Back to Intelligence

ClickFix & JINX-0164 Campaigns: Multi-Vector Malware Delivery — OTX Pulse Analysis

SA
Security Arsenal Team
May 30, 2026
7 min read

Recent OTX pulse data reveals a convergence of sophisticated social engineering and supply chain attacks targeting specific sectors. While the actors vary—ClickFix, LofyGang, and JINX-0164—the collective intelligence highlights a surge in "fake utility" and "recruitment" lures designed to bypass user skepticism.

  • ClickFix Campaigns: Malicious actors are using fake image editing tools (BackgroundFix) to trick users into clipboard hijacking. The copied commands invoke finger.exe, a living-off-the-land binary (LoLBin), to fetch a reflective loader (CastleLoader) which ultimately delivers NetSupport RAT and CastleStealer. This chain demonstrates a move from browser-based scams to system-level execution.
  • Gaming Sector Targeting: The LofyGang (LofyStealer) campaign specifically targets Minecraft players. By disguising payloads within Node.js libraries, they deliver a complex infostealer capable of extracting credentials and financial data from multiple browsers using memory-resident techniques.
  • Infrastructure Intrusion: The JINX-0164 actor is actively targeting the software development infrastructure of cryptocurrency firms. Using LinkedIn phishing and trojanized npm packages, they deliver macOS-specific malware (AUDIOFIX, MINIRAT), signaling a strategic pivot towards compromising build pipelines and developer environments.

Collective Objective: Financial gain via credential theft (LofyStealer, CastleStealer), remote access (NetSupport RAT, MINIRAT), and potentially long-term persistence within development environments (JINX-0164).

Threat Actor / Malware Profile

ClickFix (BackgroundFix / CastleLoader)

  • Distribution: Fake free image-editing websites; social engineering prompts users to "verify they are human" by copying clipboard commands.
  • Payload Behavior: The copied command executes finger.exe to retrieve a payload. This delivers CastleLoader, a reflective loader that injects NetSupport RAT (remote administration) and CastleStealer (credential harvester) directly into memory.
  • C2 Communication: Utilizes domains on non-standard ports (e.g., :688) to blend in with legitimate traffic or evade simple port blocking.
  • Persistence: Likely achieved via NetSupport RAT's installation mechanisms.
  • Anti-Analysis: Use of reflective loading keeps the payload off the disk, making static analysis difficult.

LofyGang (LofyStealer / GrabBot)

  • Distribution: Social engineering targeting Minecraft players; distributed as malicious Node.js libraries.
  • Payload Behavior: A two-stage loader. A 53.5MB Node.js loader drops a 1.4MB C++ payload (LofyStealer) that executes in-memory. It targets cookies, passwords, tokens, and financial data from 8 browsers.
  • C2 Communication: Standard HTTP/HTTPS likely used for exfiltration; uses syscall evasion to hide from endpoint detection.
  • Persistence: Unknown from the data, but likely via scheduled tasks or startup folders given the Windows target.
  • Anti-Analysis: Syscall evasion and large, obfuscated Node.js loader to confuse analysts.

JINX-0164

  • Distribution: LinkedIn social engineering (fake recruiters); supply chain attack via trojanized npm packages; typosquatting domains (e.g., login.teamicrosoft.com).
  • Payload Behavior: Delivers AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor) specifically tailored for macOS.
  • C2 Communication: Uses hardcoded domains and potentially cloud infrastructure to blend in.
  • Persistence: macOS-specific launch agents or daemons (implied by macOS targeting).
  • Anti-Analysis: Targeting macOS allows evasion of many traditional Windows-focused EDR solutions.

IOC Analysis

  • Domains: Numerous typosquatted and suspicious domains are present (e.g., trindastal.com, driver-updater.net, login.teamicrosoft.com). SOC teams should block these at the DNS layer immediately.
  • File Hashes: SHA256, MD5, and SHA1 hashes are provided for loaders and payloads. These should be added to allow/block lists and used to hunt for existing infections on endpoints.
  • URLs: Specific URLs point to payload delivery mechanisms (e.g., http://giovettiadv.com:688, http://89.36.224.5/troubleshoot/mac/install.sh). These are critical for blocking at the proxy.

Operationalization: Feed these IOCs into your SIEM's threat intelligence platform (e.g., Microsoft Sentinel, Splunk). Correlate network logs (Firewall/Proxy) against the domains/URLs. Use EDR solutions to scan endpoints for the file hashes. The unusual use of finger.exe and non-standard ports (688) provides high-fidelity detection opportunities.

Detection Engineering

YAML
---
title: Suspicious Finger.exe Usage - ClickFix BackgroundFix
description: Detects the execution of finger.exe often used by ClickFix campaigns to retrieve payloads via clipboard hijacking.
status: stable
date: 2026/05/30
author: Security Arsenal
references:
  - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
    CommandLine|contains:
      - 'http'
  condition: selection
falsepositives:
  - Legitimate use of finger.exe (rare in modern enterprises)
level: high
tags:
  - attack.execution
  - attack.t1059.001
---
title: Potential LofyStealer Node.js Loader Activity
description: Detects execution of Node.js processes with arguments indicative of LofyStealer's loader mechanism targeting Minecraft players.
status: stable
date: 2026/05/29
author: Security Arsenal
references:
  - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\node.exe'
  selection_cli:
    CommandLine|contains:
      - 'minecraft'
      - 'libs'  # Often obfuscated in libs
  condition: all of selection_*
falsepositives:
  - Legitimate Minecraft mod development or server management
level: medium
tags:
  - attack.initial_access
  - attack.t1192
---
title: macOS NPM Trojan Installer Execution - JINX-0164
description: Detects the execution of shell scripts from remote IPs associated with JINX-0164 or generic npm install commands on macOS, indicative of supply chain attacks.
status: stable
date: 2026/05/28
author: Security Arsenal
references:
  - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
logsource:
  category: process_creation
  product: macos
detection:
  selection_curl:
    Image|endswith:
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - 'install.sh'
  selection_npm:
    Image|endswith: '/npm'
    CommandLine|contains: 'install'
  condition: 1 of selection_*
falsepositives:
  - Legitimate developer software installation
level: high
tags:
  - attack.initial_access
  - attack.t1195.002


kql
// Hunt for ClickFix C2 traffic on non-standard ports and suspicious domains
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemotePort in (688) // Observed port from ClickFix pulse
| or NetworkConnectionStatus =~ "Established"
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort, RemoteIP

// Hunt for LofyStealer file presence
DeviceFileEvents
| where Timestamp >= ago(7d)
| where SHA256 in ("293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for JINX-0164 macOS indicators
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has_any ("driver-updater.net", "login.teamicrosoft.com", "live.ong")
| or ProcessCommandLine contains "install.sh"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName


powershell
# PowerShell Hunt Script for ClickFix and LofyStealer Indicators

# Define IOCs
$ClickFixHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb"
)
$LofyStealerHashes = @(
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)
$ClickFixDomains = @("trindastal.com", "poronto.com", "brionter.com")

Write-Host "[+] Scanning for ClickFix and LofyStealer file indicators..." -ForegroundColor Cyan

# Get all files from C:\ drive (This may take time, restrict to known sus paths if possible)
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($ClickFixHashes -contains $FileHash) {
                Write-Host "[!] ClickFix Malware Found: $($_.FullName)" -ForegroundColor Red
            }
            if ($LofyStealerHashes -contains $FileHash) {
                Write-Host "[!] LofyStealer Malware Found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking hosts file for ClickFix domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $ClickFixDomains) {
        if ($HostsContent -match $Domain) {
            Write-Host "[!] Suspicious hosts file entry found for: $Domain" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green


# Response Priorities

*   **Immediate**: Block the domains and URLs listed in the IOC Analysis at your perimeter (DNS, Proxy, Firewall). Hunt for the specific file hashes on all endpoints. Investigate any processes spawned by `finger.exe`.
*   **24h**: If credential-stealing malware (LofyStealer, CastleStealer) is suspected or confirmed, initiate identity verification procedures for affected users. Force password resets and enable MFA for all accounts, particularly those with access to financial or developer systems.
*   **1 week**: Conduct a review of software supply chain security, specifically for npm packages and developer onboarding processes. Implement stricter controls for LinkedIn-based recruitment outreach and verify the identity of external recruiters. Harden macOS endpoints in the environment with EDR solutions capable of detecting the described behaviors.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixlofystealerjinx-0164supply-chain-attackinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action