Brazilian LofyGang Resurfaces Targeting Minecraft Players With Memory-Resident Slinky Stealer

The fake Minecraft hack uses the official game icon to lure users into running malware that silently grabs passwords, credit cards, cookies, tokens and bank details from Chrome, Firefox, Edge and more. It is malware-as-a-service, and the demand for cheats keeps the grift alive.

If you have ever clicked a YouTube link promising god mode or dupes in Minecraft, you are exactly who these operators are hunting. On April 28, The Hacker News detailed how the Brazilian crew LofyGang has rebooted operations with LofyStealer, also known as GrabBot.

How The Attack Actually Works

The bait is a fake hack named Slinky, complete with the real Minecraft game icon. Victims run the file. A JavaScript loader then drops the stealer directly into memory as chromelevator.exe. Leaving no obvious files on disk makes it harder for basic antivirus to catch. It then rips through browsers including Chrome, Edge, Brave, Opera, Firefox and others, pulling saved logins, cookies, payment cards, auth tokens and even IBAN bank data.

  • Exfiltrates everything to C2 server at 24.152.36.241
  • Advertised on GitHub and YouTube as a cracked Minecraft tool
  • Part of a malware-as-a-service model with free and paid builder tiers
  • LofyGang previously leaked thousands of Minecraft accounts under the DyPolarLofy alias
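
Because the payload runs from memory, the behaviours listed above are more useful to a defender than file scanning. The following is an added example, not code from the ZenoX report or the original article: it matches the process name and C2 address given above, plus non-browser reads of browser credential stores, against JSON-lines endpoint telemetry. The event schema, the browser binary list, the credential-store file names and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Indicators stated in the article.
C2_ADDRESS = "24.152.36.241"
STEALER_IMAGE = "chromelevator.exe"
# Assumptions (not from the article): common browser binaries and the file
# names Chromium and Firefox use for saved logins, cookies and cards.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
CREDENTIAL_STORES = {"login data", "cookies", "web data",
                     "logins.json", "key4.db", "cookies.sqlite"}

def classify(event):
    """Return the reasons an event looks like stealer activity (empty if none)."""
    reasons = []
    image = ntpath.basename(event.get("image", "")).lower()
    if image == STEALER_IMAGE:
        reasons.append("process name matches stealer payload")
    if event.get("type") == "net" and event.get("dst") == C2_ADDRESS:
        reasons.append("connection to reported C2")
    if event.get("type") == "file_read":
        target = ntpath.basename(event.get("path", "")).lower()
        # A browser reading its own store is normal; anything else is not.
        if target in CREDENTIAL_STORES and image not in BROWSERS:
            reasons.append("non-browser read of browser credential store")
    return reasons

def scan(lines):
    """Parse JSON-lines telemetry and return [(line_no, reasons)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated records instead of aborting the scan
        reasons = classify(event) if isinstance(event, dict) else []
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE = [
    r'{"type":"file_read","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\kid\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"type":"file_read","image":"C:\\Users\\kid\\Downloads\\Slinky.exe","path":"C:\\Users\\kid\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}',
    r'{"type":"net","image":"C:\\Users\\kid\\AppData\\Local\\Temp\\chromelevator.exe","dst":"24.152.36.241"}',
    r'{"type":"net","image":"C:\\Progr',
    r'{"type":"net","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst":"203.0.113.10"}',
]
```

The credential-store rule will also fire on legitimate backup or password-manager tools, so treat it as a triage signal and allow-list known software.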

The uncomfortable reality is that the Minecraft hacking and modding ecosystem is a malware buffet. Young players chasing an edge will run almost anything. Creators and repo owners rarely verify what they promote. Mojang can update their usage guidelines and threaten server bans all they want, but they cannot stop random EXEs hosted off-platform. This is why the same groups keep coming back.

ZenoX threat intelligence co-founder Acassio Silva noted that Minecraft has been a focus for this group since 2022. The current wave is more direct: they built the lure specifically for the game. Previous work involved Discord token theft and supply chain attacks on npm packages. Now it is simpler social engineering aimed at the biggest gaming community on the planet.

What This Means For The Average Player

Every “free hack” video or shady GitHub release is a potential vector. The in-memory design means traditional scans might miss it until the data is already gone. Banking details and tokens open the door to identity theft and drained accounts. The fact that this is resurfacing now shows the incentives have not changed.

“It uses the official game icon to induce voluntary execution, exploiting the trust of young users in the gaming scene.”

Figure: ZenoX report detailing the LofyStealer fake mod and its use of the official Minecraft icon.

That quote from the researchers sums it up. Trust is the exploit. The solution is boring but effective: only download mods from established, trusted launchers and CurseForge-style repositories. Anything promising cheats or hacks from random channels is rolling the dice with your personal data and your Microsoft account.

Bottom line, the multiplayer and creative scenes run on trust that is constantly abused. Until players stop treating every shiny download link as legitimate, this cycle will continue. LofyGang knows the audience and they keep delivering exactly what gets clicks.