LofyStealer
LofyStealer, also referred to as GrabBot, is a modular infostealer associated with the Brazilian-origin cybercrime group LofyGang. It has been observed in campaigns targeting Minecraft players, where it is distributed through social engineering as a fake Minecraft cheat or hack named “Slinky,” often using the official Minecraft icon to appear legitimate. Reporting links the activity to LofyGang through code artifacts, infrastructure, and C2 branding, and assesses the operation as a malware-as-a-service offering with Free and Premium tiers, a victim management panel, and a builder referred to as “Slinky Cracked.”
The malware uses a two-stage infection chain. A first-stage loader, described as a JavaScript or Node.js-based component and observed as load.exe, deploys a native C++ PE64 payload named chromelevator.exe. The loader identifies installed browsers via Windows registry queries, can launch a target browser in a suspended state, decrypts the payload in memory, and injects it directly into browser processes. The payload resolves low-level functions from ntdll.dll at runtime and uses direct syscalls to evade antivirus and EDR hooks. Reported anti-analysis features include IsDebuggerPresent checks and timing-based sandbox evasion. The malware has also been noted to include dbghelp.dll imports such as MiniDumpWriteDump, indicating process memory dumping capability.
LofyStealer targets browser-stored data from multiple browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser. Reported stolen data includes cookies, saved passwords, tokens, payment card details, active session tokens, and IBANs. The malware can use named pipes for inter-process communication, compress stolen data with hidden PowerShell execution using Compress-Archive, Base64-encode the resulting archives, and exfiltrate them over HTTP POST to the /upload endpoint with Content-Type application/json and User-Agent “GrabBot/1.0.” It also uses a SHA-256-based integrity signature field named “sig,” and /time has been reported as an HTTP GET endpoint used for keepalive or synchronization.
High-confidence infrastructure associated with the malware includes command-and-control communications to 24.152.36.241 over port 8080, with the same host reported to expose a web panel branded “LofyStealer, Advanced C2 Platform V2.0.” Observed indicators and artifacts mentioned in reporting include the filenames load.exe and chromelevator.exe, the fake lure name “Slinky,” the C2 IP 24.152.36.241:8080, the /upload and /time endpoints, hidden PowerShell archive creation, and the User-Agent string “GrabBot/1.0.”
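As an added defender-side example (not code from the page's sources), the network and host indicators above turned into detection logic in Python: it labels proxy log lines that carry the GrabBot/1.0 User-Agent or talk to the 24.152.36.241:8080 C2 host on the /upload and /time endpoints, and process-creation command lines that run hidden-window PowerShell with Compress-Archive. The proxy log format, the field layout and every sample line are constructed for this example.

```python
import re
from typing import Optional

# Indicators taken from the page: C2 host and port, User-Agent, endpoints, content type.
C2_HOST, C2_PORT, C2_UA = "24.152.36.241", 8080, "GrabBot/1.0"

# Constructed (hypothetical) proxy log layout, one request per line:
#   client dst_host dst_port METHOD path content_type "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<client>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
# Hidden-window PowerShell switch in its accepted short and long spellings.
HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)

def classify_http(line: str) -> Optional[str]:
    """Label one proxy log line, or return None when nothing matches."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    ua_hit = f["ua"] == C2_UA
    c2_hit = f["dst"] == C2_HOST and int(f["port"]) == C2_PORT
    if not (ua_hit or c2_hit):
        return None  # a bare POST /upload is far too common to alert on alone
    if f["method"] == "POST" and f["path"] == "/upload" and f["ctype"] == "application/json":
        return "lofystealer_exfil_post"
    if f["method"] == "GET" and f["path"] == "/time":
        return "lofystealer_keepalive_get"
    return "lofystealer_c2_generic"  # UA or C2 host seen on some other path

def classify_process(cmdline: str) -> Optional[str]:
    """Flag hidden-window PowerShell that stages a ZIP via Compress-Archive."""
    low = cmdline.lower()
    if "powershell" in low and "compress-archive" in low and HIDDEN.search(cmdline):
        return "lofystealer_hidden_archive"
    return None

def scan(proxy_lines, process_cmdlines):
    """Run both detections and return the labels in input order."""
    hits = [h for h in map(classify_http, proxy_lines) if h]
    return hits + [h for h in map(classify_process, process_cmdlines) if h]

# Constructed sample telemetry, not captured traffic or real process events.
SAMPLE_PROXY = [
    '10.0.0.5 24.152.36.241 8080 POST /upload application/json "GrabBot/1.0"',
    '10.0.0.5 24.152.36.241 8080 GET /time - "GrabBot/1.0"',
    '10.0.0.7 203.0.113.9 443 POST /upload application/json "Mozilla/5.0"',
    '10.0.0.9 198.51.100.4 8080 GET /api/time - "GrabBot/1.0"',
]
SAMPLE_PROCS = [
    r"powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path $env:TEMP\stage -DestinationPath $env:TEMP\stage.zip",
    "powershell.exe -Command Get-Process",
]
```

The third proxy line shows the deliberate false-positive guard: a generic POST /upload with a browser User-Agent to an unrelated host yields no label.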
Groups observed using it
1 distinct threat actor attributed by public researchers.
Brazilian threat group LofyGang has resurfaced to compromise Minecraft players with the novel LofyStealer malware, also known as GrabBot... Intrusions commenced with the deployment of the Minecraft hack dubbed 'Slinky' ... to run a JavaScript loader that led to the injection of LofyStealer.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (4 techniques)
Stolen data is compressed using a hidden PowerShell command, encoded in Base64, and sent to the C2 server via an HTTP POST request
Intrusions commenced with the deployment of the Minecraft hack dubbed 'Slinky' ... to run a JavaScript loader that led to the injection of LofyStealer.
Privilege Escalation (3 techniques)
The malware bundles a Node.js-based loader with a native C++ payload that is injected directly into live browser memory during execution.
Stealth (7 techniques)
The payload (chromelevator.exe) ... is decrypted in memory... MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1027 | Obfuscated Files or Information | Encrypted payload, decrypted at runtime | chromelevator
Intrusions commenced with the deployment of the Minecraft hack dubbed 'Slinky', which utilized the official game icon for legitimacy, to run a JavaScript loader that led to the injection of LofyStealer.
MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1055.003 | Process Injection: Thread Execution Hijacking | Remote thread creation via direct syscall | chromelevator
... it queries the Windows registry to locate installed browsers and then launches the identified browser in a suspended state, temporarily halting the process before it becomes fully active. The loader then maps the payload directly into the browser’s memory space
Credential Access (4 techniques)
LofyStealer then proceeds to harvest and exfiltrate passwords, tokens, cookies, cards, and International Bank Account Numbers across several web browsers, including Google Chrome, Mozilla Firefox, Brave, and Microsoft Edge.
The malware covers a wide range of targets, hitting eight major browsers including Chrome, Edge, Brave, Opera GX, and Firefox, while extracting cookies, saved passwords, payment card details, active session tokens, and IBANs from each one.
Discovery (4 techniques)
Once the loader, load.exe, runs on the victim machine, it queries the Windows registry to locate installed browsers
MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1057 | Process Discovery | Detection of running browser processes | load.exe
It also includes anti-analysis mechanisms such as debugger detection and timing checks against sandboxes. Finally, it performs system reconnaissance (hostname, time, environment variables)... MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1082 | System Information Discovery | Collection of hostname and host fingerprint | chromelevator
Collection (3 techniques)
After collection, data is compressed using PowerShell in hidden mode... Generated files follow two naming patterns: .grab_<name>.zip and output_YYYYMMDD_HHMMSS.zip... MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1560.001 | Archive Collected Data: Archive via Utility | ZIP compression of stolen data | chromelevator
Command and Control (4 techniques)
... sent to the C2 server via an HTTP POST request with a SHA-256 integrity signature attached
WinHTTP is the Windows client HTTP library, used here for all communication with the C2 server... WinHttpOpen initializes the HTTP session with the User-Agent “GrabBot/1.0”... MITRE ATT&CK mapping (Technique | Name | Evidence | Binary): T1071.001 | Application Layer Protocol: Web Protocols | C2 communication via HTTP/JSON | both
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Information-stealing malware used to target Minecraft players. It harvests and exfiltrates passwords, tokens, cookies, payment card data, and International Bank Account Numbers from browsers including Google Chrome, Mozilla Firefox, Brave, and Microsoft Edge.
Infostealer malware operated as a Malware-as-a-Service platform that masquerades as a Minecraft cheat ('Slinky'), uses a Node.js-based loader and a native C++ payload for in-memory browser injection, and steals cookies, saved passwords, payment card details, session tokens, and IBANs from multiple browsers.
An infostealer disguised as a Minecraft hack called 'Slinky' and deployed via a JavaScript loader. It executes in memory and steals sensitive data from multiple browsers, including cookies, passwords, tokens, payment card data, and IBANs, then exfiltrates the data to a C2 server.
A modular two-stage infostealer distributed as a fake Minecraft hack (“Slinky”). It uses a large Node.js-based loader and a native C++ payload injected into browser processes. It steals browser data including cookies, passwords, tokens, cards, and IBANs from multiple browsers, compresses and Base64-encodes the data, and exfiltrates it to a hardcoded C2. The payload uses direct syscalls for process injection and evasion.