
Supply Chain Assault & Credential Harvesting: ClickFix, LofyStealer, JINX-0164, Kali365, and Shai-Hulud Campaigns — Enterprise Detection Pack

Security Arsenal Team
June 3, 2026

Threat Summary

Recent OTX pulse data reveals a coordinated wave of credential theft campaigns spanning supply chain compromises, social engineering, and OAuth abuse. Five distinct threat actors—ClickFix, LofyGang (LofyStealer), JINX-0164, Kali365 operators, and unknown Shai-Hulud perpetrators—are actively targeting enterprise cloud infrastructure, development environments, and end-user credentials through sophisticated multi-stage attack chains.

Collective Attack Patterns:

  • Supply Chain Compromise: @redhat-cloud-services npm packages (Shai-Hulud), driver-updater.net domains (JINX-0164)
  • Social Engineering Lures: Fake image editors targeting general users (ClickFix), Minecraft-themed attacks against gamers (LofyStealer), LinkedIn recruiter impersonation (JINX-0164)
  • OAuth 2.0 Device Authorization Abuse: Kali365 platform bypassing MFA across Microsoft 365, Okta, and Xerox platforms
  • Multi-Stage Payload Delivery: Node.js loaders, reflective loaders, AES-GCM encrypted payloads
  • C2 Infrastructure: Diverse domains including securehubcloud.com, poronto.com, and driver-updater.net

The unified objective across these campaigns is credential and token theft—harvesting cloud credentials, GitHub Actions secrets, npm tokens, browser sessions, and cryptocurrency keys—enabling lateral movement, financial theft, and persistent access to victim environments.

Threat Actor / Malware Profile

ClickFix / CastleLoader

  • Distribution Method: Disguised as "BackgroundFix" free image-editing tool, prompts users to "verify humanity" by copying malicious commands to clipboard
  • Payload Behavior: Invokes finger.exe to retrieve CastleLoader, which drops NetSupport RAT and CastleStealer (.NET stealer)
  • C2 Communication: trindastal.com, poronto.com, brionter.com on port 688
  • Persistence Mechanism: Unknown (likely scheduled tasks or registry modifications)
  • Anti-Analysis Techniques: Reflective loading, obfuscated .NET payload

LofyStealer (GrabBot/Slinky)

  • Distribution Method: Social engineering targeting Minecraft players through game-related lures
  • Payload Behavior: Two-stage architecture—53.5MB Node.js loader disguised in legitimate libraries, 1.4MB C++ payload executing in memory
  • C2 Communication: Not disclosed in IOCs, likely HTTP/HTTPS to dynamic domains
  • Persistence Mechanism: Browser extension injection, scheduled tasks
  • Anti-Analysis Techniques: Syscall-based evasion, in-memory execution, Chromelevator browser manipulation

JINX-0164

  • Distribution Method: LinkedIn-based social engineering (recruiter/business partner impersonation), npm trojan distribution
  • Payload Behavior: AUDIOFIX (Python-based infostealer/RAT), MINIRAT (lightweight Go backdoor)
  • C2 Communication: driver-updater.net, teams.live.us.org, live.ong
  • Persistence Mechanism: Launch agents/daemons (macOS), CI/CD pipeline persistence
  • Anti-Analysis Techniques: Supply chain camouflage via legitimate-looking infrastructure

Kali365 Operator

  • Distribution Method: Phishing-as-a-Service platform, impersonating MAX Messenger and legitimate services
  • Payload Behavior: EKZ Infostealer targeting OAuth tokens and session cookies
  • C2 Communication: securehubcloud.com infrastructure (panel.securehubcloud.com, api.securehubcloud.com)
  • Persistence Mechanism: OAuth refresh token abuse, session token persistence
  • Anti-Analysis Techniques: OAuth 2.0 device authorization flow abuse to bypass MFA detection

Shai-Hulud

  • Distribution Method: Compromised @redhat-cloud-services npm packages with malicious preinstall hooks
  • Payload Behavior: AES-GCM encrypted payloads, obfuscated JavaScript loaders stealing cloud credentials and Git secrets
  • C2 Communication: Not disclosed in IOCs, likely exfiltration via HTTP(S) to C2
  • Persistence Mechanism: None (one-time execution during npm install)
  • Anti-Analysis Techniques: Payload encryption, code obfuscation, CI/CD camouflage

IOC Analysis

Indicator Types Present:

Domains (10):

  • C2 infrastructure: trindastal.com, poronto.com, brionter.com, driver-updater.net, live.ong
  • Phishing panels: securehubcloud.com, attachedfile.com, greatness-marketing.top
  • Lookalike domains: teams.live.us.org, login.teamicrosoft.com

File Hashes (17):


URLs (4):

Operationalization Guidance:

Immediate SOC Actions:

  1. Add all domains to DNS sinkhole/blocking lists
  2. Deploy file hashes to EDR quarantine rules
  3. Configure NDR to alert on outbound connections to IOC URLs on non-standard ports (688)
  4. Enrich domains with passive DNS to identify associated infrastructure

Tooling Recommendations:

  • Threat Intelligence Platforms: MISP, OpenCTI, ThreatConnect for IOC management
  • EDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint for hash matching
  • NDR: Darktrace, Corelight for network-based C2 detection
  • SIEM: Splunk, Microsoft Sentinel for log correlation and alerting

Detection Engineering

Sigma Rules

YAML
---
title: ClickFix BackgroundFix Clipboard Manipulation and finger.exe Execution
id: 1a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
description: Detects ClickFix campaign behavior where finger.exe is executed with command-line arguments suggesting payload retrieval, often preceded by clipboard manipulation events
author: Security Arsenal
status: experimental
date: 2026/06/03
references:
  - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
  - attack.t1105
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith: '\finger.exe'
  # Named as a selection rather than a filter: both parts are required, nothing is excluded
  selection_cmdline:
    CommandLine|contains:
      - 'http://'
      - 'http%3A%2F%2F'
  condition: selection_image and selection_cmdline
falsepositives:
  - Legitimate finger.exe usage (rare in modern environments)
level: critical
---
title: LofyStealer Node.js Loader Suspicious Process Chain
description: Detects LofyStealer execution pattern involving Node.js processes spawning suspicious child processes, indicative of the two-stage loader architecture targeting browser credentials
author: Security Arsenal
status: experimental
date: 2026/06/03
references:
  - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
  - attack.execution
  - attack.privilege_escalation
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  # The parent must be matched on ParentImage; matching Image for both parent and child
  # can never be true for a single process-creation event
  parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
  child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\rundll32.exe'
  suspicious_flags:
    CommandLine|contains:
      - 'chromelevator'
      - 'node_modules'
      - 'slinky'
  condition: parent and child and suspicious_flags
falsepositives:
  - Legitimate Node.js development workloads (the 'node_modules' term in particular is common in build tooling; tune or drop it for developer hosts)
level: high
---
title: Shai-Hulud npm Package Preinstall Hook Execution
description: Detects npm lifecycle scripts spawned by node.exe or npm.cmd from packages in the @redhat-cloud-services scope, combined with decode-and-eval patterns indicative of the Shai-Hulud supply chain campaign. npm runs preinstall hooks as a cmd.exe or node.exe child with the package directory as the working directory, so the scope is matched on the working directory or the child's command line rather than on the npm.cmd command line
author: Security Arsenal
status: experimental
date: 2026/06/03
references:
  - https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
tags:
  - attack.initial_access
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
    Image|endswith:
      - '\cmd.exe'
      - '\node.exe'
  # List of maps = OR: either the working directory or the command line names the scope
  redhat_scope:
    - CurrentDirectory|contains: '\@redhat-cloud-services\'
    - CommandLine|contains: '@redhat-cloud-services'
  suspicious_package_names:
    CommandLine|contains:
      - 'redhat'
      - 'cloud-services'
  obfuscated_patterns:
    CommandLine|contains:
      - 'eval('
      - 'atob('
      - 'Buffer.from('
  condition: selection and (redhat_scope or suspicious_package_names) and obfuscated_patterns
falsepositives:
  - Legitimate npm package installations with preinstall scripts
level: critical

KQL Hunt Queries (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix C2 connections on port 688
// (has_any rather than in: RemoteUrl may carry a scheme, port or path around the host name)
DeviceNetworkEvents
| where RemotePort == 688
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for LofyStealer-related Node.js processes spawning suspicious child processes
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd")
| where FileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("chromelevator", "slinky", "minecraft", "grabbot")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, SHA256
| order by Timestamp desc

// Hunt for OAuth device code flow abuse (Kali365 pattern)
// Uses the Sentinel SigninLogs table (Microsoft Entra ID connector): AuthenticationProtocol
// identifies device-code sign-ins, and a successful one that satisfied MFA and Conditional
// Access is exactly what a phished device code produces
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where AppDisplayName in~ ("Microsoft 365", "Okta", "Xerox") or AppDisplayName contains "MAX Messenger"
| where ResultType == "0"
| where AuthenticationRequirement == "multiFactorAuthentication"
| where ConditionalAccessStatus == "success"
| where TokenIssuerType == "AzureAD"
| project TimeGenerated, UserId, UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, DeviceDetail, Location
| order by TimeGenerated desc

// Hunt for compromised npm package execution (Shai-Hulud)
DeviceProcessEvents
| where ProcessCommandLine contains "@redhat-cloud-services" and ProcessCommandLine contains "preinstall"
| where ProcessCommandLine has_any ("eval(", "atob(", "Buffer.from(")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

// Hunt for JINX-0164 macOS malware indicators
// DeviceProcessEvents has no OSPlatform column; the platform comes from DeviceInfo
DeviceProcessEvents
| join kind=inner (DeviceInfo | where OSPlatform == "macOS" | distinct DeviceId) on DeviceId
| where ProcessCommandLine has_any ("driver-updater.net", "teams.live.us.org", "live.ong")
| where FileName in~ ("python", "python3") or ProcessCommandLine has "install.sh"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for ClickFix, LofyStealer, JINX-0164, and Shai-Hulud
# Run with elevated privileges (Security log access, Get-NetTCPConnection, full-disk read)

# Define IOC sets. The published lists mix MD5 (32 hex chars), SHA1 (40) and SHA256 (64);
# the hunt picks the algorithm from the digest length so that every entry is actually compared.
$ClickFixHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb"
)

$LofyStealerHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148",
    "f9fe23f24d45eae418c60819c523a83ddba4ca50",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7"
)

$ShaiHuludHashes = @(
    "2bec18af5f0f9cbe8949cc2bf5466dc6",
    "d07ec47042a05fe3d684f72d2155d180",
    "0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35",
    "21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4",
    "88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9",
    "ac2a2208e1726e008be6c73dc0872d9bba163319259dff1b62055ac933ca46b6",
    "ee262510cb246d2b904991aee7fc61162bdae34463439ec6383bd5356479d362"
)

$SuspiciousDomains = @(
    "trindastal.com", "poronto.com", "brionter.com", "driver-updater.net",
    "live.ong", "securehubcloud.com", "attachedfile.com", "greatness-marketing.top"
)

# Map a hex digest length to the algorithm that produced it
function Get-HashAlgorithm {
    param([string]$Hash)
    switch ($Hash.Length) {
        32 { return 'MD5' }
        40 { return 'SHA1' }
        64 { return 'SHA256' }
        default { return $null }
    }
}

# Walk the file system once and compare every file against all IOC hashes, hashing only with
# the algorithms that actually occur in the lists. ($matches is not used as a variable name
# because PowerShell reserves it for -match results.)
function Test-FileHashes {
    param([hashtable]$HashSets, [string]$Root = 'C:\')
    # Index: algorithm -> (lower-case digest -> family name)
    $wanted = @{}
    foreach ($family in $HashSets.Keys) {
        foreach ($h in $HashSets[$family]) {
            $alg = Get-HashAlgorithm -Hash $h
            if (-not $alg) { continue }
            if (-not $wanted.ContainsKey($alg)) { $wanted[$alg] = @{} }
            $wanted[$alg][$h.ToLower()] = $family
        }
    }
    $hits = @()
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($alg in @($wanted.Keys)) {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $alg -ErrorAction SilentlyContinue).Hash
            if ($hash -and $wanted[$alg].ContainsKey($hash.ToLower())) {
                $hits += [PSCustomObject]@{
                    Family    = $wanted[$alg][$hash.ToLower()]
                    File      = $_.FullName
                    Algorithm = $alg
                    Hash      = $hash
                }
            }
        }
    }
    return $hits
}

# Check for ClickFix, LofyStealer and Shai-Hulud file hashes in a single pass
Write-Host "[+] Checking for ClickFix, LofyStealer and Shai-Hulud file hashes..." -ForegroundColor Yellow
$hashHits = Test-FileHashes -HashSets @{
    'ClickFix'    = $ClickFixHashes
    'LofyStealer' = $LofyStealerHashes
    'Shai-Hulud'  = $ShaiHuludHashes
}
if ($hashHits) {
    Write-Host "[!] Malware files found:" -ForegroundColor Red
    $hashHits | Sort-Object Family | Format-Table Family, Algorithm, File -AutoSize
} else {
    Write-Host "[*] No ClickFix, LofyStealer or Shai-Hulud files detected" -ForegroundColor Green
}

# Check for suspicious network connections. A reverse lookup on the peer IP rarely returns the
# C2 hostname, so resolve the IOC domains forward and compare addresses instead; also flag any
# established session on the ClickFix C2 port 688. These lookups will hit a DNS sinkhole or
# blocklist if one is in place, which is itself a useful signal.
Write-Host "[+] Checking for connections to C2 domains..." -ForegroundColor Yellow
$c2Addresses = @{}
foreach ($domain in $SuspiciousDomains) {
    Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        ForEach-Object { $c2Addresses[$_.IPAddress] = $domain }
}
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $c2Addresses.ContainsKey($_.RemoteAddress) -or ($_.RemotePort -eq 688 -and $_.State -eq 'Established')
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
    @{ Name = 'Domain';  Expression = { $c2Addresses[$_.RemoteAddress] } },
    @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
if ($connections) {
    Write-Host "[!] Suspicious network connections found:" -ForegroundColor Red
    $connections | Format-Table -AutoSize
} else {
    Write-Host "[*] No suspicious connections detected" -ForegroundColor Green
}

# Check for Shai-Hulud packages. npm 7+ keeps its cache under %LocalAppData%\npm-cache (older
# releases used %AppData%\npm-cache), and the cache is content-addressed, so the package scope
# only appears inside the index-v5 entries; grep those, then look for installed copies under
# node_modules in the user profile.
Write-Host "[+] Checking npm cache and node_modules for @redhat-cloud-services packages..." -ForegroundColor Yellow
$npmCachePaths = @("$env:LOCALAPPDATA\npm-cache", "$env:APPDATA\npm-cache") | Where-Object { Test-Path $_ }
$cacheHits = foreach ($cache in $npmCachePaths) {
    Get-ChildItem -Path (Join-Path $cache 'index-v5') -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern '@redhat-cloud-services' -List -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path
}
$installedCopies = Get-ChildItem -Path $env:USERPROFILE -Recurse -Directory -Filter 'node_modules' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName '@redhat-cloud-services' } |
    Where-Object { Test-Path $_ }
if ($cacheHits -or $installedCopies) {
    Write-Host "[!] @redhat-cloud-services packages present on this host:" -ForegroundColor Red
    foreach ($p in @($cacheHits) + @($installedCopies)) { if ($p) { Write-Host "    $p" } }
} else {
    Write-Host "[*] No @redhat-cloud-services packages found" -ForegroundColor Green
}

# Check for finger.exe usage (ClickFix). Requires process creation auditing (event 4688);
# the hashtable filter narrows by time window, the message filter by image name.
Write-Host "[+] Checking for finger.exe execution in the last 24 hours..." -ForegroundColor Yellow
$fingerEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\finger\.exe' }
if ($fingerEvents) {
    Write-Host "[!] Recent finger.exe execution detected:" -ForegroundColor Red
    $fingerEvents | Format-Table TimeCreated, Message -AutoSize -Wrap
} else {
    Write-Host "[*] No recent finger.exe activity" -ForegroundColor Green
}

Write-Host "[+] IOC Hunt Complete" -ForegroundColor Cyan

Response Priorities

Immediate (0-12 hours):

  • Block all IOC domains at DNS and network perimeter levels
  • Scan all endpoints for malware file hashes using EDR solutions
  • Isolate compromised systems immediately upon detection
  • Block port 688 outbound traffic from corporate network (ClickFix C2)
  • Disable compromised npm packages: Remove @redhat-cloud-services packages from all build environments
  • Hunt for OAuth device code abuse: Review sign-in logs for suspicious device authorization flows

24 hours:

  • Credential rotation: Reset passwords for accounts with suspected credential theft (LofyStealer, Kali365 targets)
  • Secret rotation: Rotate GitHub Actions secrets, npm tokens, and cloud credentials (AWS, Azure, GCP) potentially exposed by Shai-Hulud
  • Investigate npm package usage history: Identify all projects using compromised packages
  • Review LinkedIn connections: Identify potential JINX-0164 recruiting impersonation attempts
  • Browser session invalidation: Force logout from all Microsoft 365, Okta, and Xerox sessions for affected users

1 week:

  • Supply chain hardening: Implement software bill of materials (SBOM) validation for npm packages
  • OAuth monitoring enhancement: Deploy alerts for device code flow usage outside expected regions
  • Developer awareness: Conduct security training on supply chain attacks and LinkedIn social engineering
  • npm security controls: Implement npm audit and package integrity verification in CI/CD pipelines
  • DNS filtering enhancement: Deploy category-based blocking for newly registered domains and typosquatting
  • Zero-trust network access: Implement micro-segmentation to limit lateral movement from compromised endpoints
