ClickFix, JINX-0164 & GHOST STADIUM: Cross-Platform Infostealer & Blockchain C2 Campaigns — OTX Intel | Security Arsenal

Recent OTX pulses reveal a coordinated surge in credential theft and infostealer activity spanning social engineering, supply chain attacks, and blockchain-based infrastructure. Threat actors are leveraging high-profile events like the 2026 FIFA World Cup (GHOST STADIUM) and lucrative targets in the cryptocurrency sector (JINX-0164) to distribute diverse payloads including Vidar, Lumma, and custom macOS malware.

Notably, the ClickFix campaign continues to evolve, using fake image-editing tools to invoke finger.exe for payload delivery (CastleLoader/NetSupport RAT). Simultaneously, LofyStealer targets the gaming ecosystem via Node.js loaders, and advanced actors are utilizing the BNB Smart Chain testnet to host immutable C2 instructions for ClearFake/SectopRAT, complicating takedown efforts.

Threat Actor / Malware Profile

ClickFix / CastleLoader

Distribution: Social engineering via "BackgroundFix" fake image editing tool; prompts users to verify humanity via clipboard commands.
Payload Behavior: Uses finger.exe to retrieve CastleLoader, which drops NetSupport RAT and CastleStealer (.NET).
C2 Communication: HTTP connections to domains like trindastal.com and poronto.com (Port 688).
Persistence: Standard RAT persistence mechanisms via NetSupport.

LofyStealer (LofyGang)

Distribution: Social engineering targeting Minecraft players; disguised as legitimate libraries.
Payload Behavior: Two-stage attack: 53.5MB Node.js loader dropper -> 1.4MB C++ memory payload. Steals cookies, passwords, tokens, and IBANs from 8 browsers.
Anti-Analysis: Uses syscalls evasion and reflective loading in memory.

JINX-0164

Distribution: LinkedIn phishing (recruiter impersonation) and supply chain compromises (npm trojan).
Payload Behavior: Custom macOS malware: AUDIOFIX (Python infostealer) and MINIRAT (Go backdoor).
Targeting: Cryptocurrency software developers and infrastructure.

GHOST STADIUM

Distribution: Facebook ads and SEO poisoning leading to 4,300+ fraudulent FIFA domains.
Payload Behavior: Pixel-perfect clone of FIFA auth system; harvests credentials to distribute Vidar and Lumma stealers.

ClearFake / EtherHiding

Infrastructure: BNB Smart Chain (BSC) Testnet smart contracts.
Technique: "EtherHiding" stores payload routing in blockchain contracts, making C2 immutable.
Payload: Delivers SectopRAT and ACRStealer via compromised sites.

IOC Analysis

The provided indicators include high-confidence domains, file hashes, and network endpoints associated with active campaigns.

Domains (TLD Abuse): Multiple suspicious TLDs (.gold, .black, .fund, .cfd) used for GHOST STADIUM and ClearFake infrastructure.
Network Ports: Non-standard ports (e.g., TCP 688) observed in ClickFix C2 communications.
File Hashes: SHA256 hashes for CastleLoader components and LofyStealer payloads.
Operational Guidance: SOC teams should immediately block the listed domains and network ranges. EDR solutions should be configured to flag execution of finger.exe and unsigned Node.js binaries touching browser data directories.

Detection Engineering

Sigma Rules

YAML

---
title: Suspicious Finger.exe Execution - Potential ClickFix Loader
id: 0e8c4d2b-6a1f-4b3c-8d9e-1f2a3b4c5d6e
description: Detects the execution of finger.exe, which is abused by ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/63456789
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate administrative use of finger.exe (rare)
level: high
---
title: LofyStealer Node.js Loader Activity
description: Detects Node.js processes spawning child processes typical of LofyStealer loading behavior.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/63456790
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate Node.js development scripts
level: medium
---
title: Connection to GHOST STADIUM or Malicious Infrastructure
description: Detects network connections to domains associated with FIFA phishing or ClickFix C2.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/63456791
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'fifa.gold'
      - 'fifa.black'
      - 'trindastal.com'
      - 'poronto.com'
      - 'veloitall.cfd'
  condition: selection
falsepositives:
  - Unknown
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix Finger.exe activity
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where ProcessCommandLine contains "finger.exe" or FileName == "finger.exe"  
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName  
| extend Tactic = "Execution", Technique = "Command and Scripting Interpreter";

// Hunt for GHOST STADIUM / Malicious Domain Connections
DeviceNetworkEvents  
| where Timestamp > ago(3d)  
| where RemoteUrl has_any ("fifa.gold", "fifa.black", "fifa.tax", "trindastal.com", "driver-updater.net", "veloitall.cfd")  
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName  
| extend Tactic = "Command and Control", Technique = "Application Layer Protocol";

// Hunt for LofyStealer Node.js Parent Processes
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where InitiatingProcessFileName endswith "node.exe" and FileName in ("cmd.exe", "powershell.exe", "regsvr32.exe")  
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

PowerShell Hunt Script

PowerShell

# Check for connections to ClickFix C2 Port 688 or Suspicious Domains
$targetDomains = @("trindastal.com", "poronto.com", "fifa.gold", "fifa.black", "driver-updater.net")
$suspiciousConnections = Get-NetTCPConnection | Where-Object { 
    $_.RemotePort -eq 688 -or 
    ($_.RemoteAddress -and (Resolve-DnsName -Name $_.RemoteAddress -ErrorAction SilentlyContinue | Where-Object { $targetDomains -contains $_.NameHost }))
}

if ($suspiciousConnections) {
    Write-Host "[ALERT] Suspicious network connections detected:" -ForegroundColor Red
    $suspiciousConnections | Format-Table -AutoSize
} else {
    Write-Host "No suspicious connections found on standard ports." -ForegroundColor Green
}

# Check for finger.exe processes
$fingerProcess = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($fingerProcess) {
    Write-Host "[ALERT] finger.exe process detected (ClickFix Indicator):" -ForegroundColor Red
    $fingerProcess | Select-Object Id, ProcessName, Path, StartTime
} else {
    Write-Host "No finger.exe processes found." -ForegroundColor Green
}

Response Priorities

Immediate: Block all listed IOC domains and IP ranges at the perimeter and proxy. Alert on any internal system attempting connections to finger.exe or port 688.
24 Hours: Initiate credential resets and MDE scans for endpoints in environments where Minecraft or developer tools (Node.js) are prevalent. Verify integrity of CI/CD pipelines for crypto-related teams (JINX-0164 target).
1 Week: Review and restrict the use of legacy utilities (e.g., finger.exe) via Application Whitelisting. Harden browser policies to restrict extensions and credential access (LofyStealer/GHOST STADIUM).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

ClickFix, JINX-0164 & GHOST STADIUM: Cross-Platform Infostealer & Blockchain C2 Campaigns — OTX Intel