Minecraft enthusiasts are currently facing a significant threat in the form of a deceptive hacking tool named “Slinky.” Marketed as a means to enhance gameplay, this tool is, in reality, a conduit for a potent infostealer known as LofyStealer, also referred to as GrabBot. This malware is linked to the Brazilian cybercrime organization LofyGang, which has been increasingly sophisticated in its operations.
The LofyStealer employs a Node.js-based loader along with an in-memory C++ payload designed to extract sensitive browser data and transmit it to a command-and-control (C2) server located in Brazil. The malicious software is cleverly disguised as a Minecraft hack, complete with the game’s official icon, targeting primarily younger players who may unwittingly execute it in hopes of gaining an advantage in the game.
Initial detection of this campaign occurred through public submissions on the ANY.RUN sandbox, where analysts uncovered suspicious binaries and network activity linked to the IP address 24.152.36.241:8080, revealing an active C2 infrastructure.
C2 panel and Brazilian infrastructure
The malware operates on a modular, two-stage architecture that emphasizes stealth and adaptability. The first stage involves executing a sizable 53.5 MB loader binary named load.exe, which is a Node.js application packaged with the “pkg” tool. This bundling includes the full V8 engine, OpenSSL, and various libraries, allowing it to masquerade as a legitimate runtime and evade detection by signature-based security measures.
Once activated, the loader decrypts and injects a smaller 1.4 MB native C++ payload, chromelevator.exe, directly into browser processes. This method utilizes direct syscalls rather than standard Windows APIs, effectively bypassing common endpoint detection and response (EDR) hooks.
Upon injection into popular browsers such as Chrome, Edge, Brave, Opera, Opera GX, Firefox, and Avast Secure Browser, the payload operates entirely in memory, minimizing forensic traces left on disk. It meticulously targets sensitive information, including cookies, saved passwords, session tokens, credit card details, and even International Bank Account Numbers (IBANs) stored by the victim’s browsers.
The collected data is systematically organized, compressed into ZIP archives, Base64-encoded, and prepared for exfiltration via a structured JSON format. The 53.5 MB binary encompasses the complete Node.js runtime, integrating Google’s V8 engine, libuv for asynchronous I/O, OpenSSL for cryptography, zlib for compression, ICU for internationalization, and llhttp for HTTP parsing, alongside the malicious JavaScript code.
The C2 panel offers a range of features, including victim monitoring, account management, and campaign overview, alongside a builder for generating new malicious executables. This confirms the operation’s alignment with a Malware-as-a-Service (MaaS) model.
Link to LofyGang and risk to players
The C2 infrastructure is hosted by a Brazilian provider, corroborating previous reports linking LofyGang to Brazil. The .text section of the malware accounts for 98.4% of the total file size, exhibiting an entropy level of 7.84, indicative of advanced compilation techniques such as Link-Time Code Generation (LTCG) and potentially inline encrypted data.
This transition from compromised npm packages to a polished, Minecraft-centric MaaS platform illustrates LofyGang’s evolution into a more professional and multi-operator entity. Researchers have attributed this campaign to LofyGang with a high degree of confidence, citing the branding of “LofyStealer,” Brazilian hosting, Portuguese-language artifacts, and the group’s ongoing interest in pilfering Discord, gaming, and streaming accounts.
For Minecraft players, particularly teenagers downloading cheats and cracked tools, the implications are severe. A single download of what appears to be a harmless hack could lead to the complete compromise of browser-stored credentials and financial information across various services.
IOCs
| Indicator | Value |
| --- | --- |
| C2 IP | 24.152.36.241 |
| Upload endpoint | /upload (HTTP POST) |
| Time endpoint | /time (HTTP GET) |
| User-Agent | GrabBot/1.0 |
| Content-Type | application/json |
| Fallback protocol | WebSocket |
| C2 panel | http://24.152.36.241:8080 (LofyStealer V2.0) |
| Platform name | LofyStealer – Advanced C2 Platform V2.0 |
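The exfiltration pattern described above (ZIP archives, Base64-encoded, wrapped in JSON and POSTed to /upload with the GrabBot/1.0 user agent) can be turned into a proxy-log check. The following is an added example, not code from the report or from any vendor: it scores constructed proxy-log records against the IOC table, alerts on the C2 IP or user agent alone, and otherwise requires both the /upload request shape and a Base64 string that decodes to a ZIP header. The record field names (dst, ua, ctype, body) are assumptions about the log format.

```python
import base64, json

C2_IP = "24.152.36.241"          # from the report's IOC table
C2_USER_AGENT = "GrabBot/1.0"   # from the report's IOC table
ZIP_MAGIC = b"PK\x03\x04"       # local-file header every ZIP archive starts with

def _looks_like_b64_zip(value):  # first 8 base64 chars decode to the first 6 bytes
    try:
        return base64.b64decode(value[:8], validate=True).startswith(ZIP_MAGIC)
    except (TypeError, ValueError):  # non-string value or not valid base64
        return False

def score_request(rec):
    """Return the reasons one proxy record matches the GrabBot exfil pattern."""
    reasons = []
    if rec.get("dst") == C2_IP:
        reasons.append("destination is the known C2 IP")
    if rec.get("ua") == C2_USER_AGENT:
        reasons.append("GrabBot/1.0 user agent")
    if (rec.get("method"), rec.get("path"), rec.get("ctype")) == ("POST", "/upload", "application/json"):
        reasons.append("POST /upload with JSON body")
    try:
        body = json.loads(rec.get("body", ""))
    except ValueError:
        body = {}
    if isinstance(body, dict) and any(_looks_like_b64_zip(v) for v in body.values()):
        reasons.append("base64-encoded ZIP inside JSON body")
    return reasons

def is_alert(reasons):
    """Hard indicators (IP, UA) alert alone; the two behavioural ones must co-occur."""
    hard = any(r.startswith(("destination", "GrabBot")) for r in reasons)
    soft = sum(r.startswith(("POST", "base64")) for r in reasons)
    return hard or soft == 2

def scan(records):
    """Return (index, reasons) for every record that should raise an alert."""
    return [(i, r) for i, rec in enumerate(records) if is_alert(r := score_request(rec))]

# Constructed proxy-log records, not captured traffic: a true hit, a benign JSON upload,
# and a ZIP-bearing upload to an unknown host. The "archive" is ZIP magic plus padding.
_B64_ZIP = base64.b64encode(ZIP_MAGIC + b"\x14\x00" * 12).decode()
SAMPLE_LOGS = [
    {"dst": C2_IP, "method": "POST", "path": "/upload", "ctype": "application/json",
     "ua": C2_USER_AGENT, "body": json.dumps({"host": "PC1", "data": _B64_ZIP})},
    {"dst": "203.0.113.7", "method": "POST", "path": "/upload", "ctype": "application/json",
     "ua": "Mozilla/5.0", "body": json.dumps({"name": "report.pdf", "data": "aGVsbG8="})},
    {"dst": "203.0.113.9", "method": "POST", "path": "/upload", "ctype": "application/json",
     "ua": "Mozilla/5.0", "body": json.dumps({"data": _B64_ZIP})},
]
```

The IP and user agent are trivial for the operator to rotate, so the behavioural pair is the part worth keeping in a detection rule after the listed IOCs go stale.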