Back to Intelligence

ClickFix, LofyStealer & JINX-0164: Multi-Vector Social Engineering & Supply Chain Attacks — OTX Pulse Analysis

SA
Security Arsenal Team
May 30, 2026
6 min read

Recent OTX pulses indicate a surge in sophisticated social engineering and supply chain attacks targeting diverse sectors. The collective activity highlights three distinct campaigns:

  • ClickFix (BackgroundFix): A campaign masquerading as a free image-editing tool that abuses finger.exe to retrieve payloads, ultimately delivering CastleLoader, NetSupport RAT, and CastleStealer.
  • LofyStealer (LofyGang): A two-stage infostealer targeting Minecraft players. It utilizes a Node.js-based loader to drop a memory-resident C++ payload designed to siphon browser data and credentials.
  • JINX-0164: A financially motivated actor targeting cryptocurrency development infrastructure via LinkedIn phishing and malicious NPM packages. This campaign delivers macOS-specific malware (AUDIOFIX, MINIRAT) and leverages typosquatting domains.

Collective Objective: Financial gain via credential theft, browser session hijacking, and unauthorized access to cryptocurrency development environments.

Threat Actor / Malware Profile

ClickFix / BackgroundFix

  • Distribution: Social engineering via fake image tools ("BackgroundFix"). Prompts users to copy/paste malicious commands into terminal/run dialog.
  • Payload Chain: Clipboard hijacking -> finger.exe (command invocation) -> CastleLoader (Reflective Loader) -> NetSupport RAT & CastleStealer.
  • Behavior: finger.exe is abused to fetch malicious payloads over the network, bypassing some application control restrictions.

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players (e.g., fake mods/cheats).
  • Architecture: Two-stage; 53.5MB Node.js loader (obfuscated within legitimate libs) -> 1.4MB C++ payload.
  • Behavior: Pure memory execution (fileless). Targets cookies, passwords, crypto wallets, and browser data from 8+ browsers. Uses syscall evasion techniques.

JINX-0164

  • Distribution: LinkedIn phishing (recruiter persona) and compromised NPM packages (supply chain).
  • Malware: AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor).
  • Behavior: Targeting macOS environments within crypto organizations. Uses CI/CD hijacking to inject malicious install.sh scripts.

IOC Analysis

The provided indicators suggest a mix of C2 infrastructure and distribution nodes:

  • Domains & URLs: Several domains act as C2 or payload delivery servers. Notable typosquatting is present (e.g., login.teamicrosoft.com, live.us.org), attempting to impersonate Microsoft services.
  • File Hashes: A high volume of SHA256, MD5, and SHA1 hashes correspond to the droppers (Node.js), loaders (CastleLoader), and final payloads (NetSupport RAT, AUDIOFIX).
  • Operationalization: SOC teams should immediately block the listed domains and IP addresses at the perimeter. EDR solutions should be configured to alert on the execution of files matching the provided SHA256 hashes. The typosquatting domains indicate a need for DNS monitoring solutions capable of detecting slight variations of trusted brands.

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix BackgroundFix Activity via Finger.exe
id: 4b0e2d1a-8e4f-4b5a-9c3d-1e2f3a4b5c6d
description: Detects the execution of finger.exe which is used in ClickFix campaigns to retrieve payloads, a rare administrative tool in modern environments.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6676e9a1f8f2c1a1d1b3e4c5
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use (rare)
level: high
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
---
title: Suspicious Node.js Process Spawning Shell (LofyStealer)
id: 5c1f3e2b-9f5a-5c6b-0d4e-2f3g4h5i6j7k
description: Detects Node.js spawning cmd.exe or powershell.exe, indicative of the LofyStealer Node.js loader executing subsequent stages.
status: experimental
date: 2026/05/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6676e9a1f8f2c1a1d1b3e4c6
logsource:
    category: process_creation
    product: windows
detection:
    parent:
        Image|endswith: '\node.exe'
    child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: parent and child
falsepositives:
    - Legitimate developer Node.js scripts
level: medium
tags:
    - attack.execution
    - attack.t1059.003
---
title: JINX-0164 Typosquatting Domain Connection
id: 6d2g4h3c-0a6b-6d7c-1e5f-3g4h5i6j7k8l
description: Detects network connections to known typosquatting domains used by JINX-0164 targeting crypto orgs.
status: experimental
date: 2026/05/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6676e9a1f8f2c1a1d1b3e4c7
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'teamicrosoft.com'
            - 'live.us.org'
            - 'driver-updater.net'
    condition: selection
falsepositives:
    - None
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix activity and JINX-0164 C2 domains
let IOCs = dynamic(["trindastal.com", "poronto.com", "brionter.com", "driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org", "www.driver-updater.net", "www.live.us.org"]);
let MalwareHashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9", "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"]);
// 1. Network Connections to C2
DeviceNetworkEvents
| where RemoteUrl in IOCs or RemotePort has_any (688)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort
| extend AlertDetails = "Potential C2 connection to known malicious domain or port";
// 2. Process Execution of finger.exe (ClickFix)
DeviceProcessEvents
| where FileName == "finger.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertDetails = "Execution of finger.exe - potential ClickFix activity";
// 3. File Hash Matches
DeviceFileEvents
| where SHA256 in MalwareHashes
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| extend AlertDetails = "Malware file hash detected on endpoint";

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for ClickFix, LofyStealer, and JINX-0164 Indicators of Compromise.
.DESCRIPTION
    Checks running processes for known malware hashes and DNS cache for typosquatting domains.
#>

$MaliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

$MaliciousDomains = @(
    "teamicrosoft.com",
    "driver-updater.net",
    "live.us.org",
    "trindastal.com",
    "poronto.com"
)

Write-Host "[*] Scanning for malicious processes..." -ForegroundColor Cyan

$Processes = Get-Process
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.Path
        if ($FilePath -and (Test-Path $FilePath)) {
            $FileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] ALERT: Malicious process detected - PID: $($Proc.Id), Name: $($Proc.ProcessName), Path: $FilePath" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[*] Checking DNS Cache for typosquatting domains..." -ForegroundColor Cyan

$DnsCache = Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry.Split('.')[-2..-1] -join '.' -or $_.Entry -match '(teamicrosoft|live.us.org|driver-updater)' }
if ($DnsCache) {
    Write-Host "[!] ALERT: Suspicious DNS entries found:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Data, Type
} else {
    Write-Host "[-] No suspicious DNS entries found." -ForegroundColor Green
}

Write-Host "[*] Scanning for 'finger.exe' execution..." -ForegroundColor Cyan
$FingerProc = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($FingerProc) {
    Write-Host "[!] ALERT: finger.exe is currently running. This is highly suspicious (ClickFix)." -ForegroundColor Red
}


---

Response Priorities

  • Immediate:

    • Block all listed IOCs (domains, hashes, IPs) on perimeter firewalls and EDR.
    • Isolate endpoints showing alerts for finger.exe execution or connections to port 688.
    • Kill any processes matching the provided SHA256 hashes.

  • 24 Hours:

    • Initiate credential resets for users identified as potential targets of LofyStealer (gaming environments) or JINX-0164 (LinkedIn/DevOps).
    • Scan developer workstations and build servers (especially macOS) for traces of install.sh scripts associated with JINX-0164.

  • 1 Week:

    • Review and harden CI/CD pipelines to prevent NPM supply chain injection.
    • Implement application allowlisting for Node.js and finger.exe.
    • Conduct security awareness training focused on LinkedIn recruiting scams and "too good to be true" software tools.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixlofystealerjinx-0164infostealersupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action