The described attack involves a social engineering vector (ClickFix) delivering a malicious HTA payload that silently installs Potemkin, a custom loader with a deterministic DGA. Potemkin subsequently delivers RMMProject, a 4.4 MB Lua-scriptable RAT with capabilities including Chrome App-Bound Encryption bypass for credential theft, hidden desktop remote control, and 15 task types. EtherRAT, a Node.js backdoor leveraging Ethereum blockchain for C2 address resolution, is also deployed. Persistence is maintained via a Cloudflare tunnel. The attacker performs hands-on-keyboard actions to disable Windows Defender through AMSI bypasses, registry edits, and service termination. Lateral movement is conducted using WMIExec and SMBExec to deploy malware across the network, ultimately compromising the domain controller.

The attack results in credential theft, persistent remote access, and extensive lateral movement within the targeted network, including compromise of the domain controller. The use of advanced evasion techniques against Windows Defender and AMSI, combined with blockchain-based C2 and multi-stage payload delivery, enables sustained attacker presence and control over multiple hosts.

No official patch or vendor advisory is available for this threat. Since this is a multi-stage malware attack leveraging social engineering and endpoint compromise, mitigation should focus on monitoring for suspicious HTA payloads, detecting Potemkin and RMMProject indicators, and blocking known C2 infrastructure such as Cloudflare tunnels and Ethereum blockchain-based communications. Endpoint detection and response solutions should be tuned to detect AMSI bypass attempts and lateral movement techniques like WMIExec and SMBExec. Network segmentation and restricting administrative tool usage can help limit lateral spread. Patch status is not yet confirmed — check vendor advisories for any updates.