A Brazil-origin cybercrime group known as LofyGang has resurfaced after more than three years to target Minecraft players with a new stealer called LofyStealer (aka GrabBot) disguised as a fake “Slinky” hack. The campaign uses a JavaScript loader to deploy “chromelevator.exe” in memory to harvest cookies, passwords, tokens, cards and IBANs for exfiltration to a C2 at 24.152.36[.]241, and the group is shifting toward a malware-as-a-service model with the Slinky Cracked builder.
Key points
- LofyGang has returned to target Minecraft players using a fake “Slinky” hack to deliver LofyStealer.
- The attack launches a JavaScript loader that drops and executes “chromelevator.exe” in memory to avoid detection.
- Harvested data includes cookies, passwords, tokens, credit cards and IBANs, exfiltrated to 24.152.36[.]241.
- The group previously used npm typosquatting and GitHub lures and now offers a MaaS model with free and premium tiers via Slinky Cracked.
- Threat actors continue to abuse GitHub, SEO poisoning and fake repositories to distribute families like Vidar, SmartLoader and StealC.
Read More: https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html