Threat Summary
Recent OTX pulse data indicates a surge in highly specialized social engineering campaigns utilizing distinct malware families to harvest credentials and financial data. Three separate clusters of activity have been identified:
- LofyGang (LofyStealer): A sophisticated operation targeting the gaming sector, specifically Minecraft players, using a Node.js loader to deliver a memory-only C++ infostealer.
- JINX-0164: A financially motivated actor targeting the cryptocurrency industry's software development infrastructure. This group leverages LinkedIn social engineering and supply chain attacks via malicious NPM packages to deploy macOS-specific malware (AUDIOFIX, MINIRAT).
- GHOST STADIUM: A large-scale phishing ecosystem impersonating the 2026 FIFA World Cup infrastructure to distribute Vidar and Lumma stealers, focusing on ticket fraud and credential harvesting.
While the targets differ, the collective objective is financial theft via credential harvesting and session hijacking. The convergence of social engineering (recruitment, gaming mods, event tickets) with diverse payloads (Node.js, Python, Go) demonstrates a maturing threat landscape where adversaries tailor the delivery mechanism to the victim's psychological profile.
Threat Actor / Malware Profile
LofyGang (LofyStealer / GrabBot)
- Distribution: Social engineering within gaming communities, likely distributed as fake mods or cheats.
- Payload Behavior: A two-stage payload. The first stage is a 53.5MB Node.js loader obfuscated within legitimate libraries. The second stage is a 1.4MB native C++ payload that executes directly in memory (fileless).
- C2 Communication: Exfiltrates browser data (cookies, passwords, credit cards, IBANs) to actor-controlled infrastructure.
- Persistence: Uses Node.js for initial execution; relies on system-level injection via the C++ payload.
- Anti-Analysis: Uses syscall-based evasion techniques and hides inside legitimate Node.js libraries to bypass static analysis.
JINX-0164 (AUDIOFIX / MINIRAT)
- Distribution: LinkedIn phishing (posing as recruiters) and supply chain compromise via trojanized NPM packages.
- Payload Behavior:
  - AUDIOFIX: Python-based infostealer and RAT targeting macOS.
  - MINIRAT: Lightweight Go backdoor for macOS.
- C2 Communication: Connects to hardcoded domains (e.g., driver-updater.net) to receive commands and exfiltrate data.
- Persistence: Likely utilizes LaunchAgents or Daemons on macOS.
- Anti-Analysis: Cross-platform compilation (Go/Python) and sophisticated CI/CD hijacking to mask malicious infrastructure.
GHOST STADIUM (Vidar / Lumma)
- Distribution: Phishing-as-a-Service (PaaS) via Facebook ads and fraudulent domains impersonating FIFA 2026 World Cup ticketing.
- Payload Behavior: Deploys established info-stealers like Vidar and Lumma to harvest system fingerprints and browser credentials.
- C2 Communication: Exfiltration to commercial stealer C2 panels.
- Persistence: Standard persistence mechanisms associated with Vidar/Lumma (scheduled tasks, registry run keys).
- Anti-Analysis: Uses "pixel-perfect" clones of legitimate sites to bypass user heuristics and email filters.
IOC Analysis
The provided IOCs include:
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with the LofyStealer Node.js loader and C++ payload, as well as the JINX-0164 macOS installers. These should be blocked on endpoints and used to hunt for historical execution.
- Domains & Hostnames: A list of typosquatting domains (e.g., fifa.gold, fifa.black) used for the World Cup campaign, and specific C2/supply chain domains for JINX-0164 (driver-updater.net, teams.live.us.org). DNS sinkholing and web proxy blocks are critical.
- IP Addresses: Specific IPv4 addresses (e.g., 148.178.22.16) serving malicious content.
- URLs: Direct download links for scripts (e.g., /troubleshoot/mac/install.sh).
SOC Operationalization:
- SIEM: Ingest hashes and domains into threat intelligence feeds (e.g., Anomali, Splunk ES) for alert correlation.
- EDR: Configure "block file" policies for the SHA256 hashes provided.
- Network: Add identified domains to DNS Firewall (Cisco Umbrella) and Secure Web Gateway (Zscaler/SSE) blocklists.
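Before indicators reach a SIEM, EDR or DNS firewall they usually arrive as a mixed, partly defanged list and have to be typed and deduplicated. The following is an added example (not code from Security Arsenal or the original report) that does that normalization: it refangs values, classifies each one as an MD5/SHA1/SHA256 hash, IPv4 address, URL or domain, collapses duplicates, pulls the host out of every URL so it can also be DNS-blocked, and renders a bucket as the `has_any (...)` list used in the KQL hunts. The hash, domain and IP values in the sample list are taken from this report; the URL host `example.invalid` is a constructed placeholder because the report gives the script path without its host, and the junk line is constructed to show rejection.

```python
# Added example (not from the report): normalize a raw IOC list into typed,
# deduplicated buckets ready for SIEM/EDR/DNS blocklists. Hash, domain and IP
# values below are taken from the report; the URL host example.invalid is a
# constructed placeholder, since the report gives the path without its host.
import ipaddress
import re
from urllib.parse import urlparse

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

SAMPLE_IOCS = [
    "d21a5d08b4614005c8fcd9d0068f0190",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "fifa.gold", "FIFA.BLACK", "driver-updater[.]net", "148.178.22.16",
    "hxxp://example[.]invalid/troubleshoot/mac/install.sh",  # constructed host
    "fifa.gold",            # duplicate, should collapse
    "not an indicator",     # constructed junk line that must be rejected
]


def refang(value):
    """Undo common defanging so the indicator can be matched against telemetry."""
    v = value.strip()
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value):
    """Return (type, normalized_value) or None for unrecognized input."""
    v = refang(value).lower()
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v
    try:
        return "ipv4", str(ipaddress.IPv4Address(v))
    except ValueError:
        pass
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return "url", v
        return None
    if DOMAIN_RE.match(v):
        return "domain", v
    return None


def normalize_iocs(raw):
    """Bucket indicators by type; URL hosts are also added as domains for DNS blocking."""
    buckets = {}
    for item in raw:
        hit = classify(item)
        if hit is None:
            continue
        kind, norm = hit
        buckets.setdefault(kind, set()).add(norm)
        if kind == "url":
            host = urlparse(norm).hostname
            if DOMAIN_RE.match(host):
                buckets.setdefault("domain", set()).add(host)
    return {k: sorted(v) for k, v in buckets.items()}


def kql_has_any(values):
    """Render a bucket as the KQL has_any() list used in the hunt queries."""
    return "has_any (" + ", ".join(f'"{v}"' for v in values) + ")"


if __name__ == "__main__":
    buckets = normalize_iocs(SAMPLE_IOCS)
    for kind, values in buckets.items():
        print(f"{kind}: {len(values)} indicator(s)")
    print(kql_has_any(buckets["domain"]))
```

Feed the output of `normalize_iocs` into separate pipelines per type: hashes to the EDR block policy, domains to the DNS firewall and proxy, IPs to the perimeter firewall. Anything that classifies as `None` should be reviewed by hand rather than silently dropped in production.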
Detection Engineering
Sigma Rules
title: Potential LofyStealer Node.js Loader Activity
id: 8f2a3b1c-6d4e-4f9a-8b1c-2d3e4f5a6b7c
description: Detects the execution of a Node.js process spawning a native C++ child process, characteristic of the LofyStealer loader behavior.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '.exe'
            - '.dll'
    filter_legit:
        - Image|contains: 'Program Files'
        - Image|contains: 'Windows'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Node.js applications spawning native utilities
level: high
tags:
    - attack.execution
    - attack.t1059.005
---
title: JINX-0164 macOS Malware C2 Communication
id: 9c3b4d2e-7e5f-0a1b-9c2d-3e4f5a6b7c8d
description: Detects macOS processes attempting to connect to known JINX-0164 infrastructure domains or suspicious driver-update domains.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
logsource:
    category: network_connection
    product: macos
detection:
    selection_domains:
        InitiatorProcessName|contains:
            - 'python'
            - 'node'
        DestinationHostname|contains:
            - 'driver-updater.net'
            - 'live.us.org'
            - 'teamicrosoft.com'
    condition: selection_domains
falsepositives:
    - Legitimate driver updates (unlikely on macOS)
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
---
title: GHOST STADIUM FIFA World Cup Phishing Domain Access
id: 0d4e5f3a-8f6b-1c2d-0e3f-4a5b6c7d8e9f
description: Detects attempts to access known fraudulent domains associated with the GHOST STADIUM FIFA World Cup campaign.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://www.group-ib.com/blog/ghost-stadium-football-fraud/
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.fifa.gold'
            - '.fifa.black'
            - '.fifa.tax'
            - '.fifaweb.com'
            - '.fifa.red'
            - '.fifa.fund'
            - '.fifa-com.shop'
    condition: selection
falsepositives:
    - None (Legitimate FIFA traffic uses fifa.com)
level: high
tags:
    - attack.initial_access
    - attack.t1566.002
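Before pushing rules like these to production it is worth running their detection logic over a handful of hand-built events to see exactly what matches and what does not. The following is an added example (not code from Security Arsenal or the original report): a small evaluator for the Sigma subset these three rules use (the `endswith` and `contains` modifiers, list values meaning OR, map keys meaning AND, a list of maps meaning OR, and the `X` / `X and not Y` condition forms), with the three detection blocks transcribed as Python dicts. The event field names follow the rules; the event values are constructed and are not real telemetry.

```python
# Added example (not from the report): a minimal evaluator for the Sigma
# subset the three rules use, run over constructed sample events.
# Event field names follow the rules; the event values are made up here.

def _match_value(field_value, modifier, pattern):
    # Sigma string matching is case-insensitive; lowercase both sides.
    fv = str(field_value).lower()
    p = str(pattern).lower()
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "contains":
        return p in fv
    if modifier == "":
        return fv == p
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(event, mapping):
    # All keys of a map must match (AND); a list of patterns for one key is OR.
    for key, patterns in mapping.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], modifier, p) for p in patterns):
            return False
    return True


def match_selection(event, selection):
    # A list of maps (as in filter_legit) matches if any map matches (OR).
    if isinstance(selection, list):
        return any(_match_map(event, m) for m in selection)
    return _match_map(event, selection)


def evaluate(rule, event):
    # Supports the two condition shapes the rules use: "X" and "X and not Y".
    det = rule["detection"]
    parts = det["condition"].split()
    if len(parts) == 1:
        return match_selection(event, det[parts[0]])
    if len(parts) == 4 and parts[1:3] == ["and", "not"]:
        return (match_selection(event, det[parts[0]])
                and not match_selection(event, det[parts[3]]))
    raise ValueError("condition form not supported by this evaluator")


# The three rules' detection blocks, transcribed as Python dicts.
LOFY_RULE = {"detection": {
    "selection": {"ParentImage|endswith": "\\node.exe",
                  "Image|endswith": [".exe", ".dll"]},
    "filter_legit": [{"Image|contains": "Program Files"},
                     {"Image|contains": "Windows"}],
    "condition": "selection and not filter_legit"}}

JINX_RULE = {"detection": {
    "selection_domains": {
        "InitiatorProcessName|contains": ["python", "node"],
        "DestinationHostname|contains": ["driver-updater.net", "live.us.org",
                                         "teamicrosoft.com"]},
    "condition": "selection_domains"}}

GHOST_RULE = {"detection": {
    "selection": {"QueryName|endswith": [".fifa.gold", ".fifa.black", ".fifa.tax"]},
    "condition": "selection"}}

# Constructed events (not real telemetry) chosen to exercise each rule's edges.
EVENTS = [
    ("node_spawns_temp_exe", LOFY_RULE,
     {"ParentImage": r"C:\Users\dev\AppData\Roaming\npm\node.exe",
      "Image": r"C:\Users\dev\AppData\Local\Temp\payload.exe"}),
    ("node_spawns_system_tool", LOFY_RULE,      # suppressed by filter_legit
     {"ParentImage": r"C:\Program Files\nodejs\node.exe",
      "Image": r"C:\Windows\System32\cmd.exe"}),
    ("python_to_c2_subdomain", JINX_RULE,
     {"InitiatorProcessName": "Python3", "DestinationHostname": "api.driver-updater.net"}),
    ("curl_to_c2", JINX_RULE,                   # initiator filter only covers python/node
     {"InitiatorProcessName": "curl", "DestinationHostname": "driver-updater.net"}),
    ("dns_subdomain", GHOST_RULE, {"QueryName": "tickets.fifa.gold"}),
    ("dns_apex", GHOST_RULE, {"QueryName": "fifa.gold"}),   # '.fifa.gold' misses the apex
]


def run_all():
    """Return {event_name: matched} for every constructed event."""
    return {name: evaluate(rule, ev) for name, rule, ev in EVENTS}


if __name__ == "__main__":
    for name, hit in run_all().items():
        print(f"{name:26s} {'ALERT' if hit else 'no match'}")
```

Two of the constructed events are there to show coverage gaps rather than hits: a DNS query for the bare apex `fifa.gold` does not satisfy `QueryName|endswith: '.fifa.gold'`, so if apex lookups should alert the rule also needs the undotted form, and a connection from `curl` to `driver-updater.net` is not caught by the JINX rule because its `InitiatorProcessName` filter only covers `python` and `node`. Whether to widen either rule is a tuning decision against your own false-positive budget; the evaluator just makes the behaviour visible before deployment.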
KQL (Microsoft Sentinel)
// Hunt for LofyStealer File Hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, SHA256

// Hunt for GHOST STADIUM and JINX Network Indicators
// (run as a separate query; KQL does not allow two tabular statements separated by ';')
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red",
    "driver-updater.net", "live.us.org", "teamicrosoft.com"
) or RemoteIP == "148.178.22.16"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
PowerShell Hunt Script
# IOC Hunter for LofyStealer and JINX-0164 Payloads
# Requires Administrator Privileges
$TargetHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)
$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "[*] Scanning for LofyStealer/JINX-0164 IOCs..." -ForegroundColor Cyan
foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
        Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            # -LiteralPath so file names containing wildcard characters are not expanded
            $FileHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $MD5Hash  = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            # -contains is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase IOCs
            if ($TargetHashes -contains $FileHash -or $TargetHashes -contains $MD5Hash) {
                Write-Host "[!] MATCH FOUND: $($_.FullName)" -ForegroundColor Red
                Write-Host "    SHA256: $FileHash" -ForegroundColor Yellow
                Write-Host "    MD5:    $MD5Hash" -ForegroundColor Yellow
            }
        }
    }
}
Write-Host "[*] Scan Complete." -ForegroundColor Cyan
Response Priorities
Immediate (0-4 Hours)
- Block IOCs: Push all provided domains (fifa.*, driver-updater.net) and IP addresses (148.178.22.16) to firewalls, Secure Web Gateways, and DNS resolvers.
- Hunt Compromise: Execute the provided PowerShell script across endpoints to detect the presence of LofyStealer or JINX-0164 payloads.
- Isolate: Isolate any endpoints returning positive hits for the file hashes or suspicious Node.js/macOS process chains.
24 Hours
- Credential Audit: If indicators of LofyStealer, Vidar, or Lumma are found, initiate a forced password reset for affected users and invalidate session tokens for critical applications (SaaS, Email, Banking).
- Developer Check: For JINX-0164, audit developer workstations (specifically macOS) for the presence of the AUDIOFIX or MINIRAT payloads and scan the npm cache for malicious packages.
- Network Telemetry: Review proxy logs for successful connections to the listed fraudulent domains to identify potential victims who may have entered credentials.
1 Week
- Architecture Hardening: Implement strict allow-listing for Node.js execution in user directories. Restrict the use of personal GitHub/NPM repositories in corporate build pipelines.
- User Awareness: Deploy targeted security awareness training regarding "too good to be true" offers (Minecraft mods, World Cup tickets) and LinkedIn recruitment scams targeting technical staff.
- Supply Chain Review: Enforce SBOM (Software Bill of Materials) validation for all third-party libraries entering the development environment.