LofyGang Targets Minecraft Players With LofyStealer Masquerading as Slinky Cheat
The Brazilian cybercrime group LofyGang has resurfaced after more than three years with a malware campaign aimed at Minecraft players, distributing a new infostealer known as LofyStealer or GrabBot through a fake cheat tool called "Slinky." Researchers linked the activity to LofyGang through code artifacts, infrastructure, and command-and-control branding, and said the lure uses the official Minecraft icon and social engineering to trick users into launching the malware. The campaign reflects a shift from the group’s earlier npm typosquatting and software supply-chain activity toward a broader malware-as-a-service operation.
The infection chain uses a JavaScript or Node.js-based loader to deploy a native payload in memory as chromelevator.exe, where it injects into live browser processes to evade conventional antivirus and EDR visibility. The stealer targets at least eight major browsers and harvests cookies, passwords, session tokens, payment card data, and IBANs before compressing and exfiltrating the data to 24.152.36.241:8080. Researchers said the operation includes Free and Premium tiers, a victim dashboard, and a custom builder called Slinky Cracked, while also highlighting the wider abuse of trusted platforms such as GitHub, Reddit, and search results to spread malware through fake repositories, bogus alerts, and gaming-cheat lures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Technical analysis discloses LofyStealer infection chain and data theft behavior
Public reporting revealed that the campaign used a JavaScript or Node.js-based loader to deploy an in-memory stealer payload, including execution as "chromelevator.exe" and browser memory injection to evade detection. The malware was said to target multiple major browsers and exfiltrate cookies, passwords, tokens, payment card data, and IBANs to 24.152.36.241, including traffic on port 8080.
Researchers link LofyStealer to LofyGang and reveal MaaS operation details
Researchers at ZenoX/Zenox.ai identified the malware as LofyStealer, also known as GrabBot, and attributed it to LofyGang based on code artifacts, infrastructure, and C2 branding. They reported that the threat had shifted from the group's earlier npm typosquatting and supply-chain activity to a malware-as-a-service model with free and premium tiers and a builder called "Slinky Cracked."
LofyGang launches LofyStealer campaign targeting Minecraft players
A Brazilian cybercrime group known as LofyGang resurfaced after more than three years with a new campaign aimed at Minecraft players. The operation distributed a fake cheat tool called "Slinky" that used Minecraft branding and social engineering to lure victims into execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Novel Minecraft-targeting stealer tapped by reemergent LofyGang | brief | SC Media
scworld.com
Open sourceMinecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection - Cyber Security News
cybersecuritynews.com
Open sourceBrazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WeedHack MaaS Infected 116,000 Minecraft Players via Malicious Mods
McAfee researchers reported that the **WeedHack** malware-as-a-service operation has infected more than **116,000 systems** by targeting Minecraft players with trojanized mods, clients, cheats, and utilities. The campaign has been active since at least January and is spreading through **YouTube videos**, gaming forums, and **SEO-poisoned** websites that mimic legitimate mod-download pages, often borrowing trust signals such as links to real GitHub repositories and Discord servers. Researchers tracked more than **3,820 malicious JAR files**, over **240 distribution URLs**, and infection volumes of roughly **2,000 to 3,000 systems per day**, with the largest victim concentrations in the **United States, Germany, India, and the UK**. WeedHack is operating openly on the clear web with a free dashboard for viewing stolen data and building payloads, while a premium tier priced at about **$5 per month** adds remote-access and surveillance features. The malware steals **Minecraft session IDs**, browser cookies and passwords, cryptocurrency wallet data, and credentials for services including **Discord, Steam, and Telegram**; paid users can also gain **webcam access, keylogging, reverse shell, screen sharing, and file-management** capabilities. McAfee said the Java-based, multi-stage malware uses **Ethereum-based C2 discovery**, persistence, and Windows Defender evasion, and observed that many customers in its 800-plus-member Telegram community appear to be teenagers or young adults using the service for account theft, harassment, cyberbullying, and webcam spying.
Jun 8, 2026
Infostealer and Loader Malware Activity Targeting Windows Users
Multiple reports highlight active **Windows-focused malware** operations centered on credential theft and payload delivery. **Socelars** is described as a stealthy infostealer that prioritizes harvesting browser-stored session cookies and authentication artifacts (notably targeting *Facebook Ads Manager* sessions) to enable account takeover and fraud; it is reportedly distributed via fake websites posing as legitimate software (e.g., a PDF reader) and uses staged execution including system reconnaissance and a **UAC bypass via COM auto-elevation** before extracting browser session data for exfiltration. Separately, research details how established malware delivery ecosystems are evolving. Zscaler ThreatLabz reports **GuLoader (CloudEye)** increasingly abuses legitimate cloud services (e.g., *Google Drive* and *OneDrive*) to blend malicious downloads into normal traffic, while using polymorphism and control-flow obfuscation plus layered decryption to hinder analysis and deliver follow-on payloads such as RATs and stealers. Bitdefender reports a resurgence of **LummaStealer** despite prior law-enforcement disruption, attributing continued scale to social-engineering-heavy distribution (fake cracks/downloads and **fake CAPTCHA/“ClickFix”** lures) and the use of **CastleLoader** for modular, in-memory execution and obfuscated delivery; the report notes infrastructure overlap suggesting coordination or shared providers. A separate Unit 42 incident-response writeup on **Muddled Libra (Scattered Spider/UNC3944)** describes a distinct intrusion tradecraft involving unauthorized access to a *VMware vSphere* environment and a rogue VM used for reconnaissance, persistence, and interaction with enterprise infrastructure, and is not part of the infostealer/loader activity described in the other items.
Mar 21, 2026
Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple **software supply chain-style malware distribution** efforts abusing developer-adjacent platforms. JFrog detailed a malicious npm package, `@openclaw-ai/openclawai`, masquerading as an *OpenClaw* CLI installer; once executed, it uses a `postinstall` hook to reinstall globally and drop an obfuscated first-stage (`setup.js`) that deploys a multi-stage payload internally identified as **GhostLoader** (campaign tracked as **GhostClaw**). The malware is designed to persist and exfiltrate a broad set of sensitive data from developer workstations, including credentials (e.g., cloud config artifacts for **AWS/GCP/Azure**), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet/seed material. Separately, Trend Micro reported a large-scale distribution operation for the **BoryptGrab** information stealer via **100+ public GitHub repositories** that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (**TunnesshClient**) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the observed targeting focuses on harvesting browser data, crypto wallets, system information, and user files.
Apr 2, 2026