Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

The Hacker News, Apr 28, 2026

Why It Matters

The campaign demonstrates how threat actors exploit trusted gaming ecosystems and developer platforms to harvest high‑value financial data, raising the risk profile for millions of casual gamers and highlighting supply‑chain vulnerabilities.

Key Takeaways

  • LofyGang revived with Minecraft‑focused LofyStealer malware
  • Stealer masquerades as “Slinky” hack, using official game icon
  • Targets browsers to steal passwords, cookies, cards, and IBANs
  • Operates a MaaS model with free and premium tiers
  • Uses GitHub and npm typosquatting to distribute malicious loaders

Pulse Analysis

The re‑emergence of LofyGang underscores a growing trend where cybercriminals pivot from traditional phishing to exploiting the trust embedded in popular gaming environments. By packaging the LofyStealer as a seemingly legitimate Minecraft cheat, the group leverages the platform’s massive, youthful user base, turning a hobby into a vector for credential and financial theft. This approach reflects a broader shift toward weaponizing the social capital of gaming communities, where the line between legitimate modding tools and malicious code is increasingly blurred.

Technically, the campaign blends supply‑chain abuse with sophisticated in‑memory execution. The initial JavaScript loader, delivered through a fake "Slinky" hack, bypasses conventional antivirus detection by running entirely in RAM, while the chromelevator.exe component harvests data from a wide array of browsers, including Chrome, Edge, Brave and Firefox. The shift to a malware‑as‑a‑service (MaaS) offering, complete with free and premium tiers, lowers the barrier for less‑skilled actors to launch similar attacks, effectively democratizing high‑impact infostealer capabilities.

For enterprises and security teams, LofyGang’s tactics highlight the urgency of tightening controls around code repositories and third‑party package managers. Organizations should enforce strict verification of npm packages, monitor for typosquatting, and apply runtime protection that can detect anomalous in‑memory payloads. Additionally, educating end‑users—especially younger gamers—about the risks of downloading unofficial game modifications can mitigate the social engineering component that makes these campaigns so effective.
