
Critical Infostealer Surge: ClickFix, LofyStealer, and NPM Supply Chain Attacks Targeting Cloud & Gaming Sectors

Security Arsenal Team
June 2, 2026

Recent OTX pulse data indicates a surge in sophisticated credential theft campaigns utilizing diverse initial access vectors ranging from social engineering to supply chain compromises. A common theme across these pulses is the aggressive targeting of developer infrastructure (JINX-0164, Mini Shai-Hulud) and consumer endpoints via fake utilities (ClickFix, LofyStealer).

The ClickFix campaign has evolved, masquerading as the "BackgroundFix" image tool to deliver CastleLoader, which subsequently drops NetSupport RAT and CastleStealer. Simultaneously, the LofyStealer campaign (LofyGang) specifically targets Minecraft players with a complex Node.js/C++ loader to harvest browser credentials and financial data.

On the infrastructure front, threat actor JINX-0164 is actively recruiting cryptocurrency developers via LinkedIn to deliver macOS malware (AUDIOFIX, MINIRAT), while the Mini Shai-Hulud campaign has compromised Red Hat Cloud Services npm packages to siphon CI/CD secrets and cloud credentials. Finally, the GHOST STADIUM operation is leveraging 2026 World Cup hype to deploy Vidar and Lumma stealers via credential phishing.

Threat Actor / Malware Profile

ClickFix / CastleLoader

  • Distribution: Fake image-editing website (BackgroundFix); social engineering prompting users to copy "human verification" commands to the clipboard.
  • Payload Behavior: Uses Windows finger.exe to retrieve the CastleLoader payload. Drops NetSupport RAT for remote access and CastleStealer (.NET) for data exfiltration.
  • Persistence: Likely via scheduled tasks or startup folders facilitated by the RAT component.
  • C2 Communication: HTTP communication to specific domains on non-standard ports (e.g., :688).

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players; malicious Node.js modules disguised as legitimate libraries.
  • Payload Behavior: Two-stage attack: a 53.5MB Node.js loader drops a 1.4MB C++ payload that executes entirely in memory to evade disk-based scanning.
  • Target: Extracts cookies, passwords, tokens, and IBANs from 8+ browsers.
  • Anti-Analysis: Uses syscall-based evasion techniques and memory-only execution.

Mini Shai-Hulud (NPM Supply Chain)

  • Distribution: Compromised @redhat-cloud-services packages on npm registry.
  • Payload Behavior: Malicious preinstall scripts execute obfuscated JavaScript and AES-GCM encrypted payloads.
  • Target: Harvests GitHub Actions secrets, npm tokens, AWS/Azure/GCP credentials, and crypto-wallet keys.
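As an added example (not code from the pulse or from Security Arsenal), the following Python audit walks a node_modules tree, lists every npm lifecycle hook it finds, and flags hook scripts that show the obfuscated-JavaScript / AES-GCM decryption pattern described above. The heuristic regexes, the package name @example-scope/cloud-client and the sample tree are constructed for the demo and are not indicators from the pulse data.

```python
import json
import re
import tempfile
from pathlib import Path
# Hooks npm runs automatically during install; the pulse describes abuse of preinstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for the obfuscated-JS / AES-GCM payload style; assumptions for this example, not pulse IOCs.
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "aes_gcm_decipher": re.compile(r"createDecipheriv\s*\(\s*['\"]aes-\d+-gcm"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),
    "secret_env_access": re.compile(r"process\.env|\.npmrc|GITHUB_TOKEN|AWS_SECRET"),
}

def audit_package(root: Path, pkg_dir: Path) -> list:
    """List every lifecycle hook of one package and flag suspicious script bodies it runs."""
    findings = []
    scripts = json.loads((pkg_dir / "package.json").read_text("utf-8")).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = ["lifecycle_hook"]
        for token in cmd.split():  # e.g. "node setup.js" -> inspect setup.js
            target = pkg_dir / token
            if target.suffix == ".js" and target.is_file():
                body = target.read_text("utf-8", errors="replace")
                reasons += [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]
        findings.append({"package": pkg_dir.relative_to(root).as_posix(), "hook": hook,
                         "command": cmd, "reasons": reasons})
    return findings

def audit_node_modules(root: Path) -> list:
    """Walk a node_modules tree; one finding per lifecycle hook, clean packages produce none."""
    return [f for m in root.glob("**/package.json") for f in audit_package(root, m.parent)]

def build_demo_tree() -> Path:
    """Constructed sample tree: a clean package and a hypothetical one mimicking the preinstall pattern."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean = root / "left-pad"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"scripts": {"test": "node test.js"}}))
    bad = root / "@example-scope" / "cloud-client"  # placeholder name, not a real package
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"scripts": {"preinstall": "node setup.js"}}))
    (bad / "setup.js").write_text("const c=require('crypto');const d=c.createDecipheriv('aes-256-gcm',k,iv);\n"
        "const blob='" + "QUJD" * 40 + "';\neval(d.update(Buffer.from(blob,'base64')));\nconst t=process.env.GITHUB_TOKEN;\n")
    return root
```

Run `audit_node_modules(Path("node_modules"))` against a real checkout before its first install with `npm install --ignore-scripts`, so hooks are reviewed instead of executed.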

JINX-0164

  • Distribution: LinkedIn phishing (recruiter/business partner personas).
  • Payload Behavior: Delivers AUDIOFIX (Python RAT/Stealer) and MINIRAT (Go backdoor) targeting macOS.
  • Target: Cryptocurrency organizations and software developers.

IOC Analysis

The provided indicators span multiple categories requiring distinct handling:

  • Domains & URLs: High-confidence indicators of compromise (IoCs) such as trindastal.com, fifa.gold, and driver-updater.net. These should be blocked immediately at the DNS layer, with any residual traffic routed through secure web gateways for analysis.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for loaders and payloads (e.g., bde21d8be6... for CastleLoader, 293006cec4... for LofyStealer). These must be loaded into EDR solutions for retrospective hunting.
  • IP Addresses: Specific infrastructure IPs like 148.178.22.16 (Ghost Stadium) should be firewalled.

Operationalization: SOC teams should ingest these IOCs into their SIEM (e.g., Splunk, Sentinel) to correlate against firewall logs, proxy logs, and EDR alerts. The presence of finger.exe in process logs is a high-fidelity behavioral anomaly.
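As an added example (not code from the pulse or from Security Arsenal), the following Python correlator applies the indicators quoted above to normalised proxy, firewall and process events, matching subdomains of the listed domains, the :688 C2 port, the Ghost Stadium IP and finger.exe executions, and groups hits per host so a device with several matches surfaces first. The event shape and the sample log lines are constructed for the demo.

```python
import ipaddress
import json
from urllib.parse import urlparse
# Indicators quoted in the IOC Analysis above plus the finger.exe behavioural indicator; hashes are left to the EDR.
IOC_DOMAINS = {"trindastal.com", "fifa.gold", "driver-updater.net"}
IOC_IPS = {ipaddress.ip_address("148.178.22.16")}
IOC_PORTS = {688}
IOC_PROCESSES = {"finger.exe"}
def domain_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one (e.g. www.fifa.gold)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def check_event(ev: dict) -> list:
    """Return the reasons one normalised log event matches the IOC set (empty if clean)."""
    reasons, kind = [], ev.get("type")
    if kind == "proxy":
        u = urlparse(ev.get("url", ""))
        if u.hostname and domain_matches(u.hostname):
            reasons.append("ioc_domain:" + u.hostname)
        if u.port in IOC_PORTS or ev.get("dst_port") in IOC_PORTS:
            reasons.append("c2_port:688")
    if kind in ("proxy", "firewall"):
        try:
            if ipaddress.ip_address(ev.get("dst_ip", "")) in IOC_IPS:
                reasons.append("ioc_ip:" + ev["dst_ip"])
        except ValueError:  # event without a parseable destination IP
            pass
    # basename of the Windows image path, compared case-insensitively
    if kind == "process" and ev.get("image", "").lower().rsplit("\\", 1)[-1] in IOC_PROCESSES:
        reasons.append("lolbin:" + ev["image"].lower().rsplit("\\", 1)[-1])
    return reasons

def correlate(lines) -> list:
    """Parse JSON log lines and group hits per host, most-matched device first."""
    hits = {}
    for line in filter(None, (ln.strip() for ln in lines)):
        ev = json.loads(line)
        reasons = check_event(ev)
        if reasons:
            hits.setdefault(ev.get("host", "?"), []).extend(reasons)
    return sorted(hits.items(), key=lambda kv: -len(kv[1]))

# Constructed sample events (not real telemetry); proxy, firewall and Sysmon records normalised to this shape.
SAMPLE_LOGS = [
    r'{"type":"proxy","host":"WS-042","url":"http://www.fifa.gold/login","dst_ip":"203.0.113.5","dst_port":80}',
    r'{"type":"process","host":"WS-042","image":"C:\\Windows\\System32\\finger.exe","parent":"cmd.exe"}',
    r'{"type":"proxy","host":"WS-017","url":"http://203.0.113.9:688/","dst_ip":"203.0.113.9","dst_port":688}',
    r'{"type":"firewall","host":"WS-003","dst_ip":"148.178.22.16","dst_port":443}',
    r'{"type":"proxy","host":"WS-099","url":"https://example.org/","dst_ip":"93.184.216.34","dst_port":443}',
]
```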

Detection Engineering

YAML
title: Potential ClickFix CastleLoader Activity via finger.exe
id: 36a8a8b0-1b2c-3d4e-5f6a-7b8c9d0e1f2a
description: Detects the execution of finger.exe, which is abused by the ClickFix campaign (BackgroundFix) to retrieve malicious payloads.
status: experimental
date: 2026/06/03
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate administration usage (rare)
level: high
tags:
  - attack.initial_access
  - attack.t1189
---
title: Suspicious NPM Preinstall Script Execution (Shai-Hulud)
id: 41a9b9c1-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects npm install runs spawning child shells or node processes, the behavior of the malicious preinstall scripts used by the Mini Shai-Hulud supply chain attack.
status: experimental
date: 2026/06/03
author: Security Arsenal
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    # npm is itself a node script, so the parent image is usually node; match the parent command line instead
    ParentCommandLine|contains|all:
      - 'npm'
      - 'install'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/node'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts utilizing shell commands
level: high
tags:
  - attack.initial_access
  - attack.t1195.001
---
title: Browser Credential File Access by Non-Browser Process
id: 52c0d0e2-3d4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects non-browser processes accessing sensitive browser database files (Login Data, Cookies), common behavior for LofyStealer and CastleStealer.
status: experimental
date: 2026/06/03
author: Security Arsenal
logsource:
  category: file_access
  product: windows
detection:
  selection_target:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Default\Network\Cookies'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Mozilla\Firefox\Profiles\logins.'
  filter_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\brave.exe'
  condition: selection_target and not filter_browsers
falsepositives:
  - Backup software
  - Security scanners
level: medium
tags:
  - attack.credential_access
  - attack.t1005


kql
// Hunt for ClickFix network IOCs and the finger.exe / BackgroundFix process indicators
let iocDomains = dynamic(["trindastal.com", "poronto.com", "giovettiadv.com", "fifa.gold", "driver-updater.net", "live.ong"]);
DeviceNetworkEvents
| where RemoteUrl in~ (iocDomains)
    or RemotePort == 688
    or RemoteIP == "148.178.22.16"
| project Timestamp, DeviceName, Source = "network", Process = InitiatingProcessFileName,
          Detail = strcat(RemoteUrl, " ", RemoteIP, ":", tostring(RemotePort))
// DeviceProcessEvents names the executable in FileName, not ProcessName; union after projecting to common columns
| union (
    DeviceProcessEvents
    | where FileName =~ "finger.exe" or ProcessCommandLine has "BackgroundFix"
    | project Timestamp, DeviceName, Source = "process", Process = InitiatingProcessParentFileName,
              Detail = ProcessCommandLine
)
| order by Timestamp desc


powershell
# IOC Hunter for ClickFix and LofyStealer SHA256 hashes
$targetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($drive in $drives) {
    Write-Host "Scanning $drive for malicious file hashes..."
    # -File skips directories (which cannot be hashed); -Force includes hidden and system files
    Get-ChildItem -Path $drive -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -LiteralPath avoids wildcard expansion of unusual file names; -in compares case-insensitively
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($hash -in $targetHashes)) {
            Write-Warning "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $hash"
        }
    }
}

# Check for suspicious Node.js processes (LofyStealer: the 53.5MB loader leaves a large working set)
Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.WorkingSet64 -gt 50MB } |
    Select-Object ProcessName, Id, @{Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB) }}, Path

Response Priorities

  • Immediate: Block all listed domains and IP addresses at the firewall and proxy level. Quarantine endpoints where the provided file hashes are detected.
  • 24h: Initiate a credential reset and MFA verification campaign for users who may have interacted with phishing lures (Ghost Stadium, ClickFix) or developers who may have pulled compromised npm packages (Shai-Hulud). Rotate GitHub Actions and Cloud API keys.
  • 1 Week: Harden the software supply chain by implementing branch protection rules and requiring manual review for npm package dependency updates. Conduct security awareness training regarding LinkedIn recruiting scams and "too good to be true" utilities.
