
ClickFix, LofyStealer & JINX-0164: Multi-Vector Campaigns Targeting Developers & Gamers — OTX Pulse Analysis

Security Arsenal Team
June 1, 2026

Live OTX pulse data reveals a convergence of sophisticated social engineering campaigns targeting diverse sectors, including casual users, gamers, and high-value cryptocurrency developers.

The ClickFix campaign masquerades as a "BackgroundFix" image tool, deceiving users into executing commands via finger.exe to deploy a complex malware chain: CastleLoader serves as the initial access vector, which subsequently drops NetSupport RAT for remote access and the CastleStealer module for data exfiltration.

Simultaneously, the LofyGang group is actively distributing LofyStealer (also identified as GrabBot or Slinky). This two-stage malware specifically targets Minecraft players. It utilizes a large Node.js loader to mask a C++ payload that operates directly in memory, harvesting credentials and financial data from multiple browsers.

In the financial and technology sectors, the threat actor JINX-0164 is conducting precision supply-chain attacks. Operating since mid-2025, they leverage LinkedIn phishing and compromised CI/CD pipelines to deliver custom macOS malware—AUDIOFIX (a Python RAT/infostealer) and MINIRAT (a Go backdoor)—specifically against cryptocurrency organizations to hijack software development infrastructure.

Threat Actor / Malware Profile

ClickFix (BackgroundFix)

  • Distribution: Social engineering lures via fake image-editing tools ("BackgroundFix"). Prompts users to "verify they are human" by copying malicious commands to the clipboard.
  • Payload Behavior: Uses finger.exe to retrieve payloads. Drops CastleLoader, which functions as a loader for NetSupport RAT (remote access) and CastleStealer (data theft).
  • C2 Communication: Likely standard HTTP/HTTPS on non-standard ports (e.g., 688) or over specific domains associated with the campaign.
  • Persistence: NetSupport RAT typically establishes persistence via registry run keys or scheduled tasks.
  • Anti-Analysis: Uses reflective loading techniques; the social engineering lure, rather than any exploit, is relied on to get past the user's initial scrutiny.

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting the Minecraft gaming community, often distributed through illicit game modifications or "cheat" clients.
  • Payload Behavior: Two-stage architecture. A large (~53.5MB) Node.js loader acts as a trojanized library, which decrypts and loads a smaller (~1.4MB) native C++ payload directly into memory (fileless execution).
  • Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from eight popular browsers. Uses a "chromelevator" module to elevate privileges for browser data access. Uses syscall-based evasion to avoid detection.
  • Persistence: Not explicitly detailed in the pulse, but similar stealers often use scheduled tasks or user profile startup folders.

JINX-0164

  • Distribution: LinkedIn-based social engineering (posing as recruiters/partners) and supply chain attacks (npm trojan, CI/CD hijacking).
  • Payload Behavior: Delivers AUDIOFIX, a Python-based infostealer and RAT, and MINIRAT, a lightweight Go backdoor. Targets macOS environments.
  • C2 Communication: Uses custom C2 protocols; IoCs include domains like driver-updater.net and login.teamicrosoft.com.
  • Persistence: Likely uses LaunchAgents or LaunchDaemons on macOS.

IOC Analysis

The provided IoCs consist of domains, hostnames, URLs, and file hashes (SHA256, SHA1, MD5).

  • Domains & Hostnames:

    • ClickFix: trindastal.com, poronto.com, brionter.com
    • JINX-0164: driver-updater.net, login.teamicrosoft.com, live.ong, teams.live.us.org, www.live.us.org
    • SOC Operationalization: These should be added to DNS blocklists (RPZ) and firewall deny-lists. Security tools can use passive DNS to map infrastructure relationships.
  • URLs:

    • http://giovettiadv.com:688, http://poronto.com:688 (ClickFix)
    • http://89.36.224.5/troubleshoot/mac/install.sh (JINX-0164)
    • SOC Operationalization: Block these specific URLs. The script URL is a clear indicator of a download attempt and can be detected by network proxy/DLP solutions.
  • File Hashes:

    • ClickFix: bde21d8b..., ed391a1..., f5dbaa0...
    • LofyStealer: d21a5d0... (MD5), fb203c0... (MD5), 293006c... (SHA256), 45d404e... (SHA256)
    • JINX-0164: b6cab0b... (SHA256)
    • SOC Operationalization: Hashes are for EDR and antivirus signature updates. The LofyStealer hashes are critical for hunting for the large Node.js loader on endpoints.
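The RPZ and passive-DNS advice above, turned into a small working script (an added example, not part of the original pulse analysis): it emits a BIND response-policy zone from the page's domain IoCs and hunts a few constructed DNS query log lines for hits, including subdomains of a blocked domain.

```python
import re

# Domains taken from the IOC Analysis above (ClickFix and JINX-0164 sets)
CLICKFIX_DOMAINS = ["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"]
JINX_DOMAINS = ["driver-updater.net", "login.teamicrosoft.com", "live.ong",
                "teams.live.us.org", "www.live.us.org"]
BLOCKED_DOMAINS = CLICKFIX_DOMAINS + JINX_DOMAINS

def rpz_zone(domains, zone="rpz.local", serial=2026060101):
    """Build a BIND RPZ zone that returns NXDOMAIN for each IoC domain and its subdomains.
    Zone name and serial are assumptions; adjust to your resolver."""
    lines = [f"$ORIGIN {zone}.",
             f"@ 3600 IN SOA localhost. root.localhost. {serial} 3600 900 604800 60",
             "@ 3600 IN NS localhost."]
    for d in sorted(set(domains)):
        lines.append(f"{d} CNAME .")      # exact match -> NXDOMAIN
        lines.append(f"*.{d} CNAME .")    # any subdomain -> NXDOMAIN
    return "\n".join(lines) + "\n"

def matches_blocklist(qname, blocked=BLOCKED_DOMAINS):
    """True if the queried name equals a blocked domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == b or q.endswith("." + b) for b in blocked)

# Constructed BIND-style query log lines, not real telemetry
SAMPLE_DNS_LOG = """\
01-Jun-2026 09:14:02.118 client 10.0.4.21#51312: query: poronto.com IN A + (10.0.0.53)
01-Jun-2026 09:14:05.004 client 10.0.4.21#51313: query: cdn.brionter.com IN A + (10.0.0.53)
01-Jun-2026 09:15:10.771 client 10.0.4.30#49881: query: teams.live.us.org IN A + (10.0.0.53)
01-Jun-2026 09:15:12.030 client 10.0.4.30#49882: query: github.com IN A + (10.0.0.53)
01-Jun-2026 09:16:00.500 client 10.0.4.31#49900: query: notlive.ong IN A + (10.0.0.53)
"""
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def hunt_dns_log(text):
    """Return (source_ip, qname) for every query that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits

if __name__ == "__main__":
    print(rpz_zone(BLOCKED_DOMAINS))
    for src, qname in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"[!] {src} queried {qname}")
```

Note that `notlive.ong` is deliberately not matched: the suffix check requires a label boundary, which a naive substring match would miss.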

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix BackgroundFix Execution via Finger.exe
id: 7c1c8f9e-6b4a-4e9f-a5d8-1b3f5e7c9a1b
description: Detects the execution of finger.exe with a command line that includes an IP address or a domain, which is a technique used by the ClickFix/BackgroundFix campaign to retrieve payloads.
status: experimental
author: Security Arsenal
date: 2026/06/01
references:
    - https://otx.alienvault.com/pulse/665c0e078b728d31f0000000/
tags:
    - attack.initial_access
    - attack.t1189  # Drive-by Compromise (social engineering)
    - attack.t1105 # Ingress Tool Transfer
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    filter_legit:
        CommandLine|contains:
            - 'localhost'
            - '127.0.0.1'
    condition: selection and not filter_legit
falsepositives:
    - Unlikely; legitimate use of finger.exe is rare and typically internal.
level: high
---
title: Suspicious PowerShell Script Content from Clipboard
id: 1d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f60
description: Detects PowerShell scripts that appear to paste content from the clipboard or have characteristics of social engineering lures like "BackgroundFix", which is consistent with ClickFix activity.
status: experimental
author: Security Arsenal
date: 2026/06/01
references:
    - https://otx.alienvault.com/pulse/665c0e078b728d31f0000000/
tags:
    - attack.execution
    - attack.t1059.001 # PowerShell
logsource:
    category: process_creation
    product: windows
detection:
    selection_clipboard:
        CommandLine|contains:
            - 'Get-Clipboard'
            - '[Windows.Forms.Clipboard]'
    selection_lure_keywords:
        CommandLine|contains:
            - 'BackgroundFix'
            - 'clickfix'
            - 'verify you are human'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts that legitimately use clipboard functions.
level: medium
---
title: LofyStealer Potential Payload Indicator
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
description: Detects a potential LofyStealer loader by looking for node.exe running a JavaScript file from a Minecraft-related location or from outside the standard Node.js install and project paths. Process size is not available in process_creation events, so the ~53.5MB loader itself must be hunted via file hashes on the endpoint.
status: experimental
author: Security Arsenal
date: 2026/06/01
references:
    - https://otx.alienvault.com/pulse/6659c9a68b728d31f0000000/
tags:
    - attack.execution
    - attack.t1059.007 # JavaScript (Node.js loader)
    - attack.initial_access
    - attack.t1566.001 # Spearphishing Attachment (social engineering lure)
logsource:
    category: process_creation
    product: windows
detection:
    selection_node:
        Image|endswith: '\node.exe'
    selection_js:
        CommandLine|contains: '.js'
    # Script launched from a Minecraft-related location (loader ships with game mods / cheat clients)
    selection_game_dir:
        CommandLine|contains:
            - 'minecraft'
            - '\mods\'
    # node.exe running from a standard install or project location
    filter_standard_path:
        Image|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
            - '\node_modules\'
    # Process size is not exposed in process_creation events; the ~53.5MB loader
    # is hunted via the file hashes listed above, not here.
    condition: selection_node and selection_js and (selection_game_dir or not filter_standard_path)
falsepositives:
    - Legitimate use of Node.js for game servers or development outside Program Files.
level: medium
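To sanity-check the two ClickFix rules above before deploying them, here is an added example (not part of the original analysis) that applies the same selection and filter logic to a handful of constructed Windows process-creation events, matching case-insensitively as Sigma's `contains` does, and surfaces the host that finger.exe was pointed at so it can be blocked alongside the campaign domains.

```python
import re

RULE_FINGER = "Potential ClickFix BackgroundFix Execution via Finger.exe"
RULE_CLIPBOARD = "Suspicious PowerShell Script Content from Clipboard"

LOOPBACK_MARKERS = ("localhost", "127.0.0.1")                # filter_legit in rule 1
CLIPBOARD_MARKERS = ("get-clipboard", "[windows.forms.clipboard]")
LURE_KEYWORDS = ("backgroundfix", "clickfix", "verify you are human")
FINGER_TARGET_RE = re.compile(r"@(?P<host>[A-Za-z0-9.\-]+)")  # finger [user]@host

def evaluate(event):
    """Apply both rules to one event. Sigma 'contains' is case-insensitive, so lower() everything."""
    image, cmd = event["Image"].lower(), event["CommandLine"].lower()
    alerts = []
    if image.endswith("\\finger.exe") and not any(m in cmd for m in LOOPBACK_MARKERS):
        m = FINGER_TARGET_RE.search(cmd)
        # report the contacted host: that is the value worth adding to the blocklist
        alerts.append((RULE_FINGER, m.group("host") if m else "<no target in command line>"))
    if any(k in cmd for k in CLIPBOARD_MARKERS + LURE_KEYWORDS):
        alerts.append((RULE_CLIPBOARD, event["CommandLine"]))
    return alerts

def clickfix_alerts(events):
    """Return all (rule_title, detail) alerts for a batch of events."""
    return [a for ev in events for a in evaluate(ev)]

# Constructed Windows process-creation events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe", "CommandLine": "finger.exe abc@203.0.113.10"},
    {"Image": r"C:\Windows\System32\finger.exe", "CommandLine": "finger admin@localhost"},
    {"Image": r"C:\Windows\System32\finger.exe", "CommandLine": "finger.exe root@127.0.0.1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -c Get-Clipboard"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Tools\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo Loading BackgroundFix image tool..."},
]

if __name__ == "__main__":
    for rule, detail in clickfix_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```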

KQL Hunt Queries

KQL — Microsoft Sentinel / Defender
// Run each numbered block as a separate query: Advanced Hunting and Log Analytics
// do not accept several tabular queries in one batch.

// 1. ClickFix: finger.exe usage with a non-loopback target (=~ is case-insensitive)
DeviceProcessEvents
| where FileName =~ "finger.exe"
| where not(ProcessCommandLine has_any ("localhost", "127.0.0.1"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| limit 100

// 2. ClickFix: network connections to known campaign domains or the observed non-standard port
let ClickFixDomains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"]);
DeviceNetworkEvents
| where RemoteUrl has_any (ClickFixDomains) or RemotePort == 688
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessAccountName, InitiatingProcessFileName

// 3. LofyStealer: node.exe running a .js file outside Program Files.
//    Process memory size is not exposed here, but FileSize (size of the image on disk)
//    is; the loader is ~53.5MB, so sort or filter on ImageSizeMB as a secondary signal.
DeviceProcessEvents
| where FileName =~ "node.exe"
| where FolderPath !contains "Program Files"
| where ProcessCommandLine contains ".js"
| extend ImageSizeMB = round(todouble(FileSize) / 1048576, 1)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, ImageSizeMB, SHA256
| limit 200

// 4. JINX-0164: connections to actor domains, with the OS platform pulled from DeviceInfo
//    (only useful if macOS endpoints report into Defender/Sentinel)
let JINX0164Domains = dynamic(["driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org", "www.live.us.org"]);
DeviceNetworkEvents
| where RemoteUrl has_any (JINX0164Domains)
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, OSPlatform) by DeviceId) on DeviceId
| project Timestamp, DeviceName, OSPlatform, RemoteUrl, RemoteIP, InitiatingProcessAccountName

PowerShell IOC Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunts for indicators of ClickFix, LofyStealer, and JINX-0164.
.DESCRIPTION
    This script scans the local system for file hashes, processes, and registry keys
    associated with the described threats.
.NOTES
    File Name: OTX-Threat-Hunt.ps1
    Author:   Security Arsenal
#>

# Hashes from the OTX pulses
$TargetHashes = @(
    # ClickFix
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    # LofyStealer
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    # JINX-0164
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

# Domains to look for in the local DNS client cache (no elevation required)
$SuspiciousDomains = @(
    "trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com",
    "driver-updater.net", "login.teamicrosoft.com", "live.ong",
    "teams.live.us.org", "www.live.us.org"
)

Write-Host "[+] Starting OTX Threat Hunt..." -ForegroundColor Cyan

# 1. Check for known file hashes (requires full disk scan, limited scope for speed)
Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Yellow
$DrivesToScan = @("C:\Users\", "C:\ProgramData\")
foreach ($drive in $DrivesToScan) {
    if (Test-Path $drive) {
        Get-ChildItem -Path $drive -Recurse -ErrorAction SilentlyContinue -File |
        Where-Object { $_.Extension -match '\.(exe|dll|ps1|js|jar|sh)$' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -in $TargetHashes) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 2. Check for running suspicious processes
Write-Host "[+] Checking for suspicious running processes..." -ForegroundColor Yellow

# ClickFix: finger.exe
$fingerProc = Get-Process finger -ErrorAction SilentlyContinue
if ($fingerProc) {
    Write-Host "[!] Suspicious 'finger.exe' process running. PID(s): $($fingerProc.Id -join ', ')" -ForegroundColor Red
}

# LofyStealer: node.exe (potential)
$nodeProcs = Get-Process node -ErrorAction SilentlyContinue
foreach ($proc in $nodeProcs) {
    # This is a basic check. A more advanced version would scan the process's memory or main module.
    # We can check the path of the executable.
    try {
        $procPath = $proc.MainModule.FileName
        if ($procPath -and !($procPath -like "*Program Files*")) {
            Write-Host "[!] Suspicious 'node.exe' process running from non-standard path: $procPath" -ForegroundColor Yellow
        }
    } catch {
        # Ignore errors for system processes
    }
}

# 3. Check the DNS client cache for the suspicious domains (covers both the ClickFix and
#    JINX-0164 sets). JINX-0164 persistence is macOS-specific (LaunchAgents/LaunchDaemons),
#    so no Windows scheduled-task check is done for that actor.
Write-Host "[+] Checking DNS client cache for suspicious domains..." -ForegroundColor Yellow
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $SuspiciousDomains) {
    $hits = $dnsCache | Where-Object { $_.Entry -like "*$domain" }
    foreach ($hit in $hits) {
        Write-Host "[!] Suspicious domain in DNS cache: $($hit.Entry) -> $($hit.Data)" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Cyan


Response Priorities

Immediate (Next 4 Hours)

  • Block IOCs: Immediately add all domains, hostnames, and URLs listed in the IOC Analysis to your firewalls, web proxies, and DNS blocklists (e.g., Cisco Umbrella, Palo Alto).
  • Endpoint Scan: Deploy a custom IOC hunt (using the provided PowerShell script or an equivalent EDR query) across all endpoints to identify and isolate any systems hosting the known file hashes or running the suspicious processes (e.g., finger.exe from user context).

24 Hours

  • Credential Audit: If a compromise is suspected or confirmed, initiate a forced password reset for all users, particularly those with administrative privileges or access to sensitive systems. Assume browser-stored credentials are compromised, given the infostealer capabilities of this malware.
  • Threat Hunt: Conduct a broader hunt for network connections to the listed non-standard ports (e.g., 688) and unusual outbound traffic.

1 Week

  • User Awareness Training: Conduct targeted security awareness training for all employees, focusing on:
    • Recognizing social engineering lures like "BackgroundFix" or "verify you are human" prompts.
    • Verifying the authenticity of communications on professional networks like LinkedIn, especially for recruiters or partners sending files or links.
  • macOS Hardening: For development teams, especially in the crypto sector, enhance macOS security controls. This includes enabling FileVault via fdesetup, enforcing Gatekeeper, and auditing any CI/CD pipelines for unauthorized packages or supply chain risks.
  • Application Control: Implement or review application whitelisting to prevent the execution of unauthorized tools like finger.exe or unexpected Node.js instances from non-standard directories.
