LofyGang Returns with Minecraft-Themed LofyStealer Campaign Targeting Gamers
Summary
The Brazilian cybercrime group LofyGang has re-emerged after a three-year hiatus with a targeted campaign against Minecraft players using a new infostealer named LofyStealer (also tracked as GrabBot). The campaign delivers the stealer through a trojanized Minecraft hack tool called 'Slinky', which uses the official game’s icon to deceive victims, particularly young users familiar with the gaming ecosystem. Once the tool is executed, LofyStealer (chromelevator.exe) is deployed in memory and harvests sensitive data from multiple browsers, including stored passwords, cookies, tokens, credit card details, and International Bank Account Numbers (IBANs). The exfiltrated data is sent to a command-and-control (C2) server located at 24.152.36[.]241. The group’s tactics have evolved to include a malware-as-a-service (MaaS) model with free and premium tiers, alongside a custom builder (Slinky Cracked) for payload delivery. This shift marks a significant departure from their historical focus on JavaScript supply chain attacks, such as npm package typosquatting and dependency hijacking, which previously targeted Discord tokens and gaming-related credentials.
Timeline
- 28.04.2026 20:39 · 1 article
LofyStealer Campaign Targets Minecraft Players via Trojanized 'Slinky' Hack Tool
LofyGang has resumed operations after a three-year hiatus with a campaign distributing LofyStealer (chromelevator.exe) to Minecraft players. The attack begins with a trojanized Minecraft hack tool named 'Slinky,' which uses the official game’s icon to deceive victims. Upon execution, a JavaScript loader delivers the stealer payload in memory, harvesting sensitive data from multiple browsers. The malware exfiltrates collected data to a C2 server at 24.152.36[.]241. The campaign introduces a MaaS model with free and premium tiers and a custom builder (Slinky Cracked) for payload delivery.
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
Information Snippets
- LofyGang’s LofyStealer targets Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser to extract cookies, passwords, tokens, credit card data, and IBANs.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- The malware is delivered via a fake Minecraft hack tool named 'Slinky,' which uses the official game icon to increase credibility and induce voluntary execution.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- Exfiltrated data is sent to a C2 server at 24.152.36[.]241, with previous campaigns using legitimate services (Discord, Repl.it, Glitch, GitHub, Heroku) as intermediary C2 channels.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- LofyGang has historically used npm package typosquatting, starjacking, and dependency hijacking to distribute malware, focusing on Discord token theft and credit card interception via client modifications.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- The group has advertised tools and services on GitHub and YouTube, while also leaking thousands of Minecraft and Disney+ accounts under the alias DyPolarLofy on platforms like Cracked.io.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
- The current campaign introduces a MaaS model with free and premium tiers, along with a bespoke builder named Slinky Cracked for deploying the stealer.
First reported: 28.04.2026 20:39 · 1 source, 1 article
Sources:
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign — thehackernews.com — 28.04.2026 20:39
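
Detection logic for the browser targeting and C2 details reported above, added here as an example and not taken from the source article or any vendor tooling: it flags the reported C2 address and file name, and separates a single foreign read of a browser credential store from a sweep across several of the listed browsers. The Windows profile paths, owning executable names, event schema and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

C2_IP = "24.152.36[.]241".replace("[.]", ".")  # C2 from the page, refanged
STEALER_IMAGE = "chromelevator.exe"            # stealer file name from the page
# Assumption: default Windows profile paths and owning executables of the
# browsers the page lists; adjust to your fleet.
BROWSER_STORES = {
    r"\google\chrome\user data": "chrome.exe",
    r"\google\chrome beta\user data": "chrome.exe",
    r"\microsoft\edge\user data": "msedge.exe",
    r"\bravesoftware\brave-browser\user data": "brave.exe",
    r"\opera software\opera stable": "opera.exe",
    r"\opera software\opera gx stable": "opera.exe",
    r"\mozilla\firefox\profiles": "firefox.exe",
    r"\avast software\browser\user data": "avastbrowser.exe",
}
# Files holding passwords, cookies, cards/IBANs and the decryption keys.
SENSITIVE = re.compile(r"\\(login data|cookies|web data|local state|logins\.json|key4\.db|cookies\.sqlite)$")

def triage(events, sweep_threshold=2):
    """Return a sorted list of (finding, process image) for EDR-style events."""
    findings, touched = set(), defaultdict(set)
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image == STEALER_IMAGE:
            findings.add(("ioc-image-name", image))
        if ev["type"] == "net" and ev["dest_ip"] == C2_IP:
            findings.add(("ioc-c2-connection", image))
        if ev["type"] == "file" and SENSITIVE.search(ev["path"].lower()):
            for store, owner in BROWSER_STORES.items():
                if store in ev["path"].lower() and image != owner:
                    touched[image].add(store)
    for image, stores in touched.items():
        kind = "multi-browser-sweep" if len(stores) >= sweep_threshold else "foreign-store-read"
        findings.add((kind, image))
    return sorted(findings)

# Constructed sample telemetry (hypothetical user, loader and backup tool names).
A, L = r"C:\Users\alex\AppData", r"C:\Users\alex\Downloads\loader.exe"
SAMPLE = [
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": A + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": L, "path": A + r"\Local\Microsoft\Edge\User Data\Default\Web Data"},
    {"type": "file", "image": L, "path": A + r"\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"type": "net", "image": L, "dest_ip": C2_IP},
    {"type": "file", "image": r"C:\Tools\backup.exe",
     "path": A + r"\Local\BraveSoftware\Brave-Browser\User Data\Local State"},
]
```

Because the page reports in-memory deployment, the image-name match is the weakest of the three signals; the store-access findings do not depend on a file name, but backup and security products will also trigger them and need allow-listing.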