ClickFix, LofyStealer, and JINX-0164: Multi-Vector Campaigns Targeting Developers and Gamers — OTX Intelligence Briefing | Security Arsenal

Threat Summary

Recent intelligence from the OTX pulse feed indicates a convergence of sophisticated social engineering campaigns targeting specific demographics and industry verticals. The ClickFix campaign has evolved, now abusing the legacy finger.exe utility to deliver a malware chain consisting of CastleLoader, NetSupport RAT, and CastleStealer via clipboard hijacking. Simultaneously, LofyStealer (associated with LofyGang) is aggressively targeting the gaming community—specifically Minecraft players—using a complex Node.js and C++ in-memory execution framework to harvest browser credentials.

In a separate but equally critical campaign, the JINX-0164 threat actor has been observed conducting supply chain attacks and LinkedIn-based phishing against cryptocurrency and software development organizations. Their objective is the deployment of macOS-native malware (AUDIOFIX and MINIRAT) to hijack CI/CD pipelines and steal intellectual property. Collectively, these pulses highlight a trend toward precision targeting and the abuse of legitimate development tools for initial access.

Threat Actor / Malware Profile

ClickFix (CastleLoader, NetSupport RAT, CastleStealer)

Distribution Method: Social engineering lures masquerading as image-editing tools ("BackgroundFix"). Users are tricked into copying malicious commands to their clipboard which invoke finger.exe.
Payload Behavior: The chain starts with finger.exe retrieving an initial payload, leading to CastleLoader. This loader utilizes reflective loading techniques to drop NetSupport RAT (a remote access trojan) and CastleStealer (a .NET-based information stealer).
C2 Communication: Connects to hardcoded domains, often utilizing non-standard ports (e.g., 688) to bypass basic firewall filtering.
Persistence: Likely established via scheduled tasks or registry run keys associated with the NetSupport RAT component.

LofyStealer (LofyGang / GrabBot / Slinky)

Distribution Method: Social engineering targeting Minecraft players. Distributed as a fake game mod or utility.
Payload Behavior: A two-stage malware comprising a 53.5MB Node.js loader (obfuscated within legitimate libraries) and a 1.4MB native C++ payload. The C++ payload executes entirely in memory to evade disk-based scanning.
C2 Communication: Exfiltrates data to attacker-controlled servers.
Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from at least eight different web browsers.

JINX-0164 (AUDIOFIX, MINIRAT)

Distribution Method: LinkedIn phishing (posing as recruiters) and supply chain compromise via trojanized npm packages.
Payload Behavior: Targets macOS environments. Deploys AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go-based backdoor). Focuses on cryptocurrency wallet theft and developer credential harvesting.
Persistence: Uses launch agents or compromised shell scripts (e.g., install.sh) to maintain access.

IOC Analysis

The provided pulses contain high-fidelity Indicators of Compromise (IOCs) that should be prioritized for immediate blocking:

Domains & URLs: C2 infrastructure and phishing domains such as trindastal.com, poronto.com, driver-updater.net, and live.ong. Notable is the use of typosquatting (e.g., login.teamicrosoft.com and teams.live.us.org). URLs utilizing port 688 (:688) are specific to the ClickFix campaign.
File Hashes: A mix of MD5, SHA1, and SHA256 hashes corresponding to the Node.js loaders, C++ payloads, and macOS install scripts.
Operationalization: SOC teams should ingest these hashes into EDR solutions for immediate scanning. Domains must be blocked at the DNS layer and on secure web gateways. Network traffic analysis should specifically hunt for connections to non-standard ports (688) and connections involving finger.exe processes.

Detection Engineering

YAML

---
title: Potential ClickFix Activity via Finger.exe
id: 4e3b1c8f-9a2d-4b5c-8e1d-2f3a4b5c6d7e
status: experimental
description: Detects the execution of finger.exe, which is abused by the ClickFix campaign to fetch payloads via clipboard hijacking. Legacy utility usage is rare in modern environments.
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
author: Security Arsenal
date: 2026/06/03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\finger.exe'
        CommandLine|contains:
            - 'http'
    condition: selection
falsepositives:
    - Legitimate use of finger utility (rare)
level: high
---
title: Potential JINX-0164 macOS Payload Deployment
id: 5f4c2d9e-0b3e-5c6d-9f2e-3g4b5c6d7e8f
status: experimental
description: Detects macOS processes downloading shell scripts associated with JINX-0164 AUDIOFIX/MINIRAT campaigns targeting crypto firms.
references:
    - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
author: Security Arsenal
date: 2026/06/03
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        Image|endswith:
            - '/curl'
            - '/wget'
    selection_cli:
        CommandLine|contains:
            - 'install.sh'
            - 'driver-updater.net'
            - 'live.ong'
    condition: all of selection_*
falsepositives:
    - Legitimate software updates
level: high
---
title: Suspicious Node.js Loader Activity (LofyStealer)
id: 6g5d3e0f-1c4f-6d7e-0f3g-4h5c6d7e8f9g
status: experimental
description: Detects Node.js processes exhibiting behavior consistent with the LofyStealer loader, such as spawning child processes or hiding within legitimate library paths.
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
date: 2026/06/03
tags:
    - attack.defense_evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\node.exe'
        ParentImage|endswith:
            - '\node.exe'
        CommandLine|contains:
            - '.js'
    condition: selection
falsepositives:
    - Legitimate Node.js development workflows
level: medium


kql
// Hunt for ClickFix finger.exe execution and JINX-0164 Network Indicators
// Union of process creation and network events
DeviceProcessEvents
| where FileName =~ "finger.exe" 
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| union (
    DeviceNetworkEvents
    | where RemoteUrl has_any ("driver-updater.net", "live.ong", "trindastal.com", "poronto.com", "brionter.com", "teamicrosoft.com", "live.us.org")
    | project Timestamp, DeviceName, RemoteUrl, RemotePort, RemoteIP, InitiatingProcessAccountName
)
| union (
    DeviceNetworkEvents
    | where RemotePort == 688 // Specific to ClickFix C2
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP
)


powershell
# IOC Hunt Script for ClickFix and LofyStealer Payloads
# Checks for running finger.exe processes and scans for specific file hashes

$ClickFixHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb"
)

$LofyHashes = @(
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

# Check for finger.exe process
$fingerProc = Get-Process -Name finger -ErrorAction SilentlyContinue
if ($fingerProc) {
    Write-Host "[ALERT] finger.exe process detected (Potential ClickFix Activity) - PID: $($fingerProc.Id)" -ForegroundColor Red
}

# Scan common directories for malware hashes
$pathsToScan = @("$env:TEMP", "$env:APPDATA", "C:\Users\Public", "C:\Windows\Temp")

foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($fileHash -in $ClickFixHashes) {
                Write-Host "[ALERT] ClickFix Payload found: $($_.FullName)" -ForegroundColor Red
            }
            if ($fileHash -in $LofyHashes) {
                Write-Host "[ALERT] LofyStealer Payload found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Response Priorities

Immediate: Block all listed domains and hostnames at the DNS and Firewall level. Hunt for and isolate any endpoints exhibiting finger.exe execution or connections to port 688.
24h: If credential-stealing malware (LofyStealer/CastleStealer) is suspected, initiate identity verification and forced password resets for affected accounts, particularly developers and admins.
1 Week: Conduct architecture hardening by restricting the use of legacy utilities (like finger.exe) via Application Control policies. Review and secure software supply chain pipelines (npm packages) and validate LinkedIn recruiting communication channels.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

ClickFix, LofyStealer, and JINX-0164: Multi-Vector Campaigns Targeting Developers and Gamers — OTX Intelligence Briefing