Novel Minecraft-Targeting Stealer Tapped by Reemergent LofyGang

SC Media, Apr 30, 2026

Why It Matters

The operation shows how popular gaming platforms are being weaponized for credential theft, expanding cybercriminal revenue streams and highlighting urgent supply‑chain security needs for developers and users.

Key Takeaways

  • LofyGang revived after three‑year hiatus targeting Minecraft users
  • “Slinky” hack disguises malware with official game icon and JavaScript loader
  • LofyStealer exfiltrates passwords, tokens, cookies, payment cards, IBANs
  • Campaign signals shift to malware‑as‑a‑service business model
  • Affected browsers include Chrome, Firefox, Brave, and Edge

Pulse Analysis

The resurgence of LofyGang underscores a growing trend where cybercriminals exploit the massive user base of online games to harvest high‑value credentials. Minecraft, with over 140 million active players, offers a fertile ground for malicious actors who can piggyback on the game’s mod ecosystem and third‑party launchers. Earlier campaigns by LofyGang in 2022 leveraged compromised JavaScript libraries, but the latest operation marks a more sophisticated approach that blends social engineering with supply‑chain manipulation. By embedding malicious code in a seemingly legitimate “Slinky” hack, the group capitalizes on the trust gamers place in community‑created content.

The core of the attack is LofyStealer, also known as GrabBot, a modular stealer that activates once the JavaScript loader injects it into the victim’s system. It silently harvests authentication tokens, saved passwords, browser cookies, and even payment‑card numbers and International Bank Account Numbers from Chrome, Firefox, Brave and Edge. Because the malware runs under the guise of the official Minecraft icon, many users overlook the warning signs. ZenoX reports that exfiltrated data is routed through encrypted channels to servers controlled by the gang, enabling rapid monetization through credential resale and fraud services.

The campaign’s shift toward a malware‑as‑a‑service (MaaS) model signals that LofyGang is positioning itself as a supplier rather than a lone operator. This evolution lowers the barrier for other criminal groups to launch similar attacks, potentially amplifying the threat landscape across other popular titles. Game developers and platform providers must tighten code‑signing verification, enforce stricter third‑party mod vetting, and educate players about the risks of downloading unofficial hacks. For enterprises, monitoring for leaked Minecraft‑related credentials can serve as an early indicator of broader credential‑stuffing campaigns.
