Brazilian LofyGang Returns After Three Years With Minecraft-Based LofyStealer Campaign

A Brazil-linked cybercrime group has resurfaced after more than three years, launching a fresh malware campaign aimed at Minecraft players. The operation introduces a new information-stealing tool known as LofyStealer, also referred to as GrabBot.

Malware Disguised as a Minecraft Tool

According to findings from ZenoX, the malware is distributed under the guise of a Minecraft modification tool named “Slinky.” By using the official game icon and familiar branding, attackers are able to convince users, especially younger gamers, to run the malicious file voluntarily.

Threat Actor Background

The campaign has been linked to a threat group known as LofyGang, which has been active since late 2021. The group previously gained attention for abusing npm packages through typosquatting techniques to distribute malware aimed at stealing financial data and online accounts.

The attackers have also promoted their tools through platforms like GitHub and YouTube, while operating within underground forums using aliases such as DyPolarLofy.

Attack Chain and Execution Flow

Figure: Attack flow

The infection process begins when a victim downloads and runs the fake Minecraft hack. This triggers a JavaScript-based loader, which then deploys the LofyStealer payload directly into memory.

Once active, the malware collects sensitive information from multiple browsers, including:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Opera
  • Brave

The stolen data includes cookies, saved passwords, authentication tokens, credit card details, and banking information such as IBANs.

Data Exfiltration and Command Infrastructure

The collected information is transmitted to a remote command-and-control server, allowing attackers to access compromised accounts and sensitive user data.
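The behaviour described above, a non-browser process reading the credential and cookie stores of several browsers and then opening an outbound connection, can be turned into a simple hunting rule over endpoint telemetry. The following is an added example in Python, not code from ZenoX or from the article; the sample events, the process allow-list and the event field names are constructed and assumed.

```python
from collections import defaultdict

# Constructed EDR-style telemetry (not from the article): a mod executable run from Downloads
# reads several browsers' credential stores, then opens an outbound connection.
U = r"C:\Users\kid"
SAMPLE_EVENTS = [
    {"pid": 4242, "image": U + r"\Downloads\Slinky.exe", "type": "file_read",
     "path": U + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": U + r"\Downloads\Slinky.exe", "type": "file_read",
     "path": U + r"\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"pid": 4242, "image": U + r"\Downloads\Slinky.exe", "type": "file_read",
     "path": U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"pid": 4242, "image": U + r"\Downloads\Slinky.exe", "type": "net_connect", "dest": "203.0.113.10:443"},
    {"pid": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "type": "file_read",
     "path": U + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]
# Profile-directory fragments for the five browsers the article lists, and the files that hold
# saved logins, cookies and autofill/card data (lower-cased for matching).
BROWSER_DIRS = {
    "google\\chrome\\user data": "Chrome",
    "microsoft\\edge\\user data": "Edge",
    "mozilla\\firefox\\profiles": "Firefox",
    "opera software\\opera": "Opera",
    "bravesoftware\\brave-browser\\user data": "Brave",
}
SENSITIVE_FILES = {"login data", "cookies", "web data", "logins.json", "cookies.sqlite", "key4.db"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}  # assumed allow-list

def classify(path):
    """Return the browser name if path is one of its credential/cookie stores, else None."""
    low = path.lower()
    if low.rsplit("\\", 1)[-1] not in SENSITIVE_FILES:
        return None
    return next((name for frag, name in BROWSER_DIRS.items() if frag in low), None)

def detect_stealer_behaviour(events, min_browsers=2):
    """Flag non-browser processes reading stores of >= min_browsers browsers; note a later connect."""
    touched, connected, images = defaultdict(set), set(), {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        if ev["image"].rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue  # a browser reading its own profile is expected
        if ev["type"] == "file_read":
            name = classify(ev["path"])
            if name:
                touched[ev["pid"]].add(name)
        elif ev["type"] == "net_connect" and ev["pid"] in touched:
            connected.add(ev["pid"])  # outbound traffic after the reads: possible exfiltration
    return [{"pid": p, "image": images[p], "browsers": sorted(b), "exfil_suspected": p in connected}
            for p, b in touched.items() if len(b) >= min_browsers]
```

On the constructed events the rule reports only the Slinky.exe process (three browsers touched, followed by an outbound connection) and ignores Chrome reading its own profile.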

Historically, LofyGang relied on JavaScript supply chain attacks, including npm typosquatting and fake GitHub popularity tactics, to distribute malware. These techniques helped them evade detection and build credibility.

Shift to Malware-as-a-Service Model

Recent activity suggests that the group has transitioned toward a malware-as-a-service approach. This includes offering both free and paid versions of their tools, along with a custom builder called “Slinky Cracked” used to generate malicious payloads.

Growing Abuse of Trusted Platforms

The campaign also highlights a broader trend where attackers exploit trusted platforms such as GitHub to distribute malware. Fake repositories are used to lure victims, often boosted through SEO manipulation techniques.

Security researchers have observed similar tactics involving other malware families, including SmartLoader, StealC, and Vidar.

Wider Threat Landscape

In recent incidents:

  • Fake developer alerts on GitHub have been used to trick users into installing malware
  • Phishing campaigns have targeted institutions using malicious files hosted on GitHub
  • Attackers have abused OAuth applications to steal developer access tokens
  • Fraudulent repositories have been used to distribute remote access trojans and multi-stage malware

These campaigns demonstrate how attackers exploit user trust in well-known platforms to bypass traditional defenses.
