Brazilian LofyGang Revives Infostealer Operations: GrabBot/Slinky Campaign Targets Gamers with Modular Malware

During recent threat hunting activities on the ANY.RUN platform, analysts identified a sophisticated malware campaign masquerading as a Minecraft hack called “Slinky”. This campaign, attributed to the Brazilian cybercrime group LofyGang, leverages a modular architecture consisting of a Node.js-based loader (load.exe, 53.5 MB) and a native C++ payload (chromelevator.exe, 1.4 MB). The loader orchestrates execution and evasion, while the payload performs surgical data theft operations across eight browsers, targeting cookies, credentials, tokens, and financial data. The malware communicates with a command-and-control (C2) infrastructure hosted in Brazil, exposing a Malware-as-a-Service (MaaS) platform branded “LofyStealer V2.0”.

Attack Vector and Social Engineering

The malware disguises itself as a Minecraft cheat tool, exploiting the trust of young gamers. By embedding itself in a familiar gaming context and using the official Minecraft icon, the attackers induce voluntary execution. This social engineering tactic highlights the group’s focus on exploiting communities with lower awareness of cybersecurity risks.

Loader Analysis

The loader (load.exe) is packaged using pkg, a tool that compiles Node.js applications into standalone binaries. Its massive size (53.5 MB) is intentional, embedding legitimate libraries such as V8, OpenSSL, and libuv to dilute malicious indicators and bypass sandbox upload limits. The loader imports over 500 functions across 12 DLLs, including:

  • dbghelp.dll – enabling process memory dumps.
  • WS2_32.dll – providing low-level network capabilities, confirmed in dynamic analysis with TCP connections to C2 IP 24.152.36.241.
  • CRYPT32.dll – accessing digital certificates and private keys.
  • KERNEL32.dll – supporting process injection, memory manipulation, and anti-debugging.

This orchestration layer demonstrates professionalized malware development, with automated builds via GitHub Actions.

Payload Analysis

The payload (chromelevator.exe) is a lean C++ binary designed for stealth and precision. It imports only 127 functions across 5 DLLs, relying on runtime resolution of ntdll.dll syscalls to bypass EDR hooks. Key capabilities include:

  • Process Injection – hollowing browser processes via direct syscalls.
  • Data Theft – extracting cookies, credentials, and tokens from registry paths and browser databases.
  • Exfiltration – compressing stolen data with PowerShell, encoding it in Base64, and transmitting via HTTP POST requests to /upload.
  • Cryptography – using SHA-256 via bcrypt.dll for payload decryption and integrity verification.

The payload operates entirely in memory, leaving minimal forensic artifacts.

C2 Infrastructure and Attribution

The C2 infrastructure (24.152.36.241:8080) hosts a web-based victim management panel branded “LofyStealer V2.0”, offering real-time monitoring and executable generation. This confirms the commoditization of the malware into a MaaS model, with free and premium tiers. Attribution to LofyGang is supported by:

  • Brazilian hosting provider (Master da Web Datacenter LTDA).
  • Portuguese-language strings in code.
  • Thematic continuity with Minecraft-targeted campaigns since 2022.
  • Branding consistency (“LofyStealer” ↔ “Lofy”).

Indicators of Compromise (IOCs)

  • Loader hash (SHA256): 45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7
  • Payload hash (SHA256): 293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881
  • C2 IP: 24.152.36[.]241
  • Endpoints: /upload, /time
  • User-Agent: GrabBot/1.0
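The following Python script is an added defensive example, not part of the original report or of ANY.RUN's tooling. It matches the network IOCs above (C2 IP and port, the /upload and /time endpoints, the GrabBot/1.0 User-Agent, and a large POST to /upload as the exfiltration step) against proxy log lines; the log format, field layout and sample lines are constructed assumptions.

```python
import re

# Network IOCs from the report (the C2 IP is 24.152.36[.]241 when defanged)
C2_IP = "24.152.36.241"
C2_PORT = 8080
C2_ENDPOINTS = {"/upload", "/time"}
C2_USER_AGENT = "GrabBot/1.0"
BULK_UPLOAD_BYTES = 100_000  # assumed threshold for a compressed, Base64-encoded dump

# Assumed proxy log layout:
#   <ts> <src_ip> <method> <dst_ip>:<dst_port><path> ua="<user-agent>" bytes=<request size>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)(?P<path>/\S*) '
    r'ua="(?P<ua>[^"]*)" bytes=(?P<bytes>\d+)$'
)

def match_indicators(line):
    """Return the list of GrabBot/Slinky indicators a single log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if m["dst"] == C2_IP and int(m["port"]) == C2_PORT:
        hits.append("c2_ip")
    if m["ua"] == C2_USER_AGENT:
        hits.append("user_agent")
    # /upload and /time are generic paths, so they only count alongside a stronger indicator
    if m["path"] in C2_ENDPOINTS and hits:
        hits.append("endpoint")
    # /upload receives the compressed, Base64-encoded stolen data via POST,
    # so a large POST to the C2's /upload is the exfiltration itself
    if "c2_ip" in hits and m["method"] == "POST" and m["path"] == "/upload" \
            and int(m["bytes"]) > BULK_UPLOAD_BYTES:
        hits.append("bulk_upload")
    return hits

def scan(lines):
    """Return (line, hits) pairs for every line matching at least one indicator."""
    return [(ln, h) for ln in lines if (h := match_indicators(ln))]

# Constructed sample lines: two C2 contacts from one host, then two benign requests
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z 10.0.0.5 GET 24.152.36.241:8080/time ua="GrabBot/1.0" bytes=0',
    '2024-05-01T10:00:09Z 10.0.0.5 POST 24.152.36.241:8080/upload ua="GrabBot/1.0" bytes=2411234',
    '2024-05-01T10:01:00Z 10.0.0.7 GET 198.51.100.7:443/index.html ua="Mozilla/5.0" bytes=0',
    '2024-05-01T10:02:00Z 10.0.0.8 POST 198.51.100.7:443/upload ua="Mozilla/5.0" bytes=512',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(",".join(hits), "<-", line)
```

The benign POST to a different host's /upload produces no hit, which is the point of requiring the IP or User-Agent before counting the endpoint.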

Our Opinion

The GrabBot/Slinky campaign represents a significant evolution in the commoditization of malware. By combining a Node.js loader with a native C++ payload, the attackers achieve both scalability and stealth. The use of GitHub Actions for automated builds and the deployment of a polished C2 panel highlight the professionalization of cybercrime groups like LofyGang. What is particularly concerning is the deliberate targeting of young gaming communities, exploiting their trust and limited awareness of cybersecurity risks. This not only broadens the victim pool but also normalizes malware distribution in recreational spaces.

From a defensive standpoint, the campaign underscores the need for multi-layered detection strategies. Traditional antivirus solutions that rely on static signatures are insufficient against such modular and evasive malware. Security teams must leverage behavioral analysis, sandboxing, and threat intelligence platforms to detect anomalies like oversized binaries, suspicious PowerShell compression, and direct syscall usage. Furthermore, the rise of MaaS platforms like LofyStealer V2.0 signals a democratization of cybercrime, lowering the barrier to entry for malicious actors. Organizations must anticipate that such professionally packaged malware will proliferate, making proactive threat hunting and intelligence sharing indispensable in mitigating future risks.