Find notable cyber news and cases, enriched with sources, timelines, and signals.

LofyGang Minecraft LofyStealer campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The LofyGang crew has re-emerged with a Minecraft-player targeting operation that uses LofyStealer (GrabBot), increasing the risk of credential and payment-data theft in the gaming cohort. The lure disguises itself as a fake "Slinky" hack and uses the official game icon to prompt execution. The infection chain starts with a JavaScript loader that deploys chromelevator.exe in memory. Harvested cookies, passwords, tokens, cards, and IBANs are sent to a 24.152.36[.]241 command-and-control server.

Related Happenings

45.207.216[.]55 Langflow IDOR-and-RCE campaign

Campaign
First: 08.07.2026 08:33 Last: 08.07.2026 08:33 Sources 1

About this happening: A **sustained Langflow exploitation campaign** used **CVE-2026-55255** and **CVE-2026-33017** against an **internet-exposed instance**, combining reconnaissance, flow enumeration,...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
H score19 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
H score21 First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

Timeline

  1. 28.04.2026 20:39 2 articles · 2mo ago

    LofyGang resurfaces with Minecraft LofyStealer campaign

    Initial Disclosure

    LofyGang resurfaced after more than three years with a campaign against Minecraft players that used a fake 'Slinky' hack and the official game icon to prompt execution of a JavaScript loader, which deployed LofyStealer (aka GrabBot, 'chromelevator.exe') in memory and exfiltrated cookies, passwords, tokens, cards, and IBANs from browsers including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser to 24.152.36[.]241.

    Show sources