LofyGang
LofyGang is a Brazilian-origin cybercrime threat group publicly tracked since 2022 for software supply-chain abuse and credential theft. Reporting links the group to Brazilian Portuguese-language artifacts, aliases such as ConsoleLofy and DyPolarLofy, and repeated use of npm packages to distribute malware.

The group was first documented by Checkmarx and Sonatype in 2022 as a Brazilian Portuguese-speaking operation abusing npm, including typosquatted and malicious packages. Checkmarx linked nearly 200 malicious npm packages to LofyGang and reported that the campaign persisted for more than a year. Those packages were used to infect downstream applications and steal end-user payment card data and credentials, including Discord Nitro, gaming, and streaming-service accounts. Reporting also states the group traded stolen credit cards and streaming-service credentials via a Discord forum and developed or distributed in-house hacking tools on GitHub.

More recent reporting attributes additional npm activity in 2026 to LofyGang, including packages such as undicy-http and separadordeinfocc published by the npm maintainer consolelofy. JFrog attributed this activity to LofyGang based on the author name, hardcoded strings such as "Lofygang Started," and Portuguese-language code artifacts. The packages delivered a Node.js remote access trojan and a native Windows stealer, including chromelevator.exe, with capabilities including persistence, anti-analysis checks, remote shell execution, screen streaming, webcam and microphone access, and theft of browser credentials, cookies, session tokens, payment card data, IBANs, Discord tokens, and cryptocurrency wallet data. Reporting states exfiltration occurred through Discord webhooks and a Telegram bot.

LofyGang has also been linked with a campaign targeting Minecraft players using LofyStealer, also known as GrabBot. ZenoX attributed this activity with high confidence to LofyGang and described it as a Brazilian-origin cybercrime operation. In this campaign, the malware was disguised as a fake Minecraft hack named Slinky using the official Minecraft icon as a lure. The infection chain used a JavaScript loader to deploy the stealer, which harvested passwords, tokens, cookies, payment card data, and IBANs from multiple browsers including Chrome, Firefox, Brave, Edge, Opera, Opera GX, Chrome Beta, and Avast Browser. Reporting describes this campaign as a shift from the group’s earlier JavaScript supply-chain tradecraft toward a malware-as-a-service model with free and premium tiers and a builder called Slinky Cracked.

Across reporting, LofyGang is consistently described as a financially motivated cybercrime group focused on credential theft, payment data theft, browser and Discord token theft, and malware distribution through npm and social-engineering lures. Known aliases and related names directly mentioned in reporting include LofyGang, ConsoleLofy, and DyPolarLofy. Malware and tooling directly associated in the reporting include LofyStealer/GrabBot, NYX, chromelevator.exe, and the Slinky lure.
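The npm activity described above gives a defender a small set of concrete indicators to hunt for in an installed dependency tree: the package names undicy-http and separadordeinfocc, the maintainer name consolelofy, the hardcoded marker "Lofygang Started," and exfiltration over Discord webhooks or the Telegram Bot API. The script below is an added example written for this page, not tooling from Mallory, JFrog, Checkmarx or any other vendor named in the reporting. It walks a project's node_modules, reads each package.json, flags known package and maintainer names, surfaces install-time lifecycle hooks (a common execution point for malicious packages, an assumption of the example rather than a claim from the reporting), and scans JavaScript sources for the marker string and for the public URL formats of Discord webhooks and Telegram bot endpoints. The sample project it builds is constructed in a temporary directory with a fake webhook URL; the indicator values themselves are the ones quoted in the text.

```python
"""Defensive audit of an installed npm tree for the LofyGang indicators named
in the reporting above. Constructed example, not any vendor's tooling."""
import json
import os
import re
import tempfile

# Indicator values quoted from the reporting on this page.
KNOWN_PACKAGES = {"undicy-http", "separadordeinfocc"}
KNOWN_MAINTAINERS = {"consolelofy"}
KNOWN_STRINGS = ("Lofygang Started",)

# Lifecycle scripts npm runs automatically on install (assumption: worth
# surfacing for review, since they execute without the developer's action).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Public URL formats of the two exfiltration channels the reporting names.
# A match is a review signal, not proof of malice.
EXFIL_PATTERNS = {
    "discord_webhook": re.compile(
        r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "telegram_bot_api": re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+"),
}


def _maintainer_names(manifest):
    """Collect author/maintainers/contributors names in any shape npm allows."""
    names = set()
    for field in ("author", "maintainers", "contributors"):
        value = manifest.get(field)
        for entry in (value if isinstance(value, list) else [value]):
            if isinstance(entry, str):
                names.add(entry.split("<")[0].strip().lower())
            elif isinstance(entry, dict) and entry.get("name"):
                names.add(entry["name"].strip().lower())
    return names


def audit_package(pkg_dir):
    """Return (indicator, detail) findings for one installed package directory."""
    findings = []
    manifest_path = os.path.join(pkg_dir, "package.json")
    if not os.path.isfile(manifest_path):
        return findings
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    name = manifest.get("name", os.path.basename(pkg_dir))
    if name in KNOWN_PACKAGES:
        findings.append(("known_package", name))
    for maintainer in sorted(_maintainer_names(manifest) & KNOWN_MAINTAINERS):
        findings.append(("known_maintainer", maintainer))
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("install_hook", f"{hook}: {scripts[hook]}"))
    # Scan JavaScript sources for the marker string and exfiltration URLs.
    for dirpath, _, files in os.walk(pkg_dir):
        for fname in files:
            if not fname.endswith((".js", ".cjs", ".mjs")):
                continue
            fpath = os.path.join(dirpath, fname)
            with open(fpath, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(fpath, pkg_dir)
            for marker in KNOWN_STRINGS:
                if marker in text:
                    findings.append(("marker_string", f"{rel}: {marker}"))
            for label, pattern in EXFIL_PATTERNS.items():
                for match in pattern.findall(text):
                    findings.append((label, f"{rel}: {match}"))
    return findings


def audit_node_modules(root):
    """Walk root/node_modules (scoped packages included); return {pkg: findings}."""
    report = {}
    nm = os.path.join(root, "node_modules")
    if not os.path.isdir(nm):
        return report
    for entry in sorted(os.listdir(nm)):
        path = os.path.join(nm, entry)
        dirs = [path]
        if entry.startswith("@") and os.path.isdir(path):
            dirs = [os.path.join(path, sub) for sub in sorted(os.listdir(path))]
        for pkg_dir in dirs:
            findings = audit_package(pkg_dir)
            if findings:
                report[os.path.relpath(pkg_dir, nm)] = findings
    return report


def build_sample_tree():
    """Constructed fake project: one benign package, one carrying the indicators."""
    root = tempfile.mkdtemp(prefix="npm-audit-")

    def write(pkg, manifest, files):
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        for fname, body in files.items():
            with open(os.path.join(pkg_dir, fname), "w", encoding="utf-8") as fh:
                fh.write(body)

    write("left-pad-ish", {"name": "left-pad-ish", "version": "1.0.0", "author": "someone"},
          {"index.js": "module.exports = (s, n) => s.padStart(n);\n"})
    write("undicy-http", {"name": "undicy-http", "version": "0.0.1", "author": "consolelofy",
                          "scripts": {"postinstall": "node setup.js"}},
          {"setup.js": 'console.log("Lofygang Started");\n'
                       '// constructed, non-functional webhook URL for the example\n'
                       'const hook = "https://discord.com/api/webhooks/123456789/abcDEF_xyz-123";\n'})
    return root


if __name__ == "__main__":
    for pkg, findings in audit_node_modules(build_sample_tree()).items():
        for kind, detail in findings:
            print(f"{pkg}: {kind} -> {detail}")
```

Point audit_node_modules at a real project root to run it against an installed tree; the known-name sets are deliberately tiny and should be fed from a maintained blocklist in practice, while the install-hook and exfiltration-URL checks catch the same tradecraft under new package names.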
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- BR (Brazil)
Tradecraft
40 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- Compromising Minecraft players using the Slinky hack as a lure to deploy a JavaScript loader and inject the LofyStealer information-stealing malware; the campaign suggests a shift toward a malware-as-a-service model.
- Brazilian-origin cybercrime group linked to the LofyStealer MaaS operation, distributing malware disguised as a Minecraft cheat ('Slinky') to steal browser cookies, passwords, payment card data, session tokens, and IBANs from victims.
- Brazilian-origin cybercrime group targeting Minecraft players and gaming users, distributing stealer malware via fake Minecraft hacks and previously via npm typosquatting. The group steals browser data, Discord-related accounts and payment data, and appears to be shifting toward a malware-as-a-service model.
- Software supply chain campaign using a malicious npm package (undicy-http) to compromise Node.js developers, deploy a Node.js RAT and a browser-stealing native payload, steal credentials/session data/cryptocurrency wallet data, and provide live remote access to victim systems.