Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption
From CTI Daily Brief — 2026-06-17 · published 2026-06-17
Huntress documented a ClickFix chain delivering a previously undocumented x64 loader named Potemkin (active since at least February 2026): a ClickFix lure installs an MSI that drops Potemkin via an HTA payload; the loader uses a domain-generation algorithm for C2 and reflectively loads follow-on modules in memory (Huntress, 2026-06-16). Its payloads are EtherRAT (Node.js RAT with blockchain C2) and RMMProject, a Lua-scriptable DLL providing hidden remote desktop, keylogging and browser credential theft — including a module specifically built to defeat Chromium's App-Bound Encryption (the credential-storage protection added in Chrome 127) (The Hacker News, 2026-06-16). Huntress observed lateral movement across 11+ hosts in one intrusion, indicating network-wide credential harvesting rather than single-host compromise.
Why it matters to us: The ABE bypass means saved Chrome credentials are again at risk on infected hosts. Hunt for mshta.exe spawned by msiexec.exe/cmd.exe, reflective-load memory anomalies, DGA-style DNS from mshta.exe children, and non-browser processes calling Chrome's DPAPI/LocalState decryption. Block mshta.exe via AppLocker/WDAC where feasible.
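The three hunt ideas above (installer-spawned mshta.exe, DGA-style DNS from mshta.exe descendants, and non-browser access to Chrome's Local State / Login Data) as runnable detection logic over constructed, Sysmon-shaped telemetry. This is an added example for the brief, not Huntress tooling and not a reproduction of Potemkin; the event shape, the `file_read` event type (which assumes an EDR that records file reads, since Sysmon has no read event), the DGA thresholds, and every pid, domain and path are assumptions made up for the demo, not observed indicators.

```python
"""Hunt rules for the ClickFix -> MSI -> mshta.exe -> ABE-bypass chain (example code)."""
import math
import ntpath
from collections import Counter, defaultdict, deque

# Constructed sample telemetry: Sysmon-like process-create (eid 1) and DNS-query
# (eid 22) events, plus an assumed EDR "file_read" event. No value here is a real IoC.
EVENTS = [
    {"eid": 1, "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"eid": 1, "pid": 4130, "ppid": 4120,  # hypothetical child of mshta.exe
     "image": r"C:\Users\Public\loader.exe", "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"eid": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 22, "pid": 4130, "query": "xk3v9qz7lwp2ahd.com"},   # constructed DGA-looking name
    {"eid": 22, "pid": 4130, "query": "q8nfz2vw1y5tkm.net"},    # constructed DGA-looking name
    {"eid": 22, "pid": 5000, "query": "www.google.com"},
    {"eid": "file_read", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"eid": "file_read", "pid": 4130, "image": r"C:\Users\Public\loader.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"eid": "file_read", "pid": 4130, "image": r"C:\Users\Public\loader.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

INSTALLER_PARENTS = {"msiexec.exe", "cmd.exe"}          # parents named in the brief
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}    # processes allowed to touch their own vault
CHROMIUM_SECRET_FILES = {"local state", "login data"}   # ABE key material and saved logins


def basename(path):
    # ntpath handles backslash paths on any host OS
    return ntpath.basename(path).lower()


def suspicious_mshta_spawns(events):
    """Rule 1: mshta.exe started by msiexec.exe or cmd.exe (the MSI -> HTA stage)."""
    return [e["pid"] for e in events if e["eid"] == 1
            and basename(e["image"]) == "mshta.exe"
            and basename(e["parent_image"]) in INSTALLER_PARENTS]


def process_tree(events):
    children = defaultdict(list)
    for e in events:
        if e["eid"] == 1:
            children[e["ppid"]].append(e["pid"])
    return children


def descendants(children, root):
    """root plus every pid it transitively spawned."""
    seen, queue = {root}, deque([root])
    while queue:
        for c in children[queue.popleft()]:
            if c not in seen:
                seen.add(c)
                queue.append(c)
    return seen


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_like(domain, min_len=10, min_entropy=3.0, min_digits=2):
    """Heuristic: long, high-entropy, digit-laden second-level label (tune per environment)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and sum(ch.isdigit() for ch in label) >= min_digits)


def dga_dns_from_mshta_children(events):
    """Rule 2: DGA-style lookups from a suspicious mshta.exe or anything under it."""
    children = process_tree(events)
    scope = set()
    for pid in suspicious_mshta_spawns(events):
        scope |= descendants(children, pid)
    return [(e["pid"], e["query"]) for e in events
            if e["eid"] == 22 and e["pid"] in scope and dga_like(e["query"])]


def non_browser_chromium_secret_access(events):
    """Rule 3: a process other than the browser reading Local State / Login Data."""
    return [(e["pid"], basename(e["image"]), e["path"]) for e in events
            if e["eid"] == "file_read"
            and "\\user data\\" in e["path"].lower()
            and basename(e["path"]) in CHROMIUM_SECRET_FILES
            and basename(e["image"]) not in BROWSERS]


def hunt(events):
    """Run all three rules; an empty list means the rule did not fire."""
    return {
        "mshta_from_installer": suspicious_mshta_spawns(events),
        "dga_dns": dga_dns_from_mshta_children(events),
        "chromium_secret_access": non_browser_chromium_secret_access(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule, hits)
```

Rule 2 deliberately scopes the DNS check to the mshta.exe process subtree rather than the whole host, which keeps the entropy heuristic from drowning in CDN hostnames; rule 3 is the host-side complement to the ABE-bypass module, since any decryption of App-Bound Encryption keys begins with reading `Local State` from outside the browser. Real deployments should map the assumed `file_read` event onto whatever file-access telemetry the EDR actually emits.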