
LofyStealer, JINX-0164 & GHOST STADIUM: Multi-Vector Infostealer Campaigns Targeting Crypto & Gaming

Security Arsenal Team
May 29, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a surge in sophisticated credential theft campaigns utilizing diverse delivery mechanisms to target the gaming, cryptocurrency, and software development sectors. Key adversaries include LofyGang (LofyStealer), JINX-0164, and GHOST STADIUM. These actors are leveraging social engineering (LinkedIn phishing, Minecraft mods), supply chain compromises (Laravel Lang packages), and novel C2 techniques (smart contracts on BNB Smart Chain) to distribute infostealers like Vidar, Lumma, and GrabBot. The primary objective across these campaigns is financial theft via credential harvesting, session hijacking, and crypto-wallet compromise.

Threat Actor / Malware Profile

LofyStealer (LofyGang)

  • Target: Minecraft players and general consumers.
  • Distribution: Social engineering disguised as legitimate game mods or libraries.
  • Payload: Two-stage malware consisting of a 53.5MB Node.js loader and a 1.4MB C++ payload (GrabBot/Slinky).
  • Behavior: Executes directly in memory to evade disk scanning. Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Persistence: Uses syscalls for evasion; maintains persistence via scheduled tasks or registry run keys common to Node.js applications.

JINX-0164

  • Target: Cryptocurrency organizations and software developers.
  • Distribution: LinkedIn social engineering posing as recruiters; supply chain attacks on npm packages.
  • Payload: Custom macOS malware including AUDIOFIX (Python RAT/Infostealer) and MINIRAT (Go backdoor).
  • Behavior: Remote code execution, keylogging, and clipboard hijacking for crypto-wallet theft.

GHOST STADIUM

  • Target: Football fans and consumers (FIFA World Cup 2026).
  • Distribution: Phishing-as-a-Service (PaaS) via Facebook ads and fraudulent domains (4,300+ identified).
  • Payload: Vidar and Lumma infostealers.
  • Behavior: Pixel-perfect clones of FIFA authentication systems to harvest credentials and banking details.

ClearFake / SectopRAT

  • Technique: "EtherHiding" - utilizing smart contracts on the BNB Smart Chain (BSC) testnet to store C2 routing instructions.
  • Infrastructure: Immutable C2 hosted on blockchain, making takedowns effectively impossible. Uses injected JavaScript on compromised websites to trigger the blockchain lookup.

IOC Analysis

The provided pulses offer a mix of infrastructure and file-based indicators:

  • Domains & Hostnames: High-volume phishing domains (e.g., fifa.gold, driver-updater.net) and malicious infrastructure (e.g., .cfd, .lat TLDs associated with SectopRAT).
  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes for LofyStealer payloads and Laravel backdoors.
  • Operationalization: SOC teams should block the listed domains at the perimeter and load the file hashes into EDR custom-indicator or detection rules. The "EtherHiding" technique requires hunting for processes that contact public blockchain RPC nodes (e.g., bsctestnet.com) from endpoints with no crypto-related business function, where such traffic is anomalous.
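To hunt for the EtherHiding pattern described above, the following added example (not code from the original advisory) scans constructed proxy-log lines for JSON-RPC contract reads sent to public BSC RPC nodes from endpoints that have no crypto-related role; the RPC hostnames, the device allowlist and the log format are assumptions.

```python
import json
from urllib.parse import urlparse

# Assumed public BNB Smart Chain RPC hosts (mainnet and testnet); extend from
# your own telemetry. bsctestnet.com is the host named in the advisory.
BSC_RPC_HOSTS = {"bsc-dataseed.binance.org", "data-seed-prebsc-1-s1.binance.org", "bsctestnet.com"}
# Assumed: endpoints with a business reason to talk to blockchain nodes.
CRYPTO_ALLOWLIST = {"TREASURY-WS01"}
# JSON-RPC methods that read a smart contract's stored C2 instructions.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt"}

def rpc_method(body):
    """Return the JSON-RPC method name carried in an HTTP body, else None."""
    try:
        msg = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    return msg.get("method") if isinstance(msg, dict) else None

def hunt(log_lines):
    """Return (device, process, host, method, severity) for anomalous RPC traffic."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        host = (urlparse(ev["url"]).hostname or "").lower()
        if host not in BSC_RPC_HOSTS or ev["device"] in CRYPTO_ALLOWLIST:
            continue
        method = rpc_method(ev.get("body", ""))
        # Any contact is anomalous for a non-crypto endpoint; a contract read
        # from a browser process is the EtherHiding lookup itself.
        severity = "high" if method in CONTRACT_READ_METHODS else "medium"
        hits.append((ev["device"], ev["process"], host, method, severity))
    return hits

def sample_event(device, process, url, method=None):
    """Build one constructed proxy-log line (one JSON object per line)."""
    body = json.dumps({"jsonrpc": "2.0", "method": method, "params": [], "id": 1}) if method else ""
    return json.dumps({"device": device, "process": process, "url": url, "body": body})

# Constructed sample: a browser on a finance workstation reading a contract on
# the BSC testnet, an allowlisted wallet host, and two other lines.
SAMPLE_LOG = [
    sample_event("FIN-WS17", "msedge.exe", "https://data-seed-prebsc-1-s1.binance.org:8545/", "eth_call"),
    sample_event("TREASURY-WS01", "wallet.exe", "https://bsc-dataseed.binance.org/", "eth_call"),
    sample_event("FIN-WS17", "msedge.exe", "https://www.example.com/"),
    sample_event("HR-WS03", "chrome.exe", "https://bsctestnet.com/"),
]
```

Running `hunt(SAMPLE_LOG)` flags the finance workstation's browser at high severity and the HR host at medium, while the allowlisted treasury host and the ordinary web request are ignored.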

Detection Engineering

Sigma Rules

YAML
---
title: Potential Laravel Supply Chain Backdoor Activity
id: 7f8e9d1a-2b3c-4d5e-6f7g-8h9i0j1k2l3m
status: experimental
description: Detects potential activity related to the Laravel Lang supply chain compromise, specifically targeting the creation or modification of the helpers.php file or execution of DebugChromium.
references:
    - https://socket.dev/blog/laravel-lang-compromise
author: Security Arsenal
date: 2026-05-29
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\vendor\laravel-lang\lang\src\helpers.php'
    condition: selection
falsepositives:
    - Legitimate developer activity updating language files
level: high
---
title: Suspicious Node.js Loader Execution (LofyStealer)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects execution patterns associated with LofyStealer, a Node.js-based loader that executes a native C++ payload directly in memory. Flags node.exe spawning an executable from outside node_modules; the in-memory stage itself produces no process-creation event, so pair this with file-access rules for browser credential stores.
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
date: 2026-05-29
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    # Sigma has no 'notcontains' modifier: exclusions are written as filter
    # selections and negated in the condition. Image is always the spawned
    # executable, so no separate '.exe'/'.dll' child selection is needed.
    filter_node_modules:
        Image|contains: '\node_modules\'
    filter_shells:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\sh.exe'
    condition: selection_parent and not 1 of filter_*
falsepositives:
    - Legitimate Node.js applications spawning build tools
level: medium
---
title: Infostealer Browser Data Access
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects processes accessing browser credential files or cookies, indicative of infostealers like LofyStealer, Vidar, or Lumma.
references:
    - https://www.group-ib.com/blog/ghost-stadium-football-fraud/
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
date: 2026-05-29
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
            # recent Chromium builds keep the cookie store under Network\
            - '\User Data\Default\Network\Cookies'
            - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db'
            - '\AppData\Local\Microsoft\Edge\User Data\Default\Login Data'
    # Sigma has no 'notcontains' modifier: the browsers' own processes are
    # excluded with a filter selection negated in the condition
    filter_browsers:
        Image|contains:
            - '\Google\Chrome\Application\'
            - '\Microsoft\Edge\Application\'
            - '\Mozilla Firefox\'
            - '\WindowsApps\'
    condition: selection and not filter_browsers
falsepositives:
    - Antivirus or backup software scanning browser directories
    - Non-default browser profiles (e.g. "Profile 1") are not covered by the Default paths above
level: high

KQL (Microsoft Sentinel)

// Hunt for domains associated with JINX-0164, Ghost Stadium, and ClearFake.
// Matches the IOC domains and any subdomain of them; the .cfd/.lat/.work TLD
// clause is low-confidence and needs tuning (.work in particular has legitimate use).
DeviceNetworkEvents
| where Timestamp > ago(30d) and isnotempty(RemoteUrl)
| extend Host = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| where Host matches regex @"(^|\.)(driver-updater\.net|login\.teamicrosoft\.com|live\.ong|fifa\.gold|fifa\.black|fifa\.tax|fifaweb\.com|fifa\.red|fifa\.fund|flipboxstudio\.info)$"
    or Host matches regex @"\.(cfd|lat|work)$"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, Host
| top 100 by Timestamp desc
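Matching these IOCs correctly means treating subdomains of an IOC domain as hits while not letting a bare label such as "cfd" match outside the TLD position. This added Python example (not part of the original advisory) implements that logic over constructed DNS log lines; the log format and device names are assumptions.

```python
from collections import namedtuple

# IOC domains from the advisory; a subdomain of any of them is also a hit.
IOC_DOMAINS = {
    "driver-updater.net", "login.teamicrosoft.com", "live.ong", "fifa.gold", "fifa.black",
    "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "flipboxstudio.info",
}
# TLDs the advisory associates with SectopRAT infrastructure: low confidence,
# reported for review rather than blocked (.work in particular has legitimate use).
WATCH_TLDS = {"cfd", "lat", "work"}

Hit = namedtuple("Hit", "device query reason confidence")

def classify(fqdn):
    """Return (reason, confidence) for a queried name, or None if clean."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk the suffixes so that login.fifa.gold matches the IOC fifa.gold
    # but fifa.gold.example.com (a different registrable domain) does not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return "ioc:" + candidate, "high"
    if labels[-1] in WATCH_TLDS:
        return "tld:." + labels[-1], "low"
    return None

def hunt(dns_log):
    """Run classify() over constructed 'timestamp device query=<name>' lines."""
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, device, field = line.split()
        fqdn = field.split("=", 1)[1]
        verdict = classify(fqdn)
        if verdict:
            hits.append(Hit(device, fqdn, *verdict))
    return hits

# Constructed DNS log. The last two lines show why a term match on ".cfd" is
# not a TLD check: cfd.example.com is not a .cfd domain and must stay clean.
SAMPLE_DNS = """\
2026-05-29T10:01:02Z FIN-WS17 query=login.fifa.gold
2026-05-29T10:01:05Z FIN-WS17 query=cdn.fifa.com
2026-05-29T10:03:00Z DEV-WS09 query=driver-updater.net.
2026-05-29T10:02:10Z HR-WS03 query=update.example.cfd
2026-05-29T10:02:11Z HR-WS03 query=cfd.example.com
"""
```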

PowerShell

# Hunt for LofyStealer artifacts and Laravel compromise indicators
# (run elevated so process and connection queries cover all users)

# Check for suspicious Node.js processes (LofyStealer Loader).
# --max-old-space-size is also set by many legitimate Node apps, so treat a hit
# as a lead for triage, not a confirmed infection.
$suspiciousProcesses = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -eq "node.exe" -and $_.CommandLine -like "*--max-old-space-size*" }
foreach ($p in $suspiciousProcesses) {
    Write-Host "Potential LofyStealer Node loader: PID $($p.ProcessId) $($p.CommandLine)" -ForegroundColor Red
}

# Check for Laravel helpers.php backdoor (path check). helpers.php is a common
# filename, so only the laravel-lang package path is reported.
$paths = @("C:\inetpub\wwwroot", "C:\xampp\htdocs", "C:\projects")
foreach ($path in $paths) {
    if (Test-Path $path) {
        $files = Get-ChildItem -Path $path -Recurse -Filter "helpers.php" -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like "*\vendor\laravel-lang\lang\src\helpers.php" }
        foreach ($f in $files) {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            Write-Host "Found laravel-lang helpers.php, verify integrity against the clean package: $($f.FullName) SHA256=$hash" -ForegroundColor Yellow
        }
    }
}

# Check network connections to known C2 IP addresses and resolve the owning process
$knownIOCs = @("148.178.22.16", "89.36.224.5")
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $knownIOCs -contains $_.RemoteAddress } |
    Select-Object LocalPort, RemoteAddress, State, OwningProcess,
        @{ Name = "Process"; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

Response Priorities

  • Immediate: Block all listed IOCs (domains, IPs, hashes) at the perimeter and endpoint. Scan web servers for the malicious helpers.php file associated with the Laravel compromise. Block driver-updater.net and related infrastructure.
  • 24h: Conduct identity verification and credential resets for developers and high-privilege users who may have interacted with LinkedIn recruitment scams (JINX-0164) or downloaded Minecraft mods (LofyStealer).
  • 1 Week: Audit supply chain dependencies and CI/CD pipelines. Implement stricter code review policies for language packages. Review network traffic for unauthorized connections to blockchain RPC nodes.
