LofyStealer Malware Disguised as Minecraft Hack Targets Gamers in Sophisticated Cybercrime Campaign


Introduction

Cybercriminals are once again exploiting the gaming community, this time through a dangerous malware campaign hidden behind a fake Minecraft cheat tool called Slinky. Security researchers using the ANY.RUN interactive sandbox platform discovered that the malware, known as LofyStealer or GrabBot, is actively targeting gamers by disguising itself as something attractive and familiar. By using Minecraft branding and the official game icon, attackers are manipulating young and unsuspecting users into running the malicious file themselves.

This campaign is especially notable because it signals the return of LofyGang, a Brazilian cybercrime group that has significantly upgraded its methods. What was once a smaller-scale operation has now evolved into a structured malware business using advanced evasion tools, stealth delivery systems, and even paid subscription models for other criminals.

Malware Hidden Inside a Fake Minecraft Tool

The attack begins with a file named load.exe, a large 53.5 MB program that appears harmless to many users. However, this file is actually a full Node.js runtime environment packed with malicious JavaScript code. By embedding the malware inside a huge package filled with thousands of legitimate files, attackers make detection much harder.

Many automated security scanners skip or poorly analyze oversized files, allowing the malware to slip through unnoticed. This technique shows a deeper understanding of how security systems work and how to avoid them.

Once launched, the loader connects to the attacker’s remote server using normal Windows networking tools. This communication helps the malware retrieve and prepare its second stage.

Second Stage Uses Advanced Memory Injection

After execution, the loader decrypts a second malicious component called chromelevator.exe, a smaller but highly dangerous 1.4 MB C++ payload.

Instead of writing the payload to disk where antivirus software may detect it, the malware injects it directly into system memory. This allows it to run more silently and avoid many security products.

The payload also uses direct system calls to interact with the Windows kernel. This bypasses standard monitoring hooks commonly used by endpoint detection and response tools. In simple terms, the malware intentionally avoids normal pathways so security software has a harder time seeing what it is doing.

Eight Browsers Targeted for Theft

Once active, the malware scans popular web browsers including:

Google Chrome

Microsoft Edge

Brave

Mozilla Firefox

And four others

It attempts to steal five major categories of sensitive data, including:

Saved passwords

Browser cookies

Login sessions

Authentication tokens

Financial or payment information

This stolen data can later be used to hijack accounts, bypass two-factor authentication sessions, access email inboxes, or steal money.

Hidden Exfiltration Process

After collecting the information, the malware launches a hidden PowerShell command to compress everything into a ZIP archive.

The archive is then processed with SHA-256 (a hash function, which gives the operator an integrity check rather than confidentiality), encoded for transfer, and quietly sent back to the attacker’s infrastructure. This entire process happens in the background without obvious warning signs to the victim.

Many users may never realize their accounts or financial details were stolen until much later.

LofyGang Becomes Malware-as-a-Service

Researchers say this campaign demonstrates how LofyGang has evolved into a more professional cybercrime organization.

The group first became known around 2021 for placing malicious code inside open-source packages to steal Discord and streaming platform accounts. Now, they appear to be operating a full Malware-as-a-Service (MaaS) model.

Their command-and-control server reportedly hosts a graphical dashboard called LofyStealer V2.0. This control panel allows multiple criminals to:

Monitor victims in real time

Build custom malware samples

Manage stolen data

Launch new campaigns easily

The service reportedly offers both free and premium plans, showing how cybercrime increasingly mirrors legitimate software businesses.

Why Gamers Are Frequent Targets

Gamers are attractive targets because they often download:

Mods

Cheats

Hacks

Cracked software

Third-party launchers

Game utilities from unofficial sources

Many younger users focus on gaining in-game advantages and may ignore warning signs such as unsigned executables or suspicious downloads. Attackers know this and design malware around popular titles like Minecraft, Roblox, Fortnite, and GTA.

What Undercode Says:

This campaign is another example of how cybercriminals now combine psychology and technology. The technical side includes memory injection, modular payloads, Node.js abuse, and stealthy exfiltration. The psychological side uses Minecraft branding to lower suspicion instantly.

The use of a trusted game icon is simple but powerful. Many users judge safety visually. If something looks like Minecraft, they assume it belongs to Minecraft. That false sense of trust is exactly what attackers want.

The oversized Node.js loader is also clever. Instead of writing highly complex malware from scratch, criminals weaponize legitimate frameworks. This saves development time while making detection harder because security tools must distinguish malicious code hidden inside normal components.

The move to Malware-as-a-Service is perhaps the most important part of this story. It means one skilled group can supply tools to many lower-skilled criminals. That increases the number of attacks globally without requiring every attacker to build malware independently.

Gaming communities need stronger awareness programs. Players often receive cybersecurity advice designed for office workers, not gamers. Warnings about fake mods, cheat clients, Discord scams, and credential theft need to become standard in gaming spaces.

Parents should also understand that gaming malware is no longer harmless prank software. It now steals passwords, payment cards, social media access, and private messages.

For defenders, unusual Node.js execution on gaming PCs should be investigated. Hidden PowerShell usage combined with browser data access is another strong red flag.
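A small correlation check for the red flag just described, covering the hidden PowerShell-to-ZIP step from the exfiltration section as well; this is an added example, not code from the article or the ANY.RUN report. It runs over constructed Sysmon-style process events with made-up paths and PIDs, and the indicator patterns and the three-indicator threshold are assumptions to tune against real telemetry.

```python
import re

# Constructed process-creation events (field names loosely modelled on Sysmon
# Event ID 1; every path, PID and name here is made up for illustration).
EVENTS = [
    # Unsigned loader launched from Downloads: the fake cheat tool.
    {"pid": 4100, "ppid": 900, "image": r"C:\Users\kid\Downloads\Slinky\load.exe",
     "cmdline": "load.exe", "signed": False},
    # Child of the loader: hidden PowerShell zipping a Chrome profile file.
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path "
                r"'C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
                r"-DestinationPath C:\Users\kid\AppData\Local\Temp\out.zip", "signed": True},
    # Benign look-alike: a hidden backup job started from Explorer (parent not logged).
    {"pid": 6000, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Compress-Archive -Path "
                r"C:\Users\kid\Documents\report -DestinationPath C:\Users\kid\report.zip",
     "signed": True},
]

# Each command-line indicator is weak on its own; the alert needs several at once.
CMDLINE_CHECKS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"Compress-Archive|ZipFile|\.zip\b", re.I), "archive creation"),
    (re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware|Mozilla\\Firefox)\\",
                re.I), "browser profile path"),
]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)

def powershell_reasons(event, parent):
    """List the independent indicators present on one PowerShell launch."""
    reasons = [label for rx, label in CMDLINE_CHECKS if rx.search(event["cmdline"])]
    if parent and not parent["signed"] and USER_WRITABLE.search(parent["image"]):
        reasons.append("unsigned parent in user-writable path")
    return reasons

def suspicious_chains(events, min_reasons=3):
    """Return (parent_pid, powershell_pid, reasons) for launches stacking at
    least min_reasons indicators; a lone hidden backup job stays below it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["image"].lower().endswith("\\powershell.exe"):
            reasons = powershell_reasons(ev, by_pid.get(ev["ppid"]))
            if len(reasons) >= min_reasons:
                hits.append((ev["ppid"], ev["pid"], reasons))
    return hits
```

Lowering min_reasons to 2 also catches the benign backup job, which is the trade-off to weigh when tuning this against a fleet's normal PowerShell usage.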

Browser session theft is especially dangerous because it can bypass passwords entirely. If a criminal steals active cookies, they may log in without needing credentials.

This campaign also shows how regional threat groups can become international threats quickly. A group starting in one country can target users worldwide within days.

The future of gaming-related malware will likely involve AI-generated phishing pages, fake update tools, and malware hidden inside mod installers. Users should expect these attacks to become more convincing.

Fact Checker Results

✅ Researchers did identify a campaign using malware disguised as a Minecraft hack tool named Slinky.
✅ The malware reportedly targets browser data such as cookies, passwords, and tokens.
❌ No public evidence confirms exact victim totals or total financial damage at this time.

Prediction

🔮 Gaming malware campaigns will continue growing because young users frequently trust unofficial tools.

🔮 More threat groups will adopt subscription-based Malware-as-a-Service platforms.

🔮 Future variants may target Discord, Steam, Epic Games, and crypto wallets more aggressively.


References:

Reported By: cyberpress.org
