ZCyberNews

LofyGang Returns With Minecraft-Targeted LofyStealer Malware

Brazilian cybercrime group LofyGang resurfaces after three years with LofyStealer, a new info-stealer disguised as a Minecraft hack called 'Slinky' that targets player credentials…

Executive Summary

The Brazilian cybercrime group known as LofyGang has resurfaced after a three-year hiatus with a new information-stealing malware campaign targeting Minecraft players. According to a technical report from Brazil-based cybersecurity firm ZenoX, the malware — dubbed LofyStealer (also tracked as GrabBot) — is disguised as a Minecraft hack called 'Slinky' and uses the official game icon to trick users into voluntarily executing it. The campaign marks the group's first known operation since 2023.

Technical Analysis

LofyStealer is distributed as a malicious executable masquerading as a Minecraft modification or cheat tool. ZenoX researchers report that the malware leverages social engineering by adopting the game's official icon to appear legitimate. Once executed, LofyStealer harvests browser-stored credentials, session tokens, and cryptocurrency wallet data from the infected machine. The malware communicates with a command-and-control (C2) infrastructure to exfiltrate stolen data, though ZenoX did not disclose specific C2 IPs or domains in its public report.

The group's return after three years of inactivity is notable. LofyGang was previously active in the Brazilian cybercrime ecosystem, primarily targeting gaming communities and online users with credential stealers. The choice of Minecraft — a game with a massive global player base, including a significant number of younger users — suggests the group is aiming for volume over high-value targets.

Mitigations & Recommendations

Defenders and Minecraft players should treat any third-party mods or cheat tools with extreme skepticism, particularly those hosted on unofficial forums or file-sharing platforms. ZenoX recommends downloading game modifications only from trusted sources such as CurseForge or the official Minecraft Marketplace. Organizations with young gamers on home networks should consider endpoint detection and response (EDR) solutions that can flag executables masquerading as game binaries, and enforce application whitelisting where feasible.
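The following is an added example, not code from ZenoX or from the original article, sketching the kind of endpoint heuristic the recommendation above describes: it scores a process on where it runs from, whether it is signed, whether it carries a game-themed lure name, and whether it reads browser credential or wallet files without being a browser. The event schema, the file-name markers, the threshold and the sample telemetry are all assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed generic markers of browser credential/session stores and wallet files
# (well-known file names; none of these come from the ZenoX report).
SENSITIVE = re.compile(r"\\(login data|cookies|local state|logins\.json|key4\.db|wallet\.dat)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
LURE = re.compile(r"minecraft|slinky", re.I)  # lure names mentioned in the article

def score_process(proc, file_reads):
    """Return the list of suspicious traits for one process and the paths it read."""
    reasons = []
    name = ntpath.basename(proc["image"]).lower()
    if USER_WRITABLE.search(proc["image"]):
        reasons.append("runs from user-writable path")
    if not proc.get("signed", False):
        reasons.append("unsigned")
    if LURE.search(name) or LURE.search(proc.get("description", "")):
        reasons.append("game-themed name or description")
    hits = [p for p in file_reads if SENSITIVE.search(p)]
    if hits and name not in BROWSERS:
        reasons.append("non-browser read of %d credential/wallet file(s)" % len(hits))
    return reasons

def triage(events, threshold=3):
    """Group telemetry by pid and return processes with >= threshold traits."""
    procs, reads = {}, {}
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "file_read":
            reads.setdefault(ev["pid"], []).append(ev["path"])
    alerts = []
    for pid, proc in procs.items():
        reasons = score_process(proc, reads.get(pid, []))
        if len(reasons) >= threshold:
            alerts.append({"pid": pid, "image": proc["image"], "reasons": reasons})
    return alerts

# Constructed sample telemetry (hypothetical schema, not real campaign data).
SAMPLE = [
    {"type": "process_create", "pid": 100, "image": r"C:\Users\kid\Downloads\Slinky.exe", "signed": False, "description": "Minecraft"},
    {"type": "file_read", "pid": 100, "path": r"C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 100, "path": r"C:\Users\kid\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "process_create", "pid": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True, "description": "Google Chrome"},
    {"type": "file_read", "pid": 200, "path": r"C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "pid": 300, "image": r"C:\Users\kid\Downloads\installer.exe", "signed": False, "description": "Setup"},
]
```

Calling `triage(SAMPLE)` flags only the game-themed process that reads the browser stores; the browser itself and the unrelated unsigned installer stay below the threshold.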
