
JINX-0164 & GHOST STADIUM: Multi-Vector Credential Theft & Ransomware Delivery Chain — OTX Pulse Analysis

Security Arsenal Team
July 1, 2026

Recent OTX pulse data reveals a coordinated surge in credential theft operations facilitating high-value fraud and ransomware deployment. The threat landscape is dominated by distinct yet operationally similar campaigns:

  • SEO Poisoning to Ransomware: Threat actors are abusing search engine optimization (SEO) to distribute trojanized installers for legitimate IT tools (e.g., ManageEngine OpManager, Angry IP Scanner). These installers deliver Bumblebee loaders, which rapidly escalate to Akira ransomware via AdaptixC2.
  • RMM & AI Pipeline Exploitation: A critical vulnerability in SimpleHelp RMM (CVE-2026-48558) is being actively exploited to deploy undocumented Node.js malware (TaskWeaver and Djinn Stealer). Simultaneously, AI development frameworks like Langflow are being targeted via CVE-2026-55255 for botnet deployment and credential theft.
  • Targeted Social Engineering: The JINX-0164 actor group is aggressively targeting the cryptocurrency sector via LinkedIn phishing, delivering custom macOS malware (AUDIOFIX, MINIRAT).
  • Event-Based Phishing: The GHOST STADIUM campaign is exploiting the 2026 FIFA World Cup with over 4,300 fraudulent domains delivering Vidar and Lumma stealers.

Collectively, these campaigns indicate a shift toward multi-vector initial access, all converging on the objective of credential harvesting for financial gain or lateral movement to ransomware.

Threat Actor / Malware Profile

| Malware / Actor | Distribution Method | Payload Behavior | C2 / Persistence |
|---|---|---|---|
| Bumblebee / Akira | SEO Poisoning (Bing), Trojanized IT Installers | Initial access loader, credential dumping, lateral movement | AdaptixC2; Scheduled Tasks / Registry Run Keys |
| TaskWeaver / Djinn Stealer | Exploit of SimpleHelp RMM (CVE-2026-48558) | Heavily obfuscated Node.js loader, encrypted comms, credential theft | Encrypted C2 channels; Persistence via Service installation |
| AUDIOFIX / MINIRAT (JINX-0164) | LinkedIn Social Engineering, NPM Trojans | Python-based infostealer (macOS), Go backdoor, CI/CD hijacking | Custom C2; LaunchAgents (macOS) |
| GHOST STADIUM (Vidar / Lumma) | Phishing-as-a-Service, Facebook Ads, Fake FIFA domains | Pixel-perfect credential harvesting, banking info theft | Domain generation algorithms (DGAs); Web panel C2 |

IOC Analysis

The provided IOCs span multiple infrastructure types, indicative of an approach that blends living-off-the-land techniques with dedicated C2 infrastructure:

  • Domains & Hostnames: A mix of spoofed legitimate infrastructure (opmanager.pro, angryipscanner.org) and fraudulent lookalike domains (fifa.gold, live.ong, teams.live.us.org). SOC teams should immediately block these at the perimeter and DNS layer.
  • File Hashes (SHA256/MD5): Primarily associated with trojanized installers and loaders. These should be ingested into EDR solutions to prevent execution.
  • IPv4 Addresses: Includes C2 infrastructure (e.g., 172.96.137.160, 96.126.130.126) and exploitation servers.
  • CVEs: Explicit references to CVE-2026-48558 (SimpleHelp) and CVE-2026-55255 (Langflow) suggest immediate patching priorities beyond standard signature blocking.

Operational Guidance:

  • Firewall/Proxy: Block all listed IPs and Domains.
  • EDR: Set hash-based blocklists for the provided MD5/SHA256 values.
  • SIEM: Correlate DNS requests for the listed domains with process execution events to identify the patient zero.
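The SIEM correlation step above, worked through as an added example that is not part of the pulse: a lookup of one of the listed lookalike domains followed by a process launch on the same host within a short window marks that host as affected, and the earliest such host is the patient-zero candidate. The event records and hostnames are constructed; the five-minute window is an assumption.

```python
# Added example: correlate DNS lookups of the pulse's lookalike domains with
# process-creation events on the same host. Sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

IOC_DOMAINS = {"opmanager.pro", "angryipscanner.org", "fifa.gold",
               "live.ong", "teams.live.us.org"}
WINDOW = timedelta(minutes=5)  # assumed DNS-to-execution window

# Constructed sample telemetry: (timestamp, host, event_type, detail)
EVENTS = [
    ("2026-07-02T09:14:05", "ws-it-07", "dns", "opmanager.pro"),
    ("2026-07-02T09:15:40", "ws-it-07", "proc",
     "C:\\Users\\jdoe\\Downloads\\ManageEngine_OpManager.exe"),
    ("2026-07-02T09:31:12", "ws-fin-03", "dns", "fifa.gold"),
    ("2026-07-02T10:02:00", "ws-fin-03", "proc",
     "C:\\Windows\\System32\\notepad.exe"),          # outside the window
    ("2026-07-02T11:05:33", "srv-rmm-01", "dns", "cdn.example.com"),  # not an IOC
    ("2026-07-02T09:20:09", "ws-it-02", "dns", "angryipscanner.org"),
    ("2026-07-02T09:21:30", "ws-it-02", "proc",
     "C:\\Users\\asmith\\Downloads\\angryip.exe"),
]


def correlate(events, window=WINDOW):
    """Return {host: [(dns_time, domain, process), ...]} for every host where a
    lookup of an IOC domain was followed by a process launch within `window`."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events, key=lambda e: e[0]):
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    hits = defaultdict(list)
    for host, evs in by_host.items():
        for t_dns, kind, detail in evs:
            if kind != "dns" or detail.lower() not in IOC_DOMAINS:
                continue
            for t_proc, kind2, proc in evs:
                if kind2 == "proc" and t_dns <= t_proc <= t_dns + window:
                    hits[host].append((t_dns, detail, proc))
    return dict(hits)


def patient_zero(hits):
    """Host whose first IOC lookup followed by execution is the earliest overall."""
    if not hits:
        return None
    return min(hits, key=lambda h: min(x[0] for x in hits[h]))


if __name__ == "__main__":
    found = correlate(EVENTS)
    for host, matches in found.items():
        for t_dns, domain, proc in matches:
            print(f"{host}: {t_dns:%H:%M:%S} {domain} -> {proc}")
    print("patient zero candidate:", patient_zero(found))
```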

Detection Engineering

Sigma Rules

```yaml
---
title: Potential SimpleHelp RMM Exploitation via CVE-2026-48558
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious child processes spawned by SimpleHelp RMM service, indicative of exploitation activity leading to TaskWeaver or Djinn Stealer deployment.
status: experimental
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.48558
logsource:
    product: windows
    category: process_creation
detection:
    parent:
        ParentImage|contains: 'SimpleHelp'
    suspicious_child:
        Image|endswith:
            - '\node.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: parent and suspicious_child
falsepositives:
    - Legitimate technician troubleshooting
level: high
---
title: Suspicious Execution of SEO-Poisoned IT Tools
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
description: Detects execution of ManageEngine OpManager or Angry IP Scanner from download directories, common in SEO poisoning campaigns delivering Bumblebee.
status: experimental
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|contains:
            - '\ManageEngine_OpManager.exe'
            - '\angryip.exe'
    directory:
        CurrentDirectory|contains: 'Downloads'
    condition: selection and directory
falsepositives:
    - Valid installations by IT staff
level: medium
---
title: Connection to GHOST STADIUM Phishing Infrastructure
id: c3d4e5f6-a7b8-6c7d-0e1f-2a3b4c5d6e7f
description: Detects network connections to domains associated with the GHOST STADIUM phishing campaign targeting FIFA World Cup 2026.
status: experimental
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifa.red'
            - 'faweb.com'
            - 'fifa-com.shop'
    condition: selection
falsepositives:
    - Unknown
level: high
```

KQL (Microsoft Sentinel)

```kql
// Network telemetry matching the pulse's domain and IP indicators.
// Note: in~ is an exact (case-insensitive) match on RemoteUrl; lookups for
// these names that carry a path or scheme will not match this form.
DeviceNetworkEvents
| where RemoteUrl in~ ("angryipscanner.org", "opmanager.pro", "fifa.gold", "fifa.black", "fifa.tax", "fifa.red", "faweb.com", "fifa-com.shop", "driver-updater.net", "teams.live.us.org")
    or RemoteIP in ("172.96.137.160", "96.126.130.126", "45.207.216.55", "89.36.224.5")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
```

PowerShell Hunt Script

```powershell
# IOC Hunt Script for July 2, 2026 Pulse Data
$TargetHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
    "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

# Hash every file on the system drive and compare against the pulse hashes.
# -File skips directories (Get-FileHash cannot hash them); -contains compares
# case-insensitively, so the uppercase hex from Get-FileHash still matches.
Write-Host "Scanning for malicious file hashes..."
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($TargetHashes -contains $hash) {
        Write-Host "MATCH FOUND: $($_.FullName)" -ForegroundColor Red
    }
}

# Check for established TCP connections to the pulse's C2 / exploitation IPs
$TargetIPs = @("172.96.137.160", "96.126.130.126", "45.207.216.55", "89.36.224.5")
$Connections = Get-NetTCPConnection -State Established | Where-Object { $TargetIPs -contains $_.RemoteAddress }

if ($Connections) {
    Write-Host "Active connections to malicious IPs detected:" -ForegroundColor Red
    $Connections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
} else {
    Write-Host "No active connections to malicious IPs found."
}
```


Response Priorities

  • Immediate: Block all identified domains and IP addresses at the firewall and proxy. Hunt for the specified file hashes on all endpoints. Patch SimpleHelp RMM instances immediately for CVE-2026-48558.
  • 24h: Force reset of privileged credentials for IT administrators who may have downloaded trojanized tools. Review authentication logs for access to SimpleHelp and Langflow instances.
  • 1 Week: Conduct a review of RMM access logs and AI pipeline security. Implement stricter allowlisting for software downloads and enhance email filtering for LinkedIn-based recruitment phishing.
