Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack
A detailed technical analysis of a ClickFix attack chain observed in May 2026 that led to a full hands-on-keyboard intrusion across 11 hosts. The infection began with a user tricked into running a command via the Windows Run Dialog, which fetched and silently installed an MSI dropping 'Potemkin', a custom x64 loader using a Domain Generation Algorithm (DGA) with XorShift32 seeded at 151678 to find its C2. Potemkin reflectively loads 'RMMProject', a 4.4 MB Lua-scriptable DLL with 15 task types including browser credential theft (with a Chrome App-Bound Encryption bypass via DLL injection), hidden remote desktop control, process injection, and module loading. The attacker also deployed EtherRAT (a Node.js backdoor resolving C2 via Ethereum blockchain) and Cloudflare tunnels, then moved laterally via WMIExec and SMBExec to reach the domain controller. The post includes full DGA Python implementation, cipher decryption algorithm, C2 protocol details, and indicators of compromise.
