LofyGang Minecraft LofyStealer campaign
Campaign
Summary
The LofyGang crew has re-emerged with an operation targeting Minecraft players that uses LofyStealer (GrabBot), increasing the risk of credential and payment-data theft in the gaming cohort. The lure disguises itself as a fake "Slinky" hack and uses the official game icon to prompt execution. The infection chain starts with a JavaScript loader that deploys chromelevator.exe in memory. Harvested cookies, passwords, tokens, cards, and IBANs are sent to a command-and-control server at 24.152.36[.]241.
Related Happenings
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
DEEP#DOOR Python backdoor framework
Malware Activity
First: 30.04.2026 15:36
Last: 30.04.2026 15:36
Sources 1
About this happening:
**DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
Timeline
28.04.2026 20:39 2 articles · 29d ago
LofyGang resurfaces with Minecraft LofyStealer campaign
Initial Disclosure: LofyGang resurfaced after more than three years with a campaign against Minecraft players that used a fake 'Slinky' hack and the official game icon to prompt execution of a JavaScript loader, which deployed LofyStealer (aka GrabBot, 'chromelevator.exe') in memory and exfiltrated cookies, passwords, tokens, cards, and IBANs from browsers including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser to 24.152.36[.]241.
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39