
ClickFix & JINX-0164: Multi-Platform RAT and Stealer Campaigns Targeting Endpoints

Security Arsenal Team
May 31, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a surge in social engineering-driven campaigns utilizing diverse malware families to target both Windows and macOS ecosystems. We have identified three distinct threat clusters:

  1. ClickFix Campaign: A malware distribution campaign masquerading as a "BackgroundFix" image tool. It uses clipboard hijacking to trick users into running a command that invokes finger.exe, leading to the deployment of CastleLoader, which in turn drops NetSupport RAT and the .NET stealer CastleStealer.
  2. LofyStealer (LofyGang): A sophisticated infostealer specifically targeting Minecraft players. It employs a large Node.js loader to decrypt and execute a C++ payload in memory, capable of stealing credentials and browser data from eight different browsers.
  3. JINX-0164: A threat actor active since mid-2025 focusing on the cryptocurrency sector. They utilize LinkedIn recruitment scams to deliver custom macOS malware, including AUDIOFIX (Python RAT) and MINIRAT (Go backdoor), often via supply chain compromise vectors.

These campaigns are characterized by heavy reliance on social engineering to bypass technical controls and reflect a trend toward multi-stage loaders and memory-resident payloads to evade detection.

Threat Actor / Malware Profile

ClickFix / CastleLoader / NetSupport RAT

  • Distribution Method: Fake free image-editing tools (BackgroundFix) prompting "human verification" via clipboard commands.
  • Payload Behavior: The finger.exe utility retrieves CastleLoader, which uses reflective loading to inject NetSupport RAT (C2) and CastleStealer (data theft) into memory.
  • Persistence: NetSupport RAT typically establishes persistence via Registry Run keys or Scheduled Tasks.
  • Anti-Analysis: Use of LOLBins (finger.exe) and reflective loading keeps malicious artifacts off the disk initially.

LofyGang / LofyStealer

  • Distribution Method: Social engineering within the Minecraft gaming community.
  • Payload Behavior: A 53.5MB Node.js loader acts as a container for a 1.4MB C++ payload (GrabBot/Slinky). The C++ module runs directly in memory to harvest cookies, passwords, and crypto wallet data.
  • C2 Communication: Standard HTTP/HTTPS C2 channels used for data exfiltration.
  • Anti-Analysis: In-memory execution and obfuscation via legitimate-looking Node.js libraries.

JINX-0164 / AUDIOFIX / MINIRAT

  • Distribution Method: LinkedIn phishing (posing as recruiters), malicious NPM packages, and CI/CD hijacking.
  • Payload Behavior: Delivers macOS-specific payloads: AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Lightweight Go backdoor).
  • Persistence: macOS LaunchAgents or LaunchDaemons.
  • Anti-Analysis: Targeting macOS allows them to bypass traditional Windows-heavy security stacks; use of supply chain attacks compromises trusted build pipelines.

IOC Analysis

The intelligence provided reveals a mix of infrastructure and file-based indicators:

  • Network Indicators: Several domains and URLs are associated with C2 infrastructure and payload delivery. Notable examples include trindastal.com, driver-updater.net (typosquatting), and login.teamicrosoft.com (credential harvesting).
  • File Indicators: SHA256 and MD5 hashes are provided for the Node.js loaders, C++ payloads, and macOS install scripts.
  • Operational Guidance: SOC teams should immediately block the listed domains at the proxy and DNS levels and load the file hashes into EDR block lists. finger.exe spawning non-standard child processes is a high-fidelity behavioral indicator of compromise.

Detection Engineering

```yaml
---
title: Suspicious Finger.exe Child Process
id: 4c2d3b1a-8f9e-4a1d-b5c6-7d8e9f0a1b2c
description: Detects finger.exe spawning cmd or powershell, indicative of ClickFix activity.
status: experimental
author: Security Arsenal
date: 2026/05/31
references:
    - https://otx.alienvault.com/pulse/667a1b2c3d4e5f6a7b8c9d0e
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\finger.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Node.js Spawning Native Process (LofyStealer)
id: 5d3e4c2b-9a0f-5b2e-c6d7-8e9f0a1b2c3d
description: Detects Node.js spawning native executables, typical of the LofyStealer loader chain.
status: experimental
author: Security Arsenal
date: 2026/05/31
references:
    - https://otx.alienvault.com/pulse/668b2c3d4e5f6a7b8c9d0e1f
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '.exe'
    filter:
        Image|contains: 'node_modules'
    condition: selection and not filter
falsepositives:
    - Legitimate development tools
level: medium
---
title: macOS Browser Spawning Shell or Python (JINX-0164)
id: 6e4f5d3c-0b1g-6c3f-d7e8-9f0a1b2c3d4e
description: Detects macOS browsers spawning shell or python, associated with LinkedIn phishing drops.
status: experimental
author: Security Arsenal
date: 2026/05/31
references:
    - https://otx.alienvault.com/pulse/669c3d4e5f6a7b8c9d0e1f2g
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|contains:
            - 'Safari.app'
            - 'Chrome.app'
            - 'Firefox.app'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/python'
            - '/python3'
    condition: selection
falsepositives:
    - User downloads
level: high
```
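To check that the three rules above fire where intended before they are deployed, here is an added Python harness (not part of the advisory or any vendor tool) that applies their selection/filter logic, with Sigma's case-insensitive string matching, to constructed process-creation events; the hostnames and paths are made up.

```python
"""Apply the advisory's three process_creation detections to constructed
sample events. Field names follow Sigma's process_creation convention;
matching is case-insensitive, as Sigma string modifiers are by default."""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (not real logs): one hit and one benign event per rule.
EVENTS: List[Event] = [
    {"host": "ws01", "ParentImage": r"C:\Windows\System32\finger.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"host": "dev02", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\proj\node_modules\.bin\esbuild.exe"},
    {"host": "dev02", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Users\dev\AppData\Local\Temp\update.exe"},
    {"host": "mac01", "ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari",
     "Image": "/bin/bash"},
    {"host": "mac01", "ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari",
     "Image": "/usr/bin/open"},
]

def finger_child(e: Event) -> bool:
    """Suspicious Finger.exe Child Process: ParentImage endswith + Image endswith."""
    return (e["ParentImage"].lower().endswith("\\finger.exe")
            and e["Image"].lower().endswith(("\\cmd.exe", "\\powershell.exe")))

def node_native(e: Event) -> bool:
    """Node.js Spawning Native Process: 'selection and not filter'."""
    image = e["Image"].lower()
    return (e["ParentImage"].lower().endswith("\\node.exe")
            and image.endswith(".exe") and "node_modules" not in image)

def browser_shell(e: Event) -> bool:
    """macOS Browser Spawning Shell or Python: ParentImage contains + Image endswith."""
    parent, image = e["ParentImage"].lower(), e["Image"].lower()
    return (any(b in parent for b in ("safari.app", "chrome.app", "firefox.app"))
            and image.endswith(("/sh", "/bash", "/python", "/python3")))

RULES = [("Suspicious Finger.exe Child Process", "high", finger_child),
         ("Node.js Spawning Native Process", "medium", node_native),
         ("macOS Browser Spawning Shell or Python", "high", browser_shell)]

def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert record per (rule, event) match, in event order."""
    return [{"rule": title, "level": level, "host": e["host"], "image": e["Image"]}
            for e in events for title, level, fn in RULES if fn(e)]
```

Running `evaluate(EVENTS)` yields exactly three alerts, one per rule; the esbuild.exe and /usr/bin/open events are correctly left alone.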


```kql
// Hunt for ClickFix C2 domains and LofyStealer network activity, plus any finger.exe execution.
// DeviceProcessEvents exposes the created process as FileName (there is no ProcessName column).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "driver-updater.net", "live.ong", "login.teamicrosoft.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName =~ "finger.exe" or InitiatingProcessFileName =~ "finger.exe"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
```


```powershell
# IOC Hunt for ClickFix and LofyStealer Hashes
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

Write-Host "Scanning for malware hashes..."
# -File skips directories (whose Length is null); size bound keeps the scan tractable.
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Length -gt 0 -and $_.Length -lt 200MB) {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -in is case-insensitive, so the upper-case hash from Get-FileHash matches the list.
        if ($hash -and $hash -in $MaliciousHashes) {
            Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
        }
    }
}
```

Response Priorities

  • Immediate:

    • Block all identified domains and IPs at the network perimeter.
    • Isolate endpoints showing evidence of finger.exe spawning child processes.
    • Quarantine files matching the provided SHA256 hashes.
  • 24h:

    • Force password resets for users on compromised machines due to the presence of infostealers (CastleStealer/LofyStealer).
    • Investigate LinkedIn messages for crypto/developer teams targeted by JINX-0164.
  • 1 Week:

    • Implement policies restricting the execution of finger.exe.
    • Review and harden CI/CD pipelines against supply chain infiltration.
    • Conduct awareness training regarding "fix" tools and recruiter-based phishing.
