April 2026 — A Brazil-linked cybercrime group known as LofyGang has resurfaced after a three-year hiatus, launching a new malware campaign aimed at Minecraft players using a credential-stealing tool disguised as a game “hack.”
Security researchers say the group is distributing a new infostealer called LofyStealer (also known as GrabBot) through fake gaming tools designed to trick users—particularly younger players—into executing malicious software.
Fake Minecraft “Hack” Used as Malware Lure
The campaign revolves around a counterfeit cheat tool branded as “Slinky,” which is marketed as a Minecraft enhancement utility. Once downloaded and launched, the file triggers a multi-stage infection chain that installs malware on the victim’s device.
According to Brazil-based cybersecurity firm ZenoX, the malware uses the official Minecraft icon and familiar branding to increase trust and encourage users to run it voluntarily.
The focus on Minecraft players is consistent with the group's earlier operations, which date back to 2022.
LofyGang’s Return and Malware Evolution
The threat actor was previously active in distributing infostealer malware through fake npm packages, Discord scams, and gaming-related lures.
Earlier campaigns focused on stealing:
- Discord account tokens
- Gaming platform credentials
- Streaming service logins
- Payment card data
The group also operated underground channels where it leaked stolen accounts and promoted hacking tools under various aliases.
Security researchers say the latest operation marks a shift toward a malware-as-a-service (MaaS) model, offering both free and paid tiers of their tools, along with a custom builder for generating payloads.
How the LofyStealer Attack Works
Once executed, the fake Minecraft application launches a JavaScript-based loader that deploys the LofyStealer payload, which runs under a plausible-looking process name such as “chromelevator.exe” to blend in with legitimate browser components.
The malware runs in memory and is designed to silently harvest sensitive data from compromised systems, including:
- Browser stored passwords
- Session cookies and authentication tokens
- Saved payment card details
- Banking information (including IBAN data)
Targeted browsers include Chrome, Edge, Firefox, Brave, Opera, and others.
Stolen data is then transmitted to a command-and-control (C2) server identified as 24.152.36[.]241.
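The two concrete indicators in this section, the payload's process name and the C2 address, are enough to build a simple detection. The script below is an added example written for this article; it is not code from ZenoX or from the campaign. It refangs the published C2 indicator, then scans constructed Sysmon-style process-create and network-connect log lines for three things: a process named chromelevator.exe, an executable launched by a parent whose name contains "slinky", and any outbound connection to the C2 IP. The log lines, field names and the assumption that the lure's binary is named after the "Slinky" brand are constructed for the example, not taken from the report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators from the article. The C2 address is published defanged ("[.]"),
# so it has to be refanged before it can be compared against telemetry.
C2_DEFANGED = "24.152.36[.]241"
SUSPICIOUS_IMAGE_NAMES = {"chromelevator.exe"}
LURE_NAME_FRAGMENT = "slinky"   # assumption: the lure binary carries the "Slinky" brand


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' or 'hxxp://' back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = ipaddress.ip_address(refang(C2_DEFANGED))


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


# Constructed sample telemetry (not from the report): key=value lines loosely modeled on
# Sysmon process-create (event 1) and network-connect (event 3) records. Values with
# spaces are quoted. Lines 1-3 simulate the infection chain; lines 4-5 are benign Chrome.
SAMPLE_LOG = """\
ts=2026-04-02T18:01:07Z event=process_create image=C:\\Users\\kid\\Downloads\\Slinky.exe parent=C:\\Windows\\explorer.exe pid=4412
ts=2026-04-02T18:01:09Z event=process_create image=C:\\Users\\kid\\AppData\\Local\\Temp\\chromelevator.exe parent=C:\\Users\\kid\\Downloads\\Slinky.exe pid=4480
ts=2026-04-02T18:01:12Z event=network_connect pid=4480 image=C:\\Users\\kid\\AppData\\Local\\Temp\\chromelevator.exe dst=24.152.36.241 dport=443
ts=2026-04-02T18:02:00Z event=process_create image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" parent=C:\\Windows\\explorer.exe pid=4600
ts=2026-04-02T18:02:03Z event=network_connect pid=4600 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=142.250.74.100 dport=443
"""

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(log_text: str) -> List[Finding]:
    """Apply the three indicator rules to every line and return the matches in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))

        if ev.get("event") == "network_connect":
            try:
                dst = ipaddress.ip_address(ev.get("dst", ""))
            except ValueError:
                continue  # malformed or missing destination; nothing to compare
            if dst == C2_IP:
                findings.append(Finding(n, "c2_connect", f"{image} -> {dst}:{ev.get('dport')}"))

        elif ev.get("event") == "process_create":
            if image in SUSPICIOUS_IMAGE_NAMES:
                findings.append(Finding(n, "suspicious_image_name", f"{image} spawned by {parent}"))
            # Any executable spawned by the lure itself is worth a look, whatever it is named.
            if LURE_NAME_FRAGMENT in parent and image.endswith(".exe") and parent != image:
                findings.append(Finding(n, "lure_spawned_child", f"{parent} -> {image}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Against the constructed log this flags line 2 twice (the suspicious image name and the fact that Slinky.exe spawned it) and line 3 once (the connection to the C2). The IP rule is the most brittle of the three, since an operator can rotate infrastructure at will; the parent-child relationship is the one most likely to survive a rebuild of the payload, which is why it is matched on the parent name rather than on the child.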
Expanding Use of Social Engineering and Trust Abuse
Researchers say LofyGang continues to rely heavily on social engineering tactics, particularly targeting gaming communities where trust in unofficial modifications is common.
Their earlier operations included:
- Typosquatted npm packages
- Fake GitHub repositories
- “Starjacking” legitimate projects
- Malware hidden in dependencies
These methods exploit user trust rather than software vulnerabilities: the victim installs and runs the code voluntarily, so controls that look for exploitation attempts rather than for untrusted code have little to catch.
Growing Trend of GitHub and Gaming Malware Abuse
Security experts warn that LofyGang’s campaign is part of a wider ecosystem of malware distribution that leverages trusted platforms and communities.
Attackers are increasingly using:
- Fake GitHub repositories
- SEO-optimized malware links
- Gaming cheat downloads
- Social media posts on Reddit and Discord
Similar campaigns have distributed well-known infostealers such as Vidar and StealC, as well as the SmartLoader loader used to stage them, through counterfeit tools and phishing links.
Security Experts Warn of Expanding Threat Landscape
Cybersecurity analysts say the combination of gaming lures and trusted development platforms makes these campaigns especially effective, particularly among younger or less security-aware users.
A key concern is that attackers are now combining social engineering, open-source abuse, and malware-as-a-service models, which lets small groups scale their operations well beyond what they could run on their own.
Final Outlook
The return of LofyGang underscores a growing trend in cybercrime: highly adaptable groups leveraging popular gaming ecosystems to distribute credential-stealing malware at scale.
Security researchers advise users to avoid unofficial game modifications and to download software only from verified sources, especially when dealing with gaming-related tools and third-party “enhancements.”