The reappearance of a Brazilian cybercrime group known as LofyGang poses a serious risk that combines social engineering aimed at young players with increasingly industrialized distribution techniques: the campaign detected by ZenoX uses a new infostealer called LofyStealer (also identified as GrabBot) and camouflages it as a supposed Minecraft cheat called "Slinky," using the game's official icon to induce the victim to run a malicious file voluntarily.
What stands out is not just the malware itself, but the change in the economy and logistics of the attack. After years focused on the JavaScript supply chain - typosquatting in npm, starjacking in GitHub and sub-dependencies with hidden payloads - the actor has moved towards a model similar to malware-as-a-service, with free and paid tiers and a builder ("Slinky Cracked") that simplifies delivery of the stealer. Execution starts with a JavaScript loader that drops an executable referred to as "chromelevator.exe" and runs code in memory to collect cookies, credentials, tokens, cards and even IBANs, which are then exfiltrated to a command and control (C2) server identified as 24.152.36[.]241.

This tactic exploits two sociotechnical vectors: trust in the brand (Minecraft) and the willingness of young audiences to download hacks or cheats. When the lure combines a legitimate appearance with an apparently harmless installer, many traditional security solutions can fail, especially if the loader runs code in memory or uses legitimate services as intermediaries to exfiltrate data. In addition, the professionalization of operations - with builders, marketplaces and support - lowers the entry barrier for other criminals seeking to monetize game credentials, streaming accounts and cards.
For players and parents, the first lesson is practical and urgent: do not download or run hacks, cracks or tools that promise in-game advantages from unverified sources. If an offer seems too good to be true or requires disabling system protections to install, that is a clear warning sign. Minecraft, Discord and associated platform accounts should have multifactor authentication enabled, active sessions and devices should be reviewed from each service's security settings, and suspicious tokens should be revoked immediately.
On home computers and networks, it is recommended not to play using accounts with administrative privileges; running the game under a restricted user or even in a virtual machine reduces the impact of an infection. If a stealer infection is suspected, it is wise to isolate the machine from the network, change credentials from a clean device and monitor bank accounts, cards and any fraudulent use of services. Tools like VirusTotal can offer a first check of suspicious files, although attackers who run code in memory can evade many static analyses.
For developers, repository administrators and platform defenders, the lesson is that there is no implicit trust in a repository or an executable just because it is hosted on GitHub or another popular platform. Attackers abuse legitimate features - issues, discussions that generate email notifications, OAuth and apparently legitimate accounts - to expand their reach. It is essential to strengthen code review processes, enable typosquatting monitoring and automate alerts for unusual changes in packages or in the activity of accounts that contribute to popular projects.
Organizations should complement digital hygiene with technical protections: EDR and detection solutions with visibility into in-memory execution, domain filtering and reputation services to block communications to known C2 servers, blocking policies for well-known executables that launch interpreters from opaque files, and OAuth reviews to avoid unnoticed authorizations that grant permanent tokens. In addition, code signing and integrity verification reduce the risk that a legitimate binary will be replaced or distributed with additional payloads.
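The typosquatting monitoring mentioned above can be approximated with a small script that compares newly published package names against a list of popular ones and flags near-collisions. The following is an added example, not tooling from ZenoX or from the campaign; the package lists are constructed, and the distance threshold (one edit, counting adjacent transpositions) is an assumption a registry or a CI job would tune to its own false-positive tolerance.

```python
"""Flag new package names that are one edit away from a popular package.

Added example, not part of the article or of any registry's tooling.
Uses optimal string alignment distance (Levenshtein plus adjacent transpositions)
over names normalized by dropping the npm scope and '-', '_' and '.' separators,
so 'lo-dash' and 'lodahs' both collide with 'lodash'."""
import re

# Constructed lists; a real deployment would pull these from the registry.
POPULAR = ["lodash", "express", "colors", "chalk"]
NEW_NAMES = ["lodahs", "expres", "lo-dash", "react", "colours"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def normalize(name: str) -> str:
    """Lowercase, strip an npm scope ('@org/pkg' -> 'pkg') and separator characters."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[-_.]", "", name)


def typosquat_candidates(new_names, popular, max_distance=1):
    """Return (candidate, popular_target, distance) for every suspicious new name.

    An exact match is the genuine package and is skipped; distance 0 after
    normalization means the name differs only in separators or scope."""
    hits = []
    for cand in new_names:
        if cand in popular:
            continue
        norm_cand = normalize(cand)
        for target in popular:
            dist = osa_distance(norm_cand, normalize(target))
            if dist <= max_distance:
                hits.append((cand, target, dist))
    return hits


if __name__ == "__main__":
    for cand, target, dist in typosquat_candidates(NEW_NAMES, POPULAR):
        print(f"suspicious: {cand!r} looks like {target!r} (distance {dist})")
```

In a pipeline this check runs on each newly published name (or each new dependency in a lockfile) and routes hits to human review rather than blocking outright, since legitimate forks and forks' renames also land within one edit of their upstream.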
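As an added illustration of the detection side of these protections, the script below applies three rules to constructed endpoint telemetry: a script interpreter spawning a freshly dropped executable from a user-writable directory (the loader behaviour described in the article), a process name on a watchlist, and an outbound connection to a known C2 address. This is example code, not a product rule set; the event lines are made up in a Sysmon-like JSON shape, and the only indicators used are the executable name and the C2 address quoted in the article.

```python
"""Toy detection rules for a LofyStealer-style loader chain.

Added example; the telemetry lines are constructed and the indicators
(chromelevator.exe, 24.152.36[.]241) are the ones quoted in the article."""
import json

# Indicators kept defanged at rest; refanged only at match time.
KNOWN_C2 = {"24.152.36[.]241"}
WATCHED_BINARIES = {"chromelevator.exe"}
# Script hosts that rarely have a legitimate reason to spawn new executables
# out of temp or download folders (assumed list, adjust per environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "node.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")

# Constructed events: JS loader runs chromelevator.exe from %TEMP%, it beacons
# to the C2, then two benign events (the real launcher, a game server session).
SAMPLE_EVENTS = [
    r'{"type":"process","parent_image":"C:\\Windows\\System32\\wscript.exe",'
    r'"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\chromelevator.exe"}',
    r'{"type":"network","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\chromelevator.exe",'
    r'"dest_ip":"24.152.36.241","dest_port":443}',
    r'{"type":"process","parent_image":"C:\\Windows\\explorer.exe",'
    r'"image":"C:\\Program Files (x86)\\Minecraft Launcher\\MinecraftLauncher.exe"}',
    r'{"type":"network","image":"C:\\Program Files\\Java\\bin\\javaw.exe",'
    r'"dest_ip":"203.0.113.5","dest_port":25565}',
]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def basename(path: str) -> str:
    """Last path component, lowercased, for both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    alerts = []
    if ev["type"] == "process":
        parent = basename(ev["parent_image"])
        image = basename(ev["image"])
        image_path = ev["image"].lower()
        if image in WATCHED_BINARIES:
            alerts.append("watchlist_binary")
        if parent in SCRIPT_HOSTS and any(d in image_path for d in USER_WRITABLE_DIRS):
            alerts.append("script_host_spawned_dropped_exe")
    elif ev["type"] == "network":
        if ev["dest_ip"] in {refang(c) for c in KNOWN_C2}:
            alerts.append("known_c2_connection")
    return alerts


def scan(lines) -> list:
    """Parse JSON event lines and collect (rule, process_name) findings in order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.append((rule, basename(ev["image"])))
    return findings


if __name__ == "__main__":
    for rule, proc in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {proc}")
```

The watchlist and C2 rules are brittle by design (a renamed binary or a new server defeats them), which is why the parent/child rule matters most: it describes the loader's behaviour rather than its current name, and the same logic transfers to an EDR query or a SIEM correlation rule.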

On a broader level, the phenomenon illustrates why trust in centralized platforms should be combined with technical controls and literacy: code repositories and public forums are powerful tools for collaboration, but they have also become distribution vectors for malware families like SmartLoader, StealC, Vidar and now LofyStealer. The companies operating these platforms, together with the security community, should accelerate detection and remediation of malicious content, improve trust signals and provide effective reporting mechanisms.
To explore the implications of these campaigns and how to protect against them in more depth, it is useful to consult journalistic analysis and security guides; general reference sources include reports and specialized news outlets such as The Hacker News and good-practice documentation on development platforms such as GitHub Code Security, as well as community security resources and organisations such as OWASP for specific mitigation controls.
The reappearance of LofyGang reminds us that the threat is both technical and human: combating it requires updating tools, hardening processes and, above all, educating the communities of players and developers so that they do not normalize the download of software from dubious sources. In cybersecurity, the combination of technical prevention and social awareness remains the most effective defence.