The “Slinky” Trap: How a Fake Minecraft Cheat Deploys LofyStealer Malware

In a sophisticated social engineering campaign targeting the gaming community, Minecraft players are being targeted by a deceptive “hacking tool” known as Slinky. While marketed as a way to gain an unfair advantage in-game, the software is actually a delivery vehicle for LofyStealer (also identified as GrabBot), a potent infostealer linked to the Brazilian cybercrime syndicate, LofyGang.

By leveraging the official Minecraft icon to establish a sense of legitimacy, the attackers trick unsuspecting—and often younger—users into voluntarily executing malicious code. Instead of providing in-game cheats, the application initiates a silent, multi-stage infection process designed to exfiltrate sensitive browser data to a command-and-control (C2) infrastructure hosted in Brazil.

Technical Breakdown: The Multi-Stage Infection Chain

Threat hunters first identified the campaign via suspicious activity logs on the ANY.RUN sandbox. The malware utilizes a modular, two-stage architecture that prioritizes stealth and evasion of modern security software.

Stage 1: The Node.js Loader
The initial execution begins with a relatively large 53.5 MB binary named load.exe. This is not a traditional native executable, but a Node.js application packaged using the “pkg” tool. By bundling the entire V8 engine, OpenSSL, and various standard libraries (such as libuv and zlib), the malware creates a heavy, legitimate-looking runtime environment. This “bloated” file structure helps it blend in with standard developer tools and evades simple signature-based detection by endpoint protection platforms.

Separation between loader and payload (Source : ANY.RUN).
Visualizing the separation between the heavy Node.js loader and the lightweight native payload (Source: ANY.RUN).

Stage 2: In-Memory C++ Payload Injection
Once the loader is active, it decrypts a compact 1.4 MB native C++ binary named chromelevator.exe. To bypass Endpoint Detection and Response (EDR) hooks that monitor standard Windows API calls, the malware utilizes direct syscalls to inject the payload directly into the memory space of active browser processes. This “fileless” approach ensures that the most malicious components never touch the disk as traditional files, significantly complicating forensic analysis.

C2 Infrastructure and Malware-as-a-Service (MaaS)

The payload is highly effective at lateral data harvesting, targeting a wide array of browsers including Chrome, Edge, Brave, Opera (including Opera GX), Firefox, and Avast Secure Browser. It systematically scrapes:

  • Saved credentials and passwords
  • Session cookies and authentication tokens
  • Stored credit card information
  • International Bank Account Numbers (IBANs)

Extracted data is organized into structured JSON, compressed via zlib, and Base64-encoded before being transmitted via HTTP POST requests to the C2 server at 24.152.36.241:8080.

Loader analysis (Source : ANY.RUN).
Deep analysis of the loader’s internal structure (Source: ANY.RUN).

Evidence suggests that LofyStealer operates under a Malware-as-a-Service (MaaS) model. The C2 panel—branded as “LofyStealer, Advanced C2 Platform V2.0″—includes a dedicated builder for generating new malicious executables, alongside tools for victim monitoring and account management. This professionalization indicates a shift from simple, targeted attacks to scalable, multi-operator criminal enterprises.

The connection to LofyGang is substantiated by the Brazilian hosting infrastructure, Portuguese-language artifacts found within the code, and the specific branding of the stealer. Interestingly, the malware’s .text section demonstrates an extremely high entropy of 7.84, suggesting the use of Link-Time Code Generation (LTCG) and heavily obfuscated/encrypted inline data to hide injection keys and payloads.

Payload analysis (Source : ANY.RUN).
Entropy and payload analysis metrics (Source: ANY.RUN).

The group’s evolution—transitioning from poisoning npm packages to deploying polished, niche-targeted MaaS platforms—highlights a growing danger for the gaming community. For a young player, a single download of a “mod” or “cheat” can result in the total compromise of their digital identity, including banking details and social media accounts.

Indicators of Compromise (IOCs)

Indicator Type Value
C2 IP Address 24.152.36.241
Upload Endpoint /upload (HTTP POST)
Time Check Endpoint /time (HTTP GET)
User-Agent GrabBot/1.0
Content-Type application/json
Fallback Protocol WebSocket
C2 Management Panel http://24.152.36.241:8080
Platform Name LofyStealer – Advanced C2 Platform V2.0

Related Articles

Back to top button
OOy iKttPcUiPEPSBNHh LZf