Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign
Brazilian threat group LofyGang has resurfaced after three years with a new campaign targeting Minecraft players, distributing a stealer disguised as a fake game hack.

Brazilian cybercrime group LofyGang has resurfaced after more than three years with a new campaign targeting Minecraft players. The group is distributing a stealer called LofyStealer (aka GrabBot) disguised as a fake Minecraft hack named 'Slinky,' using the official game icon to trick users into voluntary execution, according to a report from Brazil-based cybersecurity company ZenoX.
The malware harvests a wide range of sensitive data from multiple web browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser. Captured data includes cookies, passwords, tokens, credit cards, and International Bank Account Numbers (IBANs), which are exfiltrated to a command-and-control server at 24.152.36[.]241.
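A defender-side triage check for the behaviour described above, added here as an example (it is not code from ZenoX or from the malware): it flags any process other than the owning browser that touches a credential store of the listed browsers, and escalates when that same process also contacts the reported C2 address. The profile paths, store file names, event tuple format and the `Slinky.exe` sample telemetry are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# C2 address as reported on this page, refanged for matching.
C2 = "24.152.36[.]241".replace("[.]", ".")
# Assumption: default profile roots of the listed browsers -> owning executable.
PROFILE_ROOTS = {
    r"\google\chrome\user data": "chrome.exe",
    r"\google\chrome beta\user data": "chrome.exe",
    r"\microsoft\edge\user data": "msedge.exe",
    r"\bravesoftware\brave-browser\user data": "brave.exe",
    r"\opera software\opera stable": "opera.exe",
    r"\opera software\opera gx stable": "opera.exe",
    r"\mozilla\firefox\profiles": "firefox.exe",
    r"\avast software\browser\user data": "avastbrowser.exe",
}
# Assumption: files that hold cookies, saved logins, card/IBAN autofill and keys.
STORE_FILES = {"login data", "cookies", "web data", "local state",
               "logins.json", "key4.db", "cookies.sqlite"}

def store_owner(path):
    """Return the owning browser exe if path is a credential store, else None."""
    p = path.lower()
    if basename(p) not in STORE_FILES:
        return None
    return next((exe for root, exe in PROFILE_ROOTS.items() if root in p), None)

def triage(events):
    """events: (kind, process image, detail) tuples; returns a list of alerts."""
    alerts, readers = [], set()
    for kind, image, detail in events:
        exe = basename(image).lower()
        if kind == "file":
            owner = store_owner(detail)
            if owner and exe != owner:  # a non-browser process read the store
                readers.add(exe)
                alerts.append(("foreign-store-read", exe, basename(detail)))
        elif kind == "net" and detail == C2:
            sev = "store-read-then-c2" if exe in readers else "c2-contact"
            alerts.append((sev, exe, detail))
    return alerts

# Constructed sample telemetry (file name and paths are illustrative only).
APPDATA, FAKE = r"C:\Users\kid\AppData", r"C:\Users\kid\Downloads\Slinky.exe"
SAMPLE = [
    ("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", FAKE, APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("file", FAKE, APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"),
    ("net", FAKE, "24.152.36.241"),
]
```

Backup and antivirus tools also read these files, so the first alert type needs an allowlist in practice. The file events assume object-access auditing or EDR file telemetry is enabled on the endpoint.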
LofyGang has been active since late 2021, previously leveraging typosquatted packages on the npm registry to push stealer malware targeting credit card data and accounts for Discord Nitro, gaming, and streaming services. The group also advertised tools on GitHub and YouTube and leaked thousands of Disney+ and Minecraft accounts under the alias DyPolarLofy on Cracked.io.
The latest campaign marks a shift in the group's tradecraft from JavaScript supply chain attacks to a malware-as-a-service (MaaS) model with free and premium tiers. The delivery vehicle is a bespoke builder called Slinky Cracked, which deploys the LofyStealer payload directly in memory via a JavaScript loader.
The disclosure comes amid a broader trend of threat actors abusing trusted platforms like GitHub to host malicious repositories. Recent campaigns have used fake GitHub repositories to distribute malware families such as SmartLoader, StealC Stealer, and Vidar Stealer, often through SEO poisoning or social engineering on platforms like Reddit.
ZenoX's analysis highlights the ongoing challenge of widely trusted platforms being abused to distribute malicious payloads, bypassing traditional security solutions. The campaign specifically exploits the trust of young users in the gaming community, making it particularly insidious.