Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 11:49:49
Introduction
After a three-year silence, the Brazilian cybercrime group known as LofyGang has resurfaced with a targeted campaign aimed squarely at Minecraft enthusiasts. The group is deploying a new information-stealing malware called LofyStealer, also referred to as GrabBot, which masquerades as a popular game modification. Security researchers at Brazil-based ZenoX have detailed how the malware exploits the trust players place in unofficial mods to infiltrate systems and harvest sensitive data.

A Three-Year Hiatus Ends
The re-emergence of LofyGang marks the end of a prolonged period of inactivity. The group was last observed in 2020, when they were known for distributing banking trojans and other malicious tools across Latin America. Now, they have pivoted to target the massive gaming community surrounding Minecraft, the sandbox game that boasts hundreds of millions of active players worldwide. This shift reflects a broader trend among cybercriminals to exploit the popularity of gaming mods, particularly those that promise enhanced gameplay features or cheats.
How LofyStealer Works
LofyStealer is a stealer-type malware designed to extract credentials, cryptocurrency wallets, and other valuable information from infected machines. The infection chain is deceptively simple and relies on social engineering.
Disguised as a Popular Minecraft Hack
The malware is packaged as a file named "Slinky," which is a fake Minecraft hack or cheat utility. To make the bait more convincing, the attackers use the official Minecraft game icon as the file icon. This trick induces voluntary execution: victims who download the file believing it is a harmless mod will double-click it, unaware that they are launching a malicious executable. ZenoX’s technical report highlights that the icon and filename are deliberately chosen to blend in with legitimate game files.
Stealing Credentials and Data
Once executed, LofyStealer (or GrabBot) begins its data-gathering routine. It targets saved passwords from web browsers, session tokens, cryptocurrency wallet applications, and even FTP client credentials. The malware also captures screenshots and logs keystrokes, allowing it to intercept two-factor authentication codes and other sensitive inputs. All stolen information is exfiltrated to a command-and-control server controlled by the attackers. The group likely monetizes this data through account takeovers, cryptocurrency theft, or sale on underground forums.
The Minecraft Connection
Why target Minecraft players specifically? The game has a massive modding community, and players often download third-party modifications to enhance graphics, add new features, or enable cheats in multiplayer servers. Many of these mods are obtained from unofficial websites, which are notorious for hosting malware. By piggybacking on the popularity of Minecraft hacks, LofyGang increases the likelihood of infection among a demographic that may not be as security-conscious as typical corporate users. Moreover, many Minecraft players store valuable cryptocurrency wallets or use the same passwords across gaming accounts, making them lucrative targets.

Protecting Against LofyStealer
Users can safeguard themselves by following these best practices:
- Only download mods from official sources – Use platforms like CurseForge or the official Minecraft Marketplace. Avoid third-party sites that offer hacks or cracked versions.
- Verify file integrity – Check file hashes and read community reviews before installing any mod.
- Use antivirus and endpoint protection – Modern security solutions can detect LofyStealer and similar stealers.
- Enable multi-factor authentication – Even if credentials are stolen, MFA can prevent account takeover.
- Keep software updated – Regular updates patch vulnerabilities that malware might exploit.
For organizations, educating employees about the risks of downloading unauthorized gaming software on work devices is essential. Network monitoring and strict application control policies can also minimize exposure.
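The "verify file integrity" step can be paired with a content check that ignores the filename and icon the lure relies on. The following is an added example, not code from ZenoX or the original article: it assumes Java Edition mods, which ship as JAR (ZIP) archives, so a download that begins with a Windows executable header is blocked regardless of its icon. The function names and sample bytes are constructed for illustration.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Classify a downloaded "mod" by its leading bytes, not by its name or icon.
PE_MAGIC = b"MZ"            # Windows executable (EXE/DLL/SCR)
ZIP_MAGIC = b"PK\x03\x04"   # ZIP container, which is what a Java .jar mod is


def classify(data: bytes) -> str:
    """Return 'windows-executable', 'jar', 'zip' or 'unknown' for the content."""
    if data[:2] == PE_MAGIC:
        return "windows-executable"
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
    return "unknown"


def triage(data: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Hash the download and decide whether it may be treated as a mod archive."""
    digest = hashlib.sha256(data).hexdigest()
    kind = classify(data)
    reasons = []
    if kind == "windows-executable":
        reasons.append("native executable presented as a mod")
    elif kind != "jar":
        reasons.append(f"not a JAR archive ({kind})")
    if expected_sha256 is not None and digest != expected_sha256.lower():
        reasons.append("SHA-256 does not match the published hash")
    return {"sha256": digest, "kind": kind, "block": bool(reasons), "reasons": reasons}


def constructed_jar() -> bytes:
    """Build a tiny in-memory JAR as sample input (constructed, not a real mod)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60   # constructed PE-like header, not malware
    print(triage(fake_exe))
    jar = constructed_jar()
    print(triage(jar, hashlib.sha256(jar).hexdigest()))
```

A passing result only means the file is a JAR with the expected hash; a JAR can still contain malicious code, so the hash must come from the mod's official distribution page.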
Conclusion
The return of LofyGang with a Minecraft-themed stealer serves as a reminder that cybercriminals constantly adapt to popular trends. While the group was dormant for years, their new campaign shows they have not lost their ability to deceive and compromise victims. The use of a familiar game icon and the promise of an easy hack is a potent lure. As Minecraft continues to dominate the gaming world, players and security teams alike must remain vigilant. By staying informed and practicing safe downloading habits, they can significantly reduce the impact of threats like LofyStealer.
This article is based on findings from ZenoX's technical report on the LofyGang campaign.