A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new stealer called LofyStealer (aka GrabBot).
“The malware disguises itself as a Minecraft hack called ‘Slinky,'” Brazil-based cybersecurity company ZenoX said in a technical report. “It uses the official game icon to induce voluntary execution, exploiting the trust of young users in the gaming scene.”
The activity has been attributed with high confidence to a threat actor known as LofyGang, which was observed leveraging typosquatted packages on the npm registry to push stealer malware in 2022, specifically with an intent to siphon credit card data and user accounts associated with Discord Nitro, gaming, and streaming services.
The group, believed to be active since late 2021, advertises their tools and services on platforms like GitHub and YouTube, while also contributing to an underground hacking community under the alias DyPolarLofy to leak thousands of Disney+ and Minecraft accounts.
“Minecraft has been a LofyGang target since 2022,” Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News. “They leaked thousands of Minecraft accounts under the DyPolarLofy alias on Cracked.io. The current campaign goes after Minecraft players directly through a fake ‘Slinky’ hack.”
The attack begins with a Minecraft hack that, when launched, triggers the execution of a JavaScript loader that’s ultimately responsible for the deployment of LofyStealer (“chromelevator.exe”) on compromised hosts and execute it directly in memory with an aim to harvest a wide range of sensitive data spanning multiple web browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser.
The captured data, which includes cookies, passwords, tokens, cards, and International Bank Account Numbers (IBANs), is exfiltrated to a command-and-control (C2) server located at 24.152.36[.]241.
“Historically, the group’s primary vector was the JavaScript supply chain: NPM package typosquatting, starjacking (fraudulent references to legitimate GitHub repositories to inflate credibility), and payloads embedded in sub-dependencies to evade detection,” ZenoX said.
“The focus was on Discord token theft, Discord client modification for credit card interception, and exfiltration via webhooks abusing legitimate services (Discord, Repl.it, Glitch, GitHub, and Heroku) as C2.”
The latest development marks a departure from previously observed tradecraft and a shift towards a malware-as-a-service (MaaS) model with free and premium tiers, along with a bespoke builder called Slinky Cracked that’s used as a delivery vehicle for the stealer malware.
The disclosure comes as threat actors are increasingly abusing the trust associated with a platform like GitHub to host bogus repositories that act as lures for malware families like SmartLoader, StealC Stealer, and Vidar Stealer. Unsuspecting users are directed to these repositories through techniques like SEO poisoning.
In some cases, attackers have been found to spread Vidar 2.0 through Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers a ZIP archive containing the malware.
“This infostealer campaign highlights an ongoing security challenge where widely trusted platforms are abused to distribute malicious payloads,” Acronis said in an analysis published last month. “By taking advantage of social trust and common download channels, threat actors are often able to bypass traditional security solutions.”
The findings add to a growing list of campaigns that have leveraged GitHub in recent months –
- Targeting developers directly inside GitHub, using fake Microsoft Visual Studio Code (VS Code) security alerts posted through Discussions to trick users into installing malware by clicking on a link. “Because GitHub Discussions trigger email notifications for participants and watchers, these posts are also delivered directly to developers’ inboxes,” Socket said. “This extends the reach of the campaign beyond GitHub itself and makes the alerts appear more legitimate.”
- Targeting Argentina’s judicial systems using spear‑phishing emails to distribute a compressed ZIP archive that uses an intermediate batch script to retrieve a remote access trojan (RAT) hosted on GitHub.
- Creating GitHub accounts and OAuth applications, followed by opening an issue that mentions a target developer, triggering an email notification that, in turn, tricks them into authorizing the OAuth app, effectively allowing the attacker to obtain their access tokens. The issues aim to induce a false sense of urgency, warning users of unusual access attempts.
- Using fraudulent GitHub repositories to distribute malicious batch script installers masquerading as legitimate IT and security software, leading to the deployment of the TookPS downloader, which then initiates a multi-stage infection chain to establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT). The activity has been attributed to Rift Brigantine (aka FIN11, Graceful Spider, and TA505).
- Using counterfeit GitHub repositories posing as AI tools, game cheats, Roblox scripts, phone number location trackers, and VPN crackers to distribute LuaJIT payloads that function as a generic trojan as part of a campaign dubbed TroyDen’s Lure Factory.
“The breadth of the lure factory – gaming cheats, developer tools, phone trackers, Roblox scripts, VPN crackers – suggests an actor optimizing for volume across audiences rather than precision targeting,” Netskope said.
“Defenders should treat any GitHub-hosted download that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of how legitimate the surrounding repository looks.”
