Threat hunters using the ANY.RUN interactive sandbox have identified an active infostealer campaign that specifically targets the gaming community. The malware, known as LofyStealer and also tracked as GrabBot, masquerades as a Minecraft hack dubbed “Slinky.”
Because the file carries the official game icon, young gamers are lured into running it themselves. The campaign marks the return of the Brazilian cybercrime group LofyGang and a notable step up in both its technical capability and its operational model.
Advanced Loader and Stealth Payload
The malware uses a two-stage, modular architecture built for evasion. The first stage is a 53.5 MB loader named load.exe, which is a complete Node.js runtime packaged as a standalone executable.
Bundling the malicious JavaScript with the thousands of legitimate library files that make up the runtime buries the malicious code among benign content, so signature matches are diluted, and it pushes the file past the upload size limits of many automated sandboxes, so the sample is often never analysed at all. On execution, the loader uses standard Windows networking APIs to contact the attacker’s server.
The loader then decrypts the second stage, a 1.4 MB native C++ payload named chromelevator.exe, and injects it directly into memory rather than dropping it to disk. To evade endpoint security tools, the payload issues direct system calls to the Windows kernel instead of going through the usual API entry points, so the user-mode hooks that EDR products place on those functions never see the calls.
The payload targets eight web browsers, including Chrome, Edge, Brave, and Firefox, and extracts five categories of sensitive data, among them cookies, saved passwords, authentication tokens, and financial data. Once collected, the data is compressed into a ZIP archive by a concealed PowerShell command. The archive is hashed with SHA-256 (a hash function, which gives the operator an integrity check rather than any encryption), encoded, and silently transmitted to the attacker’s server.
LofyGang Shifts To Malware-as-a-Service
This campaign illustrates the professional evolution of LofyGang, a threat group active since 2021. The group first gained notoriety by embedding malicious code in open-source developer packages to steal Discord and streaming accounts. It has since turned its operation into a full Malware-as-a-Service platform.
According to research from Zenox, network analysis of the malware’s command-and-control server revealed a dedicated web panel hosted in a Brazilian data center. The server listens on port 8080 and serves a graphical dashboard branded “LofyStealer V2.0.”
The platform lets multiple criminal operators monitor their victims in real time and generate custom executables. It is offered in free and premium tiers, a sign of a mature business model.
The LofyStealer campaign is a stark reminder of the escalating threats facing the gaming community. Threat actors are increasingly using enterprise-grade evasion techniques, such as in-memory injection and Node.js bundling, against unprotected personal computers. Defenders should watch for traffic to the identified server infrastructure, and should audit endpoints for unexpected Node.js processes (including oversized standalone executables that embed a Node runtime) and for PowerShell launched with a hidden window or from an unusual parent process.
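The hunt described above, as an added example that is not part of the article or of any vendor’s tooling: a small Python script that runs the article’s indicators (the load.exe and chromelevator.exe file names, the panel port 8080, a concealed PowerShell command that builds a ZIP archive) over process-creation and network events. The event layout, the set of expected PowerShell parents, and the exact PowerShell switches treated as “hidden” or “encoded” are assumptions; the sample events are constructed.

```python
"""Hunt for LofyStealer-style behaviour in endpoint telemetry (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the started process
    cmdline: str
    parent_image: str


@dataclass
class NetEvent:
    pid: int
    image: str
    dest_port: int


# Component file names the article reports for this campaign.
KNOWN_STAGE_NAMES = {"load.exe", "chromelevator.exe"}
# Port the article reports for the LofyStealer V2.0 panel.
PANEL_PORT = 8080
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Parents from which PowerShell normally starts (assumption, tune per estate).
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "windowsterminal.exe", "code.exe", "services.exe", "svchost.exe"}
USER_WRITABLE_RE = re.compile(r"\\(?:temp|downloads|appdata)\\", re.IGNORECASE)
# Switches used to hide a PowerShell window or pass an encoded script
# (assumption; the article only says the command is "concealed").
HIDDEN_PS_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden\b", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"compress-archive|\.zip\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def proc_findings(ev: ProcEvent) -> list[str]:
    """Return the indicators one process-creation event matches."""
    name, parent = basename(ev.image), basename(ev.parent_image)
    out = []
    if name in KNOWN_STAGE_NAMES:
        out.append("known_stage_name")
    # A real node.exe running from a user-writable directory is unexpected on a gaming PC.
    if name == "node.exe" and USER_WRITABLE_RE.search(ev.image):
        out.append("node_from_user_dir")
    if name in {"powershell.exe", "pwsh.exe"}:
        if HIDDEN_PS_RE.search(ev.cmdline):
            out.append("hidden_powershell")
        if ENCODED_PS_RE.search(ev.cmdline):
            out.append("encoded_powershell")
        if ARCHIVE_RE.search(ev.cmdline):
            out.append("powershell_zip")
        if parent not in EXPECTED_PS_PARENTS:
            out.append("powershell_unusual_parent")
    return out


def net_findings(ev: NetEvent) -> list[str]:
    """Port 8080 is common for proxies, so only flag non-browser initiators."""
    if ev.dest_port == PANEL_PORT and basename(ev.image) not in BROWSERS:
        return ["non_browser_to_8080"]
    return []


def hunt(procs: list[ProcEvent], nets: list[NetEvent]) -> dict[int, list[str]]:
    """Aggregate indicators per pid and keep only processes with at least one."""
    hits: dict[int, list[str]] = defaultdict(list)
    for p in procs:
        hits[p.pid].extend(proc_findings(p))
    for n in nets:
        hits[n.pid].extend(net_findings(n))
    return {pid: f for pid, f in hits.items() if f}


# Constructed sample telemetry: one infected chain plus benign noise.
SAMPLE_PROCS = [
    ProcEvent(4100, r"C:\Users\kid\Downloads\Slinky\load.exe", "load.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path "
              r"C:\Users\kid\AppData\Local\Temp\out -DestinationPath "
              r"C:\Users\kid\AppData\Local\Temp\out.zip",
              r"C:\Users\kid\Downloads\Slinky\load.exe"),
    ProcEvent(5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-ChildItem", r"C:\Program Files\WindowsApps\WindowsTerminal.exe"),
]
SAMPLE_NETS = [
    NetEvent(4100, r"C:\Users\kid\Downloads\Slinky\load.exe", 8080),
    NetEvent(6000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 8080),
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(pid, findings)
```

Each indicator on its own is noisy (hidden-window PowerShell and port 8080 both occur legitimately); the value is in the per-process aggregation, where a parent-child chain of an unknown executable spawning archive-building hidden PowerShell and then talking to 8080 stands out. Feed the same functions your Sysmon Event ID 1/3 or Security 4688 records after mapping the fields.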