Jiniads
2026-05-02
Cybersecurity

Brazilian Hackers Return After Three-Year Hiatus to Target Minecraft Gamers

Brazilian LofyGang resurfaces after 3+ years, targeting Minecraft players with LofyStealer malware disguised as a hack. ZenoX reports on tactics and provides protection tips.

After a prolonged silence of more than three years, the Brazilian cybercrime group known as LofyGang has resurfaced with a malicious campaign aimed squarely at the global Minecraft community. In a recent technical report from Brazilian cybersecurity firm ZenoX, researchers revealed that the group is deploying a new information-stealing malware called LofyStealer (also tracked as GrabBot). The attack cleverly disguises the malware as a popular Minecraft hack named “Slinky,” using the game’s official icon to trick players into voluntary execution.

The LofyGang Comeback: What We Know

LofyGang first gained notoriety in the early 2020s for various cybercriminal activities, but then fell off the radar. ZenoX’s analysis indicates that the group has returned with updated tools and tactics. The primary vector for this new campaign is a malicious file masquerading as a Minecraft cheat tool, which unsuspecting players download from unofficial forums, Discord servers, or file-sharing platforms.

[Image: Brazilian Hackers Return After Three-Year Hiatus to Target Minecraft Gamers. Source: feeds.feedburner.com]

Upon execution, LofyStealer silently harvests sensitive data—including credentials, browser cookies, cryptocurrency wallet information, and gaming session tokens. The malware then exfiltrates the stolen data to command‑and‑control (C2) servers operated by the threat actors.

“The malware disguises itself as a Minecraft hack called ‘Slinky,’” the ZenoX report states. “It uses the official game icon to induce voluntary execution.” This social‑engineering tactic capitalizes on the trust players place in familiar game branding, making the attack particularly effective.

How LofyStealer (GrabBot) Works

LofyStealer belongs to the “stealer” family of malware, designed to extract information from infected systems without the user’s knowledge. According to ZenoX, the malware employs techniques such as:

  • Process injection to evade antivirus detection.
  • Keylogging to capture credentials entered into browsers and applications.
  • Clipboard monitoring to intercept cryptocurrency addresses during transactions.
  • Cookie and session theft from Chrome, Firefox, and other popular browsers.

The stolen data is packed into encrypted archives before being sent to remote servers. ZenoX noted that the malware also attempts to disable security tools and establish persistence on the victim’s machine.

Minecraft: A Growing Target for Cybercriminals

Minecraft remains one of the most‑played games worldwide, with millions of active users—many of whom are children and teenagers. This large, relatively unsuspecting user base makes it an attractive target for malware campaigns. Cybercriminals often exploit the game’s thriving modding and hack community by distributing “free” cheats, clients, and add‑ons that actually contain malicious code.

Previous campaigns have used fake Minecraft downloaders to deliver ransomware, cryptominers, and remote access trojans (RATs). The LofyStealer campaign adds to this trend, highlighting the need for increased vigilance among players and parents alike.

Protection Tips for Gamers

To avoid falling victim to LofyStealer or similar threats, consider the following precautions:

  1. Download only from official sources – Use the official Minecraft launcher and reputable mod repositories (e.g., CurseForge, Modrinth).
  2. Be skeptical of “free” hacks or cheats – If a tool promises unfair advantages, it is likely a trap.
  3. Keep security software updated – Modern antivirus and anti‑malware tools can detect many stealers.
  4. Enable multi‑factor authentication (MFA) on gaming accounts and associated email addresses.
  5. Monitor for unusual account activity – Unexpected logins or lost items can indicate compromise.

Indicators of Compromise (IoCs)

ZenoX shared several IoCs for LofyStealer, including file hashes (MD5, SHA256) of the malicious “Slinky.exe” sample and known C2 domains. Users or IT security teams can check their systems against these indicators. The full list is available in ZenoX’s public report.
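
One way to run that check on a workstation, as an added example that is not part of the original article or ZenoX's report: the script walks a folder, hashes each file once for both MD5 and SHA256, and compares the results with an IoC list. The hash values are placeholders to be filled in from ZenoX's report, and the names `scan`, `file_digests` and the `Downloads` default are assumptions made here.

```python
import hashlib
from pathlib import Path

# Placeholders: paste the MD5/SHA256 values from ZenoX's public report here.
IOC_SHA256 = {"<sha256-from-zenox-report>"}
IOC_MD5 = {"<md5-from-zenox-report>"}
# The article names the sample "Slinky.exe"; a name match alone is only a lead.
SUSPECT_NAMES = {"slinky.exe"}


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex), reading the file once in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan(root, ioc_sha256=IOC_SHA256, ioc_md5=IOC_MD5, names=SUSPECT_NAMES):
    """Walk root and return sorted (path, reason) findings."""
    # Reports publish hashes in mixed case; normalise before comparing.
    sha_set = {h.lower() for h in ioc_sha256}
    md5_set = {h.lower() for h in ioc_md5}
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            md5_hex, sha_hex = file_digests(path)
        except OSError:
            continue  # locked or unreadable file: skip it, keep scanning
        if sha_hex in sha_set:
            findings.append((str(path), "sha256-match"))  # survives renaming
        elif md5_hex in md5_set:
            findings.append((str(path), "md5-match"))
        elif path.name.lower() in names:
            findings.append((str(path), "name-only"))  # inspect, not confirmed
    return sorted(findings)


if __name__ == "__main__":
    for found_path, reason in scan(Path.home() / "Downloads"):
        print(f"{reason}\t{found_path}")
```

A hash match identifies the sample even if the file was renamed; a name-only hit means a file called Slinky.exe exists with different content and should be examined separately.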

Conclusion: A Warning for the Gaming Community

The resurgence of LofyGang after a three‑year absence serves as a stark reminder that cyber threats evolve and that no community—especially one as large and engaged as Minecraft’s—is immune. The use of a well‑known game icon and a tempting cheat tool makes LofyStealer particularly insidious. By staying informed and adopting safe browsing habits, gamers can significantly reduce their risk.

As ZenoX concludes, the LofyGang campaign is a classic example of social engineering combined with stealthy malware. Awareness is the first line of defense.