clickfix
6 min read
FreeClickFix to NetSupport: Validating ClusterHawk, Cluster Profiles, and What's New
We seeded ClusterHawk with eSentire's published NetSupport indicators and clustered the infrastructure behind ClickFix delivery. The results validate against eSentire TRU's reporting and IoCs, and add a predictive WinRM signature plus anomaly-led IP triage.
By Chawkr Reports
01/11/2025
ClickFix to NetSupport: Validating ClusterHawk, Cluster Profiles, and What's New
TL;DR: Methodology first. We seeded ClusterHawk with eSentire's published NetSupport indicators and clustered/scored the infrastructure behind ClickFix delivery. We then validated our results against eSentire TRU's reporting and IoCs. Outcome: our method reproduces the delivery chain and infra families eSentire describes and adds operator-centric cluster profiles, a predictive WinRM signature (issuer + JA3S/JARM + RDP/WinRM), and anomaly-led triage that prioritizes the right IPs fast. (eSentire)
Goal & framing
- Goal: Validate that ClusterHawk can transform a public IoC list into coherent, operator-level clusters for ClickFix → NetSupport, surfacing reusable signals beyond flat indicators.
- Comparator: eSentire TRU's "Unpacking NetSupport RAT Loaders Delivered via ClickFix" (Oct 23, 2025) and the linked NetSupport IoCs (Oct 15, 2025). (eSentire, GitHub)
How we analyzed it
We ingested eSentire's NetSupport indicators (domains + IPs) into ClusterHawk and ran:
- Ensemble clustering on behaviors (services, TLS, provider/ASN, HTTP traits, DNS/cert reuse).
- Anomaly analysis (label-change, entropy, outlier density) to bubble "operator-touched" nodes.
Why this matters: Clustering extracts operator fingerprints you can hunt for, even as IoCs churn.
Method validation: what matched eSentire
-
Delivery chain: ClickFix social engineering → single-line Run-box PowerShell → JSON-staged loader → NetSupport execution/persistence. Our infra progression (delivery → CDN shield → admin/C2) matches. (eSentire)
-
Infra families (two pillars):
- MivoCloud Windows admin nodes exposing RDP (3389) + WinRM (5986) with Cloudbase-Init WinRM certs and stable JA3S/JARM; repeated month-coded hostnames (APR/MAY/JUNE).
- Cloudflare-fronted web/CDN used for delivery and sometimes C2/data egress with cPanel/WHM ports and stock edge titles. Both pillars are consistent with TRU's write-up. (eSentire)
-
Seed set acknowledgment: We used eSentire's Oct 15, 2025 NetSupport IoC list as our starting dataset (e.g., olbanha[.]com, deepholeintheworld[.]com, frontiersecu[.]com, lastmychancetoss[.]com and C2s like 141.98.11.175, 38.146.28.242, 185.39.19.233). Our analysis groups, prioritizes, and fingerprints this set to reveal the admin spine and high-risk nodes. (GitHub)
Bottom line: Given eSentire's IoCs as input, ClusterHawk independently reconstructs the same campaign structure, and adds actionable triage and hunts. (eSentire)
Where our method adds signal beyond the blog
-
Predictive signature (admin layer). The WinRM issuer "Cloudbase-Init WinRM" + JA3S
649d6810e8392f63dc311eecb6b7098b+ JARM26d26d16d26d26d22c26d26d26d26dfd9c9d14e4f4f67f94f0359f8b28f532+ RDP/WinRM co-exposure forms a cluster-unique signature for MivoCloud admin nodes. Great for pre-IoC detection. -
Anomaly-led triage (who to look at first). Outliers with highest entropy/label-change or role-switching: 94.158.245.104, 188.114.97.0, 94.158.245.81, 141.98.11.175, 160.153.0.10. Treat as active or transitioning.
-
Provider-risk view. Single-provider bias (MivoCloud) in the admin layer suggests a pressure/takedown path. For CDN, we outline pivot rules to find origins rapidly. (eSentire)
Operator-grade Cluster Profiles (ready for hunting & disruption)
Profile 1: MivoCloud Windows Administration Cluster (primary operational layer, strong signal)
Role / purpose: Operational admin & staging boxes used to deploy/manage NetSupport.
Key observables:
- RDP 3389 + WinRM 5986 exposed; Issuer CN: "Cloudbase-Init WinRM" on 5986.
- JA3S
649d6810e8392f63dc311eecb6b7098b; JARM26d26d16d26d26d22c26d26d26d26dfd9c9d14e4f4f67f94f0359f8b28f532. - Temporal hostnames (APR/MAY/JUNE) → batch builds.
- Provider skew: heavy MivoCloud dependency.
Concrete exemplars (priority): 94.158.245.104, 94.158.245.81, 141.98.11.175.
Why this matters: Most predictive handle for future infra, even as domains/edges rotate.
Hunts / detections (drop-in):
dest_port = 5986
AND tls.issuer.common_name = "Cloudbase-Init WinRM"
AND ja3s = "649d6810e8392f63dc311eecb6b7098b"
→ Escalate if same source exposes 3389 or hostname matches APR|MAY|JUN|JUL.... EDR tie-in: Alert on WinRM remoting from these IPs; correlate 4625 → 4624 RDP sequences.
Pivot plan: reverse DNS & cert chain → sibling grouping; time-align with delivery; check victim outbound to C2s (e.g., 185.39.19.233, 38.146.28.242, 185.163.45.41/30, 23.227.198.208, 185.225.17.74, 94.158.245.13/56/81/104/115/137).
False-positive guards: exclude known enterprise bastions/CMDB assets; exclude Cloudbase-Init hosts without the JA3S/JARM + RDP combo.
Profile 2: Cloudflare CDN Shield (delivery & occasional C2 cover: medium signal, high coverage)
Role / purpose: Shield layer that fronts delivery/C2; fast rotation; not for attribution, ideal for early discovery and origin pivoting.
Key observables: Cloudflare edges with cPanel/WHM ports (2082/2083/2086/2087), stock titles (HTTP 400/403, "Direct IP access not allowed"); frequent links to todocarritos[.]top, regopramide[.]top, amxdh1[.]icu, yourcialsupply[.]top, and business-looking .com/.orgs. Edges in 188.114.97.0/24 show high instability (sentinel range).
Use (safely): Pivot only. Prioritize domains that flip from edge → single origin or roll a new cert.
Hunts / detections: Edge appearance watch
domain in <dropper/domain set>
AND resp_status in (400,403)
AND http_title contains "Direct IP access not allowed"
→ launch origin enumeration (historical DNS, CT logs). Edge → origin flip alert: when a domain drops Cloudflare for a stable origin, immediately check for 5986/3389 and cert reuse (promotion to Profile 1).
Response: maintain watchlists; feed origin discoveries into Profile-1 hunts; obtain Cloudflare logs where possible. (eSentire)
Profile 3: Shared-Hosting Lure/Dropper Pods (low confidence; pivot-only)
Role: Short-lived landing pages/droppers that blend into mass web traffic; rotate fast.
Why low confidence: Common stacks (Apache/nginx, Let's Encrypt/Sectigo, cPanel/WHM) on multi-tenant hosting or behind CDNs do not prove actor control. We treat them as lead indicators to pivot to origins/admin.
Representative domains: mawp.us, nicewk.com, curemile.com, camplively.com, vietnam24hvoyage.com,
exemplar-industry.com, caribemove.com, oljaeinfalt.com, michellegraci.com, eddereklam.com, care4hygiene.com,
pennylamont.com, freaner.com, fivepathways.com, poormet.com, todocarritos.top, amxdh1.icu,
regopramide.top, yourcialsupply.top, ayzyw.top, haidao10.top, wavob.top, jiezishijie.top, kamagrafr.icu,
cuoreincomune.com, 2beinflow.com, surethinks.com, gcsglaw.com, cuenten.com, uncustomary.org.
Point-in-time resolutions (churn / multi-tenancy): camplively.com → 172.67.155.171, 104.21.72.232,
76.223.26.96 caribemove.com → 153.92.6.187, 35.227.197.36, 94.136.40.51 pennylamont.com → 69.163.180.94,
64.90.34.214, 75.119.222.18 freaner.com → 192.124.249.128, 144.208.65.4, 69.195.124.103 todocarritos.top →
193.111.208.19, 91.195.240.12, 104.21.7.26 amxdh1.icu → 98.142.240.201, 134.122.183.136 regopramide.top →
79.141.173.52, 15.197.130.221, 172.67.209.201 yourcialsupply.top → 79.141.162.181, 75.2.18.233,
162.255.118.67
How to use (safely): Pivot-only to origins/admin via historical DNS, CT logs, registrar/NS reuse, artifact linkage, and temporal correlation with C2 surges.
Overlap highlights (eSentire seed set ↔ our clustering/priority)
C2 IPs from eSentire's list, prioritized by ClusterHawk (selection): 141.98.11.175, 85.208.84.35, 38.146.28.242, 185.39.19.233, 94.158.245.104, 94.158.245.81, 94.158.245.115, 94.158.245.137, 94.158.245.56, 94.158.245.13, 185.163.45.41, 185.163.45.30, 23.227.198.208, 176.65.140.160, 185.225.17.74.
Domains from the eSentire list (grouped by our analysis): olbanha[.]com, deepholeintheworld[.]com, frontiersecu[.]com, lastmychancetoss[.]com, plus the broader dropper cohort in Profile 3. (eSentire)
On Cloudflare edges: many of the above domains resolved (at times) to 104.21.7.26, 172.67.209.201, 104.21.20.70, and 188.114.97.0/24; we treat these as pivots to uncover origins, not as attribution.
Ready-to-use hunts & detections
MivoCloud WinRM Admin Hunt (high signal)
network where
dest_port == 5986 and
tls.issuer.common_name == "Cloudbase-Init WinRM" and
ja3s == "649d6810e8392f63dc311eecb6b7098b"
→ Raise severity if the same source also exposes 3389.
RDP brute-force correlation (host + net) Correlate Windows Event ID 4625 bursts with inbound 3389 from nodes matching the WinRM signature above.
Cloudflare pivoting (medium signal / high coverage) Watch for new appearances of 104.21.7.26 / 172.67.209.201 / 104.21.20.70; immediately pivot via historical DNS, cert reuse, and origin enumeration; alert when new backends surface behind known domains.
Defensive priorities
- Lock down & monitor RDP/WinRM (VPN/MFA, geofencing; alert on the Cloudbase-Init + JA3S/JARM combo).
- Work the anomaly short-list first: 94.158.245.104, 188.114.97.0, 94.158.245.81, 141.98.11.175, 160.153.0.10. Treat as live.
- Close the CDN visibility gap: obtain Cloudflare logs where possible and pivot to origins rapidly. (eSentire)
Methodology verdict
- Validated: From the eSentire IoC seed, ClusterHawk reproduces the delivery chain and two core infra families, with direct indicator match.
- Value-add: Predictive admin fingerprint, anomaly-first triage, and a practical provider-risk lens.
- Caution: Shared-hosting droppers are pivot-only; don't use them as attribution without an origin link. (eSentire)
