infostealer Archives

AppWizard

June 3, 2026

Malware campaign targeting Minecraft users infects over 116,000 systems

A recent investigation by McAfee researchers has identified a Malware-as-a-Service (MaaS) operation called WeedHack, which targets Minecraft users. Since its launch in January 2026, WeedHack has compromised over 116,000 systems, with 2,000 to 3,000 new infections daily. The operation uses YouTube and SEO poisoning to distribute malware, promoting Minecraft mods and utilities through videos. WeedHack is accessible for free, with premium features available at low costs. The malware targets Minecraft session IDs, collects system information, and extracts credentials from various platforms. It includes a web-based dashboard for tracking infections and offers tools for injecting malware into legitimate mods. The operation has also been linked to incidents of cyberbullying among its users. McAfee advises caution when engaging with Minecraft-related content on YouTube.

AppWizard

June 3, 2026

Over 116,000 Mincraft systems infected in WeedHack malware campaign

A malware operation called WeedHack has targeted Minecraft players since January, compromising over 116,000 systems with daily infections between 2,000 and 3,000. It primarily distributes malware through malicious mods, clients, cheats, and utilities promoted on YouTube, utilizing SEO poisoning to reach victims. The campaign features polished YouTube videos with embedded download links and targets keywords related to popular Minecraft clients. WeedHack operates as a malware-as-a-service (MaaS) model, offering a free tier that steals Minecraft session IDs, cookies, and passwords across various platforms, and a premium tier with enhanced capabilities. The operation's Telegram channel has over 800 members, mostly teenagers or young adults. Minecraft players are advised to trust only official sources for mods and verify download links to protect against these threats.

Winsage

May 20, 2026

MSHTA abuse helps malware hide in Windows processes

Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting its default activation in Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that utilize legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks as it allows threat actors to conceal malicious actions. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behaviors associated with legitimate utilities in the context of cyber threats.

Tech Optimizer

May 4, 2026

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender mistakenly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, leading to their removal from Windows systems globally. This issue arose after a Defender signature update on April 30th, with affected certificates including 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. The certificates were removed from the AuthRoot store under the Registry key HKLMSOFTWAREMicrosoftSystemCertificatesAuthRootCertificates. Microsoft has addressed the issue in Security Intelligence update version 1.449.430.0, which also restored the removed certificates. The false positives were linked to detections related to a recent DigiCert breach, where threat actors obtained valid code-signing certificates used for signing malware. DigiCert revoked 60 code-signing certificates, including those linked to the "Zhong Stealer" malware campaign. The malware utilized certificates issued to companies like Lenovo and Kingston, but the certificates flagged by Microsoft Defender are root certificates and do not correspond to the revoked code-signing certificates.

AppWizard

April 30, 2026

LofyStealer Targets Minecraft Players via Node.js Loader and Browser Injection

Minecraft players are being targeted by a deceptive hacking tool called “Slinky,” which is actually an infostealer known as LofyStealer linked to the Brazilian cybercrime group LofyGang. The malware uses a Node.js-based loader and a C++ payload to extract sensitive browser data, disguising itself as a Minecraft hack. It primarily targets younger players who may unknowingly execute it. The malware operates through a two-stage architecture, with a 53.5 MB loader binary that injects a smaller 1.4 MB payload into browser processes, bypassing detection methods. It collects sensitive information such as cookies, passwords, and credit card details, compressing and encoding the data for exfiltration. The command-and-control (C2) infrastructure is hosted in Brazil, and the malware's design reflects advanced compilation techniques. The campaign is attributed to LofyGang, which has evolved into a more professional entity, posing severe risks to players who download cheats and cracked tools. Indicators of compromise include a specific C2 IP address and associated endpoints.

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

AppWizard

April 30, 2026

Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection

A new infostealer malware called LofyStealer is targeting the gaming community, particularly Minecraft players, by disguising itself as a cheat tool named “Slinky.” It employs a two-stage attack to extract sensitive information from eight major web browsers, including Chrome and Firefox, while evading detection by security software. The malware siphons off cookies, saved passwords, payment card information, and session tokens. Researchers at Zenox.ai identified LofyStealer, linking it to the Brazilian cybercrime group LofyGang, which has been active since October 2022. The malware uses social engineering tactics to appear legitimate and operates as a Malware-as-a-Service platform, offering both Free and Premium tiers to buyers. Its technical sophistication is evident in its method of in-memory browser injection, which allows it to bypass security defenses. The stolen data is compressed and sent to a command-and-control server. Users are advised to avoid downloading unofficial game mods and enable multi-factor authentication to reduce the risk of credential theft. Security teams should monitor for specific behavioral indicators related to the malware's operations.

Tech Optimizer

April 26, 2026

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister

On April 21, 2026, compromised versions of pgserve (1.1.11, 1.1.12, and 1.1.13) were published on npm, containing a 1,143-line credential-harvesting script that executes during the postinstall phase of npm install. The malware functions as a supply-chain worm, reinjecting itself into other packages if it finds an npm publish token. Stolen credentials are encrypted using RSA-4096 and AES-256 and exfiltrated to a decentralized Internet Computer Protocol (ICP) canister. The last legitimate release was v1.1.10, published on April 17, 2026. The malware was detected by StepSecurity AI Package Analyst and Harden Runner, which flagged the compromised versions as Critical / Rejected and confirmed live exfiltration during analysis. The injected script performs operations such as harvesting environment variables, collecting filesystem secrets, encrypting payloads, and propagating to other npm packages and Python packages if a PyPI token is detected. The exfiltration domains have been added to a global block list.

Tech Optimizer

April 22, 2026

New STX RAT Uses Hidden Remote Desktop and Infostealer Features to Evade Detection

A newly identified remote access trojan, STX RAT, emerged in 2026, integrating hidden remote desktop access with credential theft features. The name "STX" comes from the Start of Text magic byte x02, which it appends to communications with its command-and-control (C2) server. Initial sightings were reported in late February 2026, when it was delivered via a browser-downloaded VBScript file to a financial organization. By early March, Malwarebytes noted a campaign distributing STX RAT through compromised FileZilla installers. Researchers from eSentire’s Threat Response Unit analyzed the malware, which includes extensive anti-analysis measures and employs techniques like AMSI-ghosting. Once operational, STX RAT connects to a C2 server at 95.216.51.236, transmitting system information securely. It targets saved credentials from applications like FileZilla and includes a Hidden Virtual Network Computing (HVNC) module, allowing attackers to control a victim's machine without detection. Security teams are advised to block the C2 IP and implement detection rules to mitigate the threat.

Winsage

April 16, 2026

Fake Proton VPN sites are pushing NWHStealer malware to Windows users

A malware campaign is utilizing counterfeit Proton VPN websites and other deceptive tactics to distribute a Windows infostealer known as NWHStealer. This malware extracts sensitive information, including browser credentials and cryptocurrency wallet details, and operates stealthily by injecting itself into legitimate processes. Two primary infection vectors have been identified: malicious ZIP archives on a free web hosting platform and trojanized installers from fake Proton VPN sites. The malware employs DLL hijacking and can exfiltrate data to a command-and-control server while ensuring persistence through scheduled tasks and disguising payloads as legitimate system processes. It also exploits the Windows cmstp.exe utility to bypass User Account Control. Users are advised to avoid downloading software from unofficial sources and to verify file signatures and publisher information.