
ClickFix, LofyStealer, and JINX-0164: OTX Pulse Analysis — Credential Theft & Supply Chain Attacks

Security Arsenal Team
June 3, 2026

Excerpt: Active campaigns involving ClickFix, LofyStealer, and JINX-0164 targeting general users, gamers, and crypto sectors via social engineering and supply chain attacks. High urgency.

Threat Summary

Recent OTX pulses reveal a convergence of sophisticated threat activity spanning credential theft, remote access trojans (RATs), and supply chain compromises.

  1. ClickFix (BackgroundFix): A social engineering campaign masquerading as a free image-editing tool. It leverages clipboard hijacking to invoke finger.exe, a Living-Off-The-Land (LOLBin), for payload retrieval, ultimately delivering CastleLoader, NetSupport RAT, and CastleStealer.
  2. LofyStealer: A two-stage infostealer specifically targeting Minecraft players. It utilizes a large Node.js loader (53.5MB) to obfuscate a 1.4MB C++ memory-only payload designed to siphon browser credentials and financial data.
  3. JINX-0164: A financially motivated actor active since mid-2025, targeting the cryptocurrency industry. They employ LinkedIn phishing and typosquatting (e.g., teamicrosoft.com) to distribute macOS malware (AUDIOFIX, MINIRAT) via compromised npm packages.

Collectively, these campaigns demonstrate a heavy reliance on social engineering to bypass technical controls, abusing legitimate tools (finger.exe, node.exe) and trusted platforms (LinkedIn, npm) to establish persistence and exfiltrate sensitive data.

Threat Actor / Malware Profile

Threat Actor / Family | Distribution Method | Payload Behavior | C2 / Persistence
--- | --- | --- | ---
ClickFix / BackgroundFix | Fake "BackgroundFix" image tool; prompts user to verify humanity via clipboard copy. | Uses finger.exe to fetch CastleLoader. Drops NetSupport RAT (C2) and CastleStealer (data theft). | CastleLoader acts as a reflective loader; NetSupport RAT provides remote access.
LofyStealer (LofyGang) | Social engineering within Minecraft communities; disguised as legitimate libraries. | 53.5MB Node.js loader spawns 1.4MB C++ payload directly in memory (fileless). | Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
JINX-0164 | LinkedIn recruitment phishing; compromised npm packages (supply chain). | Delivers AUDIOFIX (Python RAT/Stealer) and MINIRAT (Go backdoor) on macOS. | Focuses on hijacking CI/CD infrastructure and cryptocurrency wallets.

IOC Analysis

The provided indicators span multiple infection vectors and infrastructure types:

  • Domains & Typosquatting: High-confidence indicators include trindastal.com (ClickFix) and login.teamicrosoft.com (JINX-0164). SOC teams should immediately block these at the DNS layer and inspect web proxy logs for any historical access.
  • File Hashes: A mix of SHA256 (CastleLoader/Stealer), MD5 (LofyStealer), and SHA1 hashes are provided. These should be imported into EDR solutions for retrospective hunting. LofyStealer's unusually large Node.js loader (~53MB) is a distinctive heuristic for behavioral hunting.
  • URLs & Scripts: JINX-0164 utilizes installation scripts (e.g., install.sh on port 80/HTTP). Network detection rules should flag non-HTTPS downloads of shell scripts or executable content from unexpected IPs like 89.36.224.5.
  • Operationalization: Focus on detecting the abuse of finger.exe for ClickFix and the process injection capabilities of the Node.js loader for LofyStealer.
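The plaintext-download rule from the "URLs & Scripts" bullet, worked through as an added example (not code from the report or the OTX pulses): it classifies proxy log lines in a constructed format, flags cleartext HTTP fetches of script or executable content, and rates those pulled straight from an IP literal highest. The log format, the extension and content-type lists and the sample lines are assumptions; only the install.sh name and the 89.36.224.5 address come from the report.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# File types the report calls out: shell scripts and executable content.
SCRIPT_EXTENSIONS = (".sh", ".bash", ".py", ".ps1", ".exe", ".dll", ".msi", ".pkg")
BINARY_TYPES = ("application/x-sh", "application/x-shellscript",
                "application/x-msdownload", "application/octet-stream")

def is_ip_literal(host: str) -> bool:
    try:  # bare IPv4/IPv6 host: nothing for DNS or reputation filtering to see
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify(url: str, content_type: str = ""):
    """'high' for a cleartext HTTP fetch of script/executable content straight
    from an IP literal, 'medium' for the same content from a hostname, else None."""
    u = urlparse(url)
    if u.scheme != "http":
        return None  # only cleartext downloads are in scope for this rule
    executable = (u.path.lower().endswith(SCRIPT_EXTENSIONS)
                  or content_type.split(";")[0].strip().lower() in BINARY_TYPES)
    if not executable:
        return None
    return "high" if is_ip_literal(u.hostname or "") else "medium"

def scan_proxy_log(lines):
    """Parse 'ts client method url status [content-type]' lines (a constructed
    format assumed here) and return (severity, url) for each flagged request."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the hunt
        sev = classify(parts[3], parts[5] if len(parts) == 6 else "")
        if sev:
            hits.append((sev, parts[3]))
    return hits

# Constructed sample log (not a real capture); the first line reuses the report's
# install.sh / 89.36.224.5 indicators, the others are benign or lower severity.
SAMPLE_LOG = [
    "2026-06-03T10:01:02Z 10.0.0.21 GET http://89.36.224.5/install.sh?v=2 200 application/x-sh",
    "2026-06-03T10:01:09Z 10.0.0.21 GET https://registry.npmjs.org/axios 200 application/json",
    "2026-06-03T10:02:15Z 10.0.0.33 GET http://mirror.example.net/setup.exe 200 application/octet-stream",
    "2026-06-03T10:03:40Z 10.0.0.33 GET http://10.0.0.5:80/health 200 text/plain",
]
```

Running scan_proxy_log(SAMPLE_LOG) returns one high hit for the install.sh fetch and one medium hit for the octet-stream download; the HTTPS and text/plain lines are ignored.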

Detection Engineering

Sigma Rules

---
title: Potential ClickFix BackgroundFix Activity via Finger.EXE
id: 7a8b9c0d-1e2f-3a45-6b7c-8d9e0f1a2b3c
description: Detects any execution of finger.exe, a rarely used LOLBin that the ClickFix BackgroundFix campaign abuses to retrieve its payloads.
status: stable
author: Security Arsenal
date: 2026/06/03
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate use of finger client (rare in modern environments)
level: high
---
title: Suspicious Node.js Process Executing Native Payload (LofyStealer)
id: b9c0d1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: Detects a Node.js process spawning or interacting with native processes, characteristic of the LofyStealer Node.js loader executing a C++ in-memory payload.
status: stable
author: Security Arsenal
date: 2026/06/03
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child:
        Image|endswith: '.exe'
    filter_legit:
        Image|contains:
            - '\node_modules\'
            - '\Program Files\nodejs\'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate Node.js applications spawning child processes
level: medium
---
title: JINX-0164 Typosquatting Domain Connection
id: c0d1e2f3-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects network connections to known typosquatting domains associated with the JINX-0164 threat actor targeting cryptocurrency infrastructure (e.g., teamicrosoft.com, live.ong).
status: stable
author: Security Arsenal
date: 2026/06/03
references:
    - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'teamicrosoft.com'
            - 'live.ong'
            - 'driver-updater.net'
            - 'live.us.org'
    condition: selection
falsepositives:
    - Unknown
level: critical
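The Sigma rule above only matches domains that are already known. As an added example (not part of the report or its rules), the check below scores observed hostnames against a small brand list with an edit-distance and TLD-swap heuristic, so look-alikes such as teamicrosoft.com and live.ong surface before they reach an IOC feed. The BRANDS list, the thresholds and the benign control hostnames are assumptions.

```python
# Assumed brand hostnames to protect; take them from your own tenant/brand list.
BRANDS = ["teams.microsoft.com", "microsoft.com", "live.com"]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transposition, so 'micorsoft' vs 'microsoft' costs 1 edit rather than 2."""
    rows = [list(range(len(b) + 1))]
    for i in range(1, len(a) + 1):
        row = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            row[j] = min(rows[i - 1][j] + 1, row[j - 1] + 1,
                         rows[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                row[j] = min(row[j], rows[i - 2][j - 2] + 1)  # transposition
        rows.append(row)
    return rows[-1][-1]

def suspicious_hostnames(hostnames, brands=BRANDS, max_dist=2):
    """Flag a host when some registrable-or-longer suffix of it, with the dots
    removed, is within max_dist edits of a brand (teamicrosoft.com collapses
    teams.microsoft.com), or when it reuses a brand's second-level label under
    another TLD (live.ong vs live.com). The brand itself and its subdomains pass."""
    hits = {}
    for host in (h.lower().rstrip(".") for h in hostnames):
        if any(host == b or host.endswith("." + b) for b in brands):
            continue
        labels = host.split(".")
        suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
        for brand in brands:
            for suf in suffixes:
                collapsed = osa_distance(suf.replace(".", ""), brand.replace(".", ""))
                tld_swap = suf.split(".")[-2] == brand.split(".")[-2]
                if collapsed <= max_dist or tld_swap:
                    hits[host] = f"resembles {brand}"
    return hits

# Constructed input: two JINX-0164 hostnames from the report plus benign controls
# (the genuine service, one of its subdomains, and an unrelated 'live' brand).
SAMPLE_HOSTS = ["login.teamicrosoft.com", "live.ong", "teams.microsoft.com",
                "outlook.live.com", "livenation.com", "github.com"]
```

suspicious_hostnames(SAMPLE_HOSTS) flags only the two report indicators; feed it the distinct hostnames from a day of DNS or proxy logs to triage new look-alikes.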

KQL (Microsoft Sentinel / Defender)

// Hunt for ClickFix, LofyStealer and JINX-0164 activity: finger.exe execution
// plus network connections to the listed domains (=~ is case-insensitive)
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName =~ "finger.exe" or FileName =~ "finger.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| union (
    DeviceNetworkEvents
    | where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org", "www.driver-updater.net", "www.live.us.org", "giovettiadv.com")
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, LocalPort, RemotePort
)
| order by Timestamp desc

PowerShell Hunt Script

# IOC Hunt Script for ClickFix, LofyStealer, and JINX-0164
# Requires Administrator privileges

$IOC_Hashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

$IOC_Domains = @(
    "trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com",
    "driver-updater.net", "login.teamicrosoft.com", "live.ong",
    "teams.live.us.org", "www.driver-updater.net", "www.live.us.org"
)

Write-Host "[*] Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Check for Finger.exe Usage in Event Logs (Security/Process Creation)
#    Event 4688 is only written when the 'Audit Process Creation' subcategory is enabled.
Write-Host "[*] Checking Event Logs (ID 4688) for Finger.exe execution..." -ForegroundColor Yellow
try {
    $fingerEvents = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\finger.exe']]" -ErrorAction Stop
    if ($fingerEvents) {
        Write-Host "[!] ALERT: Finger.exe execution detected in Security Logs:" -ForegroundColor Red
        $fingerEvents | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Host "    No Finger.exe execution events found." -ForegroundColor Green
    }
} catch {
    Write-Host "    Error reading Security Logs or no events found." -ForegroundColor DarkYellow
}

# 2. Check DNS Cache for Malicious Domains
Write-Host "[*] Checking DNS Cache for malicious domains..." -ForegroundColor Yellow
$dnsCache = Get-DnsClientCache | Where-Object { $IOC_Domains -contains $_.Entry }
if ($dnsCache) {
    Write-Host "[!] ALERT: Suspicious DNS Cache entries found:" -ForegroundColor Red
    $dnsCache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "    No suspicious entries in DNS cache." -ForegroundColor Green
}

# 3. Scan %TEMP% and Downloads for File Hashes (Quick Scan)
Write-Host "[*] Scanning user temp and download folders for known malicious hashes..." -ForegroundColor Yellow
$pathsToScan = @("$env:TEMP", "$env:USERPROFILE\Downloads")
foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($IOC_Hashes -contains $fileHash) {
                Write-Host "[!] ALERT: Malicious file found at $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[*] Hunt complete. Review findings immediately." -ForegroundColor Cyan

Response Priorities

  • Immediate (0-24h):
    • Block all listed domains and IP addresses at the firewall, proxy, and DNS layers.
    • Initiate a hunt for finger.exe execution events across all endpoints (ClickFix).
    • Isolate any endpoints with confirmed matches to the provided file hashes.
  • Short Term (24-48h):
    • Identity Verification: Given the presence of NetSupport RAT and LofyStealer, perform forced password resets and MFA challenges for users in high-risk groups (e.g., developers, finance) and those with potential browser credential exposure.
    • Web Filtering: Update secure web gateways to block categories typically associated with the delivery vectors (e.g., file sharing, software cracks).
  • Medium Term (1 week):
    • Architecture Hardening: Implement application control (AppLocker) to restrict the execution of unauthorized binaries like finger.exe and unsigned Node.js modules.
    • Supply Chain Security: For organizations utilizing npm or similar package managers, audit dependency trees for the typosquatted packages referenced in the JINX-0164 campaign and enforce signed repository policies.
