{"id":743,"date":"2026-04-28T18:00:56","date_gmt":"2026-04-28T18:00:56","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=743"},"modified":"2026-04-28T18:00:56","modified_gmt":"2026-04-28T18:00:56","slug":"brazilian-lofygang-resurfaces-after-three-years-with-minecraft-lofystealer-campaign","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=743","title":{"rendered":"Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign"},"content":{"rendered":"
\n
<\/a><\/div>\n

A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new stealer called LofyStealer<\/strong> (aka GrabBot).<\/p>\n

\u00abThe malware disguises itself as a Minecraft hack called ‘Slinky,'\u00bb Brazil-based cybersecurity company ZenoX said<\/a> in a technical report. \u00abIt uses the official game icon to induce voluntary execution, exploiting the trust of young users in the gaming scene.\u00bb<\/p>\n

The activity has been attributed with high confidence to a threat actor known as LofyGang, which was observed leveraging typosquatted packages on the npm registry to push stealer malware in 2022, specifically with an intent to siphon credit card data and user accounts associated with Discord Nitro, gaming, and streaming services.<\/p>\n

The group, believed to be active since late 2021, advertises their tools and services on platforms like GitHub and YouTube, while also contributing to an underground hacking community under the alias DyPolarLofy to leak thousands of Disney+ and\u00a0 Minecraft accounts.<\/p>\n

\u00abMinecraft has been a LofyGang target since 2022,\u00bb Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News. \u00abThey leaked thousands of Minecraft accounts under the DyPolarLofy alias on Cracked.io. The current campaign goes after Minecraft players directly through a fake ‘Slinky’ hack.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The attack begins with a Minecraft hack that, when launched, triggers the execution of a JavaScript loader that’s ultimately responsible for the deployment of LofyStealer (\u00abchromelevator.exe\u00bb) on compromised hosts and execute it directly in memory with an aim to harvest a wide range of sensitive data spanning multiple web browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser.<\/p>\n

The captured data, which includes cookies, passwords, tokens, cards, and International Bank Account Numbers (IBANs), is exfiltrated to a command-and-control (C2) server located at 24.152.36[.]241.<\/p>\n

\u00abHistorically, the group’s primary vector was the JavaScript supply chain: NPM package typosquatting, starjacking (fraudulent references to legitimate GitHub repositories to inflate credibility), and payloads embedded in sub-dependencies to evade detection,\u00bb ZenoX said.<\/p>\n

<\/p>\n

\u00abThe focus was on Discord token theft, Discord client modification for credit card interception, and exfiltration via webhooks abusing legitimate services (Discord, Repl.it, Glitch, GitHub, and Heroku) as C2.\u00bb<\/p>\n

The latest development marks a departure from previously observed tradecraft and a shift towards a malware-as-a-service (MaaS) model with free and premium tiers, along with a bespoke builder called Slinky Cracked that’s used as a delivery vehicle for the stealer malware.<\/p>\n

\"\"<\/a><\/div>\n

The disclosure comes as threat actors are increasingly abusing the trust associated with a platform like GitHub to host bogus repositories<\/a> that act as lures for malware families<\/a> like SmartLoader, StealC Stealer, and Vidar Stealer. Unsuspecting users are directed to these repositories through techniques like SEO poisoning.<\/p>\n

In some cases, attackers have been found to spread Vidar 2.0 through Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers a ZIP archive containing the malware.<\/p>\n

\u00abThis infostealer campaign highlights an ongoing security challenge where widely trusted platforms are abused to distribute malicious payloads,\u00bb Acronis said<\/a> in an analysis published last month. \u00abBy taking advantage of social trust and common download channels, threat actors are often able to bypass traditional security solutions.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The findings add to a growing list of campaigns that have leveraged GitHub in recent months –<\/p>\n