Brazilian LofyGang Returns with Minecraft LofyStealer Campaign
After a three‑year absence, the Brazilian cybercrime group LofyGang has resurfaced with a new campaign targeting Minecraft players. The outfit is deploying a freshly coded stealer dubbed LofyStealer (also known as GrabBot) through malicious mods, cheat packs, and phishing links that promise exclusive in‑game advantages.
LofyStealer functions as a credential‑harvesting Trojan that extracts login tokens, session cookies, and personal data from compromised hosts. It employs anti‑analysis techniques such as environment checks, and it encrypts its communications to obscure its traffic, sending stolen information to a command‑and‑control server hosted on bulletproof infrastructure. The malware is distributed via fraudulent download sites and compromised community forums, capitalizing on the trust players place in third‑party Minecraft content.
Researchers have linked the campaign to a spike in Minecraft account takeovers and associated virtual‑currency theft. The increase in fraudulent activity has raised concerns among game publishers and security teams, as the attackers leverage the popularity of the platform to scale their operations. Early detection signatures have been published, but the rapidly evolving malware variants demand continuous monitoring.
To defend against LofyStealer, players should refrain from downloading mods from unverified sources and enable two‑factor authentication on gaming accounts. Security teams are encouraged to share threat intelligence on LofyGang’s infrastructure and to block known C2 IPs. Keeping endpoints patched and employing behavior‑based detection tools will help mitigate the risk posed by this resurgence.