Back to Intelligence

Multi-Front Credential Theft: LofyStealer, JINX-0164, and Ghost Stadium Supply Chain Analysis

SA
Security Arsenal Team
May 29, 2026
6 min read

Recent OTX pulses reveal a coordinated surge in financially motivated credential theft campaigns spanning multiple vectors and sectors. Threat actors are increasingly leveraging supply chain compromises and novel infrastructure to bypass traditional defenses.

  • LofyGang is actively targeting the gaming sector (Minecraft players) with LofyStealer, a sophisticated two-stage malware utilizing a Node.js loader and memory-resident C++ payload to harvest extensive browser data.
  • JINX-0164 has emerged as a distinct threat to the cryptocurrency industry, employing LinkedIn-based social engineering to deliver custom macOS malware (AUDIOFIX, MINIRAT) specifically designed for developer infrastructure compromise.
  • The GHOST STADIUM operation demonstrates the scale of credential phishing, leveraging over 4,300 domains to impersonate the 2026 FIFA World Cup, utilizing pixel-perfect cloning for credential harvesting.
  • Technical innovation is evident in the ClearFake campaign, which utilizes the BNB Smart Chain testnet for immutable C2 infrastructure, and the Laravel Lang compromise, which backdoored widely used developer packages with RCE capabilities.

Collectively, these campaigns indicate a shift toward resilient infrastructure (blockchain), trusted dependency abuse (Laravel, NPM), and highly targeted social engineering to maximize credential yield.

Threat Actor / Malware Profile

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players; disguised as legitimate libraries within a 53.5MB Node.js loader.
  • Payload Behavior: Executes a 1.4MB native C++ payload directly in memory to evade disk-based scanning.
  • Capabilities: Extracts cookies, passwords, tokens, credit cards, and IBANs from 8 different browsers.
  • Evasion: Utilizes syscalls evasion and memory-only execution techniques.

JINX-0164

  • Distribution: LinkedIn phishing posing as recruiters; supply chain attacks via NPM; CI/CD hijacking.
  • Malware:
    • AUDIOFIX: Python-based infostealer and RAT for macOS.
    • MINIRAT: Lightweight Go backdoor for macOS.
  • Targets: Cryptocurrency organizations and software developers.

GHOST STADIUM

  • Distribution: Facebook advertising exploitation and over 4,300 typosquatted domains (e.g., fifa.gold, fifa.tax).
  • Technique: Phishing-as-a-Service (PaaS) using pixel-perfect clones of FIFA authentication systems.
  • Objective: Credential harvesting and fraud related to World Cup ticketing.

ClearFake (Blockchain C2)

  • Infrastructure: Uses EtherHiding to store C2 instructions in smart contracts on the BNB Smart Chain testnet.
  • Malware: Delivers SectopRAT and ACRStealer.
  • Advantage: Immutable C2 infrastructure that resists takedown.

IOC Analysis

The provided IOCs represent a high-confidence set of artifacts covering the attack lifecycle:

  • File Hashes (MD5/SHA1/SHA256): Associated with LofyStealer payloads, JINX-0164 installers, and macOS binaries. SOC teams should prioritize these for EDR correlation and historical hunts.
  • Domains & Hostnames: Include typosquatting domains for FIFA (Ghost Stadium) and spoofed Microsoft services (JINX-0164). These should be added to DNS blocklists immediately.
  • URLs: Include malicious scripts (e.g., install.sh) and payload delivery servers used in supply chain attacks.
  • Operationalization:
    • EDR: Hunt for process execution matching the file hashes.
    • Network: Block all listed domains and IPs; inspect DNS logs for resolutions to fifa.* TLD variations.
    • SIEM: Correlate outbound connections to BSC Testnet RPC endpoints (ClearFake) from non-developer workstations.

Detection Engineering

Sigma Rules

YAML
title: Suspicious DebugChromium Execution - Laravel Compromise
id: 4a8b12c9-7d1e-4f3a-9c5e-6d7f8a9b0c1d
description: Detects execution of DebugChromium.exe, a payload associated with the Laravel Lang supply chain compromise (RCE Backdoor).
status: experimental
date: 2026/05/29
author: Security Arsenal
references:
    - https://socket.dev/blog/laravel-lang-compromise
tags:
    - attack.supply_chain
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DebugChromium.exe'
    condition: selection
falsepositives:
    - Legitimate Chromium debugging (unlikely in prod environment)
level: critical
---
title: LofyStealer Node.js Loader Activity
date: 2026/05/29
id: 5b9c23d0-8e2f-5g4b-0d6f-7e8g0a1c2d3e
description: Detects Node.js processes spawning non-Node child processes, indicative of the LofyStealer loader executing a native C++ payload.
status: experimental
author: Security Arsenal
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith: '\node.exe'
    selection_child:
        - Image|endswith: \\cmd.exe'
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\rundll32.exe'
    filter_legit_dev:
        CommandLine|contains:
            - 'npm'
            - 'yarn'
            - 'webpack'
            - 'vite'
    condition: selection_parent and selection_child and not filter_legit_dev
falsepositives:
    - Legitimate development build scripts
level: high
---
title: macOS Suspicious Python Network Connection (JINX-0164)
id: 6c0d34e1-9f3g-6h5c-1e7g-8f9h1b2d3e4f
date: 2026/05/29
description: Detects Python interpreter making network connections, potentially associated with AUDIOFIX RAT activity on macOS.
status: experimental
author: Security Arsenal
references:
    - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        Image|endswith: '/python' or Image|endswith: '/python3'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate developer tooling
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Ghost Stadium and JINX-0164 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("fifa.gold", "fifa.tax", "fifa.red", "live.us.org", "driver-updater.net", "teamicrosoft.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend TailIndicator = "Phishing/Fraud Infrastructure"


kql
// Hunt for Laravel Backdoor Execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "DebugChromium.exe"
| project Timestamp, DeviceName, AccountName, FolderPath, SHA256
| extend TailIndicator = "Supply Chain Backdoor"

PowerShell Hunt Script

PowerShell
# LofyStealer & Laravel Compromise IOC Hunter
$TargetHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190", # LofyStealer MD5
    "fb203c0ac030a97281960d7c28d86ebf", # LofyStealer MD5
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", # LofyStealer SHA256
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"  # LofyStealer SHA256
)

Write-Host "[+] Scanning for LofyStealer artifacts..." -ForegroundColor Cyan

# Scan C: Drive for specific hashes
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { !$_.PSIsContainer -and $_.Length -gt 1mb -and $_.Length -lt 60mb } | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] THREAT DETECTED: " $_.FullName -ForegroundColor Red
        }
    }

Write-Host "[+] Scanning for Laravel Backdoor (DebugChromium.exe)..." -ForegroundColor Cyan
$process = Get-Process | Where-Object { $_.ProcessName -eq "DebugChromium" }
if ($process) {
    Write-Host "[!] THREAT DETECTED: DebugChromium.exe running with PID " $process.Id -ForegroundColor Red
    $process.Path
} else {
    Write-Host "[-] No active DebugChromium processes found." -ForegroundColor Green
}

Response Priorities

  • Immediate:

    • Block all domains and IOCs listed in the Pulse data at the perimeter firewall and proxy.
    • Scan endpoints for the SHA256 hashes associated with LofyStealer and JINX-0164.
    • Isolate any systems found running DebugChromium.exe or node.exe with suspicious child processes.

  • 24 Hours:

    • Initiate credential resets and identity verification for users in the Hospitality, Finance, and Gaming sectors who may have interacted with FIFA-related or Minecraft-related sites recently.
    • Review developer access logs for CI/CD pipelines and NPM package usage (specifically Laravel Lang packages).

  • 1 Week:

    • Harden software supply chain policies: implement package-lock verification and require code review for all dependency updates.
    • Update awareness training to include LinkedIn recruitment scams and "too good to be true" offers for gaming/crypto/ticketing.
    • Configure network monitoring to alert on anomalous connections to blockchain testnet RPC endpoints from user endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealersupply-chain-attacklofystealerjinx-0164ghost-stadium

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action