Recent OTX Pulse data reveals a convergence of sophisticated credential theft campaigns targeting high-value sectors including cryptocurrency, software development, and major event spectators (FIFA World Cup 2026). The campaigns are driven by distinct threat actors—ClickFix, LofyGang, JINX-0164, and GHOST STADIUM—utilizing diverse delivery vectors ranging from social engineering and fake browser updates to blockchain-based command-and-control (C2) infrastructure.
Collectively, these campaigns aim to harvest sensitive credentials, session tokens, and financial data. Notably, the JINX-0164 actor has shifted focus to software supply chain attacks and macOS platforms, while ClickFix continues to innovate with "BackgroundFix" lures using legitimate Windows utilities like finger.exe to deploy payloads. Additionally, the GHOST STADIUM operation leverages Phishing-as-a-Service (PaaS) infrastructure to exploit ticket demand for the 2026 World Cup, distributing Vidar and Lumma stealers.
Threat Actor / Malware Profile
| Actor / Malware | Distribution Method | Payload Behavior | C2 & Persistence | Anti-Analysis |
|---|---|---|---|---|
| ClickFix (CastleLoader, NetSupport RAT) | Fake "BackgroundFix" image tool; social engineering prompting users to copy clipboard commands. | Uses finger.exe to retrieve payloads; Drops NetSupport RAT and CastleStealer (.NET). | HTTP/HTTPS connections to domains on non-standard ports (e.g., :688). | Reflective loading; masquerades as legitimate image editing utility. |
| GHOST STADIUM (Vidar, Lumma) | Phishing-as-a-Service; 4,300+ fraudulent domains; Facebook ads; pixel-perfect FIFA clones. | Steals credentials, crypto wallet data, and 2FA sessions. | Phishing kits exfiltrate data to actor-controlled servers. | Domain generation algorithms; high volume of lookalike domains. |
| LofyGang (LofyStealer/GrabBot) | Targeted social engineering of Minecraft players; Trojanized libraries. | Node.js loader drops C++ payload; In-memory execution; steals browser data (cookies, passwords, crypto). | Custom C2 protocols; exfiltration to attacker servers. | Syscalls evasion; Memory-only payload to avoid disk scanning. |
| JINX-0164 (AUDIOFIX, MINIRAT) | LinkedIn recruiting scams; NPM trojan packages; Supply chain compromise. | Python-based infostealer (AUDIOFIX) and Go backdoor (MINIRAT) targeting macOS. | HTTP/HTTPS C2; CI/CD pipeline hijacking. | Targeting macOS to evade traditional Windows-centric defenses. |
| ClearFake (SectopRAT, ACRStealer) | Compromised websites; injected JavaScript. | Queries BNB Smart Chain (BSC) testnet smart contracts for payload routing. | Blockchain-based C2 (Immutable infrastructure). | Uses EtherHiding to store C2 coords in smart contracts. |
IOC Analysis
The provided pulses contain a mix of network and file-based indicators essential for detection and blocking:
- Domains & URLs: A significant number of lookalike domains (e.g., fifa.gold, fifaweb.com) and suspicious delivery domains (e.g., trindastal.com, driver-updater.net). URLs often utilize non-standard HTTP ports (e.g., :688) to bypass egress filtering.
- File Hashes: SHA256 and MD5 hashes for loaders (CastleLoader, Node.js loaders) and final payloads (NetSupport RAT, MINIRAT).
- Operationalization:
  - SOC Teams: Ingest domains into DNS Firewall/Proxy SGs immediately. Block the specific IP 148.178.22.16 associated with GHOST STADIUM.
  - EDR: Hunt for the specific SHA256 hashes (e.g., bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92) in user temp directories and AppData folders.
  - Network: Correlate traffic to BSC Testnet endpoints (IPs in 148.178.0.0/16 or similar ranges) from non-developer workstations as potential ClearFake activity.
Detection Engineering
```yaml
---
title: Potential ClickFix BackgroundFix Activity via Finger.EXE
id: 4a7b8c9d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
description: Detects the execution of finger.exe spawning a shell or downloading content, a specific behavior associated with the ClickFix campaign delivering CastleLoader.
status: experimental
author: Security Arsenal
date: 2026/06/01
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_finger:
    Image|endswith: '\finger.exe'
  selection_spawn:
    ParentImage|endswith: '\finger.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\curl.exe'
  # Any finger.exe execution fires; the spawn selection adds the child-shell pattern
  condition: 1 of selection*
falsepositives:
  - Legitimate use of finger.exe (rare in modern environments)
level: high
---
title: Potential LofyStealer Node.js Loader Activity
id: 5b8c9d0e-2f3g-4b5c-6d7e-8f9a0b1c2d3e
description: Detects Node.js processes spawning command shells or PowerShell, characteristic of the LofyStealer Node.js loader initiating the C++ payload.
status: experimental
author: Security Arsenal
date: 2026/06/01
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\node.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\cscript.exe'
  filter_legit:
    CommandLine|contains:
      - 'npm'
      - 'node_modules'
      - 'yarn'
  condition: selection_parent and selection_child and not filter_legit
falsepositives:
  - Legitimate development scripts running npm builds
level: medium
---
title: ClearFake EtherHiding Network Activity
id: 6c9d0e1f-3g4h-5c6d-7e8f-9a0b1c2d3e4f
description: Detects browser processes connecting to high-numbered ports or known BSC Testnet infrastructure, indicative of smart contract-based C2 communication used by ClearFake.
status: experimental
author: Security Arsenal
date: 2026/06/01
logsource:
  category: network_connection
  product: windows
detection:
  selection_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\brave.exe'
  selection_ports:
    DestinationPort:
      - 688
      - 8545
  selection_suspicious_ips:
    DestinationIp|startswith:
      - '148.178.'
      - '89.36.'
  # The port/IP selections are listed explicitly: "1 of selection_*" would also
  # match selection_browsers itself, so the rule would fire on every browser connection
  condition: selection_browsers and (selection_ports or selection_suspicious_ips)
falsepositives:
  - Users interacting with legitimate Web3 dApps
level: medium
```
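To see how the two process_creation rules above behave on concrete events, here is an added Python example (not code from the original post) that re-implements their matching logic and runs it over constructed sample events; the paths and command lines are made up for illustration.

```python
# Added example: mirrors the Sigma logic of the ClickFix finger.exe rule and the
# LofyStealer node.exe loader rule (case-insensitive, like Sigma's default matching).

# Constructed sample process_creation events (not real telemetry)
EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "finger.exe user@host"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\finger.exe", "CommandLine": "cmd.exe /c ..."},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "cmd.exe /c npm run build"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "powershell.exe -w hidden -c ..."},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]

SHELLS = ("\\cmd.exe", "\\powershell.exe")

def ends_with_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def clickfix_finger(ev):
    """Rule 1: finger.exe executed, or finger.exe spawning cmd/powershell/curl."""
    sel_finger = ends_with_any(ev["Image"], ("\\finger.exe",))
    sel_spawn = (ends_with_any(ev["ParentImage"], ("\\finger.exe",))
                 and ends_with_any(ev["Image"], SHELLS + ("\\curl.exe",)))
    return sel_finger or sel_spawn

def lofy_node_loader(ev):
    """Rule 2: node.exe spawning a shell, minus npm/node_modules/yarn build noise."""
    parent = ends_with_any(ev["ParentImage"], ("\\node.exe",))
    child = ends_with_any(ev["Image"], SHELLS + ("\\cscript.exe",))
    legit = contains_any(ev["CommandLine"], ("npm", "node_modules", "yarn"))
    return parent and child and not legit

def run_rules(events):
    """Return (event index, rule name) pairs for every event that matches a rule."""
    rules = (("ClickFix_finger", clickfix_finger), ("LofyStealer_node", lofy_node_loader))
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]

if __name__ == "__main__":
    for i, name in run_rules(EVENTS):
        print(f"event {i}: {name} -> {EVENTS[i]['CommandLine']}")
```

Event 2 (an npm build launched from node.exe) is suppressed by the filter, while the hidden PowerShell child in event 3 still fires.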
Each of the following KQL queries is a separate tabular expression; run them one at a time in Advanced Hunting.

```kql
// Query 1: Hunt for ClickFix and JINX-0164 indicators
// Focus on finger.exe abuse and the install.sh file name
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("finger.exe", "install.sh") or ProcessCommandLine contains "finger.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| extend SuspiciousActivity = iff(FileName =~ "finger.exe", "Potential ClickFix", "Unknown")
```

```kql
// Query 2: Hunt for specific file hash IOCs from GHOST STADIUM and LofyStealer
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, AdditionalFields
```

```kql
// Query 3: Hunt for network connections to the non-standard ports used by ClickFix/ClearFake
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (688, 8545)
| summarize Count = count() by DeviceName, RemoteUrl, RemotePort, InitiatingProcessFileName
```
```powershell
# PowerShell IOC Hunt Script for ClickFix and LofyStealer
# Requires Admin privileges for full file system scan
# SHA256 hashes from the pulses
$MaliciousSha256 = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)
# MD5 hash from the pulses, kept separate so it is compared against an MD5 digest
$MaliciousMd5 = @(
    "d21a5d08b4614005c8fcd9d0068f0190"
)

Write-Host "[+] Scanning for ClickFix Finger.exe processes..." -ForegroundColor Cyan
$FingerProc = Get-Process -Name "finger" -ErrorAction SilentlyContinue
if ($FingerProc) {
    foreach ($Proc in $FingerProc) {
        Write-Host "[ALERT] Finger.exe process found! PID: $($Proc.Id)" -ForegroundColor Red
    }
    $FingerProc | Select-Object ProcessName, Id, Path, StartTime
} else {
    Write-Host "[-] No finger.exe processes detected." -ForegroundColor Green
}

Write-Host "[+] Scanning user directories for known malicious hashes..." -ForegroundColor Cyan
$PathsToScan = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # -contains is case-insensitive, so Get-FileHash's uppercase output matches the list
            $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousSha256 -contains $Sha256) {
                Write-Host "[ALERT] Malicious file (SHA256 match): $($_.FullName)" -ForegroundColor Red
                return  # next file; no need to hash it again
            }
            $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousMd5 -contains $Md5) {
                Write-Host "[ALERT] Malicious file (MD5 match): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking for suspicious Node.js parent processes..." -ForegroundColor Cyan
# Event 4688 needs process creation auditing enabled. Its message text labels the parent
# "Creator Process Name" and the child "New Process Name", so match on those labels.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+.*\\node\.exe' -and
                   $_.Message -match 'New Process Name:\s+.*\\(cmd|powershell)\.exe' } |
    Select-Object TimeCreated, Message | Format-List
```
Response Priorities
- Immediate:
  - Block all domains and IPs listed in the IOC Analysis at the perimeter firewall and proxy.
  - Isolate endpoints identified as running finger.exe or matching the provided file hashes.
  - Kill any processes associated with finger.exe spawning child shells.
- 24 Hours:
  - Conduct a credential audit for users who may have interacted with phishing sites (specifically checking for FIFA-related login attempts or LinkedIn recruitment scams).
  - Force reset of passwords and tokens for accounts accessed from infected endpoints.
  - Review browser history on infected machines for visits to fifa.* domains or driver update scams.
- 1 Week:
  - Implement application control to block finger.exe for non-admin users.
  - Enforce macro and script execution policies (e.g., PowerShell Constrained Language Mode) to impede Node.js loaders.
  - Enhance email filtering to block LinkedIn-themed recruitment lures from external domains.