The latest OTX pulses indicate a coordinated surge in credential theft operations leveraging diverse delivery mechanisms, ranging from social engineering lures targeting gamers to sophisticated supply chain attacks on developers and the abuse of blockchain infrastructure for resilient C2.
The campaigns are primarily financially motivated, focusing on the theft of cryptocurrency wallets, browser session cookies, and banking credentials. Notably, the ClickFix campaign has evolved to abuse legacy Windows utilities (finger.exe) to fetch payloads, while LofyStealer demonstrates a complex in-memory execution chain targeting the Minecraft community. Simultaneously, GHOST STADIUM is exploiting the hype around the 2026 FIFA World Cup to distribute Vidar and Lumma stealers via massive phishing infrastructure. Lastly, the ClearFake actors have innovated by using the BNB Smart Chain (BSC) Testnet to store C2 instructions, making takedowns significantly more difficult.
# Threat Actor / Malware Profile
## ClickFix / BackgroundFix
- Malware: CastleLoader, NetSupport RAT, CastleStealer
- Distribution: Masquerades as a free image-editing tool ("BackgroundFix"). Uses social engineering to trick users into copying a command to their clipboard.
- Execution: The copied command invokes finger.exe, a legacy directory service tool, to connect to a remote server and download the CastleLoader payload.
- Capabilities: Drops NetSupport RAT for remote access and CastleStealer (a .NET infostealer) to harvest credentials.
## LofyGang / LofyStealer
- Malware: LofyStealer (GrabBot/Slinky), Chromelevator
- Distribution: Targets Minecraft players via social engineering, often disguised as game mods or utilities.
- Execution: Two-stage malware. A 53.5MB Node.js loader acts as the initial dropper, executing a 1.4MB native C++ payload directly in memory to evade disk-based scanning.
- Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers. Uses syscalls evasion for anti-analysis.
## JINX-0164
- Malware: AUDIOFIX (Python), MINIRAT (Go)
- Target: Cryptocurrency software developers and infrastructure.
- Distribution: LinkedIn social engineering (fake recruiters/business partners) and supply chain compromise (NPM trojans).
- Capabilities: macOS-focused infostealer and backdoor. Capable of hijacking CI/CD pipelines to inject malicious code into software builds.
## GHOST STADIUM
- Malware: Vidar, Lumma
- Target: Attendees of the 2026 FIFA World Cup (Hospitality, Finance, Media sectors).
- Distribution: Phishing-as-a-Service (PaaS) utilizing over 4,300 fraudulent domains and pixel-perfect clones of FIFA authentication systems.
- Capabilities: Harvests credentials and financial data. Leverages compromised Facebook advertising accounts for broad distribution.
## ClearFake / EtherHiding
- Malware: SectopRAT, ACRStealer
- Distribution: Compromised legitimate websites (injected JavaScript).
- C2 Innovation: Uses "EtherHiding" to store payload routing instructions inside smart contracts on the BNB Smart Chain Testnet.
- Capabilities: Immutable C2 infrastructure resistant to traditional takedowns. Delivers stealers upon passing anti-bot checks.
# IOC Analysis
The provided pulses offer a mix of infrastructure and file-based indicators:
- Domains & URLs: A significant number of domains (e.g., fifa.gold, trindastal.com, driver-updater.net) are used for initial access and C2. SOC teams should immediately block these at the perimeter and DNS level.
- File Hashes: SHA256 and MD5 hashes are provided for the Node.js loaders, CastleLoader, and macOS payloads. These should be loaded into EDR solutions for process blocking and file scanning.
- Network Artifacts: Specific URLs and non-standard ports (e.g., :688) are observed. The use of blockchain RPC endpoints (BSC Testnet) for C2 by ClearFake is a critical behavioral indicator to hunt for, as standard IP blocking may be less effective against smart contract interactions.
Operational Guidance: Prioritize the domains and hashes in your blocklists. For the ClearFake activity, monitoring for processes initiating connections to known blockchain RPC nodes (specifically BSC testnet) from non-crypto user workstations is a high-value hunt.
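The guidance above (block the listed domains and hashes, isolate hosts that ran finger.exe) as an added Python example; this is not code from the pulses or from Security Arsenal. The three domains and two hashes are quoted from this page's IOC list; the proxy log lines, device and user names, the all-zero "benign" hash and the finger.exe target `c2-placeholder.example` are constructed placeholders. Domain matching is anchored on a label boundary so that a look-alike such as `notfifa.gold` does not match `fifa.gold`, and the finger.exe command line is parsed for its `[user]@host` argument so the contacted host can be fed back into the blocklist.

```python
"""IOC triage over constructed telemetry (added example; not code from the pulses or
Security Arsenal). Domains and hashes are quoted from this page's IOC list; log lines,
device/user names, the benign hash and the finger.exe target are constructed placeholders."""
import re
from urllib.parse import urlsplit

# IOC domains quoted from the page (a subset); match the domain and any subdomain of it.
BLOCKED_DOMAINS = {"fifa.gold", "trindastal.com", "driver-updater.net"}
# SHA256 hashes quoted from the page's PowerShell hunt script (a subset).
BLOCKED_SHA256 = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
}


def normalize_host(host):
    return host.strip().lower().rstrip(".")


def domain_ioc(host, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers host, or None.
    Anchored on a label boundary: 'login.fifa.gold' matches, 'notfifa.gold' does not."""
    h = normalize_host(host)
    for d in blocklist:
        if h == d or h.endswith("." + d):
            return d
    return None


FINGER_TARGET = re.compile(r"@([a-z0-9.-]+)", re.IGNORECASE)


def finger_target(cmdline):
    """finger.exe takes a single [user]@host argument; return the host for enrichment."""
    m = FINGER_TARGET.search(cmdline or "")
    return normalize_host(m.group(1)) if m else None


# Constructed proxy log: timestamp device user method url
PROXY_LOG = """\
2026-05-30T10:12:01Z ws-017 jdoe GET https://login.fifa.gold/auth
2026-05-30T10:12:05Z ws-017 jdoe GET https://www.microsoft.com/
2026-05-30T10:13:00Z ws-022 asmith GET http://driver-updater.net/update.exe
2026-05-30T10:14:10Z ws-031 bkim GET https://notfifa.gold/
"""

# Constructed EDR file events: (sha256, device, path). The first hash is a page IOC,
# the all-zero hash is a constructed benign value.
FILE_EVENTS = [
    ("bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "ws-022",
     r"C:\Users\asmith\Downloads\update.exe"),
    ("0" * 64, "ws-017", r"C:\Windows\notepad.exe"),
]

# Constructed process-creation events; the finger.exe target is a placeholder host.
PROCESS_EVENTS = [
    {"device": "ws-017", "user": "jdoe", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger.exe j@c2-placeholder.example"},
    {"device": "ws-005", "user": "admin", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]


def triage(proxy_log=PROXY_LOG, file_events=FILE_EVENTS, process_events=PROCESS_EVENTS):
    """Match every telemetry source against the IOCs and return one finding per hit."""
    findings = []
    for line in proxy_log.splitlines():
        _ts, device, user, _method, url = line.split(" ", 4)
        ioc = domain_ioc(urlsplit(url).hostname or "")
        if ioc:
            findings.append({"type": "domain", "device": device, "user": user, "ioc": ioc, "url": url})
    for sha256, device, path in file_events:
        if sha256.lower() in BLOCKED_SHA256:
            findings.append({"type": "hash", "device": device, "ioc": sha256, "path": path})
    for ev in process_events:
        if ev["image"].lower().endswith("\\finger.exe"):
            findings.append({"type": "finger", "device": ev["device"], "user": ev["user"],
                             "ioc": finger_target(ev["cmdline"]), "cmdline": ev["cmdline"]})
    return findings


def affected_devices(findings):
    """Devices with at least one finding: the isolation candidates from the response priorities."""
    return sorted({f["device"] for f in findings})


def new_blocklist_entries(findings, blocklist=BLOCKED_DOMAINS):
    """Hosts contacted by finger.exe that are not yet covered by the domain blocklist."""
    return sorted({f["ioc"] for f in findings
                   if f["type"] == "finger" and f["ioc"] and domain_ioc(f["ioc"], blocklist) is None})


if __name__ == "__main__":
    found = triage()
    for f in found:
        print(f)
    print("isolate:", affected_devices(found))
    print("add to blocklist:", new_blocklist_entries(found))
```

Run stand-alone it prints four findings (two domain hits, one hash hit, one finger.exe execution), the two devices to isolate, and the finger.exe target as a blocklist candidate. Swap the constructed inputs for your proxy, EDR file and process-creation exports to reuse it.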
# Detection Engineering
```yaml
title: Potential ClickFix BackgroundFix Activity via Finger.EXE
id: 8c2e9a12-7d4f-4b9e-8c1a-1f3e5d6b7a8c
description: Detects the execution of finger.exe initiated by a user shell or script, which is often abused by ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6364a1c8-1d4c-4e9f-9b3a-4c8d5e6f7a8b
tags:
  - attack.defense_evasion
  - attack.t1202
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legit:
    CommandLine|contains: 'windows.microsoft.com'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administration using legacy tools (rare)
level: high
```

```yaml
title: Suspicious PowerShell Clipboard Invocation (ClickFix Pattern)
id: 9d3f0b23-8e5g-5c0f-9d2b-5g9e6f7g8b9c
description: Detects PowerShell commands that appear to paste clipboard content or execute commands matching the ClickFix social engineering pattern.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6364a1c8-1d4c-4e9f-9b3a-4c8d5e6f7a8b
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith: '\powershell.exe'
  selection_clipboard:
    CommandLine|contains:
      - 'Get-Clipboard'
      - 'cb'   # very short substring; only the AND with selection_suspicious_cmd keeps this from being noisy
  selection_suspicious_cmd:
    CommandLine|contains:
      - 'iex'
      - 'Invoke-Expression'
  condition: all of selection_*
falsepositives:
  - Administrative scripts utilizing clipboard data
level: medium
```

```yaml
title: Potential ClearFake EtherHiding C2 Communication
id: 0e4g1c34-9f6h-6d1g-0e3c-6h0f7g8h9i0d
description: Detects processes connecting to BNB Smart Chain Testnet RPC endpoints, a tactic used by ClearFake for C2 hiding.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6364a1c8-1d4c-4e9f-9b3a-4c8d5e6f7a8c
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'bsc-testnet'
      - 'data-seed-prebsc-1-s1'
    DestinationPort: 8545   # default JSON-RPC port; RPC nodes reachable over 443 will not match this clause
  filter_crypto_user:
    User|contains:
      - 'crypto-trader'
      - 'dev-admin'
  condition: selection and not filter_crypto_user
falsepositives:
  - Legitimate Web3 developers testing on testnet
level: high
```
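To check what the three rules above actually fire on before they go into a SIEM, here is an added Python evaluator run over constructed events. It is not the Sigma project's engine: it implements only the `|endswith` and `|contains` modifiers (case-insensitive, as Sigma specifies), exact matching, and the three condition forms these rules use, with each condition written as a lambda rather than parsed. Image paths, user names and the RPC host names ending in `rpc-placeholder.example` are constructed; the rule contents are copied from the rules above.

```python
"""Tiny evaluator for the three Sigma rules above, run over constructed events.
Added example, not the Sigma project's engine: only |endswith, |contains, exact match
and the condition forms these rules use are implemented. Sigma string matching is
case-insensitive, which is why every comparison lowercases."""


def _as_list(v):
    return v if isinstance(v, list) else [v]


def match_field(event, key, values):
    """One 'Field|modifier: values' line; the listed values are OR-ed together."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "":                      # exact match, e.g. DestinationPort: 8545
        return actual in _as_list(values)
    actual = str(actual).lower()
    wanted = [str(v).lower() for v in _as_list(values)]
    if modifier == "endswith":
        return any(actual.endswith(w) for w in wanted)
    if modifier == "contains":
        return any(w in actual for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(event, selection):
    """Field lines inside one selection are AND-ed."""
    return all(match_field(event, k, v) for k, v in selection.items())


FINGER_RULE = {
    "title": "Potential ClickFix BackgroundFix Activity via Finger.EXE",
    "category": "process_creation",
    "selections": {
        "selection": {"Image|endswith": "\\finger.exe",
                      "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]},
        "filter_legit": {"CommandLine|contains": "windows.microsoft.com"},
    },
    "condition": lambda s: s["selection"] and not s["filter_legit"],
}

CLIPBOARD_RULE = {
    "title": "Suspicious PowerShell Clipboard Invocation (ClickFix Pattern)",
    "category": "process_creation",
    "selections": {
        "selection_pwsh": {"Image|endswith": "\\powershell.exe"},
        "selection_clipboard": {"CommandLine|contains": ["Get-Clipboard", "cb"]},
        "selection_suspicious_cmd": {"CommandLine|contains": ["iex", "Invoke-Expression"]},
    },
    "condition": lambda s: all(v for k, v in s.items() if k.startswith("selection_")),  # all of selection_*
}

ETHERHIDING_RULE = {
    "title": "Potential ClearFake EtherHiding C2 Communication",
    "category": "network_connection",
    "selections": {
        "selection": {"DestinationHostname|contains": ["bsc-testnet", "data-seed-prebsc-1-s1"],
                      "DestinationPort": 8545},
        "filter_crypto_user": {"User|contains": ["crypto-trader", "dev-admin"]},
    },
    "condition": lambda s: s["selection"] and not s["filter_crypto_user"],
}

ALL_RULES = [FINGER_RULE, CLIPBOARD_RULE, ETHERHIDING_RULE]

# Constructed events; users and the *.rpc-placeholder.example hosts are placeholders, not IOCs.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "category": "process_creation", "User": "ws-017\\jdoe",
     "Image": "C:\\Windows\\System32\\finger.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "finger user@c2-placeholder.example"},
    # same binary spawned by explorer.exe: outside the rule's parent list, no hit
    {"id": "e2", "category": "process_creation", "User": "ws-017\\jdoe",
     "Image": "C:\\Windows\\System32\\finger.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "finger"},
    {"id": "e3", "category": "process_creation", "User": "ws-017\\jdoe", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (Get-Clipboard)"'},
    # 'cb' in a script path trips selection_clipboard, but without iex the AND fails
    {"id": "e4", "category": "process_creation", "User": "ws-005\\admin", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -File C:\\scripts\\cb_rotate.ps1"},
    {"id": "e5", "category": "network_connection", "User": "ws-017\\jdoe",
     "DestinationHostname": "data-seed-prebsc-1-s1.rpc-placeholder.example", "DestinationPort": 8545},
    # same destination from an allow-listed account is filtered out
    {"id": "e6", "category": "network_connection", "User": "crypto-trader01",
     "DestinationHostname": "bsc-testnet.rpc-placeholder.example", "DestinationPort": 8545},
    # port 443 does not satisfy the rule's exact port clause
    {"id": "e7", "category": "network_connection", "User": "ws-031\\bkim",
     "DestinationHostname": "bsc-testnet.rpc-placeholder.example", "DestinationPort": 443},
]


def evaluate(rules, events):
    """Return (event id, rule title) pairs for every rule whose condition holds."""
    hits = []
    for ev in events:
        for rule in rules:
            if ev["category"] != rule["category"]:
                continue
            results = {name: match_selection(ev, sel) for name, sel in rule["selections"].items()}
            if rule["condition"](results):
                hits.append((ev["id"], rule["title"]))
    return hits


if __name__ == "__main__":
    for event_id, title in evaluate(ALL_RULES, SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Events e1, e3 and e5 fire; e2, e4, e6 and e7 show the four ways the rules stay quiet (parent not in the list, `cb` without `iex`, allow-listed user, and a non-8545 port). That last case is the one to think about before deployment: if the RPC nodes in your environment are reached over 443, the port clause of the EtherHiding rule needs widening, at the cost of the user allow-list doing more of the work.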
```kql
// Hunt for ClickFix finger.exe activity, node.exe child processes (LofyStealer loader) and network connections to malicious domains
let MaliciousDomains = pack_array('trindastal.com', 'poronto.com', 'brionter.com', 'giovettiadv.com', 'driver-updater.net', 'live.ong', 'fifa.gold', 'fifa.black', 'fifa.tax', 'fifaweb.com', 'fifa.red', 'fifa.fund', 'fifa-com.shop');
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "finger.exe" or InitiatingProcessFileName =~ "node.exe"
// DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine
| extend CommandLineCheck = iff(isempty(ProcessCommandLine), "NoCmd", ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine = CommandLineCheck, InitiatingProcessFileName, FolderPath
| union (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any (MaliciousDomains) or RemoteIP == "148.178.22.16"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine)
```
```powershell
# IOC Hunt Script: ClickFix and LofyStealer Artifacts
# Requires Admin Privileges (full file-system read and Security log access)
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)
Write-Host "[+] Scanning for Malicious File Hashes..."
# Get fixed drives
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
foreach ($Drive in $Drives) {
    Write-Host "[INFO] Scanning drive:" $Drive.Root
    try {
        # Recursively get files (limit to common payload locations to improve performance)
        $Paths = @("$($Drive.Root)Users\", "$($Drive.Root)ProgramData\", "$($Drive.Root)Temp\", "$($Drive.Root)Windows\Temp\")
        foreach ($Path in $Paths) {
            if (Test-Path $Path) {
                # -File skips directories, which Get-FileHash cannot hash
                Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                    $FilePath = $_.FullName
                    try {
                        $Hash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
                        if ($MaliciousHashes -contains $Hash) {
                            Write-Host "[!!!] MALICIOUS FILE DETECTED: $FilePath (Hash: $Hash)" -ForegroundColor Red
                        }
                    } catch {
                        # Ignore access errors (locked or permission-denied files)
                    }
                }
            }
        }
    } catch {
        Write-Host "[ERROR] Error scanning drive" $Drive.Root
    }
}
Write-Host "[+] Checking for Suspicious Node.js Processes..."
# LofyStealer's loader is a ~53.5MB Node.js binary, so a large node.exe working set is the first thing to look at
$NodeProcesses = Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "node.exe" -and $_.WorkingSetSize -gt 50000000 } # > 50MB
if ($NodeProcesses) {
    Write-Host "[!] Large Node.js process detected (Potential LofyStealer Loader):"
    $NodeProcesses | Select-Object ProcessId, CommandLine, WorkingSetSize | Format-Table
}
Write-Host "[+] Checking for Finger.exe Execution..."
# Event 4688 requires process-creation auditing to be enabled. Its NewProcessName field holds the
# full path, so an exact XPath match on 'finger.exe' never fires; filter on the message text instead.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\finger\.exe' } |
    Select-Object -First 10
if ($Events) {
    Write-Host "[!] Finger.exe execution events found in Security Log:"
    $Events | Select-Object TimeCreated, Message | Format-List
}
```
# Response Priorities
* **Immediate:**
* Block all listed domains and IPs at the network edge and proxy.
* Block the provided file hashes in EDR and antivirus.
* Isolate any endpoints exhibiting `finger.exe` execution patterns or large Node.js memory footprints unrelated to development.
* **24 Hours:**
* Conduct credential resets for any accounts accessed from infected endpoints (focus on crypto wallets, email, and banking).
* Scan web servers for signs of ClearFake compromise (injected JS referring to BSC contracts).
* Validate macOS endpoints for JINX-0164 indicators if their users interact with LinkedIn recruiters or install NPM packages.
* **1 Week:**
* Review and harden browser extension policies to prevent tampering by stealers like Vidar and Lumma.
* Implement application control to restrict the execution of `finger.exe` and unsigned Node.js binaries on user workstations.
* Conduct security awareness training focused on "too good to be true" gaming mods, World Cup ticket scams, and LinkedIn recruitment scams.