
Infostealer Surge: ClickFix, LofyStealer, and GHOST STADIUM Targeting Global Infrastructure

Security Arsenal Team
May 31, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a convergent surge in infostealer operations utilizing diverse delivery vectors, from social engineering lures to blockchain-based command and control (C2). The threat landscape is dominated by ClickFix campaigns delivering CastleLoader and NetSupport RAT, LofyStealer targeting gaming communities, and JINX-0164 focusing on cryptocurrency infrastructure via LinkedIn recruitment. Additionally, the GHOST STADIUM campaign is exploiting the 2026 FIFA World Cup hype with massive phishing infrastructure, while the ClearFake actor has innovated by using BNB Smart Chain (BSC) testnet smart contracts for resilient C2 communications. Collectively, these actors prioritize credential harvesting, browser data theft, and financial fraud.

Threat Actor / Malware Profile

ClickFix / CastleLoader

  • Distribution: Fake image-editing tools ("BackgroundFix") prompting users to copy clipboard commands.
  • Payload Behavior: Uses finger.exe to fetch payloads. Drops CastleLoader, which subsequently deploys NetSupport RAT (remote access) and CastleStealer (.NET stealer).
  • C2 Communication: Standard HTTP/HTTPS to hardcoded domains; modular loading.

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior: Two-stage attack: a 53.5MB Node.js loader disguised as a legitimate library drops a 1.4MB memory-only C++ payload. Targets 8+ browsers for cookies, passwords, and crypto wallets.
  • Anti-Analysis: Uses syscall-based evasion and in-memory execution to avoid on-disk scanning.

JINX-0164

  • Distribution: LinkedIn social engineering (recruiter personas) and malicious npm packages (supply chain).
  • Payload Behavior: Custom macOS malware: AUDIOFIX (Python RAT/Infostealer) and MINIRAT (Go backdoor).
  • Target: Cryptocurrency software developers and infrastructure.

GHOST STADIUM

  • Distribution: Phishing-as-a-Service (PaaS) ecosystem with over 4,300 spoofed FIFA domains; Facebook ads are used to drive traffic to them.
  • Payload Behavior: Pixel-perfect FIFA authentication clone. Delivers Vidar and Lumma stealers.
  • C2 Communication: Distributed across 300+ domains to resist takedown.

ClearFake (Smart Contract C2)

  • Distribution: Compromised legitimate websites (injected JS).
  • Payload Behavior: SectopRAT and ACRStealer.
  • C2 Communication: Queries BNB Smart Chain (BSC) testnet smart contracts (EtherHiding) to retrieve payload URLs, ensuring immutable C2 infrastructure.
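As an added illustration of what the EtherHiding retrieval looks like on the wire (example code written for this post, not code from Security Arsenal or from the campaign): a constructed JSON-RPC eth_call exchange with a BSC testnet node is triaged and its ABI-encoded string result decoded the way an analyst would when reviewing proxy logs. The hostname, contract address, function selector and URL are placeholders.

```python
import json

# Hostname fragments from the detection section below and the browser exclusions used there.
TESTNET_RPC_MARKERS = ("bsc-testnet", "binance.org")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # legitimate wallets/dApp clients

def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value: 32-byte offset, 32-byte length, padded bytes."""
    raw = s.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex() + padded.hex()

def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string; returns '' for an empty or malformed result."""
    b = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(b[:32], "big")
    length = int.from_bytes(b[offset:offset + 32], "big")
    return b[offset + 32:offset + 32 + length].decode("utf-8", "replace")

def triage_rpc_exchange(host: str, process: str, request_body: str, response_body: str):
    """Return a finding when a non-browser process does an eth_call against a BSC testnet
    node and the reply decodes to a URL (the EtherHiding pattern); otherwise None."""
    if process.lower() in BROWSERS or not any(m in host.lower() for m in TESTNET_RPC_MARKERS):
        return None
    try:
        req = json.loads(request_body)
        if req.get("method") != "eth_call":
            return None
        contract = req["params"][0].get("to")
        decoded = abi_decode_string(json.loads(response_body).get("result", "0x"))
    except (ValueError, KeyError, TypeError, IndexError):
        return None
    if not decoded.startswith(("http://", "https://")):
        return None
    return {"host": host, "process": process, "contract": contract, "payload_url": decoded}

# Constructed sample exchange (placeholder values, not campaign indicators).
PAYLOAD_URL = "https://payload-host.invalid/stage2.js"
SAMPLE_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "ab" * 20, "data": "0xdeadbeef"}, "latest"]})
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(PAYLOAD_URL)})

if __name__ == "__main__":
    print(triage_rpc_exchange("bsc-testnet-rpc.placeholder.invalid", "wscript.exe",
                              SAMPLE_REQUEST, SAMPLE_RESPONSE))
```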

IOC Analysis

  • Domains: High volume of typosquatting (e.g., fifa.gold, fifa.black, trindastal.com) and spoofed infrastructure (login.teamicrosoft.com). SOC teams should prioritize these for DNS sinkholing.
  • File Hashes: Predominantly SHA256 and MD5 indicators for loaders (Node.js, Python scripts) and final payloads. Operationalize via EDR quarantine and YARA scans.
  • URLs: Specific ports and paths observed (e.g., :688, /install.sh). Web proxies should be configured to block these specific paths.
  • Operationalization: IOCs should be fed into SIEM correlation rules for immediate alerting on outbound connections to these domains and file execution events matching the provided hashes.
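The correlation described above, as an added example (not code from the page or from Security Arsenal) run over constructed events: domains are matched as exact or subdomain hits rather than substrings, hashes case-insensitively, and finger.exe executions are flagged with their parent. IOC values are the ones quoted in this section and in the hunt script below; the events and device names are constructed.

```python
import json

IOC_DOMAINS = {"fifa.gold", "fifa.black", "trindastal.com", "login.teamicrosoft.com"}
IOC_SHA256 = {"bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92"}
IOC_PORTS = {688}
IOC_PATHS = {"/install.sh"}

def domain_matches(hostname: str, ioc: str) -> bool:
    """Exact or subdomain match only: www.fifa.gold hits fifa.gold, fifa.golden.example does not.
    A plain '*domain*' wildcard would produce the latter false positive."""
    h = hostname.lower().rstrip(".")
    return h == ioc or h.endswith("." + ioc)

def correlate(events: list) -> list:
    """Apply the IOC correlation rules to normalized network/process events; return alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "network":
            for d in sorted(IOC_DOMAINS):
                if domain_matches(ev["host"], d):
                    alerts.append({"rule": "ioc_domain", "ioc": d, "device": ev["device"]})
            if ev.get("port") in IOC_PORTS or ev.get("path") in IOC_PATHS:
                alerts.append({"rule": "ioc_url", "ioc": f"{ev['host']}:{ev['port']}{ev['path']}",
                               "device": ev["device"]})
        elif ev["type"] == "process":
            if ev.get("sha256", "").lower() in IOC_SHA256:
                alerts.append({"rule": "ioc_hash", "ioc": ev["sha256"].lower(), "device": ev["device"]})
            if ev["image"].lower().endswith("\\finger.exe"):
                alerts.append({"rule": "clickfix_finger_chain", "ioc": ev["parent"], "device": ev["device"]})
    return alerts

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"type": "network", "device": "WS01", "host": "www.fifa.gold", "port": 443, "path": "/login"},
    {"type": "network", "device": "WS01", "host": "fifa.golden.example", "port": 443, "path": "/"},
    {"type": "network", "device": "WS02", "host": "cdn.placeholder.invalid", "port": 688, "path": "/install.sh"},
    {"type": "process", "device": "WS03", "image": "C:\\Windows\\System32\\finger.exe", "parent": "cmd.exe", "sha256": ""},
    {"type": "process", "device": "WS04", "image": "C:\\Users\\u\\Downloads\\BackgroundFix.exe", "parent": "explorer.exe",
     "sha256": "BDE21D8BE65D31E1C380F2DAAE2F73C79F3E1F4BCA70FB990DB6FDF6C3768C92"},
    {"type": "process", "device": "WS05", "image": "C:\\Program Files\\nodejs\\node.exe", "parent": "explorer.exe", "sha256": ""},
]

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```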

Detection Engineering

```yaml
---
title: Potential ClickFix CastleLoader Activity via Finger.exe
id: 348b172d-6a3e-4f4a-9e5a-5c8b7d6e5f4a
description: Detects execution of finger.exe, used by ClickFix campaigns to retrieve CastleLoader payloads. ClickFix lures have the victim paste a command into the Run dialog or a shell, so the parent is usually explorer.exe or cmd.exe and must not be excluded.
author: Security Arsenal
date: 2026/05/31
status: experimental
references:
    - https://otx.alienvault.com/pulse/667a1b2c3d4e5f6a7b8c9d0e
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
    # finger.exe is almost never used legitimately on enterprise endpoints, so any execution
    # is alerted on. A parent filter for explorer.exe/cmd.exe would suppress exactly the
    # Run-dialog spawn chain that ClickFix relies on.
    condition: selection
falsepositives:
    - Legitimate administrative use of finger.exe (rare)
level: high
---
title: Suspicious Node.js Loader Executing Native Payloads (LofyStealer)
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects Node.js processes spawning child processes like powershell or cmd, indicative of the LofyStealer Node.js loader executing the C++ payload stage.
author: Security Arsenal
date: 2026/05/31
status: experimental
references:
    - https://otx.alienvault.com/pulse/667a1b2c3d4e5f6a7b8c9d0f
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    # A single process_creation event carries both the parent and the child, so the pair
    # is matched in one selection; separate "parent" and "child" selections ANDed together
    # can never both be true for the same event.
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\regsvr32.exe'
    condition: selection
falsepositives:
    - Legitimate Node.js development scripts
level: medium
---
title: ClearFake Blockchain C2 Traffic Pattern
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
description: Detects processes attempting to connect to BNB Smart Chain (BSC) RPC endpoints or specific blockchain testnet nodes, typical of smart contract C2 abuse like ClearFake.
author: Security Arsenal
date: 2026/05/31
status: experimental
references:
    - https://otx.alienvault.com/pulse/667a1b2c3d4e5f6a7b8c9d10
tags:
    - attack.command_and_control
    - attack.c2
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 8545
            - 443
        Initiated: 'true'
    # Named selection_* rather than filter_* because it is a required match, not an exclusion.
    # A bare 'rpc' substring was dropped: it matches any hostname containing those letters.
    selection_bsc:
        DestinationHostname|contains:
            - 'bsc-testnet'
            - 'binance.org'
    filter_legit:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: selection and selection_bsc and not filter_legit
falsepositives:
    - Legitimate crypto wallets or dApp browsers
level: high
```


```kql
// Hunt for GHOST STADIUM and ClickFix network indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com",
    "trindastal.com", "poronto.com", "giovettiadv.com",
    "login.teamicrosoft.com", "live.ong", "driver-updater.net"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort, RemoteIP
| order by Timestamp desc

// Hunt for ClickFix finger.exe execution and the LofyStealer Node.js loader spawning a shell.
// The two branches are independent: the original second filter required the executed
// process itself to be node.exe, which excluded both the finger.exe and the node-child cases.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "finger.exe"
    or ProcessCommandLine has "finger.exe"
    or (InitiatingProcessFileName =~ "node.exe"
        and FileName in~ ("powershell.exe", "cmd.exe", "regsvr32.exe"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```


```powershell
# IOC Hunt Script for Infostealer Campaigns
# Usage: Run as Administrator

Write-Host "[*] Starting Hunt for Infostealer Artifacts..." -ForegroundColor Cyan

# 1. Check for LofyStealer / Node.js Loader Artifacts
Write-Host "[*] Checking for suspicious Node.js processes..." -ForegroundColor Yellow
# Parentheses are required: -and binds tighter than -or, so without them the second -like
# clause matched any process whose command line contained "lofy", regardless of image name.
$nodeProcs = Get-CimInstance Win32_Process | Where-Object {
    $_.Name -eq "node.exe" -and ($_.CommandLine -like "*chromelevator*" -or $_.CommandLine -like "*lofy*")
}
if ($nodeProcs) {
    Write-Host "[!] Suspicious Node.js process found!" -ForegroundColor Red
    $nodeProcs | Select-Object ProcessId, CommandLine
} else {
    Write-Host "[-] No suspicious Node.js processes detected." -ForegroundColor Green
}

# 2. Scan for CastleStealer / ClickFix File Hashes (Mockup for specific hashes)
Write-Host "[*] Scanning for ClickFix/CastleLoader Hashes..." -ForegroundColor Yellow
$maliciousHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

# Check common download directories (-File skips directories, which Get-FileHash cannot hash;
# the -in comparison is case-insensitive, so the uppercase hex from Get-FileHash matches).
$paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($hash -in $maliciousHashes)) {
                Write-Host "[!] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 3. Check DNS Cache for Ghost Stadium Domains
Write-Host "[*] Checking DNS Cache for Phishing Domains..." -ForegroundColor Yellow
$phishingDomains = @("fifa.gold", "fifa.black", "fifaweb.com", "login.teamicrosoft.com")
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $phishingDomains) {
    # Match the domain itself or a subdomain of it, not any entry containing the string.
    $hit = $dnsCache | Where-Object { $_.Entry -eq $domain -or $_.Entry -like "*.$domain" }
    if ($hit) {
        Write-Host "[!] Phishing domain resolution found: $domain -> $(($hit.Data) -join ', ')" -ForegroundColor Red
    }
}

Write-Host "[*] Hunt Complete." -ForegroundColor Cyan
```

Response Priorities

  • Immediate:
    • Block all listed IOCs (domains, IPs, hashes) at the firewall, proxy, and EDR levels.
    • Isolate endpoints showing finger.exe spawn chains or Node.js loaders with suspicious command lines.
  • 24 Hours:
    • Initiate credential rotation for users identified as potentially impacted by infostealers (specifically LofyStealer and CastleStealer targets).
    • Review browser extension logs for "Chromelevator" or unauthorized add-ons.
  • 1 Week:
    • Implement strict application allowlisting for utilities like finger.exe.
    • Conduct security awareness training focused on "ClickFix" social engineering and FIFA World Cup phishing scams.
    • Review and patch supply chain dependencies (npm packages) for developer workstations.
