Threat Summary
Recent OTX pulses indicate a surge in multi-vector credential theft campaigns targeting distinct demographics: gamers (Minecraft), software developers (Crypto/Laravel), and event attendees (FIFA World Cup). The common thread is the aggressive deployment of information stealers (LofyStealer, Vidar, Lumma, ACRStealer) often delivered via supply chain compromises (Laravel Lang, npm) or sophisticated social engineering (LinkedIn phishing, fake FIFA domains).
Notably, adversaries are evolving C2 infrastructure, utilizing BNB Smart Chain testnet smart contracts (EtherHiding) for ClearFake to ensure resiliency against takedowns. The JINX-0164 actor demonstrates a shift towards targeting development infrastructure specifically within the cryptocurrency sector using macOS-native payloads (AUDIOFIX, MINIRAT).
Threat Actor / Malware Profile
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players; often disguised as legitimate game mods or libraries.
- Payload: Two-stage malware comprising a 53.5MB Node.js loader and a 1.4MB memory-only C++ payload.
- Behavior: Steals cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers; uses syscall-based evasion.
JINX-0164
- Distribution: LinkedIn phishing (recruiter persona), supply chain attacks via npm trojans.
- Payload: Custom macOS malware including AUDIOFIX (Python RAT/Infostealer) and MINIRAT (Go backdoor).
- Target: Cryptocurrency organizations and software developers.
GHOST STADIUM
- Distribution: 4,300+ fraudulent domains (FIFA clones), Facebook advertising exploitation.
- Payload: Vidar and Lumma Stealers.
- Objective: Credential harvesting and financial fraud related to the 2026 World Cup.
Laravel Lang Compromise
- Distribution: Supply chain attack on community-maintained Laravel packages (laravel-lang/lang, etc.).
- Payload: RCE backdoor in helpers.php and DebugChromium.exe stealer.
- Impact: Affects over 700 versions; suggests credential compromise at the repository level.
IOC Analysis
The indicators provided span multiple categories requiring different handling:
- Domains (High Priority): A large volume of typosquatting domains (e.g., fifa.gold, fifa.black, driver-updater.net, teams.live.us.org). These should be blocked immediately at the perimeter and DNS-sinkholed.
- File Hashes: MD5, SHA1, and SHA256 hashes for Node.js loaders, C++ payloads, and macOS binaries. SOC teams should hunt for these hashes in EDR telemetry and SIEM logs.
- URLs: Installation scripts (e.g., http://89.36.224.5/troubleshoot/mac/install.sh) and payload dropzones (flipboxstudio.info). These URLs should be categorized as malicious in web proxies.
- Operationalization: Automated blocklists should be updated with the domains. File hashes should be loaded into EDR isolation rules. The flipboxstudio.info domain is specifically tied to the Laravel exfiltration.
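The matching logic this section calls for, as an added example in Python (not code from the report or from any vendor tool): it loads the report's domain, URL and hash indicators, matches domains on whole DNS labels so that a parent entry such as live.us.org also covers teams.live.us.org while a look-alike such as fifa.gold.cdn-example.net is not flagged, and matches hashes case-insensitively whatever the algorithm. The function names and the log lines are constructed for illustration.

```python
"""IOC matcher: label-aware domain matching and hash matching over log lines.

Added example, not from the original report. Indicators are taken from the
report's IOC section; the log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Domain indicators from the report. Matching is done on DNS labels, so a
# parent entry such as live.us.org also covers teams.live.us.org, while a
# look-alike such as fifa.gold.cdn-example.net is NOT matched.
DOMAIN_IOCS = {
    "fifa.gold", "fifa.black", "fifa.tax", "fifa.red", "fifa.fund", "fifaweb.com",
    "driver-updater.net", "live.us.org", "flipboxstudio.info",
}
URL_IOCS = {"http://89.36.224.5/troubleshoot/mac/install.sh"}
# Hash indicators from the report (MD5 and SHA256 mixed, as in the hunt script).
HASH_IOCS = {h.lower() for h in (
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
)}
HASH_ALGOS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def matched_domain(host):
    """Return the indicator that covers host (exact or parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def classify_token(value):
    """Return (ioc_type, indicator) if one token hits an indicator, else None."""
    v = value.strip(",;\"'()").lower()
    if "://" in v:
        if v in URL_IOCS:
            return ("URL", v)
        hit = matched_domain(urlsplit(v).hostname or "")
        return ("Domain", hit) if hit else None
    if HOST_RE.match(v):
        hit = matched_domain(v)
        return ("Domain", hit) if hit else None
    if len(v) in HASH_ALGOS and HEX_RE.match(v) and v in HASH_IOCS:
        return (HASH_ALGOS[len(v)], v)
    return None


def scan_line(line):
    """Scan one whitespace-separated log line; key=value tokens are unwrapped."""
    hits = []
    for token in line.split():
        value = token.split("=", 1)[1] if "=" in token else token
        hit = classify_token(value)
        if hit and hit not in hits:
            hits.append(hit)
    return hits


def scan_logs(lines):
    """Return (line index, ioc_type, indicator) for every hit across lines."""
    return [(i, kind, ind) for i, line in enumerate(lines)
            for kind, ind in scan_line(line)]


SAMPLE_LOGS = [  # constructed sample lines, not from any real environment
    "2026-05-30T10:12:03Z proxy src=10.1.4.22 url=https://teams.live.us.org/login action=allow",
    "2026-05-30T10:13:41Z dns client=10.1.4.22 query=fifa.gold.cdn-example.net rcode=NOERROR",
    "2026-05-30T10:15:09Z edr host=DEV-07 file=C:\\Users\\dev\\AppData\\Roaming\\DebugChromium.exe md5=D21A5D08B4614005C8FCD9D0068F0190",
    "2026-05-30T10:16:30Z edr host=MAC-03 cmd=curl http://89.36.224.5/troubleshoot/mac/install.sh",
    "2026-05-30T10:17:02Z dns client=10.1.4.30 query=updates.driver-updater.net rcode=NOERROR",
]

if __name__ == "__main__":
    for idx, kind, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} hit on {indicator}")
```

The second sample line is the reason for label-based matching: a substring or wildcard test such as the `-like "*fifa.gold*"` pattern would flag fifa.gold.cdn-example.net, whereas suffix matching on labels does not, and it still catches updates.driver-updater.net under driver-updater.net.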
Detection Engineering
Sigma Rules
title: Potential Laravel Lang Supply Chain RCE
id: 8a7c2d1e-5f3a-4b6c-9e1d-2f4a5b6c7d8e
description: Detects suspicious child processes spawned by Composer or PHP processes, potentially indicating execution of the helpers.php backdoor or the DebugChromium stealer.
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://socket.dev/blog/laravel-lang-compromise
tags:
    - attack.supply_chain
    - attack.execution
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\composer.exe'
            - '\php.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\DebugChromium.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate developer build scripts
level: high
---
title: LofyStealer Node.js Loader Activity
description: Detects Node.js processes reading browser credential stores, indicative of LofyStealer activity.
id: b8d3e4f5-6g7h-8i9j-0k1l-2m3n4o5p6q7r
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    # file_access (not process_access) is the category for file reads: the
    # browser profile paths below are file names, not target process images.
    category: file_access
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        FileName|contains:
            - '\Google\Chrome\User Data\'
            - '\AppData\Local\BraveSoftware\'
            - '\AppData\Local\Yandex\'
    condition: selection
falsepositives:
    - Legitimate browser automation tools
level: high
---
title: JINX-0164 macOS Malware Execution
description: Detects execution of known JINX-0164 payloads or access to suspicious install scripts associated with crypto-targeting campaigns.
id: c9e4f5g6-7h8i-9j0k-1l2m-3n4o5p6q7r8s
status: experimental
date: 2026/05/30
author: Security Arsenal
references:
    - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        Image|contains:
            - 'python'   # AUDIOFIX is Python-based
            - 'minirat'  # Known binary name
    selection_cli:
        CommandLine|contains:
            - 'install.sh'
            - 'troubleshoot/mac'
    condition: 1 of selection*
falsepositives:
    - Legitimate python scripts
level: critical
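To show how the conditions in the Laravel and JINX-0164 rules actually evaluate (the `and` of two selections versus `1 of selection*`), here is an added Python evaluator for just that subset of Sigma semantics. It is not code from the report or from the Sigma project, the rule titles and detection sections are copied from the rules above, and the process events it runs over are constructed samples.

```python
"""Minimal evaluator for the Sigma detection logic used by the rules above.

Added example, not part of the original report or of the Sigma project. It
implements only the subset those rules need: the endswith/contains modifiers,
list values (any may match), several fields in one selection (all must
match), and the conditions "a and b" and "1 of selection*". String matching
is case-insensitive, as the Sigma specification requires. The events are
constructed sample records, not real telemetry.
"""
import fnmatch

# Detection sections copied from the two process_creation rules above.
RULES = {
    "Potential Laravel Lang Supply Chain RCE": {
        "selection_parent": {"ParentImage|endswith": ["\\composer.exe", "\\php.exe"]},
        "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\DebugChromium.exe"]},
        "condition": "selection_parent and selection_child",
    },
    "JINX-0164 macOS Malware Execution": {
        "selection_img": {"Image|contains": ["python", "minirat"]},
        "selection_cli": {"CommandLine|contains": ["install.sh", "troubleshoot/mac"]},
        "condition": "1 of selection*",
    },
}


def field_matches(event, key, expected):
    """Apply one 'Field|modifier: value(s)' test to an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for exp in candidates:
        exp = str(exp).lower()
        if modifier == "endswith" and value.endswith(exp):
            return True
        if modifier == "contains" and exp in value:
            return True
        if modifier == "" and value == exp:
            return True
    return False


def selection_matches(event, selection):
    """A selection matches when every field test in it matches."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(detection, event):
    """Evaluate the rule's condition ('a and b' or '1 of pattern*') on one event."""
    selections = {k: v for k, v in detection.items() if k != "condition"}
    condition = detection["condition"].strip()
    if condition.startswith("1 of "):
        names = fnmatch.filter(selections, condition[len("1 of "):])
        return any(selection_matches(event, selections[n]) for n in names)
    names = [n.strip() for n in condition.split(" and ")]
    return all(selection_matches(event, selections[n]) for n in names)


SAMPLE_EVENTS = [  # constructed sample events
    {"ParentImage": "C:\\php\\php.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": "/bin/sh",
     "CommandLine": "sh /tmp/troubleshoot/mac/install.sh"},
    # An ordinary python invocation: it trips the rule's selection_img on its
    # own, which is the false positive the rule's own falsepositives entry notes.
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 manage.py runserver"},
]


def run_rules(events):
    """Return (event index, rule title) for every rule that fires on an event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, det in RULES.items() if evaluate(det, ev)]


if __name__ == "__main__":
    for i, title in run_rules(SAMPLE_EVENTS):
        print(f"event {i}: {title}")
```

Running it shows the practical difference between the two conditions: the Laravel rule needs both the parent and the child selection, so explorer.exe spawning cmd.exe stays silent, while `1 of selection*` lets a plain python3 invocation fire the critical-level JINX-0164 rule on its own, which is why that rule needs tuning or an allow-list before it goes to production.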
KQL (Microsoft Sentinel)
// Hunt for Ghost Stadium and JINX-0164 Network IOCs
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "driver-updater.net", "live.us.org", "teams.live.us.org", "flipboxstudio.info")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoCType = "Domain/URL"

// Hunt for LofyStealer and Laravel Payload File Hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
"45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
"b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName
| extend IoCType = "FileHash"
PowerShell Hunt Script
# IOC Hunt for LofyStealer and Laravel Artifacts
# Requires Admin Privileges for system-wide scan
# The hash list mixes MD5 (32 hex) and SHA256 (64 hex) values, so both digests
# are computed for every file; hashing MD5 only would never match the SHA256 entry.
$TargetHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)
$SuspiciousPaths = @(
    "$env:USERPROFILE\AppData\Local\Temp\node.exe",
    "$env:USERPROFILE\AppData\Roaming\DebugChromium.exe",
    "$env:LOCALAPPDATA\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState"
)
Write-Host "[*] Scanning for specific file hashes..." -ForegroundColor Cyan
# -File skips directories, which Get-FileHash cannot hash
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $file = $_.FullName
        foreach ($algo in @('MD5', 'SHA256')) {
            $hash = (Get-FileHash -Path $file -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so Get-FileHash's uppercase output matches
            if ($hash -and ($TargetHashes -contains $hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND ($algo): $file" -ForegroundColor Red
            }
        }
    }
Write-Host "[*] Checking for suspicious Laravel artifacts..." -ForegroundColor Cyan
foreach ($path in $SuspiciousPaths) {
    if (Test-Path $path) {
        Write-Host "[!] Suspicious file detected at: $path" -ForegroundColor Yellow
    }
}
Write-Host "[*] Checking DNS Cache for C2 domains..." -ForegroundColor Cyan
$Domains = @("fifa.gold", "driver-updater.net", "flipboxstudio.info")
$DnsCache = Get-DnsClientCache
foreach ($dom in $Domains) {
    # Match the domain itself or any subdomain of it, not arbitrary substrings
    $cacheHits = $DnsCache | Where-Object { $_.Name -eq $dom -or $_.Name -like "*.$dom" }
    foreach ($entry in $cacheHits) {
        Write-Host "[!] C2 Domain found in DNS Cache: $($entry.Name)" -ForegroundColor Red
    }
}
Response Priorities
- Immediate:
  - Block all fifa.* typosquatting domains and flipboxstudio.info at the proxy and DNS level.
  - Isolate any endpoints triggering alerts on the provided MD5/SHA256 hashes (LofyStealer/Laravel payloads).
  - Kill any process matching DebugChromium.exe or unexpected Node.js processes spawning from user directories.
- 24 Hours:
  - Verify the integrity of all laravel-lang packages in development environments. Revert to known-safe commits prior to May 22, 2026.
  - Conduct credential audits for developers who may have interacted with compromised Laravel repos or LinkedIn messages from JINX-0164.
  - Hunt for evidence of helpers.php modification in web directories.
- 1 Week:
  - Review supply chain security policies; implement pinned dependencies and integrity checks (npm audit, composer verify).
  - Enforce MFA for all developer accounts and crypto-wallet access.
  - Add BSC testnet RPC endpoints to monitoring for anomalous outbound traffic (potential ClearFake C2).
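For the pinned-dependency and integrity-check item above, here is an added Python example (not code from the report, npm or Composer) of what such a check does for a package-lock.json: it verifies a package archive against the lock's SRI-style "integrity" value and flags entries whose version is not pinned to an exact release. The function names, lock entries and archive bytes are constructed fixtures.

```python
"""Lock-file integrity and pinning check for vendored dependencies.

Added example, not code from the original report, npm or Composer. It
verifies a package archive against the SRI-style "integrity" field that
package-lock.json records for each package ("sha512-<base64 digest>") and
flags entries whose version is not pinned to an exact release. The lock
entries and archive bytes are constructed fixtures, not real packages.
"""
import base64
import hashlib
import hmac
import re

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Return the SRI string for data, e.g. 'sha512-<base64 of the digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_integrity(integrity: str, data: bytes) -> bool:
    """Compare data against an SRI value; unknown or malformed values fail closed."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS or not expected:
        return False
    return hmac.compare_digest(sri_digest(data, algo).encode(), integrity.encode())


def audit_lock(packages: dict, archives: dict) -> list:
    """Return (package, finding) pairs for every lock entry that fails a check."""
    findings = []
    for name, entry in packages.items():
        if not EXACT_VERSION.match(entry.get("version", "")):
            findings.append((name, "version not pinned exactly"))
        integrity = entry.get("integrity")
        if not integrity:
            findings.append((name, "no integrity field"))
            continue
        data = archives.get(name)
        if data is None:
            findings.append((name, "archive not available for verification"))
        elif not verify_integrity(integrity, data):
            findings.append((name, "integrity mismatch"))
    return findings


# Constructed fixtures. The lock was "written" when GOOD_ARCHIVE was the content
# of both good-pkg and modified-pkg; modified-pkg's archive has changed since,
# which is exactly what a lock-file integrity check is meant to catch.
GOOD_ARCHIVE = b"constructed tarball bytes for good-pkg 1.2.3"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# extra bytes appended after the lock was written"
LOCK_PACKAGES = {
    "node_modules/good-pkg": {"version": "1.2.3", "integrity": sri_digest(GOOD_ARCHIVE)},
    "node_modules/modified-pkg": {"version": "4.5.6", "integrity": sri_digest(GOOD_ARCHIVE)},
    "node_modules/loose-pkg": {"version": "^2.0.0"},
}
ARCHIVES = {
    "node_modules/good-pkg": GOOD_ARCHIVE,
    "node_modules/modified-pkg": TAMPERED_ARCHIVE,
}

if __name__ == "__main__":
    for pkg, finding in audit_lock(LOCK_PACKAGES, ARCHIVES):
        print(f"{pkg}: {finding}")
```

The check fails closed on unknown digest algorithms and uses a constant-time comparison; in practice the archive bytes would come from the package cache or the vendored tarball rather than a fixture, and the lock would be parsed from package-lock.json's "packages" map.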