👤 TRUSTBREAKER
🗓️ 29 Apr 2026   🌍 South America

Minecraft Hackers Unleash “Slinky” Trap: LofyStealer Malware Pilfers Browser Secrets Worldwide

A fake Minecraft cheat lures young gamers into the deadly grip of LofyStealer, a sophisticated info-stealing malware operated by Brazil’s notorious LofyGang.

It’s the dream of every Minecraft player: a secret hack that promises game-changing powers. But for thousands lured by a file named “Slinky,” the only thing unlocked was their own personal data. Behind this seemingly innocent Minecraft cheat lies LofyStealer - a shadowy, industrial-strength info-stealer operated by the elusive Brazilian group, LofyGang. What began as a simple click for in-game advantage has spiraled into a global heist targeting browser-stored credentials, passwords, and financial data.

Investigators first noticed the LofyStealer campaign when suspicious binaries appeared in public malware analysis sandboxes. The infection chain starts with “Slinky” - a Trojan horse cheat tool promoted on gaming forums and Discord. The file, load.exe, weighs a whopping 53.5 MB because it bundles an entire Node.js runtime, cleverly masking the malicious code among legitimate libraries and making it too large for some security tools to scan effectively.
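For defenders, the size trick described above can be turned into a triage signal. The following is an added example, not code from the campaign or from any vendor report: it streams a file in chunks so that size never forces a skip, and flags Windows executables that exceed a scanner size limit and also carry strings typical of an embedded Node.js runtime. The marker strings, the 25 MiB default limit and the sample file are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed heuristics, not indicators from the article: strings that an
# embedded Node.js runtime normally carries in its binary.
NODE_MARKERS = (b"NODE_OPTIONS", b"node_modules", b"NODE_SEA_BLOB")
CHUNK = 1 << 20  # read 1 MiB at a time so file size never forces a skip


def find_markers(path, markers=NODE_MARKERS, chunk=CHUNK):
    """Stream the whole file and return the set of markers present."""
    overlap = max(len(m) for m in markers) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            found.update(m for m in markers if m in window)
            tail = window[-overlap:]  # keep bytes that may start a split marker
    return found


def triage(path, size_limit=25 * 1024 * 1024, min_markers=2):
    """Flag PE files over an (assumed) scanner size limit that embed Node.js."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"  # DOS header magic of a Windows executable
    markers = find_markers(path) if is_pe else set()
    oversized = size > size_limit
    return {"size": size, "is_pe": is_pe, "oversized": oversized,
            "markers": sorted(m.decode() for m in markers),
            "suspicious": is_pe and oversized and len(markers) >= min_markers}


def make_sample(total_size, body=b""):
    """Write a constructed stand-in file (not real malware) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MZ" + body + b"\0" * (total_size - 2 - len(body)))
    return path


if __name__ == "__main__":
    sample = make_sample(4096, b"\0" * 100 + b"NODE_OPTIONS" + b"\0" * 50 + b"node_modules")
    print(triage(sample, size_limit=1024))
    os.remove(sample)
```

Legitimate Node.js and Electron applications match the same heuristic, so a hit is a reason to check the file's origin and signature, not a verdict.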

Once launched, the loader reaches out to a command-and-control (C2) server in Brazil. It then decrypts and injects a much smaller, native C++ payload (chromelevator.exe) directly into the memory of popular browsers like Chrome, Edge, and Firefox. By using direct system calls instead of standard Windows APIs, the malware sidesteps most endpoint security solutions, leaving little forensic evidence behind.

The injected payload scours the victim’s browsers for a digital goldmine: cookies, saved passwords, authentication tokens, IBANs, and credit card information. This data is packed into a ZIP archive, encoded, and whisked away to the LofyGang’s web panel - an advanced dashboard allowing criminals to monitor victims, manage stolen accounts, and even generate new malware builds. The MaaS (Malware-as-a-Service) model means other criminals can rent LofyStealer, amplifying its reach.

This marks a significant evolution for LofyGang, who previously relied on poisoned npm packages to steal Discord accounts. Their new platform is polished, scalable, and dangerously effective - especially among teenagers seeking unfair advantages in Minecraft. For these gamers, the price of cheating is far steeper than a lost match: it’s the wholesale theft of their online identities and finances.

With gaming communities increasingly targeted by professional cybercriminals, the LofyStealer saga is a stark warning: in the hunt for shortcuts, players may unwittingly open the door to advanced malware. The next time a “hack” promises the world, remember - sometimes, it’s your world that’s at stake.

WIKICROOK

  • Node.js: Node.js is a platform for running JavaScript outside browsers, often on servers. It can be exploited to execute malware or automate attacks.
  • Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Memory Injection: Memory injection is when attackers load malicious code directly into a computer’s memory, making it difficult for antivirus tools to detect or block.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.

TRUSTBREAKER
Zero-Trust Validation Specialist