Recent OTX pulses indicate a convergence of social engineering tactics used by distinct threat actors to deliver Remote Access Trojans (RATs) and information stealers.
- ClickFix Campaign: A "BackgroundFix" lure is tricking users into verifying their humanity by copying malicious commands to the clipboard. These commands invoke finger.exe, a legacy Windows utility, to fetch payloads, leading to the deployment of CastleLoader, NetSupport RAT, and CastleStealer.
- LofyStealer (LofyGang): Targeting the gaming community (specifically Minecraft), this operation uses a sophisticated Node.js loader (disguised as legitimate libraries) to drop a C++ infostealer in memory. It targets browser credentials and session data.
- JINX-0164: A financially motivated actor targeting the cryptocurrency sector. They utilize LinkedIn social engineering and typosquatting domains (e.g., login.teamicrosoft.com) to deliver AUDIOFIX (Python RAT) and MINIRAT (Go backdoor), likely via compromised NPM packages or CI/CD pipelines.
Collectively, these campaigns demonstrate a shift away from traditional phishing emails towards lure-based technical deception (clipboard hijacking) and professional platform abuse (LinkedIn recruiting).
Threat Actor / Malware Profile
ClickFix / CastleLoader
- Distribution: Fake image-editing tools ("BackgroundFix") utilizing "ClickFix" templates—HTML pages forcing users to copy-paste PowerShell/Bash commands.
- Behavior: Uses finger.exe (often overlooked by EDR) for initial payload retrieval. Drops CastleLoader, which acts as a conduit for NetSupport RAT (remote control) and CastleStealer (data theft).
- Persistence: Standard RAT persistence mechanisms (registry run keys, scheduled tasks via NetSupport).
LofyGang / LofyStealer
- Distribution: Social engineering targeting gamers (Minecraft mods/cheats).
- Behavior: Two-stage payload. Stage 1 is a 53.5MB Node.js loader. Stage 2 is a 1.4MB native C++ payload executed entirely in memory to evade disk-based scanning.
- Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers. Uses syscall evasion to bypass sandbox analysis.
JINX-0164
- Distribution: LinkedIn phishing (recruiter personas), supply chain compromise (NPM trojan), and CI/CD hijacking.
- Behavior: Deploys AUDIOFIX (Python-based stealer/RAT) and MINIRAT (Go-based backdoor). Focuses on macOS environments common in crypto/DevOps sectors.
- C2 & Infrastructure: Uses lookalike domains mimicking Microsoft services to bypass initial visual checks.
IOC Analysis
The provided indicators include:
- Domains: Typosquatted infrastructure (e.g., login.teamicrosoft.com, live.us.org) and specific C2 domains (e.g., trindastal.com, driver-updater.net).
- File Hashes: SHA256 and MD5 hashes for the Node.js loaders, C++ payloads, and Python/Go binaries.
- URLs: Specific ports (688) and script paths (/troubleshoot/mac/install.sh) used for payload delivery.
Operational Guidance:
- Blocklist: Immediately block all listed domains and hostnames at the perimeter firewall and DNS resolvers.
- EDR Telemetry: Search for the listed SHA256 hashes on disk. Hunt for finger.exe or node.exe processes with suspicious child processes.
- Network Monitoring: Alert on outbound connections to non-standard ports (e.g., 688) and connections to the listed typosquatted domains.
Detection Engineering
Sigma Rules
```yaml
title: Potential ClickFix Activity via Finger.exe
id: 4a8b1c9d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects the suspicious use of finger.exe to download content, a behavior associated with the ClickFix campaign and CastleLoader delivery.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/667a6e8f8e9f9c0d1e2f3a4b
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith: '\finger.exe'
  # Both selections must match. Note that '.exe' also matches when the command
  # line repeats the image name, so tune this token list to your telemetry.
  selection_cmdline:
    CommandLine|contains:
      - 'http'
      - '.exe'
      - '.ps1'
  condition: selection_image and selection_cmdline
falsepositives:
  - Legitimate use of finger.exe (rare in modern environments)
level: high
---
title: JINX-0164 Typosquatting Domain Connection
id: 5b9c2d0e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
description: Detects network connections to known typosquatted domains used by JINX-0164 for phishing and C2 infrastructure.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/667a6e8f8e9f9c0d1e2f3a4c
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'teamicrosoft.com'
      - 'live.us.org'
      - 'driver-updater.net'
  condition: selection
falsepositives:
  - None
level: critical
---
title: Suspicious Node.js Loader Pattern (LofyStealer)
id: 6c0d3e1f-7g8b-6c9d-0e1f-2a3b4c5d6e7f
description: Detects Node.js processes spawning suspicious child processes like PowerShell or Cmd, indicative of loader activity seen in LofyStealer campaigns.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/667a6e8f8e9f9c0d1e2f3a4d
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  # The parent/child relationship lives in one event: ParentImage is the
  # spawning node.exe, Image is the interpreter it launched.
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
  condition: selection
falsepositives:
  - Legitimate Node.js development tooling
level: medium
```
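The logic of the three Sigma rules and the Operational Guidance hunt, reduced to functions that can be unit-tested against telemetry before deployment, as an added example that is not part of the original post or Security Arsenal's tooling. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, DestinationHostname, DestinationPort) and goes slightly beyond the finger.exe rule by matching the download tokens only against the arguments after the executable name, so a command line that merely repeats "finger.exe" does not fire; all sample events are constructed.

```python
from typing import Dict, List, Tuple

# Indicators taken from the post's IOC Analysis and KQL hunt.
IOC_DOMAINS = {"login.teamicrosoft.com", "live.us.org", "trindastal.com", "driver-updater.net"}
IOC_PORT = 688                                   # non-standard delivery port named in the post
SHELL_CHILDREN = ("\\powershell.exe", "\\cmd.exe", "\\wscript.exe")
DOWNLOAD_TOKENS = ("http", ".exe", ".ps1")       # same tokens as the finger.exe Sigma rule

def check_process(ev: Dict[str, str]) -> List[str]:
    """Process-creation rules: finger.exe fetching content; node.exe spawning an interpreter."""
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    args = ev.get("CommandLine", "").lower().partition(" ")[2]  # skip the image name itself
    hits = []
    if image.endswith("\\finger.exe") and any(t in args for t in DOWNLOAD_TOKENS):
        hits.append("clickfix_finger_download")
    if parent.endswith("\\node.exe") and image.endswith(SHELL_CHILDREN):
        hits.append("nodejs_loader_spawns_shell")
    return hits

def check_network(ev: Dict[str, str]) -> List[str]:
    """Network rule: a listed domain (or any subdomain of one), or the port-688 delivery channel."""
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    hits = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("jinx0164_ioc_domain")
    if int(ev.get("DestinationPort", "0")) == IOC_PORT:
        hits.append("nonstandard_port_688")
    return hits

def hunt(process_events, network_events) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs in event order; an empty list means nothing fired."""
    found = [(r, ev["CommandLine"]) for ev in process_events for r in check_process(ev)]
    found += [(r, ev["DestinationHostname"]) for ev in network_events for r in check_network(ev)]
    return found

# Constructed sample telemetry (not real data): a true positive and a benign event per rule.
SAMPLE_PROCESS = [
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger.exe stage@203.0.113.10 > C:\Users\Public\update.ps1"},
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger.exe admin@bastion.corp.example"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "powershell.exe -File run.ps1"},
]
SAMPLE_NETWORK = [
    {"DestinationHostname": "teams.live.us.org", "DestinationPort": "443"},
    {"DestinationHostname": "login.microsoftonline.com", "DestinationPort": "443"},
    {"DestinationHostname": "203.0.113.10", "DestinationPort": "688"},
]
```

Calling `hunt(SAMPLE_PROCESS, SAMPLE_NETWORK)` yields one finding per rule plus the port-688 connection, and nothing for the two benign events.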
KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for ClickFix finger.exe activity, known payload hashes and IOC domain connections
let IOCs = dynamic(["trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org", "www.live.us.org"]);
let MaliciousHashes = dynamic(["bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92", "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9", "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"]);
// Network events: has_any also matches when RemoteUrl carries a full URL rather than a bare hostname
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemotePort == 688
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort
| union (
    // Process events: known payload hashes (SHA256 column), or finger.exe invoked with a URL-like argument
    DeviceProcessEvents
    | where SHA256 in (MaliciousHashes) or (FolderPath endswith "\\finger.exe" and ProcessCommandLine contains "http")
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
)
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
    IOC Hunt Script for ClickFix, LofyStealer, and JINX-0164.
.DESCRIPTION
    Scans the file system for known malicious hashes and checks for the presence of suspicious processes like finger.exe.
#>
$MaliciousSHA256 = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
$DrivesToScan = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $DrivesToScan) {
    try {
        # Full-drive hashing is slow; narrow -Path to user-writable locations if time is short
        $Files = Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue -File
        foreach ($File in $Files) {
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -in $MaliciousSHA256) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[+] Checking for suspicious 'finger.exe' execution..." -ForegroundColor Cyan
$Processes = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($Processes) {
    Write-Host "[!] WARNING: finger.exe is currently running. This is highly suspicious in modern environments." -ForegroundColor Red
    foreach ($Proc in $Processes) {
        Write-Host "    PID: $($Proc.Id), Path: $($Proc.Path)"
    }
} else {
    Write-Host "[-] No finger.exe processes detected."
}
Write-Host "[+] Hunt Complete."
```
# Response Priorities
* **Immediate**:
  * Block all domains and hostnames listed in the IOC Analysis at the network perimeter.
  * Scan endpoints for the specific file hashes associated with CastleLoader, LofyStealer, and JINX-0164 payloads.
  * Kill any instances of `finger.exe` not initiated by a verified system administrator.
* **24 Hours**:
  * Initiate credential resets for developers or users in the Finance/Crypto sectors if credential theft is suspected (LofyStealer/AUDIOFIX).
  * Review LinkedIn messages for recruitment-themed phishing targeting your organization's technical staff.
* **1 Week**:
  * Implement application control policies to restrict the usage of `finger.exe` and unsigned Node.js executables in user environments.
  * Conduct security awareness training focused on "Clipboard Hijacking" and technical support scams.
  * Audit software supply chains and verify the integrity of NPM packages used in development environments.