Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

The Hacker News, 28/04/2026, 17:39

Summary

AI-Generated

Key Points:

  • Brazilian cybercrime group LofyGang has resurfaced with a new campaign targeting Minecraft players using malware called LofyStealer, disguised as a hack named "Slinky."
  • The malware harvests sensitive data such as cookies, passwords, and credit card information from multiple web browsers and exfiltrates it to a C2 server at 24.152.36[.]241.
  • Security teams should monitor for suspicious downloads from GitHub and other platforms, especially those that involve JavaScript loaders or typosquatted packages.

Technical Details: LofyStealer is delivered via a JavaScript loader that executes in memory, capturing sensitive user data from various browsers. The campaign exploits social trust in gaming communities to lure victims.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1059.003 - Command and Scripting Interpreter: JavaScript (Execution)

IOCs Mentioned:

  • 24.152.36[.]241 (C2 server)
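
One way to sweep egress logs for the C2 address listed above, as an added example that is not part of the original article. The log layout, host names and process names are constructed assumptions.

```python
import ipaddress
import re

# Indicator exactly as published on this page (defanged).
C2_DEFANGED = "24.152.36[.]241"

def refang(indicator: str) -> str:
    """Undo common defanging so the value can be compared against log data."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

C2_ADDR = ipaddress.ip_address(refang(C2_DEFANGED))

# Constructed sample egress log; the layout is an assumption:
# timestamp  host  process  dst_ip:dst_port  bytes_out
SAMPLE_LOG = """\
2026-04-28T14:02:11Z WS-014 chrome.exe 142.250.72.14:443 1820
2026-04-28T14:03:40Z WS-014 client_mod.exe 24.152.36.241:443 48213
2026-04-28T14:04:05Z WS-014 client_mod.exe 24.152.36.241:443 1000
2026-04-28T14:05:02Z WS-022 javaw.exe 124.152.36.241:25565 912
2026-04-28T14:06:19Z WS-031 node.exe 24.152.36.2:443 300
2026-04-28T14:07:55Z WS-031 node.exe 24.152.36.241:8080 105772
2026-04-28T14:08:30Z WS-040 node.exe 999.152.36.241:443 50
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d+)$")

def sweep(log_text: str, ioc=C2_ADDR) -> dict:
    """Return per-host details for every connection whose destination is the IOC."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than abort the sweep
        ts, host, proc, dst, _port, sent = m.groups()
        try:
            # Compare parsed addresses, not substrings, so 124.152.36.241
            # and 24.152.36.2 do not produce false positives.
            if ipaddress.ip_address(dst) != ioc:
                continue
        except ValueError:
            continue  # not a valid IPv4 address, e.g. an octet above 255
        entry = hits.setdefault(
            host, {"first_seen": ts, "processes": set(), "bytes_out": 0})
        entry["processes"].add(proc)
        entry["bytes_out"] += int(sent)
    return hits

if __name__ == "__main__":
    for host, info in sweep(SAMPLE_LOG).items():
        print(host, info["first_seen"], sorted(info["processes"]), info["bytes_out"])
```

Hosts returned by `sweep` are candidates for credential resets and browser session revocation, since the summary states that cookies and saved passwords are what the stealer collects.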
