Credential Harvesting Evolved: ClickFix, LofyStealer & Ghost Stadium Campaigns — OTX Pulse Analysis

Active infostealer campaigns (ClickFix, LofyStealer) using fake tools, gaming lures, and FIFA phishing to steal credentials; high urgency.

Threat Summary

The latest OTX pulses reveal a convergence of sophisticated credential theft tactics targeting diverse sectors, from individual gamers to cryptocurrency developers and major event attendees. The common denominator across these campaigns is the aggressive deployment of infostealers—CastleStealer, LofyStealer, AUDIOFIX, and Vidar/Lumma—delivered via social engineering and novel infrastructure evasion techniques.

Key activity includes:

• ClickFix Operations: Malicious "human verification" lures using fake tools (BackgroundFix) to hijack clipboards and execute payloads via finger.exe.
• Targeted Gaming Fraud: The LofyGang utilizing complex Node.js loaders to inject memory-only C++ payloads (LofyStealer) into Minecraft player systems.
• Corporate Supply Chain Attacks: The JINX-0164 actor leveraging LinkedIn recruiting to deliver macOS RATs (AUDIOFIX, MINIRAT) specifically to crypto infrastructure developers.
• Event-Based PhaaS: The "GHOST STADIUM" ecosystem exploiting the 2026 FIFA World Cup hype with over 4,300 fraudulent domains harvesting credentials via pixel-perfect clones.
• Infrastructure Innovation: The use of BNB Smart Chain testnet smart contracts for C2 (EtherHiding) to ensure resilient command and control for ClearFake/SectopRAT operations.

Threat Actor / Malware Profile

ClickFix / CastleLoader

• Distribution: Fake image-editing utilities (e.g., BackgroundFix) prompting browser "verify you are human" pop-ups.
• Payload Behavior: Copies malicious PowerShell/commands to the clipboard; invokes finger.exe to retrieve the CastleLoader.
• Payload Chain: CastleLoader → NetSupport RAT + CastleStealer (custom .NET stealer).
• Objective: Initial access leading to remote control and browser credential exfiltration.

LofyGang (LofyStealer / GrabBot)

• Distribution: Social engineering within the Minecraft community (fake mods/cheats).
• Payload Behavior: Two-stage attack. Stage 1: 53.5MB Node.js loader hidden in legitimate libs. Stage 2: 1.4MB native C++ payload executed reflectively in memory.
• Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers. Uses syscalls evasion.

JINX-0164

• Distribution: LinkedIn social engineering (posing as recruiters), supply chain compromise via malicious NPM packages.
• Malware:
  • AUDIOFIX: Python-based infostealer and RAT for macOS.
  • MINIRAT: Lightweight Go backdoor.
• Objective: Long-term persistence in crypto/DevOps environments to steal code and keys.

GHOST STADIUM

• Distribution: 4,300+ typosquatted domains, Facebook ads, SEO poisoning targeting the 2026 FIFA World Cup.
• Malware: Vidar Stealer, Lumma Stealer.
• Technique: Pixel-perfect cloning of FIFA authentication flows (Phishing-as-a-Service).

ClearFake / EtherHiding

• Distribution: Compromised legitimate websites (initially observed in Switzerland) injected with malicious JS.
• C2 Innovation: Uses BNB Smart Chain (BSC) testnet smart contracts to store payload routing instructions.
• Malware: SectopRAT, ACRStealer.
• Objective: Immutable C2 infrastructure that bypasses traditional domain takedowns.

IOC Analysis

The provided IOCs are split between infrastructure and file-based artifacts.

• Domains & URLs: A high volume of fraudulent domains (e.g., fifa.gold, fifa.tax) and specific loader domains (trindastal.com, poronto.com). SOC teams should immediately block these at the perimeter/DNS level.
• File Hashes: SHA256 and MD5 hashes for the Node.js loaders, C++ payloads, and macOS installers. These should be loaded into EDR alerting and historical hunting queries.
• IP Addresses: Specific C2 IPs (e.g., 148.178.22.16) associated with the Ghost Stadium infrastructure.
• Operationalization:
  • SIEM: Correlate domain connections with user-agent strings indicating browsers or uncommon tools (finger.exe).
  • EDR: Hunt for the specific file hashes provided for LofyStealer and CastleLoader.
  • Network: Use packet inspection (Zeek/Suricata) to detect HTTP traffic to non-standard ports (e.g., :688) or requests to blockchain RPC endpoints from workstations.

Detection Engineering

Sigma Rules

title: Suspicious Finger.exe Execution - Potential ClickFix Activity
id: 9a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
description: Detects the execution of finger.exe, which is abused in ClickFix campaigns to retrieve payloads via clipboard manipulation. Currently rarely used by legitimate users.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\finger.exe'
        OriginalFileName:
            - 'finger.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use (rare)
level: high
---
title: Potential LofyStealer Node.js Loader Activity
date: 2026/06/01
author: Security Arsenal
status: experimental
description: Detects Node.js processes spawning child processes or accessing browser data directories, indicative of the LofyStealer loader.
tags:
    - attack.t1055.002
    - attack.credential_access
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith:
            - '\\node.exe'
    selection_child:
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\rundll32.exe'
    selection_files:
        TargetFilename|contains:
            - '\\Google\\Chrome\\User Data'
            - '\\Mozilla\\Firefox\\Profiles'
    condition: 1 of selection_*
falsepositives:
    - Legitimate web development
level: medium
---
title: Connection to Fraudulent FIFA Domains - Ghost Stadium
date: 2026/06/01
author: Security Arsenal
status: experimental
description: Detects network connections to domains utilizing the FIFA brand with suspicious TLDs associated with the Ghost Stadium campaign.
tags:
    - attack.credential_phishing
    - attack.t1566.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifa.red'
            - 'fifa.fund'
            - 'fifaweb.com'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL (Microsoft Sentinel)

// Hunt for ClickFix indicators and Ghost Stadium domains
let IoC_Domains = dynamic(["fifa.gold", "fifa.black", "fifa.tax", "fifa.red", "fifaweb.com", "trindastal.com", "poronto.com", "driver-updater.net"]);
let IoC_IPs = dynamic(["148.178.22.16", "89.36.224.5"]);
// Network Connections
DeviceNetworkEvents
| where RemoteUrl in~ (IoC_Domains) or RemoteIP in~ (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    // Process Creation for Finger.exe (ClickFix)
    DeviceProcessEvents
    | where FileName =~ "finger.exe"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath
)
| order by Timestamp desc

PowerShell Hunt Script

<#
.SYNOPSIS
    IOC Hunt for ClickFix, LofyStealer, and JINX-0164 artifacts.
.DESCRIPTION
    Checks for running suspicious processes, presence of known file hashes (simulated via path checks), and recent network connections to malicious domains.
#>

$MaliciousDomains = @("fifa.gold", "fifa.black", "trindastal.com", "poronto.com", "driver-updater.net", "live.ong")
$SuspiciousProcesses = @("finger.exe")

Write-Host "[+] Checking for suspicious process execution (ClickFix - finger.exe)..." -ForegroundColor Cyan
$Processes = Get-Process -ErrorAction SilentlyContinue
foreach ($Proc in $SuspiciousProcesses) {
    if ($Processes.ProcessName -contains $Proc.Trim(".exe")) {
        Write-Host "[!] ALERT: Suspicious process found: $Proc" -ForegroundColor Red
        Get-Process -Name $Proc.Trim(".exe") | Select-Object ProcessName, Id, Path, StartTime
    }
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
$Hits = $DnsCache | Where-Object { $MaliciousDomains -like "*$($_.Entry)*" }
if ($Hits) {
    Write-Host "[!] ALERT: Malicious domain resolution found in DNS Cache." -ForegroundColor Red
    $Hits | Select-Object Entry, Data, TimeToLive
}

Write-Host "[+] Checking for Node.js accessing browser data (LofyStealer Indicator)..." -ForegroundColor Cyan
$NodeProcs = Get-Process -Name "node" -ErrorAction SilentlyContinue
if ($NodeProcs) {
    Write-Host "[!] INFO: Node.exe processes running. Manual review of open handles/files recommended." -ForegroundColor Yellow
    $NodeProcs | Select-Object ProcessName, Id, Path
}

Write-Host "[+] Hunt Complete."

Response Priorities

• Immediate:
  • Block all identified IOCs (domains, IPs, hashes) at the firewall, proxy, and EDR levels.
  • Isolate endpoints showing evidence of finger.exe execution or connections to fika.* domains.
• 24 Hours:
  • Initiate credential resets for any accounts suspected of being compromised by the GHOST STADIUM or LofyStealer campaigns, specifically targeting users with overlap in gaming or personal email usage.
  • Review GitHub/DevOps environments for signs of JINX-0164 supply chain compromise (malicious NPM packages).
• 1 Week:
  • Conduct security awareness training focused on "fake browser update" and "human verification" social engineering (ClickFix).
  • Implement strict egress filtering for non-business applications, specifically targeting blockchain RPC endpoints to workstations to mitigate EtherHiding techniques.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub