Recent OTX pulse data reveals a convergence of financially motivated threats targeting specific demographics and industries. Three distinct campaigns have been identified:
- LofyStealer (LofyGang): A sophisticated two-stage infostealer targeting Minecraft players via social engineering. The campaign leverages a large Node.js loader to deliver a memory-resident C++ payload designed to harvest browser credentials.
- JINX-0164: A nascent but active threat actor focusing on the cryptocurrency sector. Their campaign involves sophisticated supply chain attacks and LinkedIn phishing to deliver custom macOS malware, compromising software development infrastructure.
- GHOST STADIUM: While primarily a phishing operation targeting the 2026 World Cup, the scale and sophistication (Phishing-as-a-Service) indicate a broader trend of credential harvesting for financial gain.
Collective Objective: These campaigns are unified by a clear goal: monetary theft. Whether through direct credential harvesting (LofyStealer), compromising development infrastructure for long-term access to crypto assets (JINX-0164), or large-scale fraud (GHOST STADIUM), the adversaries are aggressively targeting high-value digital assets.
Threat Actor / Malware Profile
| Threat Actor / Malware | Distribution Method | Payload Behavior | C2 / Communication | Persistence / Anti-Analysis |
|---|---|---|---|---|
| LofyStealer (LofyGang) | Social engineering, disguised as legitimate Minecraft-related libraries. | Two-stage execution: 1. Large (~53.5MB) Node.js loader. 2. Native C++ payload (~1.4MB) executed directly in memory. | Exfiltrates stolen data to C2 servers. Details on the protocol are pending further analysis. | Uses syscall-evasion techniques to bypass security monitoring. The memory-resident nature of the C++ payload helps evade file-based detection. |
| JINX-0164 | LinkedIn social engineering (posing as recruiters/business partners), supply chain attack via NPM trojan. | Delivers custom macOS malware: AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (lightweight Go backdoor). | C2 communication is established by the backdoors for command and control, likely over HTTPS. | Targets macOS developers. The use of custom-built malware for macOS suggests evasion of standard, signature-based defenses. |
| GHOST STADIUM | Facebook advertising exploitation, fraudulent domains impersonating FIFA official sites. | Operates a "Phishing-as-a-Service" model, harvesting credentials via pixel-perfect clones of the FIFA authentication system. | Fraudulent domains act as the collection points for exfiltrated credentials. | The sheer volume of domains (4,300+) and the use of a PaaS model make takedown and blocking difficult. |
IOC Analysis
The provided IOCs offer a multi-layered view of the threat infrastructure:
- File Hashes (MD5, SHA1, SHA256): The presence of multiple hash types for LofyStealer components is critical for detection. SOC teams should immediately block these hashes at the endpoint (EDR) and on perimeter gateways. The Node.js loader's large size (53.5MB) can be a heuristic to flag.
- Domains: The JINX-0164 and GHOST STADIUM campaigns rely heavily on malicious domains for phishing and malware delivery (e.g., driver-updater.net, fifa.gold). These should be added to DNS sinkholes and web proxy blocklists.
- URLs & Hostnames: Specific URLs like http://89.36.224.5/troubleshoot/mac/install.sh for JINX-0164's MINIRAT are high-fidelity indicators for network detection rules.
- Operationalization:
  - SIEM: Correlate endpoint process creation events with the provided file hashes. Alert on any network connections to the listed domains/IPs.
  - EDR: Create custom detection rules for processes attempting to access the suspicious domains.
  - Threat Intelligence Platforms: Ingest these IOCs to enrich alerts and automate blocking.
Detection Engineering
Sigma Rules
```yaml
title: Potential LofyStealer Node.js Loader Execution
description: Detects the execution of a Node.js process with a command line argument pattern consistent with LofyStealer's large loader or staging behavior.
status: experimental
date: 2026/05/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6537e9f67c6c6
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    CommandLine|contains: 'lofy' # Social engineering lure often in filename
  condition: selection
falsepositives:
  - Legitimate Node.js development (low FP due to specific lure)
level: critical
tags:
  - attack.execution
  - attack.t1059.001
  - lofystealer
  - infostealer
---
title: JINX-0164 macOS Malware C2 Communication
description: Detects network connections from a macOS host to known JINX-0164 C2 infrastructure or download servers.
status: experimental
date: 2026/05/28
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6537e9f67c6c7
logsource:
  category: network_connection
  product: macos
detection:
  selection_host:
    DestinationHostname|endswith:
      - '.live.us.org'
      - 'driver-updater.net'
  selection_ip:
    DestinationIp: '89.36.224.5'
  condition: 1 of selection_*
falsepositives:
  - Unknown
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
  - jinx-0164
  - macos-malware
---
title: GHOST STADIUM Phishing Domain Access
description: Detects DNS queries or HTTP requests to domains associated with the GHOST STADIUM FIFA World Cup phishing campaign.
status: experimental
date: 2026/05/27
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6537e9f67c6c8
logsource:
  category: dns
  product: zeek
detection:
  selection:
    query|contains:
      - 'fifa.gold'
      - 'fifa.black'
      - 'fifa.tax'
      - 'fifaweb.com'
      - 'fifa.red'
      - 'fifa.fund'
  condition: selection
falsepositives:
  - Legitimate access to official FIFA sites (e.g., fifa.com), which are not in this list.
level: high
tags:
  - attack.initial_access
  - attack.t1566.002
  - ghost-stadium
  - phishing
```
KQL (Microsoft Sentinel)
```kql
// Hunt for LofyStealer indicators (the list mixes MD5, SHA1 and SHA256 values)
let LofyHashes = dynamic(["d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf", "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148", "f9fe23f24d45eae418c60819c523a83ddba4ca50", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"]);
DeviceProcessEvents
| where SHA256 in (LofyHashes) or MD5 in (LofyHashes) or SHA1 in (LofyHashes)
| project Timestamp, DeviceName, AccountName, FileName, SHA256, FolderPath, InitiatingProcessFileName
| extend Alert = "Potential LofyStealer Execution"
```

```kql
// Hunt for network connections to JINX-0164 infrastructure
let JINXDomains = dynamic(["driver-updater.net", "login.teamicrosoft.com", "live.ong", "teams.live.us.org", "www.driver-updater.net", "www.live.us.org"]);
DeviceNetworkEvents
| where RemoteUrl has_any (JINXDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend Alert = "Potential JINX-0164 C2 Communication"
```
PowerShell IOC Hunt Script
```powershell
# IOC Hunt Script for LofyStealer and JINX-0164 Activity
# Requires Administrator privileges
Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# Define IOCs (MD5, SHA1 and SHA256 values from the pulses, mixed in one list)
$LofyHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148",
    "f9fe23f24d45eae418c60819c523a83ddba4ca50",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)
$SuspiciousFiles = @(
    # Common lure paths for LofyStealer, adjust as more intelligence comes in
    "$env:APPDATA\Minecraft\lofy.exe",
    "$env:TEMP\minecraft-loader.exe"
)

# 1. File Hash Scan
# The 50-60MB size window is a heuristic for the ~53.5MB Node.js loader. Because the
# IOC list mixes hash types, each candidate is hashed with all three algorithms.
Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Length -gt 50MB -and $_.Length -lt 60MB -and $_.Extension -eq '.exe'
    } |
    ForEach-Object {
        $candidate = $_
        foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
            $hash = (Get-FileHash -Path $candidate.FullName -Algorithm $algo).Hash.ToLower()
            if ($LofyHashes -contains $hash) {
                Write-Host "ALERT: LofyStealer file found at $($candidate.FullName) ($algo $hash)" -ForegroundColor Red
                break
            }
        }
    }

# 2. Path-based Scan for Suspicious Files
Write-Host "Scanning for suspicious file paths..." -ForegroundColor Yellow
foreach ($file in $SuspiciousFiles) {
    if (Test-Path -Path $file -PathType Leaf) {
        Write-Host "ALERT: Suspicious file found at $file" -ForegroundColor Red
    }
}

# 3. DNS Cache Scan for JINX-0164 Domains
# Match the cached name exactly or as a subdomain of a listed domain, so entries
# such as teams.live.us.org or www.driver-updater.net are not missed.
Write-Host "Scanning DNS cache for JINX-0164 related domains..." -ForegroundColor Yellow
$JINXDomains = @("driver-updater.net", "login.teamicrosoft.com", "live.ong", "live.us.org")
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object {
        $entry = $_.Entry.ToLower().TrimEnd('.')
        @($JINXDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }).Count -gt 0
    } |
    ForEach-Object {
        Write-Host "ALERT: DNS cache entry for $($_.Entry) found resolving to $($_.Data)" -ForegroundColor Red
    }

Write-Host "IOC Hunt complete." -ForegroundColor Cyan
```
Response Priorities
- Immediate:
  - Block all listed file hashes on endpoints and perimeter devices.
  - Sinkhole or block all malicious domains and IPs identified in the pulses.
  - Initiate a hunt for the LofyStealer Node.js loader using the provided PowerShell script and Sigma rules.
- 24h:
  - For organizations in the gaming or crypto sectors, actively hunt for signs of LofyStealer or JINX-0164 infection.
  - If credential-stealing malware is suspected (LofyStealer), initiate identity verification and forced password resets for potentially impacted accounts, starting with privileged users and those with access to financial systems.
- 1 Week:
  - Architecture Hardening: Implement application allowlisting for Node.js and other interpreters in development environments to prevent unauthorized script execution.
  - Supply Chain Security: Review and harden CI/CD pipelines, especially for organizations in the cryptocurrency sector, to mitigate the risk of supply chain attacks like those used by JINX-0164.
  - User Awareness: Conduct targeted phishing awareness training for developers and gaming enthusiasts, highlighting the social engineering tactics (LinkedIn recruitment, in-game scams) used by these actors.