A Brazilian cybercrime group known as LofyGang has resurfaced after more than three years with a Minecraft-targeting campaign that delivers a new infostealer called LofyStealer (also known as GrabBot). The malware disguises itself as a Minecraft hack named “Slinky” and uses the official game icon to entice users to run it, with ZenoX describing the approach as exploiting young gamers’ trust in the scene.
The campaign marks a shift towards a malware-as-a-service model and incorporates a bespoke builder called Slinky Cracked, which is used to deliver the stealer. The group is linked to prior activity including typosquatted npm packages and large-scale account leaks under the DyPolarLofy alias. According to ZenoX, the loader is deployed in memory to harvest data from multiple browsers, and cookies, passwords, tokens, cards and IBANs are exfiltrated to a C2 server at 24.152.36[.]241.
Acassio Silva of ZenoX notes that Minecraft accounts were leaked previously under DyPolarLofy, and the current operation targets players directly through the fake Slinky hack.