LofyStealer Targets Minecraft Players with Node.js Loader and Browser Injection
Key Takeaways
- A sophisticated malware campaign, attributed to the LofyGang cybercrime group, is targeting Minecraft players.
- The threat actors distribute LofyStealer, a Node.js-based loader, disguised as a Minecraft cheat called “Slinky.”
- LofyStealer employs advanced in-memory browser injection techniques to evade detection by endpoint security solutions.
- The malware exfiltrates sensitive data, including cookies, passwords, session tokens, payment card data, and IBANs, from multiple browsers.
- Users should avoid unofficial game mods and enable multi-factor authentication to protect against this evolving threat.
LofyStealer Leverages Node.js Loader and Advanced Browser Injection to Target Minecraft Players
Recent analysis of public submissions has revealed a concerted cyber campaign linked to the LofyGang group, a Brazilian cybercrime organization first identified by Checkmarx in October 2022. This group is now deploying a sophisticated stealer, dubbed LofyStealer, which employs a Node.js loader and advanced in-memory browser injection techniques to compromise unsuspecting users, particularly those within the Minecraft gaming community.
Attribution to LofyGang is supported by several key indicators, including hardcoded Brazilian Portuguese strings found within the malware’s code, a command-and-control (C2) server located at a small Brazilian datacenter with the IP address 24.152.36.241, and the C2 panel itself being branded as “LofyStealer, Advanced C2 Platform V2.0.” For a detailed technical breakdown, refer to the research paper.
Social Engineering and Malware-as-a-Service Model
The attackers primarily rely on social engineering to disseminate the malware. They cleverly package the malicious executable as a Minecraft cheat named “Slinky,” even utilizing the official Minecraft icon to enhance its perceived legitimacy. This tactic proves particularly effective against Minecraft’s younger player base, who are often more inclined to download unofficial modifications or cheats from various online sources.
Upon execution, the infection proceeds surreptitiously in the background, offering no visible alerts to the user. LofyStealer itself operates on a Malware-as-a-Service (MaaS) model, providing both free and premium tiers to its criminal clientele via a web-based dashboard. Premium subscribers gain access to a comprehensive victim management panel, a bespoke executable builder dubbed “Slinky Cracked,” and real-time monitoring capabilities for compromised machines. This sophisticated business structure underscores the professional and mature nature of LofyGang’s operations, a significant evolution from its earlier iterations as a JavaScript supply chain attack distributed through the NPM package registry.
In-Memory Browser Injection: A Stealthy Approach
A critical technical aspect of LofyStealer’s operation is the stealthy in-memory injection of its second-stage payload, chromelevator.exe, into active browser processes. This method is designed to circumvent common security defenses. The initial loader, load.exe, first identifies installed browsers by querying the Windows registry. It then launches the target browser in a suspended state, pausing the process before it fully initializes. For more information on this technique, consult the research paper (“Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection”).
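The loader-to-browser sequence described above (a non-browser binary spawning a browser, then opening it with injection rights and starting a remote thread in it) is exactly the kind of parent/child plus process-access chain that endpoint telemetry can correlate. The following is an added detection example written for this page; it is not code from the LofyStealer research or from any vendor. It models its events on Sysmon Event IDs 1 (process create), 8 (CreateRemoteThread) and 10 (ProcessAccess); the field names follow Sysmon, the benign-parent allowlist is an assumption to be tuned per environment, and every sample event is constructed for this example rather than captured from the campaign.

```python
"""Correlate suspicious browser spawns with remote-thread injection.

Modelled on Sysmon Event IDs 1 (process create), 8 (CreateRemoteThread)
and 10 (ProcessAccess). All sample events below are CONSTRUCTED for this
example; they are not telemetry from the campaign described on the page.
"""

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# Parents that legitimately launch a browser. This allowlist is an
# assumption for the example and must be tuned for a real estate.
BENIGN_PARENTS = {"explorer.exe", "svchost.exe", "runtimebroker.exe"} | BROWSERS

# Rights an injector needs on the target: PROCESS_VM_WRITE (0x0020),
# PROCESS_VM_OPERATION (0x0008) and PROCESS_CREATE_THREAD (0x0002).
# Sysmon records GrantedAccess as a hex string such as "0x1FFFFF".
INJECT_RIGHTS = 0x0020 | 0x0008 | 0x0002


def basename(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_injection(events):
    """Return (browser_pid, injector_image, reason) for each correlated hit.

    A browser PID becomes 'suspicious' when its parent is not on the
    allowlist; later EID 8/10 events from that same parent PID into the
    browser PID are promoted to alerts.
    """
    suspicious = {}  # browser pid -> (parent pid, parent image)
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev["Image"]) in BROWSERS:
            parent = basename(ev["ParentImage"])
            if parent not in BENIGN_PARENTS:
                suspicious[ev["ProcessId"]] = (ev["ParentProcessId"], parent)
        elif eid == 8 and ev["TargetProcessId"] in suspicious:
            ppid, pimg = suspicious[ev["TargetProcessId"]]
            if ev["SourceProcessId"] == ppid:
                alerts.append((ev["TargetProcessId"], pimg,
                               "CreateRemoteThread from non-standard parent"))
        elif eid == 10 and ev["TargetProcessId"] in suspicious:
            ppid, pimg = suspicious[ev["TargetProcessId"]]
            granted = int(ev["GrantedAccess"], 16)
            if ev["SourceProcessId"] == ppid and granted & INJECT_RIGHTS == INJECT_RIGHTS:
                alerts.append((ev["TargetProcessId"], pimg,
                               "ProcessAccess with write/thread rights"))
    return alerts


# Constructed sample stream mirroring the sequence described on the page.
SAMPLE_EVENTS = [
    # Benign: the user opens Edge from the taskbar (parent explorer.exe).
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4100, "ParentProcessId": 1200},
    # Suspicious: an unknown binary in Downloads spawns Chrome.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Slinky\load.exe",
     "ProcessId": 5120, "ParentProcessId": 5088},
    # The same parent opens that Chrome process with PROCESS_ALL_ACCESS ...
    {"EventID": 10, "SourceProcessId": 5088, "TargetProcessId": 5120, "GrantedAccess": "0x1FFFFF"},
    # ... and then starts a remote thread inside it.
    {"EventID": 8, "SourceProcessId": 5088, "TargetProcessId": 5120},
    # Noise: a read-only handle (PROCESS_QUERY_LIMITED_INFORMATION) to the benign Edge.
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 4100, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for pid, image, reason in detect_injection(SAMPLE_EVENTS):
        print(f"ALERT browser pid {pid}: {reason} (injector {image})")
```

Sysmon's process-creation event does not record the CREATE_SUSPENDED flag, so the suspended launch itself is not directly observable; the logic keys instead on the unusual parent and on the follow-on access and thread-creation events from that same parent, which is the part of the chain that an in-memory loader cannot avoid generating.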
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.