A Brazil-based cybercrime group has returned after more than three years, launching a campaign aimed at Minecraft players using a new piece of malware called LofyStealer (also known as GrabBot).
“The malicious software poses as a Minecraft cheat tool named ‘Slinky,’” reported ZenoX, a cybersecurity firm located in Brazil. “It mimics the game’s official icon to trick younger players into running it willingly, taking advantage of their trust within the gaming community.”
This campaign has been confidently linked to an individual or group operating under the name LofyGang. Back in 2022, they were observed using typosquatted imitation packages on the npm registry to distribute information-stealing malware designed to harvest credit card details and user accounts tied to Discord Nitro, gaming, and streaming platforms.
The group has reportedly been active since late 2021. They promote their tools and services on sites like GitHub and YouTube, while also participating in an underground hacking community under the alias DyPolarLofy, leaking thousands of Disney+ accounts and Minecraft logins.
“Minecraft has been one of LofyGang’s primary targets since 2022,” stated Acassio Silva, co-founder and head of threat intelligence at ZenoX, in an interview with The Hacker News. “They released thousands of stolen Minecraft accounts under the name DyPolarLofy on Cracked.io. Their latest operation directly targets Minecraft users through a fake cheat called ‘Slinky.’”
The attack starts when a victim downloads the bogus Minecraft hack. Once run, it activates a JavaScript loader which then deploys the core malware file, “chromelevator.exe,” onto the infected machine. Crucially, the malware executes directly in the computer’s memory to avoid detection, aiming to gather a wide range of sensitive data from numerous web browsers. Targeted browsers include: Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser.
The stolen information—comprising browser cookies, saved passwords, authentication tokens, credit card numbers, and International Bank Account Numbers (IBANs)—is sent back to a control server located at 24.152.36[.]241.
“Previously, the group mainly attacked the JavaScript supply chain: posting fake NPM packages with common typos, using ‘starjacking’ (creating fake links to popular GitHub projects to seem trustworthy), and hiding malicious code inside secondary dependencies to avoid being caught,” explained ZenoX.
“Their main goals were stealing Discord tokens, modifying the Discord app to intercept credit card entries, and sending stolen data out through webhooks that exploited legitimate services (Discord, Repl.it, Glitch, GitHub, and Heroku) as their control servers.”
This latest activity represents a major change in their methods and a move toward a “Malware-as-a-Service” (MaaS) business model, offering both free and paid versions. Central to this is a custom tool called “Slinky Cracked,” which serves as the primary vehicle for spreading the information stealer.

This news emerges as hackers increasingly misuse the trust people place in platforms like GitHub. They set up fake repositories to act as bait for malware families including SmartLoader, StealC Stealer, and Vidar Stealer. Unwitting users are often lured to these sites via tactics like search engine poisoning.
In certain instances, attackers were found promoting fake Counter-Strike 2 cheats on Reddit, directing victims to a dangerous website that downloads a ZIP file containing the malware.
“This infostealer operation underscores a recurring security problem: widely trusted online platforms are being exploited to spread malicious software,” noted Acronis in a report published last month. “By leveraging social trust and common download methods, attackers can frequently circumvent standard security defenses.”
The report adds to a growing pattern of recent campaigns abusing GitHub for distribution:
- Targeting developers directly on GitHub by posting fake Microsoft Visual Studio Code (VS Code) security warnings in Discussions, tricking developers into installing malware via a provided link. “Since GitHub Discussions send email notifications to participants and followers, these deceptive posts also land directly in developers’ email inboxes,” warned Socket. “This expands the attack beyond the GitHub platform and makes the fake warnings appear more authentic.”
- Targeting Argentina’s court systems by sending spear-phishing emails containing a compressed ZIP archive. The archive uses a batch script to download a remote access trojan (RAT) stored on GitHub.
- Creating GitHub accounts linked to OAuth apps, then filing an issue that mentions a specific developer. This triggers an email alert, which in turn tricks the developer into approving the OAuth app, giving the attacker access to their private tokens. The issues are crafted to create a false sense of urgency, warning of supposed unusual login activity.
- Using fake GitHub repositories posing as genuine IT and security software to distribute malicious batch file installers. This leads to the installation of the TookPS downloader, which then begins a complex infection chain to establish long-term remote access using SSH reverse tunnels and RATs like MineBridge RAT (also called TeviRAT). This activity is linked to the group Rift Brigantine (also tracked as FIN11, Sleek Spider, and TA505).
- Setting up bogus GitHub repositories pretending to be AI tools, game cheats, Roblox scripts, phone number locator services, and VPN cracks. These distribute LuaJIT payloads that act as generic trojans in an operation codenamed “TroyDen’s Lure Factory.”
“The wide variety of baits used in the ‘lure factory’—game cheats, developer tools, phone locators, Roblox scripts, VPN cracks—indicates an attacker focused on casting a wide net to hit many people rather than targeting specific victims,” commented Netskope.
“Security teams should treat any download from GitHub that combines a renamed program interpreter with an unreadable data file as a top priority for investigation, no matter how legitimate the source repository might appear.”
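One way to turn that triage rule into a check, as an added example that is neither Netskope's nor the article's code: scan a downloaded ZIP for an executable that carries interpreter strings under an unrelated file name sitting next to a high-entropy data file. The marker list, the entropy threshold, and the sample archive are constructed assumptions.

```python
import io
import math
import zipfile
from collections import Counter

# Strings that survive renaming because they sit inside the interpreter binary.
# LuaJIT matches the payloads the article describes; the Python entry is an
# illustrative assumption, extend from your own samples.
INTERPRETER_MARKERS = {"LuaJIT": [b"LuaJIT"], "Python": [b"Py_Main", b"python3"]}
ENTROPY_THRESHOLD = 7.0          # bits/byte; packed or encrypted data approaches 8.0
EXECUTABLE_EXT = (".exe", ".dll", ".scr")

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def identify_interpreter(name: str, data: bytes):
    """Interpreter family found by marker when the file name does not disclose it."""
    if not data.startswith(b"MZ"):          # only PE images are considered
        return None
    for family, markers in INTERPRETER_MARKERS.items():
        if family.lower() not in name.lower() and any(m in data for m in markers):
            return family
    return None

def scan_archive(zip_bytes: bytes) -> dict:
    """Netskope's heuristic over a ZIP: renamed interpreter + opaque data file."""
    renamed, opaque = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                family = identify_interpreter(info.filename, data)
                if family:
                    renamed.append((info.filename, family))
            elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
                opaque.append(info.filename)
    return {"renamed_interpreters": renamed, "opaque_files": opaque,
            "suspicious": bool(renamed and opaque)}

def build_sample_archive() -> bytes:
    """Constructed test input, not a real sample: a LuaJIT binary renamed to look
    like a cheat, an encrypted-looking blob, and a harmless readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Slinky.exe", b"MZ" + b"\0" * 64 + b"LuaJIT 2.1.0-beta3" + b"\0" * 64)
        zf.writestr("assets/game.dat", bytes(range(256)) * 16)   # entropy exactly 8.0
        zf.writestr("README.txt", b"Run Slinky.exe and enjoy!\n")
    return buf.getvalue()
```

Run `scan_archive(build_sample_archive())` to see the constructed archive flagged; on real downloads, feed the ZIP bytes and treat a `suspicious` result as a queue-for-analysis signal, not a verdict.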