LofyStealer: Malware targeting Minecraft players.
Essential information
- Published
- 29/04/2026 14:09
- Modified
- 30/04/2026 08:17
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser data chromelevator credential theft grabbot infostealer lofystealer minecraft node.js loader slinky syscalls evasion
- Tags
- 2026-04-29 browser data chromelevator credential-theft grabbot infostealer lofystealer minecraft node.js loader slinky syscalls evasion
- Related entities
- 3 indicators, 3 observables, 1 intrusion sets (apt), 20 techniques (mitre), 3 malware
Description
A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.