ClickFix, LofyStealer & JINX-0164 Campaigns: OTX Pulse Analysis — Enterprise Detection Pack | Security Arsenal

Threat Summary

Recent OTX pulses indicate a convergence of financially motivated threat activities leveraging diverse social engineering and supply-chain techniques. Three distinct campaigns—ClickFix, LofyStealer (LofyGang), and JINX-0164—are currently active.

Collectively, these threats demonstrate a shift towards specialized delivery mechanisms:

ClickFix utilizes fake "human verification" prompts to trigger clipboard hijacking, leveraging the legacy finger.exe utility to fetch payloads (CastleLoader, NetSupport RAT).
LofyGang targets the gaming sector (Minecraft) using a bulky Node.js loader to veil a memory-resident C++ infostealer (LofyStealer).
JINX-0164 focuses on the cryptocurrency sector, abusing LinkedIn recruiting and typosquatting domains (e.g., login.teamicrosoft.com) to deliver macOS-specific malware (AUDIOFIX, MINIRAT) via compromised CI/CD pipelines.

Threat Actor / Malware Profile

1. ClickFix (BackgroundFix)

Malware Families: CastleLoader, NetSupport RAT, CastleStealer
Distribution: Fake image-editing tools prompting "human verification".
Execution Chain: The lure copies malicious commands to the clipboard. The user executes them (often unknowingly via paste), invoking finger.exe to retrieve the CastleLoader payload, which then drops NetSupport RAT.
Persistence: NetSupport RAT typically establishes persistence via Registry Run keys or Scheduled Tasks.
Anti-Analysis: Uses reflective loading to keep payloads in memory.

2. LofyStealer (LofyGang)

Malware Families: LofyStealer, GrabBot, chromelevator
Target: Minecraft players.
Distribution: Social engineering, disguised as legitimate game mods/libraries.
Payload Behavior: Two-stage attack; a large 53.5MB Node.js loader unpacks a 1.4MB C++ payload that runs directly in memory.
C2/Objective: Exfiltrates cookies, passwords, tokens, and banking data from 8 distinct browsers.

3. JINX-0164

Malware Families: AUDIOFIX (Python RAT), MINIRAT (Go Backdoor)
Target: Cryptocurrency developers and infrastructure.
Distribution: LinkedIn phishing (recruiter persona), NPM trojans, typosquatting domains (login.teamicrosoft.com).
Platform: Specifically targets macOS environments.
Technique: Supply chain compromise via CI/CD hijacking to inject malicious scripts (install.sh).

IOC Analysis

The provided IOCs span multiple categories requiring distinct operational responses:

Domains & URLs (ClickFix/JINX): Indicators include trindastal.com, poronto.com, login.teamicrosoft.com, and driver-updater.net. SOC teams should immediately block these at the perimeter and DNS layer. The use of non-standard ports (e.g., :688) in ClickFix URLs is a key behavioral fingerprint.
File Hashes (SHA256/MD5): LofyStealer and JINX payloads are identified via specific hashes. EDR solutions should be configured to alert on execution matches for these hashes.
Hostnames: Typosquatting attempts (e.g., teams.live.us.org) suggest infrastructure spoofing. Certificate transparency logs or passive DNS replication can help identify sub-domain variations.

Tooling Recommendations:

SIEM: Correlate finger.exe execution with network connections to unknown IPs.
EDR: Hunt for the specific Node.js parent-child process relationships indicative of LofyStealer.

Detection Engineering

YAML

---
title: Potential ClickFix Activity via Finger.exe
id: 4e8a1c9a-1b3d-4c5f-9e8a-1b2c3d4e5f6g
description: Detects the use of finger.exe often associated with ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate administration usage (rare)
level: high
tags:
  - attack.execution
  - attack.t1059.001
---
title: Suspicious Domain Request - JINX-0164 Typosquatting
id: 5f9b2d0b-2c4e-5d6a-0f9b-2c3d4e5f6a7b
description: Detects network connections to known typosquatting domains used by JINX-0164 targeting crypto orgs.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'login.teamicrosoft.com'
      - 'teams.live.us.org'
      - 'driver-updater.net'
      - 'live.ong'
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
---
title: Potential LofyStealer Node.js Loader
id: 6a0c3e1c-3d5f-6e7b-1a0c-3d4e5f6a7b8c
description: Detects Node.js processes spawning unusual child processes or shell, indicative of LofyStealer loader activity.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate development tooling
level: medium
tags:
  - attack.execution
  - attack.t1059.003


kql
// Hunt for ClickFix finger.exe usage and JINX network indicators
let IOCs = dynamic(["trindastal.com", "poronto.com", "brionter.com", "login.teamicrosoft.com", "driver-updater.net", "live.ong", "teams.live.us.org", "www.driver-updater.net", "www.live.us.org"]);
let FileHashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9", "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"]);
// Network Activity
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteUrl contains ":688"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    // Process Activity for ClickFix and LofyStealer
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName =~ "finger.exe" or (InitiatingProcessVersionInfoOriginalFileName =~ "node.exe" and FileName in~("cmd.exe", "powershell.exe"))
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
)
| union (
    // File Hash Matches
    DeviceProcessEvents
    | where SHA256 in (FileHashes) or MD5 in ("d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf")
    | project Timestamp, DeviceName, AccountName, FileName, SHA256
)


powershell
# IOC Hunt Script for ClickFix and JINX-0164
# Requires Administrator Privileges

Write-Host "[+] Starting Threat Hunt: ClickFix & JINX-0164" -ForegroundColor Cyan

# 1. Check for running finger.exe processes (ClickFix)
$fingerProcess = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($fingerProcess) {
    Write-Host "[ALERT] finger.exe process detected! PID: $($fingerProcess.Id)" -ForegroundColor Red
    $fingerProcess | Select-Object Id, Path, StartTime
} else {
    Write-Host "[INFO] No finger.exe processes found." -ForegroundColor Green
}

# 2. Check Hosts File for JINX Typosquatting Domains
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @("login.teamicrosoft.com", "teams.live.us.org", "driver-updater.net", "live.ong")
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    $foundDomains = @()
    foreach ($domain in $maliciousDomains) {
        if ($hostsContent -match $domain) {
            $foundDomains += $domain
        }
    }
    if ($foundDomains.Count -gt 0) {
        Write-Host "[ALERT] Malicious domains found in hosts file:" -ForegroundColor Red
        $foundDomains | ForEach-Object { Write-Host " - $_" }
    } else {
        Write-Host "[INFO] No malicious hosts entries found." -ForegroundColor Green
    }
}

# 3. Scan for specific file hashes (Simulation of hash check on common download paths)
Write-Host "[INFO] Scanning user Downloads for specific hashes (limited scan)..." -ForegroundColor Cyan
# Note: Full disk hash scanning is resource intensive; this is a targeted example.
$targetHashes = @("bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17")
$downloadPath = "$env:USERPROFILE\Downloads"
if (Test-Path $downloadPath) {
    Get-ChildItem -Path $downloadPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($targetHashes -contains $fileHash) {
            Write-Host "[ALERT] Malicious file found: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan

Response Priorities

Immediate:
- Block all identified domains and URLs at the firewall and proxy level.
- Kill any instances of finger.exe running on non-admin workstations and quarantine the host.
- Block execution of the specific SHA256/MD5 hashes provided in the pulses via EDR policies.
24 Hours:
- Initiate credential reset and forced MFA re-enrollment for any users identified as potential victims of the infostealers (LofyStealer, CastleStealer).
- Investigate macOS devices for the presence of the AUDIOFIX or MINIRAT payloads (specifically checking for the install.sh script execution history).
1 Week:
- Conduct a security review of CI/CD pipelines and developer workstations, specifically checking for NPM package anomalies (JINX-0164 vector).
- Update application allowlisting policies to block unrecognized Node.js executables in user directories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

ClickFix, LofyStealer & JINX-0164 Campaigns: OTX Pulse Analysis — Enterprise Detection Pack