Brazil’s LofyGang Resurfaces After Three Years With Lofystealer’s Minecraft Campaign

A homegrown Brazilian cybercriminal group has resurfaced after more than three years to orchestrate a campaign targeting Minecraft players with a new piece of malware called LofyStealer (GrabBot).
“The malware disguises itself as a Minecraft hack called ‘Slinky,’” Brazilian cybersecurity firm ZenoX said in a technical report. “It uses a legitimate game icon to cause voluntary execution, exploiting the trust of young users in the gaming environment.”
The activity has been attributed with high confidence to a threat actor known as LofyGang, which was observed in 2022 using typosquatted packages in the npm registry to push stealer malware aimed at siphoning credit card data and user accounts associated with Discord Nitro, games, and streaming services.
The group, believed to have been active since late 2021, advertises its tools and services on platforms such as GitHub and YouTube, while also contributing to a hacking community under the name DyPolarLofy, leaking thousands of Disney+ and Minecraft accounts.
“Minecraft has been targeted by the LofyGang since 2022,” Acassio Silva, founder and head of threat intelligence at ZenoX, told The Hacker News. “They leaked thousands of Minecraft accounts under the alias DyPolarLofy on Cracked.io. The current campaign is going after Minecraft players directly with a fake ‘Slinky’ hack.”
The attack starts with a Minecraft hack that, when launched, triggers a JavaScript loader that is ultimately responsible for delivering LofyStealer (“chromelevator.exe”) to compromised hosts and executing it directly in memory, with the aim of harvesting a wide range of sensitive data from multiple web browsers, including Google Chrome, Microsoft Opera, Opera G, Chrome Beta, Firefox, and Avast Browser.
Captured data, including cookies, passwords, tokens, cards, and International Bank Account Numbers (IBANs), is transmitted to a command-and-control server (C2) located at 24.152.36[.]241.
“Historically, the group’s main vector was the JavaScript supply chain: NPM package typosquatting, starjacking (faking references to official GitHub repositories to increase credibility), and payloads embedded in minimal dependencies to avoid detection,” ZenoX said.
“The focus was on Discord token theft, modification of the Discord client to block a credit card, and hacking with webhooks that abuse legitimate services (Discord, Repl.it, Glitch, GitHub, and Heroku) as C2.”
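The starjacking technique described above, where a package's manifest points at a reputable GitHub repository it has nothing to do with, can be caught by checking that the declared repository actually carries a package.json with the same name. The following check is an added example, not ZenoX's or the group's code; every package name, repository slug and manifest below is constructed, and the dictionaries stand in for the npm registry and GitHub lookups a real implementation would perform.

```python
"""Starjacking check: does an npm package's declared repository really
contain a package.json with the same name?  All data here is constructed."""
import re
from urllib.parse import urlparse

# Constructed npm registry metadata (shape of `npm view <pkg> --json`).
CONSTRUCTED_NPM_METADATA = {
    "colors": {"name": "colors",
               "repository": {"type": "git",
                              "url": "git+https://github.com/example-org/colors.git"}},
    "colorss": {"name": "colorss",  # typosquat whose manifest borrows the real repo
                "repository": {"type": "git",
                               "url": "https://github.com/example-org/colors"}},
    "discord-utils": {"name": "discord-utils",
                      "repository": "github:example-org/discord-utils"},
    "ghost-pkg": {"name": "ghost-pkg",
                  "repository": "https://github.com/example-org/does-not-exist"},
    "no-repo-pkg": {"name": "no-repo-pkg"},
}

# Constructed "name" field of each repository's root package.json, standing in
# for a fetch of the raw file from GitHub.
CONSTRUCTED_REPO_PACKAGE_NAMES = {
    "example-org/colors": "colors",
    "example-org/discord-utils": "discord-utils",
}

def github_slug(repository):
    """Normalise npm's repository spellings (dict, git+https URL, github: shorthand)
    to a lower-case 'owner/repo' slug, or None when it is not a GitHub repo."""
    if isinstance(repository, dict):
        repository = repository.get("url", "")
    if not isinstance(repository, str):
        return None
    if repository.startswith("github:"):
        return repository[len("github:"):].removesuffix(".git").lower()
    parsed = urlparse(re.sub(r"^git\+", "", repository))
    if parsed.netloc.lower() != "github.com":
        return None
    parts = parsed.path.strip("/").removesuffix(".git").split("/")
    return f"{parts[0]}/{parts[1]}".lower() if len(parts) >= 2 else None

def starjacking_verdict(pkg_name, registry=CONSTRUCTED_NPM_METADATA,
                        repo_names=CONSTRUCTED_REPO_PACKAGE_NAMES):
    """Return 'ok', 'no-repository', 'unknown-repo' or 'starjacked'."""
    slug = github_slug(registry[pkg_name].get("repository"))
    if slug is None:
        return "no-repository"
    repo_pkg = repo_names.get(slug)
    if repo_pkg is None:
        return "unknown-repo"
    return "ok" if repo_pkg == pkg_name else "starjacked"
```

A 'starjacked' or 'unknown-repo' verdict is a reason to inspect the package before installing it, not proof of malice by itself, since forks and monorepos legitimately break the name match.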
The latest development marks a departure from previously seen commercial operations and a shift to a malware-as-a-service (MaaS) model with free and premium tiers, with a hack called Slinky Cracked serving as the delivery vehicle for the stealer.

The disclosure comes as malicious actors increasingly abuse the trust associated with platforms like GitHub by hosting fake repositories that serve as lures for malware families like SmartLoader, StealC Stealer, and Vidar Stealer. Unwary users are directed to these repositories using techniques such as SEO poisoning.
In some cases, attackers were found to be spreading Vidar 2.0 via Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivered a ZIP archive containing the malware.
“This infostealer campaign highlights the ongoing security challenge when trusted platforms are misused to distribute malicious payloads,” Acronis said in an analysis published last month. “By exploiting public trust and common download channels, malicious actors are often able to bypass traditional security solutions.”
The findings add to a growing list of campaigns that have abused GitHub in recent months –
- A campaign that targeted developers directly within GitHub, using fake Microsoft Visual Studio Code (VS Code) security alerts posted via GitHub Discussions to trick users into installing malware by clicking a link. “Because GitHub Discussions initiates email notifications to contributors and viewers, these posts are sent directly to developers’ inboxes,” said Socket. “This extends the campaign’s reach beyond GitHub itself and makes the alerts appear legitimate.”
- A campaign that targeted Argentine judicial systems using phishing emails to distribute a ZIP archive containing a batch script that fetches a remote access trojan (RAT) hosted on GitHub.
- The creation of GitHub accounts and OAuth applications, followed by the opening of an issue that mentions the target developers; this triggers an email notification that tricks them into authorizing the OAuth application, effectively allowing the attacker to obtain their access tokens. The issues aim to induce a false sense of urgency by alerting users to unusual access attempts.
- Fraudulent GitHub repositories used to distribute malicious batch script installers masquerading as legitimate IT and security software, leading to the deployment of the TookPS downloader, which initiates a multi-stage infection chain to gain persistent remote access using SSH reverse tunnels and RATs such as MineBridge RAT (aka TeviRAT). The activity has been attributed to Rift Brigantine (aka FIN11, Graceful Spider, and TA505).
- Fake GitHub repositories masquerading as AI tools, game cheats, Roblox scripts, phone number location trackers, and VPN crackers used to distribute LuaJIT payloads that function as a trojan, as part of a campaign called TroyDen’s Lure Factory.
“The breadth of the lure factory – game cheats, developer tools, phone trackers, Roblox scripts, VPN crackers – suggests an actor who amplifies the volume to all audiences rather than targeting precisely,” Netskope said.
“Defenders should treat any GitHub-hosted download that pairs a renamed translator with a flash data file as a high-priority termination candidate, regardless of how legitimate the surrounding repository looks.”