Ethical Hacking News
The Brazilian cybercrime group LofyGang has resurfaced after three years with a new campaign targeting Minecraft players, using a stealer called LofyStealer (aka GrabBot). The malware masquerades as a Minecraft hack and is designed to steal sensitive data from multiple web browsers. The campaign marks a significant departure from previously observed tradecraft, as the group has begun operating under a malware-as-a-service model.
The campaign highlights an ongoing security challenge: widely trusted platforms being abused to distribute malicious payloads. By exploiting social trust and common download channels, threat actors can often bypass traditional security controls.
LofyGang first gained notoriety three years ago for malware campaigns targeting unsuspecting users, particularly those on the Minecraft and Discord platforms, and its activity has been observed resuming in the past few weeks. In this latest campaign the group has deployed a new stealer, LofyStealer (also referred to as GrabBot), which poses a significant threat to young users who engage in gaming. LofyGang's latest tactics include a malware-as-a-service (MaaS) model, offering free and premium tiers of its tools.
According to Brazil-based cybersecurity firm ZenoX, the malware masquerades as a Minecraft hack known as "Slinky," using the official game icon to persuade users to run it voluntarily. The campaign's success rests on the trust users place in popular platforms and services such as Minecraft, which has proven to be an effective vector for spreading malware.
LofyStealer (aka GrabBot) uses JavaScript loaders to run the malicious payload directly in the memory of compromised hosts. This approach lets it evade traditional file-based security controls and harvest an extensive range of sensitive data from multiple web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Mozilla Firefox, Avast Browser, and others.
The captured data, which includes cookies, passwords, tokens, credit card numbers, IBANs, and other valuable information, is then transmitted to a command-and-control server at 24.152.36[.]241. This setup illustrates LofyGang's technical expertise in crafting malware designed to exfiltrate sensitive data efficiently.
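As an added illustration of how a defender would operationalize the one network indicator the article gives (the defanged C2 address), the following Python script is not part of the original article or of any vendor's tooling. It refangs the indicator, scans constructed sample proxy log lines (the log format and every host, user and timestamp in them are invented for this example), and returns exact-match hits, so that a look-alike address such as 24.152.36.2 is not flagged by a substring match.

```python
import re
from typing import Dict, List

# Defanged C2 address exactly as reported in the article.
REPORTED_C2 = "24.152.36[.]241"

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

# Constructed sample proxy log (not real traffic); fields:
# timestamp host user dst_ip dst_port action
SAMPLE_LOGS = """\
2026-04-28T13:01:02Z ws-017 alice 142.250.74.46 443 ALLOW
2026-04-28T13:01:09Z ws-017 alice 24.152.36.241 443 ALLOW
2026-04-28T13:02:44Z ws-022 bob 104.16.132.229 443 ALLOW
2026-04-28T13:03:10Z ws-017 alice 24.152.36.241 8080 ALLOW
2026-04-28T13:05:55Z ws-031 carol 24.152.36.2 443 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) (?P<action>\S+)$"
)

def find_c2_connections(log_text: str, iocs: List[str]) -> List[Dict[str, str]]:
    """Return parsed log records whose destination IP exactly matches a refanged IoC."""
    live = {refang(i) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        if m.group("dst") in live:  # set membership: exact match, never substring
            hits.append(m.groupdict())
    return hits

def hosts_to_isolate(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct hostnames that talked to the C2, for containment and browser-credential rotation."""
    return sorted({h["host"] for h in hits})

if __name__ == "__main__":
    hits = find_c2_connections(SAMPLE_LOGS, [REPORTED_C2])
    for h in hits:
        print(f"{h['ts']} {h['host']} ({h['user']}) -> {h['dst']}:{h['port']}")
    print("isolate:", hosts_to_isolate(hits))
```

Because the stealer harvests saved browser credentials, every host returned by `hosts_to_isolate` is a candidate for credential and session-token rotation, not just a network block.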
Historically, LofyGang has employed several tactics for infecting users with malware, including:
1. Running JavaScript supply chain attacks through typosquatted NPM packages.
2. Pointing to legitimate GitHub repositories to borrow credibility and deceive users into installing malicious payloads.
3. Embedding payloads in sub-dependencies of legitimate applications to evade detection.
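The typosquatting tactic in the first list item is one a project can screen for before install. The following Python script is an added example, not code from the article or from any of the groups or vendors it mentions: it reads a constructed `package.json`, compares every dependency name against a constructed list of popular package names using optimal-string-alignment distance (Levenshtein plus adjacent transposition, since swapped letters are a common typosquat pattern), and reports names that are close to, but not identical to, a popular package. The popular-package list and the dependency names are invented for the example.

```python
import json
from typing import Dict, List, Tuple

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

# Constructed allow-list of well-known names (a real check would use registry download stats).
POPULAR = ["express", "lodash", "colors", "discord.js", "request", "axios", "react", "chalk"]

# Constructed package.json with three deliberate look-alike names.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "^4.17.21", "expres": "^4.18.0",
                     "colros": "^1.4.0", "discord.js": "^14.0.0"},
    "devDependencies": {"reqeust": "^2.88.0", "chalk": "^5.0.0"},
})

def find_typosquat_candidates(package_json_text: str,
                              popular: List[str]) -> Dict[str, Tuple[str, int]]:
    """Map each suspicious dependency to (closest popular name, distance).

    A name is suspicious when it is within a small edit distance of a popular package
    but is not that package. Shorter names get a tighter threshold to limit false positives.
    """
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    findings: Dict[str, Tuple[str, int]] = {}
    for name in deps:
        if name in popular:
            continue  # exact match to a known-good name: nothing to flag
        closest = min(popular, key=lambda p: osa_distance(name, p))
        dist = osa_distance(name, closest)
        max_dist = 1 if len(name) < 8 else 2
        if 0 < dist <= max_dist:
            findings[name] = (closest, dist)
    return findings

if __name__ == "__main__":
    for name, (closest, dist) in find_typosquat_candidates(SAMPLE_PACKAGE_JSON, POPULAR).items():
        print(f"suspicious dependency {name!r}: {dist} edit(s) from popular package {closest!r}")
```

A finding is a prompt to check the package's registry page and maintainer before installing, not proof of malice; legitimately named forks of popular packages will also score close.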
These tactics were initially used primarily for targeted phishing campaigns aimed at stealing Discord token credentials and other sensitive information associated with gaming, streaming services, and social media platforms.
However, the latest development marks a significant departure from previously observed tradecraft, as LofyGang has begun using a malware-as-a-service (MaaS) model. Customers can access both free and premium tiers of its tools, as well as an exclusive builder called Slinky Cracked that is used to package and deliver the stealer.
Related Information:
https://www.ethicalhackingnews.com/articles/Brazilian-LofyGang-Resurfaces-After-Three-Years-With-Sophisticated-Minecraft-LofyStealer-Campaign-Targeting-Young-Users-ehn.shtml
https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
https://undercodetesting.com/lofystealer-the-memory-resident-malware-silently-draining-minecraft-accounts-video/
https://www.fortinet.com/blog/threat-research/grabbot-is-back-to-nab-your-data
https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/
Published: Tue Apr 28 13:46:49 2026 by llama3.2 3B Q4_K_M