ClickFix, LofyStealer & JINX-0164: Multi-Vector Credential Theft Campaign Analysis — OTX Pulse Intelligence Pack | Security Arsenal

Threat Summary

The OTX pulses from 2026-05-27 through 2026-05-30 reveal a coordinated surge in credential theft and infostealer campaigns targeting diverse sectors. Five distinct threat operations are leveraging sophisticated delivery mechanisms ranging from social engineering lures to blockchain-based C2 infrastructure:

ClickFix Campaign: Masquerading as free image-editing tools (BackgroundFix), this campaign uses clipboard manipulation and finger.exe to deliver CastleLoader, which subsequently deploys NetSupport RAT and CastleStealer—targeting browser credentials and system data.
LofyStealer: A two-stage infostealer specifically targeting Minecraft players through social engineering. The 53.5MB Node.js loader delivers a 1.4MB C++ memory-resident payload that extracts credentials from eight browser types.
JINX-0164: A financially motivated actor active since mid-2025, conducting supply chain attacks against cryptocurrency organizations via LinkedIn phishing, deploying macOS malware (AUDIOFIX, MINIRAT).
GHOST STADIUM: A Chinese-speaking operation running a massive phishing ecosystem targeting the 2026 FIFA World Cup with over 4,300 fraudulent domains, delivering Vidar and Lumma stealers.
ClearFake with Blockchain C2: Exploiting BNB Smart Chain testnet to store C2 instructions in smart contracts, delivering SectopRAT and ACRStealer through compromised websites.

Collectively, these campaigns demonstrate a shift toward immutable infrastructure (blockchain C2), platform-specific targeting (gamers, crypto developers), and event-driven fraud (World Cup). The primary objective across all operations is credential harvesting for financial gain, with secondary focus on establishing persistent remote access.

Threat Actor / Malware Profile

ClickFix Adversary

Distribution: Fake image-editing tools (BackgroundFix) promoted as free utilities
Payload Behavior: Clipboard manipulation to execute malicious commands via finger.exe; CastleLoader reflective loader
C2 Communication: HTTP on port 688 to domains like poronto.com, giovettiadv.com
Persistence: Unknown in available data
Anti-Analysis: Reflective loading techniques to evade memory scanning

LofyStealer / GrabBot / Slinky (LofyGang)

Distribution: Social engineering targeting Minecraft players
Payload Behavior: Two-stage delivery—Node.js loader (53.5MB) disguised in legitimate libraries, memory-resident C++ payload (1.4MB)
C2 Communication: Unknown in available data
Persistence: Likely established through browser extensions or scheduled tasks
Anti-Analysis: Syscall evasion, in-memory execution to avoid disk-based detection

JINX-0164

Distribution: LinkedIn-based social engineering posing as recruiters/partners; supply chain compromise via npm packages
Payload Behavior: AUDIOFIX (Python infostealer/RAT), MINIRAT (Go backdoor) targeting macOS
C2 Communication: HTTP to domains like driver-updater.net, live.ong
Persistence: Likely launch agents/daemons on macOS
Anti-Analysis: Platform-specific targeting (macOS) to evade traditional Windows-focused controls

GHOST STADIUM

Distribution: Pixel-perfect FIFA website clones across 300+ domains; Facebook advertising exploitation
Payload Behavior: Vidar (infostealer), Lumma (credential harvester)
C2 Communication: HTTP to domains like fifa.gold, fifa.black, fifaweb.com
Persistence: Likely via startup persistence mechanisms
Anti-Analysis: Phishing-as-a-service model with rapid domain rotation

ClearFake with SectopRAT & ACRStealer

Distribution: Compromised Swiss websites with injected JavaScript
Payload Behavior: SectopRAT, ACRStealer delivered via blockchain smart contract queries
C2 Communication: BNB Smart Chain testnet smart contracts for C2 instructions; hostnames like afraid.veloitall.cfd
Persistence: Unknown in available data
Anti-Analysis: Immutable C2 infrastructure on blockchain; EtherHiding technique

IOC Analysis

The provided OTX pulses contain 207 total indicators across the following types:

Domains (32): Including fraudulently registered FIFA domains (fifa.gold, fifa.black), C2 domains (poronto.com, driver-updater.net), and blockchain-related infrastructure
Hostnames (10): Including typosquatting attempts (login.teamicrosoft.com, teams.live.us.org)
URLs (3): HTTP endpoints on non-standard ports (688) and install scripts
IPv4 (1): 148.178.22.16 (GHOST STADIUM infrastructure)
FileHash-SHA256 (6): Malicious payloads for CastleStealer, LofyStealer, and macOS malware
FileHash-SHA1 (2): Additional LofyStealer component hashes
FileHash-MD5 (2): LofyStealer loader components

SOC Operationalization

Block List Integration: Import all domains and hostnames into DNS firewall (Cisco Umbrella, Palo Alto DNS Security)
EDR Scanning: Deploy file hash IoCs to CrowdStrike Falcon, Microsoft Defender ATP for scanning
Network Detection: Configure SIEM (Splunk, Sentinel) to alert on HTTP connections to listed domains/ports
Threat Intelligence Platform: Feed IoCs into MISP, Anomali ThreatStream, or OpenCTI for correlation
Proxy/Web Gateway: Block URLs and enforce SSL inspection for HTTP traffic on port 688

Tooling for Decoding

VirusTotal for file hash analysis
URLScan.io for URL/host reputation
WhoisXML for domain registration analysis
Shodan for IP infrastructure assessment
Blockchain explorers (BscScan) for smart contract analysis

Detection Engineering

YAML

---
title: Suspicious finger.exe Execution with Clipboard Content - ClickFix Detection
id: 8f4a2b1c-3d5e-4f7a-9a1b-2c3d4e5f6a7b
status: experimental
description: Detects ClickFix campaign using finger.exe with clipboard content as observed in BackgroundFix malware distribution
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
author: Security Arsenal
date: 2026/05/30
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        CommandLine|contains: 'clip'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (rare)
level: high
---
title: Node.js Loader with Large Memory Footprint - LofyStealer Detection
id: 7e3d1a2b-4c6e-5f8a-9b2c-1d3e4f5a6b7c
status: experimental
description: Detects LofyStealer Node.js loader component with characteristic large file size and suspicious parameters
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
date: 2026/05/29
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - '--loader'
            - '--experimental-modules'
    filter:
        ParentImage|contains:
            - '\npm\'
            - '\yarn\'
            - '\nodejs\'
    condition: selection and not filter
falsepositives:
    - Legitimate Node.js development
level: medium
---
title: Suspicious HTTP Connection to Blockchain Testnet - ClearFake C2 Detection
id: 6d2c0a1b-3b5d-4e7a-8a1c-0b1c2d3e4f5a
status: experimental
description: Detects connections to BNB Smart Chain testnet endpoints used by ClearFake for C2 via smart contracts
references:
    - https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
author: Security Arsenal
date: 2026/05/27
tags:
    - attack.command_and_control
    - attack.c2
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 80
            - 443
        DestinationHostname|contains:
            - '.cfd'
            - '.lat'
            - '.in.net'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate connections to similar TLDs
level: medium


kql
// Hunt for ClickFix C2 connections on port 688
DeviceNetworkEvents
| where RemotePort == 688
| where ActionType in ("ConnectionAllowed", "ConnectionSuccess")
| where RemoteUrl has_any ("poronto.com", "giovettiadv.com", "brionter.com", "trindastal.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
| extend IoCType = "ClickFix_C2_Port688"


powershell
<#
    Security Arsenal - IOC Hunt Script
    Scans for indicators from ClickFix, LofyStealer, JINX-0164, GHOST STADIUM, and ClearFake campaigns
    Date: 2026-05-30
#>

param(
    [switch]$Verbose,
    [string]$OutputPath = "$env:TEMP\IOC_Hunt_$(Get-Date -Format 'yyyyMMdd').csv"
)

# IoCs from OTX Pulses
$IOC_Hashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

$IOC_Domains = @(
    "trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com",
    "driver-updater.net", "live.ong", "teamicrosoft.com", "teams.live.us.org",
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop",
    "afraid.veloitall.cfd", "root-cul.xamir3on.lat", "ohn.stainedunstitch.work",
    "getcfgs.qen9varol.lat", "ootid.srv-auth-dlt-msh.in.net"
)

$IOC_IPs = @("148.178.22.16", "89.36.224.5")

$results = @()

# Function to calculate file hash
function Get-FileHashCustom {
    param([string]$Path)
    try {
        $hash = Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop
        return $hash.Hash.ToLower()
    } catch {
        return $null
    }
}

# Scan file system for IoC hashes
if ($Verbose) { Write-Host "Scanning for malicious file hashes..." }

$commonPaths = @(
    "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP",
    "$env:APPDATA", "$env:LOCALAPPDATA", "C:\ProgramData"
)

foreach ($path in $commonPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $fileHash = Get-FileHashCustom -Path $_.FullName
            if ($fileHash -and $IOC_Hashes -contains $fileHash) {
                $results += [PSCustomObject]@{
                    Timestamp = Get-Date
                    IoCType = "FileHash"
                    IoCValue = $fileHash
                    FilePath = $_.FullName
                    Severity = "Critical"
                    Campaign = "OTX_Pulse_Collection"
                }
            }
        }
    }
}

# Check DNS cache for malicious domains
if ($Verbose) { Write-Host "Checking DNS cache for malicious domains..." }

try {
    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
    if ($dnsCache) {
        foreach ($entry in $dnsCache) {
            foreach ($domain in $IOC_Domains) {
                if ($entry.Name -like "*$domain*") {
                    $results += [PSCustomObject]@{
                        Timestamp = Get-Date
                        IoCType = "DNS_Cache"
                        IoCValue = $entry.Name
                        Data = $entry.Data
                        Severity = "High"
                        Campaign = "OTX_Pulse_Collection"
                    }
                }
            }
        }
    }
} catch {
    if ($Verbose) { Write-Host "Could not access DNS cache: $_" }
}

# Check hosts file for malicious domains
if ($Verbose) { Write-Host "Checking hosts file for malicious domains..." }

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($line in $hostsContent) {
        if ($line -notmatch "^#" -and $line -match "\S+") {
            foreach ($domain in $IOC_Domains) {
                if ($line -match $domain) {
                    $results += [PSCustomObject]@{
                        Timestamp = Get-Date
                        IoCType = "Hosts_File"
                        IoCValue = $line.Trim()
                        FilePath = $hostsPath
                        Severity = "High"
                        Campaign = "OTX_Pulse_Collection"
                    }
                }
            }
        }
    }
}

# Check for suspicious network connections
if ($Verbose) { Write-Host "Checking active network connections..." }

$activeConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($conn in $activeConnections) {
    $remoteIP = $conn.RemoteAddress
    if ($IOC_IPs -contains $remoteIP) {
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $results += [PSCustomObject]@{
            Timestamp = Get-Date
            IoCType = "Network_Connection"
            IoCValue = $remoteIP
            LocalPort = $conn.LocalPort
            RemotePort = $conn.RemotePort
            ProcessName = if ($process) { $process.ProcessName } else { "Unknown" }
            ProcessId = $conn.OwningProcess
            Severity = "Critical"
            Campaign = "OTX_Pulse_Collection"
        }
    }
}

# Check for ClickFix persistence (BackgroundFix references)
if ($Verbose) { Write-Host "Checking for ClickFix-related artifacts..." }

$clickFixPaths = @(
    "$env:USERPROFILE\*\BackgroundFix*",
    "$env:APPDATA\*\BackgroundFix*",
    "$env:TEMP\*\BackgroundFix*"
)

foreach ($path in $clickFixPaths) {
    $files = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
    if ($files) {
        foreach ($file in $files) {
            $results += [PSCustomObject]@{
                Timestamp = Get-Date
                IoCType = "Suspicious_File"
                IoCValue = $file.FullName
                FilePath = $file.FullName
                Severity = "High"
                Campaign = "ClickFix_BackgroundFix"
            }
        }
    }
}

# Output results
if ($results.Count -gt 0) {
    $results | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "Found $($results.Count) IoC matches. Results saved to: $OutputPath" -ForegroundColor Yellow
    $results | Format-Table -AutoSize
} else {
    Write-Host "No IoCs found on this system." -ForegroundColor Green
}

Response Priorities

Immediate (0-4 hours)

Block all domains and hostnames from the IOC list at DNS firewall and web proxy level
Deploy file hash IoCs to all EDR solutions for immediate scanning
Block outbound traffic on non-standard port 688 (ClickFix C2)
Isolate any endpoints with confirmed IoC matches
Enable enhanced logging on web-facing systems to detect ClearFake injection patterns

24 Hours

Conduct credential inventory for users who may have accessed FIFA-related domains or clicked suspicious image-editing tool links
Force password reset for accounts with suspicious login activity matching GHOST STADIUM targeting
Review LinkedIn messages for recruitment-themed phishing (JINX-0164 campaign)
Scan all macOS endpoints for AUDIOFIX and MINIRAT indicators
Validate Minecraft-related software installations for LofyStealer compromise

1 Week

Implement email filtering for FIFA World Cup-related keywords and sender domains
Deploy application whitelisting for Node.js execution in user directories
Configure SSL inspection to detect blockchain-based C2 communication patterns
Establish monitoring for BNB Smart Chain testnet RPC calls from internal networks
Conduct security awareness training focused on event-based fraud (World Cup) and social engineering (LinkedIn recruitment)
Review and harden CI/CD pipelines for supply chain attack prevention

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

ClickFix, LofyStealer & JINX-0164: Multi-Vector Credential Theft Campaign Analysis — OTX Pulse Intelligence Pack