LofyStealer Targets Minecraft Players with Node.js Loader and Browser Injection

Marcus Rodriguez
April 29, 2026

Key Takeaways

  • A sophisticated malware campaign, attributed to the LofyGang cybercrime group, is targeting Minecraft players.
  • The threat actors distribute LofyStealer, a Node.js-based loader, disguised as a Minecraft cheat called “Slinky.”
  • LofyStealer employs advanced in-memory browser injection techniques to evade detection by endpoint security solutions.
  • The malware exfiltrates sensitive data, including cookies, passwords, session tokens, payment card data, and IBANs, from multiple browsers.
  • Users should avoid unofficial game mods and enable multi-factor authentication to protect against this evolving threat.

LofyStealer Leverages Node.js Loader and Advanced Browser Injection to Target Minecraft Players

Recent analysis of public submissions has revealed a concerted cyber campaign linked to the LofyGang group, a Brazilian cybercrime organization first identified by Checkmarx in October 2022. This group is now deploying a sophisticated stealer, dubbed LofyStealer, which employs a Node.js loader and advanced in-memory browser injection techniques to compromise unsuspecting users, particularly those within the Minecraft gaming community.

Attribution to LofyGang is supported by several key indicators, including hardcoded Brazilian Portuguese strings found within the malware’s code, a command-and-control (C2) server located at a small Brazilian datacenter with the IP address 24.152.36.241, and the C2 panel itself being branded as “LofyStealer, Advanced C2 Platform V2.0.” For a detailed technical breakdown, refer to the research paper.

Social Engineering and Malware-as-a-Service Model

The attackers primarily rely on social engineering to disseminate the malware. They cleverly package the malicious executable as a Minecraft cheat named “Slinky,” even utilizing the official Minecraft icon to enhance its perceived legitimacy. This tactic proves particularly effective against Minecraft’s younger player base, who are often more inclined to download unofficial modifications or cheats from various online sources.

Upon execution, the infection proceeds surreptitiously in the background, offering no visible alerts to the user. LofyStealer itself operates on a Malware-as-a-Service (MaaS) model, providing both free and premium tiers to its criminal clientele via a web-based dashboard. Premium subscribers gain access to a comprehensive victim management panel, a bespoke executable builder dubbed “Slinky Cracked,” and real-time monitoring capabilities for compromised machines. This sophisticated business structure underscores the professional and mature nature of LofyGang’s operations, a significant evolution from its earlier iterations as a JavaScript supply chain attack distributed through the NPM package registry.

In-Memory Browser Injection: A Stealthy Approach

A critical technical aspect of LofyStealer’s operation is the stealthy in-memory injection of its second-stage payload, chromelevator.exe, into active browser processes. This method is designed to circumvent common security defenses. The initial loader, load.exe, first identifies installed browsers by querying the Windows registry. It then launches the target browser in a suspended state, pausing the process before it fully initializes. For more information on this technique, consult the …
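A defender-side sketch of how the sequence above can be hunted in endpoint telemetry, added here as an example and not taken from the research or from any vendor rule. It assumes Sysmon-style events (IDs 1, 3, 5, 8, 10) and that the loader's handle on the browser it started surfaces as event 8 or 10; the parent allowlist, the `hunt` function and the sample events are constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
# Assumption: processes that normally start a browser here; tune per fleet.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe", "svchost.exe"}
C2_IP = "24.152.36.241"  # C2 address quoted in the article

def exe(path):
    return basename(path).lower()

def hunt(events):
    """Return sorted (pid, reason) findings from Sysmon-style event dicts."""
    odd_child = {}  # browser pid -> pid of the unexpected parent that started it
    findings = set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and exe(ev["Image"]) in BROWSERS:
            if exe(ev["ParentImage"]) not in EXPECTED_PARENTS:
                odd_child[ev["ProcessId"]] = ev["ParentProcessId"]
        elif eid in (8, 10):  # CreateRemoteThread / ProcessAccess
            target = ev["TargetProcessId"]
            # Only the parent reaching into the browser it just started is flagged.
            if odd_child.get(target) == ev["SourceProcessId"]:
                findings.add((target, "unexpected-parent-touched-browser"))
        elif eid == 5:  # process exit: forget the pid so reuse cannot match
            odd_child.pop(ev["ProcessId"], None)
        elif eid == 3 and ev["DestinationIp"] == C2_IP:
            findings.add((ev["ProcessId"], "connection-to-reported-c2"))
    return sorted(findings)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = [  # constructed events, not captured from a real host
    {"EventID": 1, "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 4100, "ParentProcessId": 900},
    {"EventID": 1, "Image": CHROME, "ParentImage": CHROME,
     "ProcessId": 4200, "ParentProcessId": 4100},
    {"EventID": 10, "SourceProcessId": 4100, "TargetProcessId": 4200},  # benign
    {"EventID": 1, "Image": CHROME, "ParentImage": r"C:\Users\kid\Downloads\load.exe",
     "ProcessId": 5200, "ParentProcessId": 5100},
    {"EventID": 10, "SourceProcessId": 5100, "TargetProcessId": 5200},
    {"EventID": 3, "ProcessId": 5100, "DestinationIp": C2_IP},
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE):
        print(pid, reason)
```

The browser-to-browser access in the sample stays quiet because the browser itself is an expected parent; only the process started from the Downloads folder and the connection to the reported C2 address are returned.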
