LofyStealer Malware Targets Minecraft Users with In-Memory Browser Injection for Data Theft

A sophisticated malware campaign is currently targeting Minecraft players by disguising itself as a cheat tool named Slinky. This malicious software, known as LofyStealer, employs a two-stage attack to covertly extract sensitive data from popular web browsers, effectively evading standard security measures.

Sophisticated Attack Mechanism

LofyStealer’s operation is notably more advanced than typical gaming malware. It utilizes a Node.js-based loader combined with a native C++ payload, which is injected directly into the memory of active browser processes. This technique allows the malware to remain undetected by conventional antivirus programs. The malware targets eight major browsers, including Chrome, Edge, Brave, Opera GX, and Firefox, extracting cookies, saved passwords, payment card details, active session tokens, and International Bank Account Numbers (IBANs).

Discovery and Attribution

Security researchers at Zenox.ai identified LofyStealer during threat-hunting activities on the ANY.RUN sandbox platform. Their analysis linked the malware to LofyGang, a Brazilian cybercrime group first tracked by Checkmarx in October 2022. Evidence supporting this attribution includes hardcoded Brazilian Portuguese strings within the code, a command-and-control (C2) server hosted in Brazil, and the branding of the C2 panel as "LofyStealer, Advanced C2 Platform V2.0".

Distribution via Social Engineering

The malware is disseminated through social engineering tactics. Attackers package the malicious file as a Minecraft cheat called Slinky, complete with the game’s official icon to enhance its legitimacy. This method is particularly effective given Minecraft’s younger user base, which is more likely to download cheats or mods from unofficial sources. Upon execution, the malware operates silently in the background, without any visible warnings to the user.

Malware-as-a-Service Model

LofyStealer functions as a Malware-as-a-Service (MaaS) platform, offering both Free and Premium tiers to criminal clients via a web-based dashboard. Premium users gain access to a victim management panel, a custom executable builder named Slinky Cracked, and real-time monitoring of compromised machines. This structured business model indicates a mature and professional operation, one that has evolved from the group's origins in a JavaScript supply chain attack distributed through the NPM package registry.

In-Memory Browser Injection Technique

A key technical aspect of LofyStealer is its in-memory browser injection method. After the loader (load.exe) is executed on the victim’s machine, it queries the Windows registry to identify installed browsers and launches them in a suspended state. The loader then maps the payload directly into the browser’s memory space using kernel-level Windows calls. This approach allows the malware to bypass common security tools that monitor disk-based activities, as the malicious code never touches the disk.
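Because the payload never touches disk, file scanning will not see it, but the sequence the report describes leaves a behavioural trail in process telemetry: a browser process created by an unexpected parent, followed by that same parent opening the browser process with memory-write rights. The following hunting script is an added example written for this article, not code from the researchers or the campaign. It assumes Sysmon-style records (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess fields); the event records embedded below are constructed to illustrate the pattern and are not a capture from the campaign, and the parent-process allowlist is a tuning assumption.

```python
"""Hunt for the launch-then-write-into-browser pattern in process telemetry.

Added example for this article. The records below are constructed to imitate
Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); they are
not real telemetry from the campaign described in the text.
"""

# Browser executables named in the report (chrome, edge, brave, opera, firefox).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Parents from which a browser launch is normally expected. Tuning assumption:
# extend this for your environment (launchers, RMM agents, the browser itself).
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"} | BROWSER_IMAGES

# Process access rights from the Windows SDK (PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Writing a payload into another process needs at least these two rights.
INJECTION_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return findings; a write-access event is escalated to 'high' when the
    accessing process is also the unexpected parent that spawned the browser."""
    findings = []
    odd_parent_by_pid = {}  # browser ProcessId -> unexpected parent image

    for ev in events:
        if ev["EventID"] == 1:  # ProcessCreate
            child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if child in BROWSER_IMAGES and parent not in EXPECTED_PARENTS:
                odd_parent_by_pid[ev["ProcessId"]] = parent
                findings.append({"rule": "browser-odd-parent", "severity": "medium",
                                 "parent": parent, "child": child,
                                 "pid": ev["ProcessId"]})
        elif ev["EventID"] == 10:  # ProcessAccess
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            # Browsers routinely open their own child processes; skip those.
            if tgt in BROWSER_IMAGES and src not in BROWSER_IMAGES \
                    and access & INJECTION_RIGHTS == INJECTION_RIGHTS:
                correlated = odd_parent_by_pid.get(ev["TargetProcessId"]) == src
                findings.append({"rule": "browser-injection-access",
                                 "severity": "high" if correlated else "medium",
                                 "source": src, "target": tgt,
                                 "pid": ev["TargetProcessId"],
                                 "granted_access": hex(access)})
    return findings


# Constructed sample telemetry (not a real capture). "load.exe" is the loader
# name given in the report; paths and PIDs are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3004, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\player\Downloads\Slinky\load.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\player\Downloads\Slinky\load.exe",
     "TargetImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "TargetProcessId": 4120, "GrantedAccess": "0x1FFFFF"},
    # An endpoint agent reading process info only: QUERY_INFORMATION | QUERY_LIMITED.
    {"EventID": 10, "SourceImage": r"C:\Program Files\EndpointAgent\agent.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 3004, "GrantedAccess": "0x1400"},
    # Chrome opening its own renderer with full access: expected behaviour.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 3005, "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Running this over the constructed records produces two findings: a medium-severity alert for msedge.exe spawned by load.exe, and a high-severity alert when the same load.exe opens that browser process with VM_OPERATION and VM_WRITE rights. Sysmon only emits Event ID 10 for targets named in its configuration, so browser images must be listed there for the second rule to fire, and debuggers, endpoint agents and crash reporters that legitimately request these rights should be added to an allowlist rather than suppressed globally.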

Implications and Recommendations

The emergence of LofyStealer underscores the increasing sophistication of malware targeting the gaming community. Players are advised to exercise caution when downloading and installing third-party tools or cheats, especially from unofficial sources. Maintaining up-to-date antivirus software and being vigilant about unusual system behavior can help mitigate the risk of infection.