For years, the cybercrime underground has operated on a certain predictability. Groups would establish their beachhead, develop a modus operandi, and then, often, fade into obscurity or rebrand. So, when LofyGang, a notorious Brazilian outfit known for its supply chain attacks and data siphoning, resurfaced after a three-year silence, the expectation was likely a return to familiar hunting grounds: typosquatted npm packages or similarly arcane digital alleys. That expectation, however, has been thoroughly shattered.
Instead of rehashing old tricks, LofyGang has pivoted sharply, launching a campaign that directly targets the massive, and often young, Minecraft player base with a new piece of malware dubbed LofyStealer. This isn’t just a minor iteration; it’s a strategic overhaul that suggests a sophisticated understanding of market dynamics and user psychology. They’ve learned that sometimes, the most effective path isn’t the most technically convoluted, but the most socially engineered.
The ‘Slinky’ Bait-and-Switch
ZenoX, a Brazilian cybersecurity firm, flagged the operation, noting that the malware masquerades as a Minecraft hack called ‘Slinky.’ This isn’t accidental. By using the official game icon, they’re not just hiding malicious code; they’re weaponizing trust. For many young gamers, the allure of an in-game advantage outweighs caution, and LofyGang is exploiting precisely that. It’s a textbook example of social engineering at scale, preying on the vulnerabilities of an audience that, while digitally savvy, may lack the maturity to discern genuine threats from tempting digital shortcuts.
The group, believed to have been active since late 2021, has a history. They were previously observed leveraging typosquatted packages on the npm registry in 2022, aiming to steal credit card data and user accounts for services like Discord Nitro, gaming platforms, and streaming services. They’ve also been active on platforms like GitHub and YouTube, even contributing to underground hacking communities under the alias DyPolarLofy, where they’ve leaked thousands of Disney+ and Minecraft accounts. This new campaign isn’t their first rodeo with Minecraft; it’s an escalation of a prior interest.
Acassio Silva, co-founder and head of threat intelligence at ZenoX, highlighted this continuity: “Minecraft has been a LofyGang target since 2022.” He elaborated on their past activities, mentioning the leak of thousands of Minecraft accounts under the DyPolarLofy alias on Cracked.io. The current campaign, however, represents a direct evolution, going after players with a fake ‘Slinky’ hack. It’s less about broad infrastructure compromise and more about a focused, high-volume assault.
From Supply Chain to Malware-as-a-Service
What makes this resurgence particularly noteworthy is the evolution in their business model. Historically, LofyGang’s primary vector was the JavaScript supply chain, involving npm package typosquatting, starjacking on GitHub (inflating a package’s apparent credibility by pointing it at a popular repository it has no real connection to), and embedding payloads in sub-dependencies to evade detection. Their focus was on Discord token theft, client modification for credit card interception, and exfiltrating data via webhooks, often abusing legitimate services like Discord, Repl.it, Glitch, GitHub, and Heroku as command-and-control (C2) infrastructure.
This latest development marks a significant departure. The group is now shifting towards a malware-as-a-service (MaaS) model. This isn’t just about selling access; it’s about offering tiered services, with both free and premium options available. Coupled with this is a bespoke builder called ‘Slinky Cracked,’ which acts as the delivery vehicle for the stealer malware. This is a critical strategic pivot. By offering a builder and tiered services, they’re lowering the barrier to entry for other aspiring cybercriminals, effectively amplifying their reach and impact without needing to execute every attack themselves.
The GitHub Gambit and The Trust Deficit
This pivot aligns with a broader trend of threat actors increasingly abusing platforms like GitHub. It’s become a go-to for hosting bogus repositories that lure victims into downloading malware families like SmartLoader, StealC Stealer, and Vidar Stealer. Techniques like SEO poisoning direct unsuspecting users to these deceptive sites. We’ve seen this pattern play out in various ways: fake security alerts for VS Code, spear-phishing emails leading to RATs hosted on GitHub, and even malicious OAuth applications designed to trick developers into granting access to their accounts.
“This infostealer campaign highlights an ongoing security challenge where widely trusted platforms are abused to distribute malicious payloads.”
Acronis accurately summarized this persistent issue: “By taking advantage of social trust and common download channels, threat actors are often able to bypass traditional security solutions.” LofyGang’s current strategy, with its direct social engineering approach within a popular gaming environment, is a prime example. They’re not just exploiting technical vulnerabilities; they’re exploiting human vulnerabilities, amplified by the digital spaces where trust is often assumed.
Why This Matters for Minecraft Players
For the millions of individuals who engage with Minecraft, this represents a heightened risk. The malware, once executed, deploys LofyStealer (disguised as ‘chromelevator.exe’) and runs it directly in memory. Its aim is to harvest a wide array of sensitive data across multiple web browsers—Chrome, Edge, Brave, Opera, Firefox, and even Avast Browser. This includes cookies, passwords, tokens, credit card details, and International Bank Account Numbers (IBANs), all of which are exfiltrated to a C2 server located at 24.152.36[.]241. The potential for identity theft and financial fraud is substantial.
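As an added example (not ZenoX’s or the article’s own code), a small defender-side triage script that applies the indicators from this paragraph to a constructed Sysmon-style process and network log and correlates them per process; the log format, field names and the file paths in the sample are assumptions.

```python
"""Triage constructed endpoint events against the LofyStealer indicators above.
Assumed input: JSON-lines events with 'event', 'pid', 'image' / 'dest_ip' fields."""
import json

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 24.152.36[.]241 back into a usable IP."""
    return ip.replace("[.]", ".")

# Indicators quoted in the article: the dropped stealer name and its C2 address.
SUSPECT_IMAGES = {"chromelevator.exe"}
C2_IPS = {refang("24.152.36[.]241")}

# Constructed sample log (raw string, so '\\' reaches json.loads as a JSON escape).
SAMPLE_LOG = r"""
{"event": "process_create", "pid": 4120, "image": "C:\\Users\\kid\\Downloads\\Slinky.exe", "parent": "explorer.exe"}
{"event": "process_create", "pid": 4188, "image": "C:\\Users\\kid\\AppData\\Local\\Temp\\chromelevator.exe", "parent": "Slinky.exe"}
{"event": "network_connect", "pid": 4188, "dest_ip": "24.152.36.241", "dest_port": 443}
{"event": "network_connect", "pid": 5001, "dest_ip": "142.250.80.46", "dest_port": 443}
{"event": "process_create", "pid": 6002, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "parent": "explorer.exe"}
"""

def scan_events(log_text: str) -> list[dict]:
    """Return one alert per suspicious pid; severity is 'high' when the same process
    shows both the known stealer image name and a connection to the known C2."""
    hits: dict[int, dict] = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["event"] == "process_create":
            # Normalise Windows/POSIX separators and compare the bare file name.
            name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPECT_IMAGES:
                hits.setdefault(pid, {"pid": pid, "reasons": []})["reasons"].append(
                    f"known stealer image name {name}")
        elif ev["event"] == "network_connect" and ev["dest_ip"] in C2_IPS:
            hits.setdefault(pid, {"pid": pid, "reasons": []})["reasons"].append(
                f"connection to known C2 {ev['dest_ip']}")
    alerts = []
    for pid, hit in sorted(hits.items()):
        hit["severity"] = "high" if len(hit["reasons"]) >= 2 else "medium"
        alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG):
        print(alert)
```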
LofyGang’s return, marked by a significant strategic shift from supply chain attacks to direct social engineering and a MaaS model, underscores the dynamic and often unpredictable nature of the cybercrime landscape. What was once a group known for one type of attack is now a more adaptable and potentially more dangerous entity. The days of relying solely on traditional signature-based detection against them are over; understanding their evolving tactics is now paramount.
Frequently Asked Questions
What is LofyStealer? LofyStealer is a new malware developed by the Brazilian cybercrime group LofyGang. It is designed to steal sensitive data from compromised computers, including browser cookies, passwords, and financial information.
How does LofyStealer spread? LofyStealer is being distributed through a fake Minecraft hack called ‘Slinky.’ The malware uses the official game icon to trick unsuspecting users into voluntarily executing it.
What kind of data does LofyStealer steal? The malware targets a wide range of sensitive information, including browser cookies, passwords, security tokens, credit card details, and International Bank Account Numbers (IBANs) from various web browsers.