
IP address | 198.41.200[.]63 | Cloudflare edge IP (cloudflared tunnel contact)
IP address | 198.41.192[.]77 | Cloudflare edge IP (cloudflared tunnel contact)
Domain | cl.distritovagas[.]com | ClickFix HTA delivery domain
Domain | sonra.eutialyson[.]com | MSI download domain
Domain | anus-staylard[.]xyz | Live C2 domain for Potemkin and RMMProject
Domain | resumeacceptable[.]com | EtherRAT C2 resolved from the Ethereum blockchain
Ethereum contract | 0xb3f2897f2bc797e5b9033faef8c81e92b01cb831 | EtherRAT Ethereum contract address
Ethereum storage key | 0x40b57c3622c1CbfD699207F71F2dE5A8Fe256893 | EtherRAT storage key
Build ID | ab653feb-9e78-4578-87ed-2e30329fe858 | EtherRAT hardcoded build identifier
File path | C:\Windows\Temp\D0OK1nWwId9W.ps1 | First malicious PowerShell script dropped
File path | C:\Windows\Temp\lQhEQui9a4lZ.exe | Chisel client binary
File path | C:\ProgramData\p\O67tak2KFRmJ.ps1 | In-memory reflective Chisel loader
File path | C:\ProgramData\p\J6Gupb9TpYNI.ps1 | PowerShell script to download the Chisel client
File path | C:\ProgramData\p\fsjH6IHuUkhh.ps1 | AMSI bypass + Defender registry disable + reflective Chisel load
File path | C:\ProgramData\p\ek_full.ps1 | Registry-based Defender disable script
File path | C:\ProgramData\p\ek_kill_av.ps1 | Defender kill via registry policies, Set-MpPreference toggles, and service stops
File path | C:\ProgramData\p\ek_disable_av.ps1 | Defender disable script
File path | C:\ProgramData\p\yH88LG8yCOnU.ps1 | Reverse shell looping TCP connection to 77.110.122[.]58:43301
Registry key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch | Potemkin loader persistence key
Registry key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate | EtherRAT persistence key (masquerades as Edge updater)
File path | %LOCALAPPDATA%\hyper-v.ver | Potemkin UUID persistence file
File path | %TEMP%\dll_debug.log | Potemkin debug log

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
