The Mod That Empties Your Inventory
- Javier Conejo del Cerro
- 54 minutes ago
- 2 min read

What appears to be a harmless Minecraft enhancement is, in reality, a well-crafted entry point for data theft. LofyGang’s reappearance signals not just a comeback, but a strategic evolution—from supply chain abuse targeting developers to direct, user-centric attacks embedded in trusted digital environments.
By leveraging familiarity, visual legitimacy, and the natural behavior of gamers downloading mods, the campaign turns voluntary execution into its most effective weapon.
Phase 1: The Perfect Mod
The attack begins where trust is highest: gaming. LofyGang disguises its malware as a Minecraft hack named “Slinky,” leveraging the game’s popularity and the natural tendency of users—especially younger ones—to download mods and cheats without scrutiny. By mimicking legitimate tools and using official game icons, the attackers lower suspicion and encourage voluntary execution.
This marks a strategic evolution from their earlier supply chain attacks (npm typosquatting, GitHub manipulation) into direct user targeting through familiar ecosystems.
Phase 2: Execution Behind the Screen
Once executed, the fake mod silently launches a JavaScript loader. This loader operates as the bridge between user interaction and system compromise, preparing the environment for the final payload.
Unlike traditional malware delivery, this stage relies entirely on user trust and legitimate execution, bypassing many conventional detection layers that focus on exploits rather than behavior.
Phase 3: The Stealer Awakens
The loader deploys LofyStealer (“chromelevator.exe”) directly in memory, avoiding disk-based detection. From there, it begins harvesting a wide range of sensitive data across multiple browsers:
- Cookies and session tokens
- Stored passwords
- Discord and gaming tokens
- Credit card data
- IBANs
All collected data is exfiltrated to a remote C2 server (24.152.36[.]241), giving attackers immediate access to accounts, financial data, and identities.
Phase 4: From Campaign to Service
This campaign also signals a shift in LofyGang’s operations. Previously focused on supply chain abuse and Discord token theft, the group is now evolving into a malware-as-a-service (MaaS) model, offering both free and premium tiers.
Tools like “Slinky Cracked” act as delivery builders, enabling wider distribution and scaling the attack beyond a single campaign into an ecosystem.
Phase 5: The Bigger Picture
This activity fits into a broader trend: the abuse of trusted platforms like GitHub, YouTube, and Reddit to distribute malware. From fake game cheats to developer tools and AI utilities, attackers are optimizing for volume, not precision.
By embedding malicious payloads in environments users already trust, they bypass traditional security assumptions—turning legitimacy itself into the attack vector.
Measures to Fend Off
- Avoid downloading unofficial mods, cheats, or cracked software
- Verify sources, even on trusted platforms like GitHub
- Limit sensitive data stored in browsers (passwords, cards, tokens)
- Monitor for unusual processes, such as unexpected executables running in memory
- Use EDR solutions capable of behavioral detection
- Educate users (especially younger audiences) about social engineering risks
- Block or inspect outbound traffic to unknown C2 endpoints
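The last two measures can be turned into a simple triage check over endpoint and firewall telemetry. The following is an added example, not code from the article or from any vendor; it uses the two indicators named above (the stealer process name and the defanged C2 address) over constructed sample log lines in an assumed key=value export format, flagging the known process, the known C2 destination, and a process start with no backing image on disk.

```python
import re

# Indicators taken from the write-up above (the C2 address is written defanged there).
C2_IP_DEFANGED = "24.152.36[.]241"
STEALER_PROCESS = "chromelevator.exe"

# Constructed sample telemetry in a simplified key=value format (assumption: not a
# real product's export format). Line 2 and 3 model the in-memory stealer and its
# beacon; lines 1 and 4 are benign game and browser traffic.
SAMPLE_LOGS = """\
ts=2024-01-01T10:00:01Z event=netconn proc=javaw.exe dst=151.101.1.69 dport=443
ts=2024-01-01T10:00:07Z event=procstart proc=chromelevator.exe parent=node.exe image_on_disk=false
ts=2024-01-01T10:00:09Z event=netconn proc=chromelevator.exe dst=24.152.36.241 dport=443
ts=2024-01-01T10:01:00Z event=netconn proc=chrome.exe dst=142.250.74.46 dport=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable value."""
    return ioc.replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict; unknown keys are kept as-is."""
    return dict(KV_RE.findall(line))


def classify(rec: dict) -> list:
    """Return the list of detection names that apply to one parsed record."""
    hits = []
    if rec.get("dst") == refang(C2_IP_DEFANGED):
        hits.append("known_c2_destination")
    if rec.get("proc", "").lower() == STEALER_PROCESS:
        hits.append("known_stealer_process")
    # Process started without an on-disk image: the fileless behaviour described above.
    if rec.get("event") == "procstart" and rec.get("image_on_disk") == "false":
        hits.append("in_memory_execution")
    return hits


def scan(log_text: str) -> list:
    """Scan a block of log lines and return (timestamp, process, hits) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec.get("ts"), rec.get("proc"), hits))
    return alerts


if __name__ == "__main__":
    for ts, proc, hits in scan(SAMPLE_LOGS):
        print(ts, proc, ", ".join(hits))
```

The in-memory check is a behavioural signal, so it stays useful after the attackers rename the binary or rotate the C2 address.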
This campaign highlights a fundamental shift in modern threat landscapes: attackers are no longer relying solely on technical exploits, but on trust, scale, and behavioral manipulation. Platforms like GitHub, gaming communities, and content-sharing channels are increasingly weaponized to distribute malware under the guise of legitimacy.
Defending against these threats requires more than patching vulnerabilities—it demands stronger user awareness, stricter validation of downloaded content, and security controls capable of detecting abnormal behavior rather than just known signatures.
The Hacker News