Potemkin loader delivering EtherRAT and RMMProject in memory

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique source, 1 article

Summary

The Potemkin loader is delivering EtherRAT and RMMProject to Windows systems, giving operators in-memory payload execution and browser credential theft. The loader uses a DGA to reach C2 and reflectively loads follow-on modules, limiting on-disk visibility. The payload set expands control to remote screen access, screenshot capture, and credential collection, increasing post-compromise risk.

Related Happenings

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign
H score 34 · First: 16.06.2026 20:41 · Last: 16.06.2026 20:41 · Sources: 1

How related: Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, per independent reports from Morphisec, BlueVoyant, and Huntress, respectively.

About this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...

LummaStealer infection surge via CastleLoader

Malware Activity
H score 33 · First: 11.02.2026 19:02 · Last: 11.02.2026 19:02 · Sources: 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
H score 39 · First: 04.02.2026 19:24 · Last: 04.02.2026 19:24 · Sources: 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping

Technical Analysis
H score 16 · First: 19.12.2025 17:34 · Last: 19.12.2025 17:34 · Sources: 1

About this happening: A new **GachiLoader** variant uses **kidkadi.node** to perform **PE injection** through **Vectored Exception Handling**, creating an in-memory swapping technique that raises detec...

ClickFix variants delivering LummaC2 and Rhadamanthys

Malware Activity
H score 21 · First: 24.11.2025 22:42 · Last: 24.11.2025 22:42 · Sources: 1

About this happening: Since **October 1**, **ClickFix** variants have been using a **fake Windows Update** screen and **human verification** lures to trick Windows users into pasting commands that exec...

Timeline

  1. 16.06.2026 20:41 · 2 articles

    Potemkin loader uses in-memory execution to deliver EtherRAT and RMMProject on Windows

    Technical Analysis Update

    Huntress identified Potemkin as a custom x64 loader that uses a domain generation algorithm to reach C2 and reflectively loads follow-on modules in memory. The loader serves as a conduit for EtherRAT and RMMProject, expanding the campaign to include remote screen control, browser credential theft, screenshot capture, browser autofill collection, and other post-compromise actions on Windows hosts.