The infection chain is multi-staged and demonstrates significant planning. Initial PowerShell payloads are hosted on domains such as gitcodes[.]org and redirect to secondary domains like tradingviewtool[.]com and tradingviewtoolz[.]com, where further payloads including compressed executables and droppers are retrieved. These components are masked under benign names like "My Support" to avoid suspicion and are configured to auto-start upon system reboot. In more advanced variants, fake DocuSign pages (e.g., docusign.sa[.]com) use clipboard poisoning techniques overwriting the user’s clipboard with an encoded multi-stage script that, when executed, installs the malware silently.

Furthermore, the campaign has been linked to a broader ecosystem involving threat groups such as FIN7, STORM-0408, and Scalert Goldfinch, based on overlaps in infrastructure, scripting patterns, and payload delivery methods. Researchers also found that components of the campaign are hosted on trusted platforms like Discord CDN and GitHub repositories, complicating detection and takedown efforts.

This campaign demonstrates a shift in attacker strategy relying not just on technical exploits but on user manipulation, abuse of trusted brands, and execution of legitimate tools for malicious purposes. Organizations and individuals are at risk of credential theft, surveillance, and further compromise if proper defensive measures are not implemented.

Impact

• Gain Access
• Credential Theft
• Data Exfiltration

Indicators of Compromise

Domain Name

• gitcodes.org
• tradingviewtool.com
• tradingviewtoolz.com
• docusign.sa.com
• mhousecreative.com

IP

• 185.209.21.241
• 91.211.249.44
• 95.215.204.156

MD5

• fac81ad5aa4b5cc68318159e50404cd1

• 480b411f6a567244383b7afe3b43dfa3

SHA-256

• 431b0b19239fc5e0eeaee70cd6e807868142e8cd0b2b6b1bd4a7a2cc8eb57d15

• ab8fdde9fb9b88c400c737d460dcbf559648dc2768981bdd68f55e1f98292c2a

SHA1

• 95c6a4f8d59a4c82f64ba7a025735b158a27ee00

• eacfaa7ce4b3b1d55bedb2a2321177933d2a7e1e

Remediation

• Do not trust unknown CAPTCHAs or script instructions from unfamiliar websites.
• Block access to suspicious domains listed in IOCs below using your firewall or DNS filters.
• Disable clipboard scripting in browsers or use browser extensions that protect clipboard activity.
• Educate users not to copy and run unknown PowerShell commands from web pages.
• Restrict PowerShell use to administrators only, with strict execution policies.
• Monitor for unusual startup entries, especially unknown .exe files or scripts.
• Use application control tools like AppLocker to block unauthorized applications (like client32.exe or wbdims.exe).
• Update endpoint security tools with behavioral detection for RATs and clipboard injection.
• Inspect clipboard history for suspicious encoded content (often base64 or script blobs).
• Audit Windows Startup folder and Registry Run keys for persistence mechanisms.