{"id":236785,"date":"2026-04-28T13:39:00","date_gmt":"2026-04-28T17:39:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/28\/brazilian-lofygang-resurfaces-after-three-years-with-minecraft-lofystealer-campaign\/"},"modified":"2026-04-28T17:40:09","modified_gmt":"2026-04-28T21:40:09","slug":"brazilian-lofygang-resurfaces-after-three-years-with-minecraft-lofystealer-campaign","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/28\/brazilian-lofygang-resurfaces-after-three-years-with-minecraft-lofystealer-campaign\/","title":{"rendered":"Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/brazilian-lofygang-resurfaces-after.html\">Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/brazilian-lofygang-resurfaces-after.html\">https:\/\/thehackernews.com\/2026\/04\/brazilian-lofygang-resurfaces-after.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-28 13:39:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new stealer called <strong>LofyStealer<\/strong> (aka GrabBot).<\/p>\n<p>&#8220;The malware disguises itself as a Minecraft hack called &#8216;Slinky,'&#8221; Brazil-based cybersecurity company ZenoX said in a technical report. &#8220;It uses the official game icon to induce voluntary execution, exploiting the trust of young users in the gaming scene.&#8221;<\/p>\n<p>The activity has been attributed with high confidence to a threat actor known as LofyGang, which was observed leveraging typosquatted packages on the npm registry to push stealer malware in 2022, specifically with an intent to siphon credit card data and user accounts associated with Discord Nitro, gaming, and streaming services.<\/p>\n<p>The group, believed to be active since late 2021, advertises their tools and services on platforms like GitHub and YouTube, while also contributing to an underground hacking community under the alias DyPolarLofy to leak thousands of Disney+ and\u00a0 Minecraft accounts.<\/p>\n<p>&#8220;Minecraft has been a LofyGang target since 2022,&#8221; Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News. &#8220;They leaked thousands of Minecraft accounts under the DyPolarLofy alias on Cracked.io. The current campaign goes after Minecraft players directly through a fake &#8216;Slinky&#8217; hack.&#8221;<\/p>\n<p>The attack begins with a Minecraft hack that, when launched, triggers the execution of a JavaScript loader that&#8217;s ultimately responsible for the deployment of LofyStealer (&#8220;chromelevator.exe&#8221;) on compromised hosts and execute it directly in memory with an aim to harvest a wide range of sensitive data spanning multiple web browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser.<\/p>\n<p>The captured data, which includes cookies, passwords, tokens, cards, and International Bank Account Numbers (IBANs), is exfiltrated to a command-and-control (C2) server located&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/brazilian-lofygang-resurfaces-after.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign https:\/\/thehackernews.com\/2026\/04\/brazilian-lofygang-resurfaces-after.html Publish Date: 2026-04-28 13:39:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":236786,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQf8Wzg1Ms0KVsO546uQuwlR3w_8qW1MQZExs5TgKCGHSNNS1UEnOITq-_y8HIrA_3n_gfq7Hm0IMb-XSRJSsGL1ncRPlPoyDX7cf_wFbEGAJCPkv6ZDBzjN1Nswe9-CMR3Tmn1F5KuVyWGdOkGEIbeI9R7zGKplJPofRFBx-Ru20JOGfAFEpiZOAlDBXh\/s1600\/hackers.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,32,34],"class_list":["post-236785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236785"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=236785"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236785\/revisions"}],"predecessor-version":[{"id":236787,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236785\/revisions\/236787"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/236786"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=236785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=236785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=236785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}