
ClickFix, LofyStealer, and JINX-0164: OTX Pulse Analysis on Emerging Infostealer & Supply Chain Threats

Security Arsenal Team
June 3, 2026

The current threat landscape indicates an aggressive multi-vector campaign focused on credential theft and initial access via supply chain compromise. OTX Pulse data highlights five distinct but related activities:

  1. ClickFix Campaigns: Adversaries are using "BackgroundFix" lures to trick users into copying malicious commands to the clipboard, which are then executed via finger.exe to deliver CastleLoader, NetSupport RAT, and CastleStealer.
  2. LofyStealer (LofyGang): A sophisticated infostealer targeting the gaming sector (Minecraft), utilizing a Node.js loader and memory-resident C++ payload to harvest browser data, cookies, and crypto-wallets.
  3. JINX-0164: A financially motivated actor targeting cryptocurrency software developers via LinkedIn phishing and compromised NPM packages, delivering custom macOS malware (AUDIOFIX, MINIRAT).
  4. Kali365 Expansion: A PhaaS operation now abusing OAuth 2.0 device authorization flows to bypass MFA on platforms like Microsoft 365, Okta, and Xerox DocuShare.
  5. Shai-Hulud Supply Chain: A campaign compromising @redhat-cloud-services npm packages to execute malicious preinstall hooks, harvesting cloud and CI/CD credentials.

Collectively, these threats aim to steal sensitive credentials, hijack developer infrastructure, and establish persistent access via remote administration tools.

Threat Actor / Malware Profile

ClickFix (CastleLoader / NetSupport RAT)

  • Distribution: Social engineering via fake image-editing tools ("BackgroundFix"). Prompts users to "verify they are human" by copying clipboard commands.
  • Payload Behavior: Uses finger.exe to retrieve payloads. Delivers CastleLoader (reflective loader) which drops NetSupport RAT (C2) and CastleStealer (.NET infostealer).
  • C2 Communication: Connects to domains such as trindastal.com and poronto.com.
  • Anti-Analysis: Uses reflective loading techniques to bypass standard file-based detection.

LofyGang (LofyStealer / GrabBot)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior: Two-stage attack. A 53.5MB Node.js loader (disguised as legitimate libraries) drops a 1.4MB native C++ payload that executes directly in memory.
  • Target: Harvests cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Evasion: Uses syscalls evasion and memory-only execution to avoid disk scanning.

JINX-0164 (AUDIOFIX / MINIRAT)

  • Distribution: LinkedIn phishing (posing as recruiters) and NPM supply chain attacks.
  • Payload Behavior: Delivers AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor) tailored for macOS.
  • Target: Cryptocurrency and Technology sectors.
  • Objective: Theft of source code, cloud credentials, and financial assets via CI/CD hijacking.

Kali365 Operator (EKZ Infostealer)

  • Distribution: Phishing-as-a-Service (PhaaS).
  • Technique: Abuses OAuth 2.0 "device code" flow to intercept authentication tokens, effectively bypassing MFA.
  • Target: Expanded from Microsoft 365 to Okta, AWS, Xerox DocuShare, and MAX Messenger.
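The MFA bypass above works because a device-code sign-in is completed in the victim's own browser while the token is issued to whatever client is polling the endpoint, so the login itself looks "successful" and MFA-satisfied. What an identity team can do is baseline who legitimately uses the flow and alert on deviations. The following is an added example written for this post, not code from Security Arsenal or from Microsoft; the records are shaped like Entra ID sign-in log entries, and the field names (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol, status), the sample users and the IP addresses are assumptions made for the example.

```python
"""Flag OAuth 2.0 device-code sign-ins that break a user's baseline.

Added example, not code from the Security Arsenal post. The records are shaped
like Entra ID sign-in log entries; the field names used (createdDateTime,
userPrincipalName, ipAddress, authenticationProtocol, status) and every sample
value are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. "deviceCode" is the authenticationProtocol value
# for the device authorization grant; "oAuth2" covers ordinary browser/app sign-ins.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-01T08:02:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": "success"},
    {"createdDateTime": "2026-06-02T08:05:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "status": "success"},
    # alice has never used the device-code flow, and this one comes from a new IP
    {"createdDateTime": "2026-06-03T11:40:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": "success"},
    # bob is an engineer who uses the Azure CLI device-code flow regularly from one IP
    {"createdDateTime": "2026-05-20T09:00:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"createdDateTime": "2026-06-03T09:30:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": "success"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_device_code_signins(events, baseline_days: int = 30) -> list:
    """Return one finding per successful device-code sign-in.

    Severity is "high" when the user has no device-code sign-in inside the
    baseline window, or the source IP was not seen in any of their sign-ins
    inside that window; otherwise "low" (known user of the flow, known IP).
    """
    window = timedelta(days=baseline_days)
    history = defaultdict(list)  # user -> [(timestamp, ip, protocol)] of earlier sign-ins
    findings = []
    for e in sorted(events, key=lambda r: _ts(r["createdDateTime"])):
        user, ts = e["userPrincipalName"], _ts(e["createdDateTime"])
        recent = [h for h in history[user] if ts - h[0] <= window]
        if e.get("authenticationProtocol") == "deviceCode" and e.get("status") == "success":
            reasons = []
            if not any(h[2] == "deviceCode" for h in recent):
                reasons.append("no device-code sign-in for this user in the baseline window")
            if e["ipAddress"] not in {h[1] for h in recent}:
                reasons.append("source IP not seen in the user's recent sign-ins")
            findings.append({
                "time": e["createdDateTime"], "user": user, "ip": e["ipAddress"],
                "app": e.get("appDisplayName", ""),
                "severity": "high" if reasons else "low", "reasons": reasons,
            })
        history[user].append((ts, e["ipAddress"], e.get("authenticationProtocol")))
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], f["app"], f["reasons"])
```

Run against the constructed records, bob's routine Azure CLI sign-in rates "low" while alice's first-ever device-code sign-in from an unfamiliar IP rates "high". The baseline window is the knob to tune: shrink it and infrequent legitimate users start to alert, which is the trade-off to make explicitly before wiring this into a pipeline alongside a Conditional Access policy that limits the flow to the groups that need it.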

Shai-Hulud (TrapDoor)

  • Distribution: Supply chain compromise of npm packages.
  • Behavior: Malicious preinstall hooks execute automatically during package installation.
  • Payload: AES-GCM encrypted payloads and obfuscated JavaScript loaders targeting GitHub Actions secrets, cloud tokens, and SSH keys.
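Because preinstall hooks run with the installing user's environment before any code is reviewed, the practical defensive check is an inventory of which installed packages declare install-time scripts at all, with extra attention to scripts that fetch or decode code and to packages in a scope known to have been compromised. The following is an added example written for this post, not code from Security Arsenal, from npm or from the Red Hat project; the manifests it audits are constructed, "example-pkg" is a placeholder package name, and the suspicious-pattern list is an assumption a practitioner would tune.

```python
"""Audit npm packages for lifecycle install hooks (preinstall/install/postinstall).

Added example, not code from the Security Arsenal post or from any npm project.
It reads package.json manifests under a node_modules tree and flags packages
that run scripts at install time, with extra weight when the script looks like
a downloader/decoder stage or the package sits in a watched scope.
"""
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Patterns a practitioner would not expect in a benign install hook (constructed list).
SUSPICIOUS = re.compile(
    r"(curl\s|wget\s|node\s+-e\s|base64|eval\(|powershell|\bsh\s+-c|\bbash\s+-c|https?://)",
    re.IGNORECASE,
)


def find_install_hooks(manifest: dict, watch_scopes=()) -> list:
    """Return one finding per install-time hook declared in one package.json dict."""
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "?")
    scripts = manifest.get("scripts") or {}
    scope = name.split("/")[0] if name.startswith("@") else ""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = []
        if SUSPICIOUS.search(cmd):
            reasons.append("downloader/decoder pattern in script")
        if scope and scope in watch_scopes:
            reasons.append(f"package in watched scope {scope}")
        findings.append({
            "package": f"{name}@{version}",
            "hook": hook,
            "script": cmd,
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


def audit_node_modules(root, watch_scopes=()) -> list:
    """Walk a node_modules tree and audit every package.json found."""
    findings = []
    for manifest_path in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        if isinstance(manifest, dict):
            findings.extend(find_install_hooks(manifest, watch_scopes))
    return findings


# Constructed sample manifests: one with no hooks, one native-build hook, and one
# modelled on the behaviour described above (preinstall hook that decodes and evals code).
SAMPLE_MANIFESTS = {
    "left-pad": {"name": "left-pad", "version": "1.3.0"},
    "node-gyp-lib": {"name": "node-gyp-lib", "version": "2.0.0",
                     "scripts": {"install": "node-gyp rebuild"}},
    "@redhat-cloud-services/example-pkg": {   # placeholder package name in the affected scope
        "name": "@redhat-cloud-services/example-pkg", "version": "9.9.9",
        "scripts": {"preinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\""},
    },
}


def build_sample_tree(root) -> Path:
    """Write SAMPLE_MANIFESTS into a node_modules layout under root."""
    nm = Path(root) / "node_modules"
    for name, manifest in SAMPLE_MANIFESTS.items():
        pkg_dir = nm / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def audit_sample(watch_scopes=("@redhat-cloud-services",)) -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp), watch_scopes)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["severity"].upper(), f["package"], f["hook"], "->", f["script"], f["reasons"])
```

Point audit_node_modules at a real project's node_modules (or at a CI runner's cache) to get the inventory; the "info" findings are the packages whose hooks need a documented reason to exist, the "high" ones need a human look before the next install. As a preventive control, npm's real --ignore-scripts install flag (or ignore-scripts=true in .npmrc) stops lifecycle hooks from running on CI runners that hold cloud and GitHub Actions credentials, which is exactly the population this campaign targets.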

IOC Analysis

The provided indicators of compromise (IOCs) span multiple categories requiring immediate defensive action:

  • Domains & URLs:
    • ClickFix: trindastal.com, poronto.com, brionter.com.
    • JINX-0164: driver-updater.net, live.ong, teams.live.us.org.
    • Kali365: attachedfile.com, securehubcloud.com, greatness-marketing.top.
    • Action: Block these domains at the DNS/Proxy layer. The URL http://89.36.224.5/troubleshoot/mac/install.sh is a critical indicator for the JINX-0164 macOS payload.
  • File Hashes:
    • A mix of MD5, SHA1, and SHA256 hashes are provided for the loaders and payloads (e.g., LofyStealer C++ component, CastleLoader binaries).
    • Action: Load these into EDR solutions for retroactive hunting. The presence of finger.exe executing with network connections is a high-fidelity behavioral IOC even without hash matches.
  • Operationalization:
    • SOC teams should prioritize the domains for blocking, as they represent active C2 and phishing infrastructure.
    • The file hashes should be used to scan user directories (particularly Downloads and AppData) and code repositories for compromised npm packages.
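The behavioral indicator called out above, finger.exe executing and then making network connections, needs a join between process-creation and network telemetry. The following is an added example written for this post, not code from Security Arsenal or from Sysmon's authors; it joins Sysmon-like records (EventID 1 process creation, EventID 3 network connection) on ProcessGuid, and the field names, process GUIDs, user names and sample events are constructed. The domain and IP indicator sets are the ones listed in this post.

```python
"""Correlate process-creation and network-connection events for finger.exe.

Added example, not code from the Security Arsenal post. Events are Sysmon-like
records (EventID 1 = process creation, EventID 3 = network connection, joined on
ProcessGuid); the field names, GUIDs and every sample event are constructed.
IOC_DOMAINS and IOC_IPS are taken from the post's ClickFix/JINX-0164 indicators.
"""
from collections import defaultdict
import ntpath

IOC_DOMAINS = {"trindastal.com", "poronto.com", "brionter.com"}
IOC_IPS = {"89.36.224.5"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


SAMPLE_EVENTS = [
    # An administrator running finger by hand: spawned from a shell, no network follow-up.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\admin"},
    # ClickFix-style chain: a shell launches finger.exe, which then reaches out to C2.
    {"EventID": 1, "ProcessGuid": "{B1}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\finger.exe",
     "DestinationHostname": "trindastal.com", "DestinationIp": "203.0.113.5",
     "DestinationPort": 79},
    # Unrelated browser traffic: must not be reported.
    {"EventID": 3, "ProcessGuid": "{C1}", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "example.test", "DestinationIp": "203.0.113.9",
     "DestinationPort": 443},
]


def hunt_finger(events) -> list:
    """Return one finding per finger.exe process, rated by its network behaviour."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e)

    findings = []
    for guid, p in procs.items():
        if _basename(p["Image"]) != "finger.exe":
            continue
        reasons, ioc_hit = [], False
        if _basename(p.get("ParentImage", "")) in SHELLS:
            reasons.append(f"spawned by {_basename(p['ParentImage'])}")
        for c in conns.get(guid, []):
            host, ip = c.get("DestinationHostname", ""), c.get("DestinationIp", "")
            reasons.append(f"outbound connection to {host or ip}:{c.get('DestinationPort')}")
            if host.lower() in IOC_DOMAINS or ip in IOC_IPS:
                ioc_hit = True
                reasons.append("destination matches a published IOC")
        if ioc_hit:
            severity = "critical"
        elif conns.get(guid):
            severity = "high"      # finger.exe with any network activity: the behavioural IOC
        else:
            severity = "low"       # execution alone: review, but plausibly admin use
        findings.append({"guid": guid, "user": p.get("User"),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_finger(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["guid"], f["user"], "; ".join(f["reasons"]))
```

The severity ladder mirrors the point made above: finger.exe alone is a weak signal (an admin may run it), finger.exe plus any outbound connection is the high-fidelity signal regardless of hash matches, and a destination on the published domain/IP list confirms it. Feeding the real Sysmon or EDR export into hunt_finger only requires mapping your telemetry's field names onto the ones the constructed events use.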

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Activity via Finger.exe
id: 91bf1c6a-1a2b-4c5d-9e6f-7a8b9c0d1e2f   # Sigma ids must be valid UUIDs (hex digits only)
date: 2026/06/04
status: experimental
description: Detects suspicious usage of finger.exe often associated with ClickFix campaigns loading payloads via clipboard commands.
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (rare in modern environments)
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: Suspicious NPM Preinstall Script Execution
id: a2b3c4d5-e6f7-8a9b-0c1d-2e3f4a5b6c7d
date: 2026/06/04
status: experimental
description: Detects npm processes executing preinstall scripts that spawn shells or download external content, indicative of supply chain attacks like Shai-Hulud.
references:
    - https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\npm.cmd'
        ParentCommandLine|contains: 'preinstall'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\wget.exe'
    # process_creation events are single-event: the parent relationship is expressed through
    # the Parent* fields of the child event rather than a cross-event join.
    # Note: npm.cmd is a batch wrapper, so the direct parent is often cmd.exe or node.exe;
    # tune ParentImage to what your telemetry actually records.
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build scripts utilizing external resources
level: high
tags:
    - attack.initial_access
    - attack.t1195.002
---
title: LofyStealer Node.js Loader Activity
id: b3c4d5e6-f7a8-9b0c-1d2e-3f4a5b6c7d8e
date: 2026/06/04
status: experimental
description: Detects Node.js processes spawning suspicious child processes or accessing browser credential files, characteristic of LofyStealer.
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    filter:
        CommandLine|contains: 'npm' # Filter out legitimate npm dev
    condition: selection and not filter
falsepositives:
    - Local web development
level: medium
tags:
    - attack.credential_access
    - attack.t1555.003

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and Network IOCs
let Domains = dynamic(['trindastal.com', 'poronto.com', 'brionter.com', 'driver-updater.net', 'attachedfile.com', 'securehubcloud.com', 'greatness-marketing.top', 'live.ong', 'teams.live.us.org']);
DeviceNetworkEvents
| where RemoteUrl in (Domains) or RemoteIP == '89.36.224.5' or RemoteUrl has '89.36.224.5'
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend Alert = 'Network IOC Connection Detected'
| union (
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName =~ 'finger.exe' or ProcessVersionInfoOriginalFileName =~ 'node.exe'
    | where InitiatingProcessFileName !in ('node.exe', 'npm.cmd') // Filter parent noise for Node
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
    | extend Alert = 'Suspicious Process Execution (ClickFix/Node)'
)

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for ClickFix, LofyStealer, and associated IOCs.
.DESCRIPTION
    Checks for running suspicious processes (finger.exe) and scans for specific file hashes.
#>

$TargetHashes = @(
    'bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92',
    'ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9',
    '293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881',
    '45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7'
)

Write-Host "[+] Checking for suspicious process activity..."
# Note: the .Parent property on process objects exists in PowerShell 7+; on Windows
# PowerShell 5.1 resolve the parent via Get-CimInstance Win32_Process (ParentProcessId).
$Processes = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.ProcessName -eq 'finger' -or
    ($_.ProcessName -eq 'node' -and $_.Parent.ProcessName -ne 'node' -and $_.Parent.ProcessName -ne 'npm')
}

if ($Processes) {
    Write-Host "[!] WARNING: Suspicious processes found:" -ForegroundColor Red
    $Processes | Format-Table Id, ProcessName, Path, Parent
} else {
    Write-Host "[-] No suspicious processes found."
}

Write-Host "[+] Scanning for malicious file hashes in common directories..."
$Paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP", "C:\ProgramData")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] CRITICAL: Malicious file found at $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses (89.36.224.5) on perimeter firewalls and DNS resolvers.
    • Hunt for and isolate any systems exhibiting finger.exe activity or executing the provided file hashes.
    • Identify and block the malicious npm packages mentioned in the Shai-Hulud pulse.
  • 24 Hours:
    • If credential-stealing malware (LofyStealer, CastleStealer, EKZ) is suspected, force a password reset and MFA re-enrollment for affected users and service accounts.
    • Review GitHub Actions and CI/CD logs for signs of credential theft (Shai-Hulud/JINX-0164) and rotate exposed secrets.
  • 1 Week:
    • Harden software supply chains by implementing dependency verification (SBOM) and requiring code reviews for all preinstall scripts.
    • Conduct security awareness training focusing on LinkedIn recruitment scams (JINX-0164) and "fake tool" social engineering (ClickFix).
    • Evaluate the necessity of OAuth 2.0 device code flows and enforce strict Conditional Access policies to block PhaaS bypass attempts (Kali365).
