LofyGang Resurfaces: Targets Minecraft Users with LofyStealer Malware Disguised as Game Hack

After a three-year hiatus, the Brazilian cybercrime group LofyGang has resurfaced with a campaign aimed at Minecraft players. The operation delivers a stealer called LofyStealer (also tracked as GrabBot) disguised as a Minecraft hack named ‘Slinky.’ The executable borrows the game’s official icon to persuade users, many of them young players, to run it.

The resurgence was documented by Brazil-based cybersecurity firm ZenoX, whose report details the group’s tooling and distribution tactics.

LofyGang has been active since late 2021. Its earlier operations distributed malicious packages on the npm registry to steal credit card details and accounts for Discord Nitro, gaming and streaming services. The group advertised its tools and services on GitHub and YouTube and, under the alias DyPolarLofy, leaked thousands of Disney+ and Minecraft accounts on underground forums.

The current campaign distributes the fake ‘Slinky’ hack. When run, it launches a JavaScript loader that places LofyStealer (‘chromelevator.exe’) directly into memory rather than dropping the stealer as a separate file, so file-based scanning alone may miss it; the loader’s process activity and the outbound connection are the more reliable things to look for. The stealer targets Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox and Avast Browser, harvesting cookies, saved passwords, session tokens, credit card details and International Bank Account Numbers (IBANs), and sends the data to a command-and-control (C2) server at 24.152.36[.]241.

Previously, LofyGang’s attacks ran through the JavaScript supply chain: typosquatted npm package names, starjacking (pointing a package’s repository metadata at a popular, legitimate GitHub repository so that the registry page displays that project’s stars and the package inherits its apparent credibility), and hiding payloads in sub-dependencies so that the top-level package looks clean. The packages stole Discord tokens, patched Discord clients to intercept credit card information, and exfiltrated data through webhooks, abusing legitimate services such as Discord, Repl.it, Glitch, GitHub and Heroku as C2 channels.
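The three supply-chain signals described above (starjacking, typosquatting and webhook exfiltration from install scripts) can be checked mechanically against registry metadata. The script below is an added example, not code from ZenoX or from the campaign; the package documents, the short POPULAR list and the thresholds are constructed assumptions for the demo, but the fields it reads (name, repository, scripts) are the real package.json / registry fields.

```python
"""Audit npm package metadata for three LofyGang-style supply-chain signals:
starjacking, typosquatting and exfiltration via webhooks on trusted services.

Added example (not ZenoX's or the campaign's code).  The PACKAGES list is
constructed; real documents come from https://registry.npmjs.org/<name>.
POPULAR, the host regex and the edit-distance threshold are demo assumptions.
"""
import re

# Well-known packages a typosquat would imitate (constructed short list).
POPULAR = ["discord.js", "colors", "axios", "lodash"]

# Services the page names as abused for exfiltration/C2 via webhooks.
EXFIL_HOST_RE = re.compile(
    r"(discord(?:app)?\.com/api/webhooks|repl\.(?:it|co)\b|\.glitch\.me\b|"
    r"\.herokuapp\.com\b|api\.github\.com)", re.I)
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Accepts git+https://github.com/o/r.git, https://github.com/o/r, github:o/r
REPO_RE = re.compile(r"(?:github\.com[/:]|^github:)([^/]+)/([^/#?]+?)(?:\.git)?/?$")

# Constructed sample metadata resembling registry documents.
PACKAGES = [
    {"name": "discord.js",
     "repository": {"type": "git", "url": "git+https://github.com/discordjs/discord.js.git"},
     "scripts": {}},
    {"name": "discord-free-nitro",                       # starjacks discord.js
     "repository": {"url": "https://github.com/discordjs/discord.js"},
     "scripts": {"postinstall": "node lib/init.js"}},
    {"name": "colorss",                                  # typosquat of colors
     "repository": {"url": "https://github.com/upstream-org/colors.js"},
     "scripts": {"preinstall": "node -e \"require('https').get('https://discord.com/api/webhooks/1/abc')\""}},
    {"name": "@my-company/utils",
     "repository": {"url": "https://github.com/my-company/utils.git"},
     "scripts": {}},
]


def norm(name):
    """Lowercase, drop any @scope/ prefix and all non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split("/")[-1])


def edit_distance(a, b):
    """Levenshtein distance, standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def repo_slug(repository):
    """Return (owner, repo) from a package.json 'repository' field, or None."""
    url = repository.get("url", "") if isinstance(repository, dict) else (repository or "")
    m = REPO_RE.search(url)
    return (m.group(1), m.group(2)) if m else None


def audit(pkg):
    """Return a list of (kind, detail) findings for one package document."""
    findings = []
    pkg_norm = norm(pkg["name"])

    # Starjacking: repository metadata names a repo unrelated to the package,
    # so the registry page shows that repo's stars.  Signal, not proof
    # (monorepos legitimately publish packages under other names).
    slug = repo_slug(pkg.get("repository"))
    if slug:
        owner, repo = slug
        candidates = {norm(repo), norm(owner) + norm(repo)}
        if not any(c == pkg_norm or c.startswith(pkg_norm) or pkg_norm.startswith(c)
                   for c in candidates):
            findings.append(("starjacking", f"{pkg['name']} -> {owner}/{repo}"))

    # Typosquatting: within two edits of a popular name but not equal to it.
    for pop in POPULAR:
        if pkg_norm != norm(pop) and len(pkg_norm) >= 4 \
                and edit_distance(pkg_norm, norm(pop)) <= 2:
            findings.append(("typosquat", f"{pkg['name']} ~ {pop}"))

    # Lifecycle scripts that call webhook-style endpoints on trusted hosts.
    for hook in LIFECYCLE:
        cmd = pkg.get("scripts", {}).get(hook, "")
        if EXFIL_HOST_RE.search(cmd):
            findings.append(("webhook-exfil", f"{hook}: {cmd}"))
    return findings


if __name__ == "__main__":
    for p in PACKAGES:
        print(p["name"], audit(p))
```

The starjacking check compares the normalized package name against both the repository name and owner+repository, which keeps scoped packages and monorepo layouts such as `@my-company/utils` at `my-company/utils` quiet while still flagging a package whose only link to a popular repo is the star count it borrows.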

The new campaign marks a shift toward a malware-as-a-service (MaaS) model with free and premium tiers, built around a custom builder called Slinky Cracked that packages and delivers the stealer.

This development underscores a broader trend where cybercriminals exploit the trust associated with platforms like GitHub to host fraudulent repositories that act as lures for various malware families, including SmartLoader, StealC Stealer, and Vidar Stealer. Unsuspecting users are often directed to these repositories through techniques like SEO poisoning.

In some instances, attackers have disseminated Vidar 2.0 through Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to malicious websites that deliver ZIP archives containing the malware.

This infostealer campaign highlights an ongoing security challenge where widely trusted platforms are abused to distribute malicious payloads. By exploiting social trust and common download channels, threat actors can often bypass traditional security solutions.

The findings add to a growing list of campaigns that have leveraged GitHub in recent months, including:

– Targeting developers directly inside GitHub by posting fake Microsoft Visual Studio Code (VS Code) security alerts through Discussions to trick users into installing malware via malicious links.

– Targeting Argentina’s judicial systems using spear-phishing emails to distribute compressed ZIP archives that use intermediate batch scripts to retrieve remote access trojans (RATs) hosted on GitHub.

– Creating GitHub accounts and OAuth applications, followed by opening issues that mention target developers, triggering email notifications that trick them into authorizing the OAuth app, effectively allowing attackers to obtain their access tokens.

– Using fraudulent GitHub repositories to distribute malicious batch script installers masquerading as legitimate IT and security software, leading to the deployment of the TookPS downloader, which initiates a multi-stage infection chain to establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT).

– Using counterfeit GitHub repositories posing as AI tools, game cheats, Roblox scripts, phone number location trackers, and VPN crackers to distribute LuaJIT payloads that function as generic trojans as part of a campaign dubbed TroyDen’s Lure Factory.

The breadth of these lure factories—ranging from gaming cheats to developer tools and phone trackers—suggests that actors are optimizing for volume across diverse audiences rather than precision targeting.

Defenders should treat any GitHub-hosted download that pairs a renamed interpreter (a LuaJIT or similar runtime shipped under the lure’s own file name) with an opaque data file (the script or bytecode that runtime executes) as a high-priority triage candidate, regardless of how legitimate the surrounding repository appears.
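The pairing rule above can be turned into a first-pass triage script: identify executables by what they contain rather than what they are called, score the remaining files by byte entropy, and escalate when a runtime that is not named as such sits next to an opaque blob. This is an added example, not the campaign’s code or any vendor’s tool; the marker strings, the entropy threshold and the two in-memory sample archives are constructed assumptions for the demo.

```python
"""Triage heuristic: renamed interpreter + opaque data file in one archive.

Added example, not code from the page's sources.  INTERPRETER_MARKERS, the
entropy threshold and the sample archives built by build_sample() are
assumptions constructed for the demo.
"""
import hashlib
import io
import math
import zipfile

# Byte strings that betray an embedded scripting runtime whatever the file is
# named.  Assumed markers; extend from real samples.
INTERPRETER_MARKERS = {
    b"LuaJIT": "luajit",
    b"Py_Initialize": "python",
    b"AU3!": "autoit",
}
ENTROPY_OPAQUE = 7.0     # bits/byte; compressed or encrypted data scores ~7.9
MIN_OPAQUE_SIZE = 1024   # ignore tiny files


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_executable(data):
    """PE (MZ) or ELF magic, independent of the file extension."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def detect_interpreter(data):
    """Return the runtime kind a marker reveals, or None."""
    for marker, kind in INTERPRETER_MARKERS.items():
        if marker in data:
            return kind
    return None


def triage_archive(zip_bytes):
    """Classify ZIP members and apply the pairing rule from the text."""
    renamed, opaque = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if is_executable(data):
                kind = detect_interpreter(data)
                # "Renamed": the runtime's name is absent from the file name
                # (e.g. LuaJIT shipped as SlinkyClient.exe).
                if kind and kind not in base:
                    renamed.append((info.filename, kind))
            elif len(data) >= MIN_OPAQUE_SIZE and shannon_entropy(data) >= ENTROPY_OPAQUE:
                opaque.append(info.filename)
    return {"renamed_interpreters": renamed,
            "opaque_files": opaque,
            "priority": bool(renamed and opaque)}


def _blob(n, seed=b"demo"):
    """Deterministic high-entropy bytes (sha256 chain) standing in for
    encrypted or compiled payload data in the constructed samples."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample(renamed):
    """Construct an in-memory ZIP.  renamed=True mimics the lure layout;
    renamed=False is an honestly named runtime beside plain source."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        exe = b"MZ" + b"\x00" * 512 + b"LuaJIT 2.1.0-beta3" + b"\x00" * 512
        if renamed:
            zf.writestr("SlinkyClient.exe", exe)
            zf.writestr("assets/config.dat", _blob(4096))
        else:
            zf.writestr("luajit.exe", exe)
            zf.writestr("main.lua", b"print('hello')\n" * 100)
        zf.writestr("README.txt", b"Run the client and enjoy!\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("lure:  ", triage_archive(build_sample(True)))
    print("benign:", triage_archive(build_sample(False)))
```

The honestly named `luajit.exe` with readable `main.lua` does not escalate, while the same runtime renamed to `SlinkyClient.exe` beside a high-entropy `config.dat` does; in practice you would feed the real download’s bytes to `triage_archive` and treat a `priority` result as the cue for sandbox detonation rather than as a verdict on its own.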