Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection

A dangerous infostealer malware called LofyStealer is actively targeting Minecraft players by disguising itself as a game cheat tool named “Slinky.”

The malware runs a two-stage attack that quietly steals sensitive data from popular web browsers while staying largely hidden from standard security software installed on the victim machine.

The campaign is notably more sophisticated than typical gaming malware seen in the past. LofyStealer bundles a Node.js-based loader with a native C++ payload that is injected directly into live browser memory during execution.

The malware covers a wide range of targets, hitting eight major browsers including Chrome, Edge, Brave, Opera GX, and Firefox, while extracting cookies, saved passwords, payment card details, active session tokens, and IBANs from each one.

Analysts and researchers at Zenox.ai identified and confirmed the malware during active threat hunting activities conducted on the ANY.RUN sandbox platform.

By carefully studying public submissions, the team was able to link the campaign to the LofyGang group, a Brazilian-origin cybercrime organization first tracked by Checkmarx in October 2022.

The attribution is backed by hardcoded Brazilian Portuguese strings found inside the code, a C2 server hosted at a small Brazilian datacenter with the IP address 24.152.36.241, and the command-and-control panel branding itself as “LofyStealer, Advanced C2 Platform V2.0.”

Threat actors spread the malware entirely through social engineering. They package the malicious file as a Minecraft cheat called “Slinky” and use the game’s official icon to make it look completely legitimate.

This method works particularly well because Minecraft attracts a younger audience that is far more likely to download cheats or mods from unofficial sources.

Once the file is executed, the infection starts silently in the background with no visible warning signs shown to the user.

Infection Chain (Source – Zenox.ai)

LofyStealer operates as a Malware-as-a-Service (MaaS) platform, offering Free and Premium tiers to criminal buyers through a web-based dashboard. Premium users gain full access to a victim management panel, a custom executable builder called “Slinky Cracked,” and real-time monitoring of compromised machines.

LofyStealer C2 Panel (Source – Zenox.ai)

This structured business model reflects a mature and professionalized operation that has grown well beyond its early roots as a JavaScript supply chain attack distributed via the NPM package registry.

In-Memory Browser Injection: How LofyStealer Bypasses Security Tools

The most technically notable part of LofyStealer is the way its second-stage payload, chromelevator.exe, gets injected into active browser processes without triggering common security defenses.

Once the loader, load.exe, runs on the victim machine, it queries the Windows registry to locate installed browsers and then launches the identified browser in a suspended state, temporarily halting the process before it becomes fully active.

The loader then maps the payload directly into the browser’s memory space using native NT API calls. Rather than relying on the commonly used Win32 API functions that endpoint security products actively watch, it resolves low-level functions from ntdll.dll at runtime and invokes them through direct syscalls.

This technique bypasses the user-mode EDR and antivirus hooks placed on the higher-level KERNEL32.dll APIs, giving the payload a clean and undetected path into the running browser process.

Once injected and fully active inside the browser, the payload extracts cookies, stored passwords, session tokens, payment card data, and IBANs across eight targeted browsers.

Stolen data is compressed using a hidden PowerShell command, encoded in Base64, and sent to the C2 server via an HTTP POST request with a SHA-256 integrity signature attached. The server then makes all stolen records available to operators through the live web dashboard.

Users and organizations should avoid downloading Minecraft mods, cheats, or game utilities from unofficial or untrusted sources, particularly those shared through Discord channels or unknown file-sharing sites.

Endpoint security solutions capable of detecting in-memory injection behavior offer stronger protection against this malware than traditional file-based scanning alone.

Multi-factor authentication should be enabled on all gaming, streaming, and financial accounts to reduce the risk of credential theft.

Security teams are advised to block outbound traffic to IP 24.152.36.241 on port 8080 and monitor systems for PowerShell execution running in hidden mode as a key behavioral indicator of compromise.
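The two behavioural indicators called out above (hidden-window PowerShell execution and outbound traffic to 24.152.36.241:8080) can be turned into a simple detection pass over endpoint telemetry. The following is an added example, not code from the article or from Zenox.ai: it runs two rules over Sysmon-style JSON event lines (event ID 1 for process creation, event ID 3 for network connections). The event field names and the sample events are constructed for this example; only the C2 address, port and the hidden-PowerShell indicator come from the article.

```python
import json
import re
from typing import Dict, Iterable, List

# Indicators taken from the article: the reported C2 endpoint and the
# hidden-window PowerShell execution used to compress stolen data.
C2_IP = "24.152.36.241"
C2_PORT = 8080

# Matches "-WindowStyle Hidden" and its abbreviated forms ("-w hidden", "-w h").
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# Matches an image path that ends in powershell.exe or pwsh.exe.
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.IGNORECASE)


def is_hidden_powershell(event: Dict) -> bool:
    """Process-creation event (ID 1) launching PowerShell with a hidden window."""
    if event.get("event_id") != 1:
        return False
    image = event.get("image", "")
    cmd = event.get("command_line", "")
    return bool(POWERSHELL_RE.search(image) and HIDDEN_WINDOW_RE.search(cmd))


def is_c2_connection(event: Dict) -> bool:
    """Network-connection event (ID 3) to the C2 endpoint named in the article."""
    return (
        event.get("event_id") == 3
        and event.get("dest_ip") == C2_IP
        and event.get("dest_port") == C2_PORT
    )


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run both rules over JSON-lines events and return one finding per hit.

    Malformed lines are skipped so a single bad record cannot abort the scan.
    The parent/source image is kept in each finding to speed up triage.
    """
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_hidden_powershell(event):
            findings.append({
                "rule": "hidden_powershell",
                "host": event.get("host"),
                "parent": event.get("parent_image"),
                "detail": event.get("command_line"),
            })
        if is_c2_connection(event):
            findings.append({
                "rule": "lofystealer_c2",
                "host": event.get("host"),
                "parent": event.get("image"),
                "detail": f"{event['dest_ip']}:{event['dest_port']}",
            })
    return findings


# Constructed sample telemetry (field layout and values are assumptions for this
# example): one hidden PowerShell launch from a loader in Downloads, one benign
# PowerShell launch, one connection to the C2 port, one benign connection, and
# one malformed line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event_id": 1, "host": "ws-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand UGxhY2Vob2xkZXI=",
     "parent_image": r"C:\Users\player\Downloads\load.exe"},
    {"event_id": 1, "host": "ws-02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 3, "host": "ws-01",
     "image": r"C:\Users\player\Downloads\load.exe",
     "dest_ip": "24.152.36.241", "dest_port": 8080},
    {"event_id": 3, "host": "ws-02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]] + ["this line is not json"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow: the C2 rule is a point indicator that stops working when the operators move infrastructure, while the hidden-PowerShell rule is behavioural and will also fire on some legitimate automation, so it is best correlated with the parent process (a freshly downloaded executable, as in the first sample event) rather than alerted on alone.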

The post Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection appeared first on Cyber Security News.

Source: cybersecuritynews.com
