"The malware disguises itself as a Minecraft hack called 'Slinky,'" Brazil-based cybersecurity company ZenoX said in a technical report.
LofyGang returns after three years with a familiar focus
ZenoX has attributed a renewed campaign to LofyGang, a Brazil-origin threat actor it says resurfaced after a gap of more than three years. The group is "believed to be active since late 2021" and, according to ZenoX and reporting in The Hacker News, has a documented history of targeting gaming communities and digital entertainment services. Under the alias DyPolarLofy, the actor previously leaked thousands of Disney+ and Minecraft accounts on Cracked.io, and in 2022 used typosquatted npm packages to distribute stealer malware aimed at siphoning payment and account data.
How LofyStealer (aka GrabBot / chromelevator.exe) infects victims
ZenoX lays out a compact infection chain built on social engineering of Minecraft players. The lure is a fake Minecraft hack called "Slinky" that carries the official game icon so the victim runs it willingly. Launching it triggers a JavaScript loader, which in turn deploys a stealer tracked as LofyStealer (aka GrabBot); the stealer appears on infected systems under the name "chromelevator.exe" and is run directly in memory. Because the stealer itself is executed in memory rather than dropped as a file to be scanned, the observable artifacts are the lure executable, the loader's interpreter, the process name, and the network traffic the stealer generates.
The malware harvests a broad set of credentials and financial artifacts from multiple browsers: Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser. ZenoX reported the captured items include cookies, passwords, tokens, cards, and International Bank Account Numbers (IBANs). Collected data is exfiltrated to a command-and-control (C2) server at 24.152.36[.]241 (written defanged here).
Tradecraft shift: from JavaScript supply-chain abuse to malware-as-a-service
Historically, ZenoX says LofyGang relied on JavaScript supply-chain abuse — npm typosquatting, starjacking to inflate credibility, and payloads embedded in sub-dependencies — with a focus on Discord token theft and client modification to intercept credit card data. Exfiltration was often performed via abused legitimate services, including Discord webhooks, Repl.it, Glitch, GitHub, and Heroku.
The current campaign marks a departure toward a malware-as-a-service (MaaS) model. ZenoX describes free and premium tiers and a bespoke builder called Slinky Cracked that functions as the delivery vehicle for the stealer. That pivot suggests an intent to scale distribution beyond the group's earlier supply-chain techniques.
Platform abuse: GitHub, SEO poisoning, and the broader lure factory
ZenoX and other security vendors emphasize that widely trusted platforms are being repurposed as distribution channels and lures. Acronis warned that "By taking advantage of social trust and common download channels, threat actors are often able to bypass traditional security solutions." The report connects the LofyStealer campaign to a broader trend in which malicious actors host bogus repositories on GitHub, use SEO poisoning to drive victims to those pages, or post fraudulent developer-facing content to reach targets.
Socket described another vector that weaponizes GitHub Discussions: fake Microsoft Visual Studio Code security alerts that trigger email notifications, extending the reach of the posts directly into developers' inboxes. Netskope characterized a "lure factory" of counterfeit GitHub repositories distributing game cheats, AI tools, Roblox scripts, phone trackers, and VPN crackers as an optimization for volume rather than precision, and advised that defenders should "treat any GitHub-hosted download that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of how legitimate the surrounding repository looks."
What this means for Minecraft players, platform maintainers, and security teams
- Minecraft players and general users: The campaign intentionally exploits social trust by packaging the stealer as a game cheat and using the official game icon to prompt downloads. ZenoX's findings show that the immediate risk is credential and payment-data loss across multiple browsers, including cookies, passwords, tokens, cards, and IBANs.
- Platform maintainers (GitHub, npm, hosting services): The incident underlines the recurring abuse of repositories, discussions, and package registries as delivery vectors. Techniques such as typosquatting, starjacking, SEO poisoning, and fraudulent postings to trigger email notifications are present in the public record and merit focused mitigation.
- Security teams and incident responders: The shift toward a MaaS offering, and a JavaScript loader that launches the stealer in memory under the name "chromelevator.exe", argue for detection paths that do not depend on scanning a dropped payload: renamed interpreters paired with opaque data files, the "chromelevator.exe" process name, outbound connections to 24.152.36[.]241, and the reuse of legitimate platforms (Discord webhooks, GitHub, Heroku and the like) for C2 and exfiltration.
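The triage logic those two notes describe (Netskope's renamed-interpreter-plus-opaque-file heuristic above, and the detection paths in the last bullet), written out as an added example that is not ZenoX's, Netskope's or the article's own code. It assumes a Sysmon-style event schema (Image, OriginalFileName, CommandLine, DestinationIp) and runs over constructed sample events; the Slinky.exe path, the client.dat argument and the benign events are assumptions, while the C2 address is the one published by ZenoX, kept defanged in the source and refanged at runtime:

```python
"""Added triage example (not ZenoX's or Netskope's tooling) for the detection
paths above: renamed interpreter + opaque data file, the chromelevator.exe
process name, and the published C2 address. Field names follow a Sysmon-like
schema (Image, OriginalFileName, CommandLine, DestinationIp); that schema and
all sample events are assumptions constructed for this example.
"""
import json
import re
from pathlib import PureWindowsPath

# Indicator from the ZenoX report, kept defanged as printed in the article.
C2_DEFANGED = ["24.152.36[.]241"]

# PE OriginalFileName values that identify a script interpreter even when the
# file on disk has been renamed (e.g. to the name of a game "hack").
INTERPRETER_ORIGINAL_NAMES = {"node.exe", "python.exe", "pythonw.exe",
                              "wscript.exe", "cscript.exe"}

# Extensions that mark an opaque blob rather than readable source (assumption).
OPAQUE_EXTENSIONS = {".dat", ".bin", ".db", ".pak", ".tmp", ".txt"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 24.152.36[.]241 into a matchable one."""
    return ioc.replace("[.]", ".")


C2_IPS = {refang(i) for i in C2_DEFANGED}


def is_renamed_interpreter(image: str, original_file_name: str) -> bool:
    """True when a known interpreter runs under a file name other than its own."""
    orig = (original_file_name or "").lower()
    if orig not in INTERPRETER_ORIGINAL_NAMES:
        return False
    return PureWindowsPath(image).name.lower() != orig


def opaque_args(command_line: str) -> list[str]:
    """Arguments (after argv[0]) whose extension marks them as opaque data."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return [t.strip('"') for t in tokens[1:]
            if PureWindowsPath(t.strip('"')).suffix.lower() in OPAQUE_EXTENSIONS]


def triage_event(ev: dict) -> list[tuple[str, str]]:
    """Return (priority, reason) pairs for one event; an empty list means no hit."""
    hits = []
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() == "chromelevator.exe":
        hits.append(("high", "process name matches LofyStealer (chromelevator.exe)"))
    if is_renamed_interpreter(image, ev.get("OriginalFileName", "")):
        blobs = opaque_args(ev.get("CommandLine", ""))
        if blobs:  # Netskope's pairing: renamed interpreter + opaque data file
            hits.append(("high", f"renamed {ev['OriginalFileName']} given opaque file {blobs[0]}"))
        else:
            hits.append(("medium", f"renamed {ev['OriginalFileName']} without data file"))
    if ev.get("DestinationIp") in C2_IPS:
        hits.append(("high", f"outbound connection to published C2 {ev['DestinationIp']}"))
    return hits


def triage_log(jsonl: str) -> list[dict]:
    """Run triage_event over JSON-lines input and collect the hits per line."""
    results = []
    for n, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        ev = json.loads(line)
        for priority, reason in triage_event(ev):
            results.append({"line": n + 1, "image": ev.get("Image"),
                            "priority": priority, "reason": reason})
    return results


# Constructed sample events (not real telemetry); the paths and the Slinky.exe
# file name are assumptions about how the lure might appear on disk.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\nodejs\\node.exe", "OriginalFileName": "node.exe", "CommandLine": "node app.js"}
{"EventID": 1, "Image": "C:\\Users\\player\\Downloads\\Slinky\\Slinky.exe", "OriginalFileName": "node.exe", "CommandLine": "\"C:\\Users\\player\\Downloads\\Slinky\\Slinky.exe\" client.dat"}
{"EventID": 1, "Image": "C:\\Users\\player\\AppData\\Local\\Temp\\chromelevator.exe", "OriginalFileName": "", "CommandLine": "chromelevator.exe"}
{"EventID": 3, "Image": "C:\\Users\\player\\AppData\\Local\\Temp\\chromelevator.exe", "DestinationIp": "24.152.36.241", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"line {hit['line']} [{hit['priority']}] {hit['image']}: {hit['reason']}")
```

Run directly, it prints the four hits (the Slinky lure, the chromelevator.exe process, and that process's connection to the C2) and stays silent on the two benign events. The renamed-interpreter check depends on the PE OriginalFileName surviving the rename; a builder that also rewrites the version resource would silence it, which is why the process-name and C2 checks are kept as independent signals rather than folded into one rule.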
For now, the record is concrete about tactics and targets: a Brazil-origin group with a known track record of digital account theft has repackaged its tradecraft to reach Minecraft players directly, deploy an infostealer that runs in memory, and exfiltrate sensitive financial and session data. Whether this iteration expands beyond gaming communities or reverts to the supply-chain vectors the group used previously remains an open operational question; the evidence published by ZenoX and reported by The Hacker News makes one thing clear: trusted platforms and social trust are the attack surface.