Back to Intelligence

Multi-Vector Infostealer Surge: ClickFix, LofyStealer & npm Supply Chain Attacks — OTX Pulse Analysis

SA
Security Arsenal Team
June 2, 2026
6 min read

Recent OTX pulses from 2026-06-02 reveal a coordinated surge in credential theft and infostealer activity leveraging diverse attack vectors. The "ClickFix" campaign continues to evolve, utilizing fake image-editing tools (BackgroundFix) to trick users into copying malicious commands that invoke finger.exe for payload retrieval, ultimately dropping NetSupport RAT and CastleStealer.

Simultaneously, the "LofyGang" is targeting gamers via LofyStealer, a sophisticated Node.js and C++ infostealer disguised as legitimate Minecraft libraries. On the software supply chain front, the "Mini Shai-Hulud" campaign has compromised @redhat-cloud-services npm packages, employing preinstall hooks to harvest CI/CD secrets and cloud credentials. Additionally, the "GHOST STADIUM" actor is exploiting the 2026 FIFA World Cup hype with phishing-as-a-service (PaaS) operations delivering Vidar and Lumma stealers, while "JINX-0164" targets cryptocurrency developers via LinkedIn phishing with macOS-specific payloads (AUDIOFIX).

Collectively, these campaigns emphasize a shift toward social engineering and supply chain compromises to bypass traditional perimeter defenses, focusing heavily on harvesting cryptocurrency wallets, browser credentials, and cloud infrastructure keys.

Threat Actor / Malware Profile

1. ClickFix / CastleLoader / CastleStealer

  • Distribution: Fake image-editing tools distributed via social engineering lures (e.g., BackgroundFix). Users are prompted to verify humanity by copying clipboard content.
  • Payload Behavior: Uses finger.exe to fetch the next stage. Delivers CastleLoader, which drops NetSupport RAT (remote access) and CastleStealer (credential theft).
  • C2 Communication: Communicates over HTTP on non-standard ports (e.g., 688) to domains like trindastal.com.
  • Persistence: Likely achieved via scheduled tasks or registry run keys established by the loader.

2. LofyGang (LofyStealer / GrabBot)

  • Distribution: Malicious Minecraft mods and game cheats distributed through social engineering.
  • Payload Behavior: Two-stage execution: a 53.5MB Node.js loader (disguised as libraries) loading a 1.4MB in-memory C++ payload. Evades analysis using syscalls manipulation.
  • Targeted Data: Cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.

3. JINX-0164 (AUDIOFIX / MINIRAT)

  • Distribution: LinkedIn recruiting spoofing targeting crypto organizations.
  • Payload Behavior: Python-based infostealer (AUDIOFIX) and Go backdoor (MINIRAT) specifically designed for macOS.
  • Objective: Initial access to development environments for long-term espionage or financial theft.

4. Mini Shai-Hulud (Shai-Hulud / TrapDoor)

  • Distribution: Compromised npm packages (@redhat-cloud-services scope).
  • Payload Behavior: Malicious scripts executed via preinstall hooks. Uses AES-GCM encrypted payloads and obfuscated JavaScript.
  • Objective: Theft of GitHub Actions secrets, npm tokens, cloud credentials (AWS/Azure/GCP), and SSH keys.

IOC Analysis

The provided indicators span multiple infrastructure types:

  • Domains: High volume of typosquatting and fraud domains (e.g., fifa.gold, driver-updater.net, trindastal.com). These should be blocked at the DNS resolver and proxy level.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for Node.js loaders, C++ payloads, and npm package install scripts. These should be integrated into EDR and antivirus detection engines.
  • URLs & IPs: Specific C2 infrastructure including HTTP ports (e.g., :688) and IPv4 addresses (148.178.22.16) associated with the GHOST STADIUM campaign.

Operational Guidance: SOC teams should prioritize domain blocking for the FIFA-related typosquats and the specific C2 domains. The file hashes provided for LofyStealer and Shai-Hulud are critical for hunting; however, the polymorphic nature of the Shai-Hulud obfuscation requires behavioral hunting (detecting npm processes spawning shells) in addition to hash matching.

Detection Engineering

YAML
title: Suspicious finger.exe Execution (ClickFix Activity)
id: 55d7c123-88a1-4b3c-9a5d-6b8f9e0a1c2d
status: experimental
description: Detects the execution of finger.exe, which is abused in ClickFix campaigns to retrieve malicious payloads via clipboard commands.
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663c9f2e5dc4f1a8e6b8c9d0
date: 2026/06/02
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legitimate administrative use (rare)
level: high
---
title: NPM Preinstall Script Execution (Shai-Hulud Supply Chain)
id: 88a1d4e5-2b3c-4f5e-8a9b-1c2d3e4f5a6b
status: experimental
description: Detects execution of shell scripts via npm preinstall hooks, indicative of the Mini Shai-Hulud supply chain attack targeting Red Hat packages.
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663c9f2e5dc4f1a8e6b8c9d5
date: 2026/06/02
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/npm'
    CommandLine|contains: 'preinstall'
  condition: selection
falsepositives:
  - Legitimate package installation scripts
level: high
---
title: Node.js Spawning Native Processes (LofyStealer Loader)
id: 99b2e5f6-3c4d-5g6h-7i8j-9k0l1m2n3o4p
status: experimental
description: Detects Node.js processes spawning native executables, a technique used by LofyStealer to load its C++ payload in memory.
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663c9f2e5dc4f1a8e6b8c9d1
date: 2026/06/02
tags:
  - attack.defense_evasion
  - attack.t1055.012
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '.exe'
      - '.dll'
  filter:
    Image|contains:
      - '\node_modules\'
  condition: selection and not filter
falsepositives:
  - Legitimate Node.js application behavior
level: medium


kql// Hunt for ClickFix C2 Domains and Finger.exe usage
DeviceNetworkEvents
| where RemoteUrl in ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com") or RemotePort == 688
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort
| union (
    DeviceProcessEvents
    | where FileName =~ "finger.exe"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
)
| order by Timestamp desc


powershell# IOC Hunt Script for LofyStealer and Shai-Hulud Hashes
$TargetHashes = @(    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35",
    "ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6"
)

Write-Host "Scanning for LofyStealer and Shai-Hulud artifacts..." -ForegroundColor Yellow

# Scan fixed drives for files matching the hashes
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object {
    $Drive = $_.Root
    Write-Host "Scanning drive $Drive..." -ForegroundColor Cyan
    
    Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5, SHA256 -ErrorAction SilentlyContinue | ForEach-Object {
        if ($TargetHashes -contains $_.Hash.ToLower()) {
            Write-Host "[MATCH] Malicious file detected: $($_.Path) | Hash: $($_.Hash) | Algorithm: $($_.Algorithm)" -ForegroundColor Red
        }
    }
}

Write-Host "Scan complete. If matches are found, isolate the endpoint immediately." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed IOCs (domains, IPs, hashes) at perimeter controls (firewall, proxy, DNS) and endpoints (EDR).
    • Isolate any endpoints with confirmed finger.exe execution or npm preinstall anomalies.
  • 24h:
    • Initiate credential resets for users and service accounts associated with infected endpoints, particularly those with access to cryptocurrency wallets or cloud infrastructure (AWS/Azure/GCP).
    • Investigate GitHub Actions and CI/CD pipelines for unauthorized access using the stolen secrets mentioned in the Shai-Hulud pulse.
  • 1 Week:
    • Review and harden npm and software supply chain policies (e.g., implementing dependency pinning and private registries).
    • Conduct security awareness training focused on "fake browser update" and "game mod" social engineering vectors.
    • Audit LinkedIn accounts for recruitment-based phishing attempts targeting technical staff.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealersupply-chainclickfixlofystealershai-hulud

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action