LofyGang Minecraft LofyStealer campaign
Campaign
Summary
Hide ▲
Show ▼
The LofyGang crew has re-emerged with a Minecraft-player targeting operation that uses LofyStealer (GrabBot), increasing the risk of credential and payment-data theft in the gaming cohort. The lure disguises itself as a fake "Slinky" hack and uses the official game icon to prompt execution. The infection chain starts with a JavaScript loader that deploys chromelevator.exe in memory. Harvested cookies, passwords, tokens, cards, and IBANs are sent to a 24.152.36[.]241 command-and-control server.
Related Happenings
45.207.216[.]55 Langflow IDOR-and-RCE campaign
Campaign
First: 08.07.2026 08:33
Last: 08.07.2026 08:33
Sources 1
About this happening:
A **sustained Langflow exploitation campaign** used **CVE-2026-55255** and **CVE-2026-33017** against an **internet-exposed instance**, combining reconnaissance, flow enumeration,...
45.207.216[.]55 Langflow IDOR-and-RCE campaign
CampaignAbout this happening: A **sustained Langflow exploitation campaign** used **CVE-2026-55255** and **CVE-2026-33017** against an **internet-exposed instance**, combining reconnaissance, flow enumeration,...
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
H score19
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical AnalysisAbout this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
H score21
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
REMUS infostealer browser-session and password-manager collection expansion
Malware ActivityAbout this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Timeline
-
28.04.2026 20:39 2 articles · 2mo ago
LofyGang resurfaces with Minecraft LofyStealer campaign
Initial DisclosureLofyGang resurfaced after more than three years with a campaign against Minecraft players that used a fake 'Slinky' hack and the official game icon to prompt execution of a JavaScript loader, which deployed LofyStealer (aka GrabBot, 'chromelevator.exe') in memory and exfiltrated cookies, passwords, tokens, cards, and IBANs from browsers including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser to 24.152.36[.]241.
Show sources
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39