Back to Intelligence

ClickFix, LofyStealer & JINX-0164: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 31, 2026
5 min read

Active OTX pulses reveal campaigns by ClickFix, LofyGang, and JINX-0164 utilizing social engineering, fake utilities, and supply chain attacks to steal credentials and target crypto infrastructure.

Threat Summary

Recent OTX submissions highlight a convergence of sophisticated social engineering and supply chain compromises targeting diverse sectors. The "ClickFix" campaign (CastleLoader/NetSupport RAT) masquerades as image-editing software to hijack clipboards. Simultaneously, "LofyGang" targets gamers via a complex Node.js/C++ infostealer (LofyStealer). Most critically, the "JINX-0164" actor is actively compromising cryptocurrency development infrastructure through LinkedIn phishing and malicious npm packages, delivering custom macOS malware (AUDIOFIX, MINIRAT). Collectively, these threats emphasize the shift towards abusing legitimate tools (finger.exe, Node.js) and trusted platforms (LinkedIn, npm) to bypass traditional defenses.

Threat Actor / Malware Profile

ClickFix (BackgroundFix)

  • Distribution: Fake "BackgroundFix" image editing tool promoted via social engineering.
  • Behavior: Victims copy malicious commands to the clipboard. The malware uses finger.exe (Living off the Land binary) to reach C2 and retrieve payloads.
  • Payloads: CastleLoader -> NetSupport RAT (Remote Access), CastleStealer (Data Theft).
  • Persistence: Established via RAT mechanisms.

LofyGang (LofyStealer/GrabBot)

  • Distribution: Social engineering targeting Minecraft players.
  • Behavior: Two-stage loader. Stage 1: 53.5MB Node.js file (legitimate library obfuscation). Stage 2: 1.4MB C++ payload executes directly in memory to evade disk-based scanning.
  • Capabilities: Steals cookies, passwords, credit cards from 8 browsers (Chromelevator component).

JINX-0164

  • Distribution: LinkedIn social engineering (recruiter persona), compromised npm packages, CI/CD hijacking.
  • Targets: Cryptocurrency organizations, Software Developers (macOS heavy).
  • Payloads: AUDIOFIX (Python RAT/Stealer), MINIRAT (Go Backdoor).
  • Infrastructure: Uses typosquatted domains (e.g., login.teamicrosoft.com) and suspicious TLDs (.ong).

IOC Analysis

The provided IOCs range from file hashes to network infrastructure.

  • Domains: Several domains (trindastal.com, driver-updater.net, live.ong) should be immediately blocked at the DNS level.
  • Hostnames: Typosquatting is evident in JINX-0164 indicators (e.g., login.teamicrosoft.com), necessitating certificate transparency monitoring and strict DNS filtering.
  • File Hashes: Multiple SHA256, MD5, and SHA1 hashes are provided for the loaders and payloads. These must be uploaded to EDR allowlist/blocklist configurations.
  • Network: ClickFix activity observed on non-standard port 688 (HTTP) requires deep packet inspection or firewall rules to block high ports used by malware C2.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix BackgroundFix Activity
id: 8a3b1c9d-5e4f-4a2b-9c1d-8e7f6a5b4c3d
description: Detects the use of finger.exe associated with ClickFix campaigns to retrieve payloads.
status: experimental
date: 2026/06/01
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use of finger.exe (rare)
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
---
title: Suspicious Node.js Loader - LofyStealer Pattern
id: 7b2a0c8e-4d3f-3b1a-8b0c-7d6e5a4c3b2a
description: Detects Node.js processes spawning non-node binaries, a pattern associated with the LofyStealer Node.js loader.
status: experimental
date: 2026/06/01
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'node.exe'
        Image|endswith: '.exe'
        Image|notcontains: 'node.exe'
    condition: selection
falsepositives:
    - Legitimate Node.js development workflows
level: medium
tags:
    - attack.execution
    - attack.t1059
---
title: JINX-0164 macOS Suspicious Installer Execution
id: 6c1a9b7d-3c2e-2a0c-9a1b-6c5f4e3d2c1b
description: Detects execution of curl or sh scripts associated with JINX-0164 infrastructure on macOS.
status: experimental
date: 2026/06/01
author: Security Arsenal
logsource:
    category: process_creation
    product: macos
detection:
    selection_curl:
        Image|endswith: '/curl'
        CommandLine|contains: 'install.sh'
    selection_domains:
        CommandLine|contains:
            - 'driver-updater.net'
            - 'live.ong'
            - 'teamicrosoft.com'
    condition: 1 of selection*
falsepositives:
    - Legitimate software installation scripts
level: high
tags:
    - attack.initial_access
    - attack.t1190

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix finger.exe activity and network connections
DeviceProcessEvents
| where FileName =~ "finger.exe"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| join kind=inner (DeviceNetworkEvents 
    | where RemoteUrl in ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com") 
    or RemotePort == 688) on DeviceName, Timestamp
| distinct Timestamp, DeviceName, RemoteUrl, RemotePort, ProcessCommandLine

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt for ClickFix and JINX-0164 domains in hosts file and running processes.
#>

$MaliciousDomains = @(
    "trindastal.com",
    "poronto.com", 
    "brionter.com",
    "driver-updater.net",
    "live.ong",
    "teamicrosoft.com",
    "login.teamicrosoft.com"
)

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

Write-Host "[+] Checking Hosts file for malicious domain mappings..."
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($domain in $MaliciousDomains) {
        if ($HostsContent -match $domain) {
            Write-Host "[!] ALERT: Domain found in hosts file: $domain" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for active network connections to malicious domains..."
$Connections = Get-NetTCPConnection | Select-Object -ExpandProperty RemoteAddress
$DNSCache = Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry }

if ($DNSCache) {
    Write-Host "[!] ALERT: DNS Cache hit for malicious domains:" -ForegroundColor Red
    $DNSCache | Format-Table Entry, Data -AutoSize
}

Write-Host "[+] Checking for finger.exe process..."
$FingerProcess = Get-Process -Name finger -ErrorAction SilentlyContinue
if ($FingerProcess) {
    Write-Host "[!] ALERT: finger.exe is running (PID: $($FingerProcess.Id))" -ForegroundColor Red
}

Response Priorities

  • Immediate: Block all listed domains and IP addresses at the perimeter. Scan endpoints for the provided file hashes (SHA256/MD5). Kill any finger.exe processes not initiated by administrators.
  • 24h: If credential-theft malware (LofyStealer/CastleStealer) is suspected, force reset of passwords and tokens for impacted users. Audit LinkedIn connections for developer accounts targeted by JINX-0164.
  • 1 Week: Implement strict allow-listing for Node.js execution in user directories. Review and harden CI/CD pipelines against npm supply chain poisoning. Enforce MFA verification for all recruitment-related communications.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptclickfixlofystealerjinx-0164supply-chain-attackinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action