Full Report
A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new stealer called LofyStealer (aka GrabBot). "The malware disguises itself as a Minecraft hack called 'Slinky,'" Brazil-based cybersecurity company ZenoX said in a technical report. "It uses the official game icon to induce voluntary execution,
Analysis Summary
# Threat Actor: LofyGang
## Attribution & Identity
* **Actor Name:** LofyGang
* **Aliases:** DyPolarLofy (used on underground forums like Cracked.io)
* **Origin:** Brazil
* **Associations:** Linked to a broader underground hacking community; currently evolving into a Malware-as-a-Service (MaaS) provider.
## Activity Summary
LofyGang has resurfaced after a three-year hiatus (active since late 2021) to launch a new campaign targeting the Minecraft gaming community. The current operation uses a fake Minecraft game modification/hack called "Slinky" to distribute a new information stealer dubbed **LofyStealer** (also known as **GrabBot**). The group has shifted from its previous focus on supply chain attacks to direct-to-user social engineering and a tiered MaaS business model.
## Tactics, Techniques & Procedures
* **Social Engineering:** Disguising malware as legitimate game "hacks" or cheats, employing the official Minecraft icon to gain user trust.
* **Supply Chain Attacks (Historical):** Typosquatting npm registry packages, "starjacking" (faking GitHub repository popularity), and embedding payloads in sub-dependencies.
* **Defense Evasion:** Executing payloads ("chromelevator.exe") directly in memory to avoid disk-based detection.
* **Malware Distribution:** Using a bespoke builder called "Slinky Cracked" to generate infectious payloads.
* **Infrastructure Abuse:** Historically leveraged legitimate services including Discord webhooks, Repl.it, Glitch, GitHub, and Heroku for C2 and data exfiltration.
* **Credential Stuffing/Leaking:** Posting stolen account databases (Disney+, Minecraft) on community forums.
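The typosquatting technique listed above can be caught early with a lookalike check on a project's dependency manifest. The following is an added illustrative example (not ZenoX's tooling or anything LofyGang published): it compares every dependency in a `package.json` against a small constructed list of well-known package names, flagging separator/case variants and names within a short edit distance. The package list and the sample manifest are constructed for the example; a real check would use registry download rankings.

```python
"""Heuristic typosquat check for npm dependencies (added example, not from the report)."""
import json
import re

# Constructed sample of well-known package names. In practice, source this
# from download-ranked registry data rather than a hand-written set.
POPULAR_PACKAGES = {
    "lodash", "express", "react", "axios", "colors", "chalk", "discord.js", "request",
}

# Constructed package.json with two lookalike names mixed in.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.0", "lodahs": "^4.17.0", "discord_js": "*"},
    "devDependencies": {"left-pad": "1.3.0"},
})


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Collapse separators and case so 'discord_js' compares equal to 'discord.js'."""
    return re.sub(r"[-_.]", "", name.lower())


def suspicious_packages(package_json: str, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (dependency, lookalike, reason) for names close to, but not equal to,
    a popular package. Exact matches are trusted; short names are skipped to
    avoid noise from legitimately similar tiny package names."""
    doc = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(doc.get(section, {}))

    findings = []
    for dep in sorted(deps):
        if dep in popular:
            continue
        n = normalize(dep)
        if len(n) < 4:
            continue
        for p in sorted(popular):
            target = normalize(p)
            if n == target:
                findings.append((dep, p, "separator/case variant"))
                break
            d = levenshtein(n, target)
            if d <= max_distance:
                findings.append((dep, p, f"edit distance {d}"))
                break
    return findings


if __name__ == "__main__":
    for dep, lookalike, reason in suspicious_packages(SAMPLE_PACKAGE_JSON):
        print(f"REVIEW {dep!r}: resembles {lookalike!r} ({reason})")
```

Run it against a real manifest by passing the file contents to `suspicious_packages`; hits are review items, not verdicts, since legitimate forks and scoped packages also produce near-miss names.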
## Targeting
* **Sectors:** Gaming, Software Development (via npm/GitHub), and General Consumers.
* **Geography:** Global (with a strong presence/origin in Brazil).
* **Victims:** Specifically Minecraft players, Discord users (targeting Nitro accounts), and users of streaming services like Disney+.
## Tools & Infrastructure
* **Malware Families:**
  * **LofyStealer (GrabBot):** An infostealer targeting browser data (Chrome, Edge, Brave, Opera, Firefox, Avast).
  * **Slinky Cracked:** A bespoke malware builder.
* **Infrastructure:**
  * **C2 IP Address:** 24.152.36[.]241
  * **Exfiltration Channels:** Historically Discord webhooks.
  * **Hosting:** GitHub and YouTube for advertising and tool hosting.
## Implications
LofyGang represents a persistent threat that has successfully transitioned from niche supply chain attacks to an organized Malware-as-a-Service model. Its ability to weaponize social trust among younger demographics (gamers) and developers indicates a high level of adaptability. The shift to memory-resident execution suggests increased technical sophistication intended to bypass standard antivirus solutions.
## Mitigations
* **User Education:** Warn users against downloading "cracks," "cheats," or "hacks" for video games from unofficial sources (GitHub, YouTube links, or forums).
* **Browser Security:** Implement strict policies regarding browser extension installations and enforce multi-factor authentication (MFA) to mitigate the impact of stolen cookies and passwords.
* **Network Monitoring:** Monitor for unauthorized outbound traffic to known exfiltration points or the identified C2 IP (24.152.36[.]241).
* **Supply Chain Controls:** For developers, implement dependency scanning and verify npm package signatures to prevent typosquatting infections.
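The network-monitoring mitigation above can be turned into a concrete check. The following is an added example (not ZenoX's code): it refangs the C2 IP as the report prints it, then scans firewall/proxy log lines for connections to that address and for POSTs to Discord webhook URLs, the exfiltration channel the report attributes to the group historically. The log format and all log lines are constructed for the example (private source addresses and RFC 5737 documentation ranges for other destinations); the only value taken from the report is the C2 IP.

```python
"""Scan log lines for the report's C2 IP and Discord-webhook exfiltration
(added example, not from the report or the ZenoX analysis)."""
import re

DEFANGED_C2 = "24.152.36[.]241"  # as printed in the report


def refang(ioc: str) -> str:
    """Convert common defanging ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(DEFANGED_C2)}

# Discord webhooks are a legitimate feature; treating a POST to one as a signal
# assumes (stated assumption) that nothing in the monitored environment should
# normally be posting to them.
WEBHOOK_RE = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\d+/")

# Constructed key=value log format: a firewall or proxy line with at least
# src= and dst=, optionally method= and url= on proxy lines.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: method=(?P<method>\S+))?(?: url=(?P<url>\S+))?"
)

# Constructed sample lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOGS = [
    "2025-01-10T12:00:01Z fw src=10.1.2.3 dst=203.0.113.10 dport=443 action=allow",
    "2025-01-10T12:00:02Z fw src=10.1.2.3 dst=24.152.36.241 dport=443 action=allow",
    "2025-01-10T12:00:03Z proxy src=10.1.2.9 dst=198.51.100.7 method=POST "
    "url=https://discord.com/api/webhooks/1234567890/abcdefghij action=allow",
    "2025-01-10T12:00:04Z proxy src=10.1.2.9 dst=198.51.100.7 method=GET "
    "url=https://discord.com/channels/@me action=allow",
    "malformed line with no fields",
]


def scan(lines):
    """Return (source_host, rule, matched_value) tuples, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the expected fields
        if m["dst"] in C2_IPS:
            alerts.append((m["src"], "c2-ip", m["dst"]))
        url = m["url"]
        if url and m["method"] == "POST" and WEBHOOK_RE.match(url):
            alerts.append((m["src"], "discord-webhook-post", url))
    return alerts


if __name__ == "__main__":
    for src, rule, value in scan(SAMPLE_LOGS):
        print(f"ALERT {rule}: {src} -> {value}")
```

Feed real lines to `scan` one at a time from a log tail; the webhook rule keys on POSTs so ordinary browsing of discord.com does not fire it, and both rules are indicators to triage, not proof of compromise on their own.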