A Brazilian hacking group known as LofyGang has re-emerged after a hiatus of over three years, launching a new campaign targeting Minecraft players. This operation employs a malicious tool dubbed LofyStealer, which masquerades as a Minecraft cheat called ‘Slinky’. According to cybersecurity firm ZenoX, the malware utilizes the official Minecraft icon to deceive users, mainly targeting younger players familiar with the gaming community.
LofyGang’s Cyber Tactics and History
LofyGang, active since late 2021, has been observed using typosquatting on the npm registry to distribute malware. Its objective is to harvest credit card details and account credentials for Discord Nitro, gaming and streaming services. The group promotes its hacking tools on platforms such as GitHub and YouTube and, under the alias DyPolarLofy, has leaked thousands of compromised Disney+ and Minecraft accounts.
Acassio Silva, co-founder at ZenoX, noted that Minecraft has been a consistent target for LofyGang since 2022. The group has reportedly leaked numerous Minecraft accounts on forums like Cracked.io, with the current campaign directly aiming to compromise players through the fake ‘Slinky’ hack.
How LofyStealer Operates
The attack begins when the fake Minecraft hack is run: a JavaScript loader drops the LofyStealer payload, identified as “chromelevator.exe”. The stealer extracts cookies, saved passwords and stored credit card details from web browsers including Google Chrome, Microsoft Edge and Mozilla Firefox, among others, and sends the stolen data to a command-and-control server for further exploitation.
ZenoX reports that the group’s primary method targets the JavaScript supply chain through tactics such as npm package typosquatting. It has also used fake references to inflate the credibility of its packages and has hidden payloads in sub-dependencies, where they are less likely to be noticed by anyone reviewing only a project’s direct dependencies. The current campaign marks a shift to a malware-as-a-service model, with free and premium tiers and a custom builder known as Slinky Cracked.
Broader Implications and Ongoing Challenges
This resurgence of LofyGang coincides with a broader trend of threat actors exploiting trusted platforms such as GitHub to distribute malware. Techniques like SEO poisoning and misleading repository names lure users into downloading malicious software. Some attackers have used platforms like Reddit to spread malware by advertising fake game cheats, redirecting users to malicious websites containing harmful files.
The campaign underscores how hard it is to keep trusted distribution channels from being abused. Security experts advise treating any GitHub-hosted download that pairs a renamed interpreter with opaque data files as potentially harmful: the executable is a legitimate program that scanners are inclined to trust, while the actual logic lives in the accompanying file.
As these threats continue to evolve, developers and users alike need to stay alert to them. The spread of malware-as-a-service and the exploitation of social trust in gaming and developer communities undercut conventional security measures, which makes continued vigilance and improvement in security practice a necessity.
