Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

A resurgence of cybercriminal activity has been observed, with a Brazilian group known as LofyGang re-emerging after a three-year hiatus. This group is now targeting Minecraft players through a new piece of malware dubbed LofyStealer, also referred to as GrabBot. According to a technical report from the Brazil-based cybersecurity firm ZenoX, the malware masquerades as a Minecraft hack called ‘Slinky,’ cleverly utilizing the official game icon to entice young users into executing it voluntarily.

Targeting Young Gamers

The LofyGang has been linked with high confidence to this latest campaign, which exploits the trust that young gamers place in the Minecraft community. Acassio Silva, co-founder and head of threat intelligence at ZenoX, noted that the group has been active since late 2021, previously leaking thousands of Minecraft accounts under the alias DyPolarLofy on platforms like Cracked.io. “Minecraft has been a LofyGang target since 2022,” Silva stated, emphasizing the direct nature of their current approach.

The attack vector begins with the launch of the ‘Slinky’ hack, which triggers a JavaScript loader. This loader is responsible for deploying LofyStealer, identified as “chromelevator.exe,” onto compromised systems. Once executed, it operates in memory to harvest sensitive information from various web browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox. The data collected encompasses cookies, passwords, tokens, credit card information, and International Bank Account Numbers (IBANs), all of which are sent to a command-and-control server.

Evolution of Tactics

ZenoX highlighted a notable shift in the group’s tactics, moving away from their historically favored JavaScript supply chain attacks—such as npm package typosquatting and starjacking—to a more sophisticated malware-as-a-service (MaaS) model. This model offers both free and premium tiers, along with a custom builder named Slinky Cracked, which serves as a delivery mechanism for the stealer malware.

The rise of this campaign underscores a broader trend where threat actors exploit the trust associated with platforms like GitHub. These attackers create bogus repositories that lure users into downloading malware families, including SmartLoader and Vidar Stealer, often using SEO poisoning techniques to direct unsuspecting users to these malicious sites.

Broader Implications

Recent analyses have revealed a concerning pattern in which widely trusted platforms are misused to distribute harmful payloads. Acronis pointed out that by leveraging social trust and common download channels, cybercriminals frequently bypass traditional security measures. This trend is further illustrated by various campaigns that have capitalized on GitHub in recent months:

  • Direct targeting of developers within GitHub through fake security alerts for Microsoft Visual Studio Code, tricking users into installing malware.
  • Spear-phishing attacks aimed at Argentina’s judicial systems, distributing compressed ZIP archives containing remote access trojans (RATs) hosted on GitHub.
  • Creation of counterfeit GitHub accounts and OAuth applications to manipulate developers into authorizing access tokens.
  • Distribution of malicious batch script installers disguised as legitimate IT and security software, leading to multi-stage infections.
  • Use of fraudulent repositories to spread LuaJIT payloads, functioning as generic trojans in a campaign dubbed TroyDen’s Lure Factory.

The diversity of these tactics—from gaming cheats to developer tools—highlights a strategy focused on volume rather than precision targeting. As such, cybersecurity defenders are advised to treat any GitHub-hosted downloads that pair renamed interpreters with opaque data files as high-priority threats, regardless of the perceived legitimacy of the surrounding repository.
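One way to operationalise that last recommendation, as an added example that is not code from ZenoX, Acronis or the article: a Python triage heuristic that labels the members of an extracted download by content rather than by name and raises a flag when a renamed interpreter (matched by SHA-256 against a defender-maintained list, assumed here) sits beside a high-entropy data file. The interpreter digest and the opaque blob below are constructed stand-ins so the example runs offline.

```python
import hashlib
import math
from collections import Counter
from typing import Dict

# ASSUMPTION: the defender keeps SHA-256 digests of the interpreter binaries
# they expect to see (node.exe, python.exe, luajit.exe, ...).  Real digests go
# here; this entry is computed from a constructed stand-in so the example runs.
FAKE_NODE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for node.exe"
KNOWN_INTERPRETERS = {hashlib.sha256(FAKE_NODE).hexdigest(): "node.exe"}

# Constructed pseudo-random blob standing in for an opaque payload file.
CONSTRUCTED_OPAQUE = b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(128))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate packed/encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Label one file by its content, not by its attacker-chosen name."""
    canonical = KNOWN_INTERPRETERS.get(hashlib.sha256(data).hexdigest())
    if canonical:
        return "interpreter" if name.lower() == canonical else "renamed_interpreter"
    if data[:2] == b"MZ":
        return "pe_executable"
    if shannon_entropy(data) > 7.0:
        return "opaque_data"
    return "other"


def triage(files: Dict[str, bytes]) -> dict:
    """files maps member name -> content (e.g. an extracted archive).
    Flags the pairing the article calls out: renamed interpreter + opaque blob."""
    labels = {name: classify(name, data) for name, data in files.items()}
    kinds = set(labels.values())
    return {"labels": labels,
            "high_priority": {"renamed_interpreter", "opaque_data"} <= kinds}


if __name__ == "__main__":
    sample = {"launcher.exe": FAKE_NODE, "config.dat": CONSTRUCTED_OPAQUE,
              "readme.txt": b"client installation notes\n" * 8}
    print(triage(sample))
```

Hash matching only catches an unmodified interpreter binary; a recompiled or patched copy would need a version-info or code-signer check instead.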

AppWizard