LofyStealer: The Memory-Resident Malware Silently Draining Minecraft Accounts + Video

Listen to this Post

Featured Image

Introduction

A Brazilian cybercrime group known as LofyGang has resurfaced after three years with a sophisticated infostealer called LofyStealer (also referred to as GrabBot). Disguised as a Minecraft hack named “Slinky,” this malware executes entirely in memory after a single installation, stealing passwords, cookies, tokens, banking data, and even IBANs from eight major browsers while evading traditional antivirus detection.

Learning Objectives

  • Understand the two-stage modular architecture of LofyStealer, including its Node.js loader and native C++ payload that injects directly into browser processes via direct syscalls.
  • Master detection techniques using YARA rules, Sysmon, and PowerShell hunting scripts to identify fileless malware execution patterns.
  • Implement defensive measures including EDR hooking bypass mitigations, registry monitoring for browser injection, and network IOCs to block C2 communication.

You Should Know

1. Anatomy of a Memory-Only Infostealer

The attack begins when a user voluntarily downloads and executes what they believe is a Minecraft hack called “Slinky.” The executable `load.exe` is a 53.5 MB Node.js application packaged with Vercel’s `pkg` tool, designed deliberately too large for many sandboxes to accept. This loader orchestrates the deployment of the true payload: a 1.4 MB native C++ binary named `chromelevator.exe` that is decrypted in memory and injected directly into browser processes using low-level syscalls that bypass EDR hooks.

Step-by-step analysis of the infection chain:

First, the loader resolves the AES-256 decryption key using a hardcoded master key (prefix ASTER_KEY:) processed through SHA-256 via Windows CNG API (bcrypt.dll). Once the payload is decrypted in memory, it executes process injection using direct syscalls from `ntdll.dll` (resolved at runtime to avoid IAT hooking). The malware then queries Windows registry to locate eight browsers (Chrome, Edge, Brave, Opera GX, Firefox, etc.), pulls cookies, saved passwords, credit cards, and tokens, compresses the loot using PowerShell’s `Compress-Archive` in hidden mode, Base64-encodes the resulting ZIP, and exfiltrates it to C2 IP `24.152.36.241` via HTTP POST to `/upload` with User-Agent GrabBot/1.0.

Detection commands:

  • PowerShell hunting for LofyStealer indicators:
    Search for the known C2 connection attempts in Windows Defender firewall logs
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116,1117} | Where-Object {$_.Message -match "24.152.36.241"}
    
    Hunt for the specific PowerShell compression command pattern
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$<em>.Message -match "Compress-Archive.grab</em>..zip"}
    

  • Sysmon configuration to detect process injection:

    <Sysmon>
    <EventFiltering>
    <RuleGroup name="LofyStealer Detection">
    <ProcessAccess onmatch="include">
    <TargetImage condition="end with">chrome.exe</TargetImage>
    <CallTrace condition="contains">ntdll.dll</CallTrace>
    <SourceImage condition="contains">chromelevator</SourceImage>
    </ProcessAccess>
    </RuleGroup>
    </EventFiltering>
    </Sysmon>
    

2. Evasion Techniques That Defeat Traditional AV

LofyStealer demonstrates sophisticated anti-detection tradecraft that forces defenders to reconsider their approach. The 53.5 MB loader contains thousands of legitimate Node.js libraries (V8, OpenSSL, libuv) creating a “needle in a haystack” situation for static analysis. The payload operates exclusively in memory after injection, leaving no disk artifacts, and uses direct syscalls to the Windows kernel rather than calling `KERNEL32.dll` APIs that EDRs typically hook. Additionally, the malware terminates browser processes before injection (--kill flag) and uses timing checks to detect sandbox environments via `GetTickCount` and QueryPerformanceCounter.

Step-by-step defense against memory-only malware:

To counter these evasion techniques, deploy API hooking at the kernel level using Microsoft’s PatchGuard-protected mechanisms or leverage ETW (Event Tracing for Windows) for telemetry that syscalls cannot bypass. Enable Windows Defender’s “Block at first sight” cloud-delivered protection and configure Attack Surface Reduction rules:

 ASR rule to block PowerShell compression used by LofyStealer
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled

Block process injection via known syscall patterns
Set-MpPreference -EnableNetworkProtection Enabled

For enterprise environments, configure Windows Defender for Endpoint in “block mode” and enable memory scanning:

Set-MpPreference -DisableScanningMappedFiles $false
Set-MpPreference -DisableScanningNetworkFiles $false
Set-MpPreference -SubmitSamplesConsent 2  Automatically submit samples

3. Indicators of Compromise and Network Blocking

The C2 infrastructure has been fully mapped and remains active as of April 2026. The web panel identifies itself as “LofyStealer, Advanced C2 Platform V2.0” and operates on port 8080, offering a full MaaS interface with free and premium tiers. The group even provides a builder called “Slinky Cracked” for generating custom payloads, indicating a matured malware-as-a-service operation.

IOC blocklist (deploy via firewall or EDR):

| Indicator | Value |

|||

| C2 IP Address | 24.152.36.241 |

| C2 Port | 8080 |

| Malicious Endpoint | /upload (POST) |

| Malicious Endpoint | /time (GET) |

| User-Agent | GrabBot/1.0 |

| HTTP Header | Content-Type: application/json |

| Payload SHA256 | `293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881` (chromelevator.exe) |

| Loader SHA256 | `45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7` (load.exe) |

Linux/Windows network blocking commands:

  • Windows (netsh):
    netsh advfirewall firewall add rule name="Block_LofyStealer_C2" dir=out remoteip=24.152.36.241 protocol=any action=block
    

  • Linux (iptables):

    sudo iptables -A OUTPUT -d 24.152.36.241 -j DROP
    sudo iptables -A FORWARD -d 24.152.36.241 -j DROP
    

  • PowerShell one-liner for hunting C2 connections in pcaps:

    Get-NetTCPConnection | Where-Object {$_.RemoteAddress -eq "24.152.36.241"} | Format-List
    

4. YARA Detection Rules for Threat Hunting

Threat hunters should deploy the following YARA rule across endpoints to identify both the loader and payload:

rule LofyStealer_Loader_Node_pkg {
meta:
description = "Detects LofyStealer loader packaged with pkg (Node.js runtime)"
author = "Threat Intelligence Team"
date = "2026-04-28"
strings:
$pkg_pdb = "pkg.6709935bf6bb94abb8c538bc" ascii wide
$node_runtime = "libnode.dll" ascii
$slinky_string = "Slinky Cracked" ascii wide
$crime_string = "ASTER_KEY:" ascii
$user_agent = "GrabBot/1.0" ascii
condition:
filesize > 50MB and ($pkg_pdb or $node_runtime) and ($slinky_string or $crime_string or $user_agent)
}

rule LofyStealer_Payload_Chromelevator {
meta:
description = "Detects LofyStealer native payload (chromelevator.exe)"
author = "Threat Intelligence Team"
date = "2026-04-28"
strings:
$c2_ip = "24.152.36.241" ascii wide
$endpoint = "/upload" ascii
$ua = "GrabBot/1.0" ascii
$auth = "secret" ascii
$pipe_signal = "<strong>DLL_PIPE_COMPLETION_SIGNAL</strong>" ascii
condition:
(uint16(0) == 0x5A4D) and filesize < 2MB and (($c2_ip and $endpoint) or ($ua and $pipe_signal))
}

Save these rules as `lofystealer.yar` and execute using:

yara64.exe -r lofystealer.yar C:\

5. MITRE ATT&CK Mapping for Incident Response

LofyStealer employs at least 15 distinct ATT&CK techniques, making it a valuable case study for blue teams building detection coverage:

| Technique | ID | LofyStealer Implementation |

||||

| Process Injection: Process Hollowing | T1055.012 | Creates suspended browser process, injects payload |
| Native API | T1106 | Direct syscalls from ntdll.dll (avoid KERNEL32 hooks) |
| Steal Web Session Cookie | T1539 | Extracts cookies from 8 browsers via registry queries |
| Credentials from Web Browsers | T1555.003 | Steals saved passwords from browser credential stores |
| Archive Collected Data | T1560.001 | PowerShell Compress-Archive of stolen data |
| Exfiltration Over C2 Channel | T1041 | HTTP POST JSON Base64 payload to /upload |
| Virtualization/Sandbox Evasion | T1497.003 | Timing checks via GetTickCount/QPC |

Step-by-step investigation using Sysmon + PowerShell:

 Hunt for T1055.012 Process Hollowing (suspended process creation)
Get-SysmonEvent -EventID 1 | Where-Object {$<em>.CommandLine -match "suspended" -and $</em>.Image -match "chrome"} | Format-List

Hunt for T1106 Native API (syscall patterns in call stacks)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process'; ID=1} | Where-Object {$_.Message -match "ntdll.dll.syscall"} | Select-Object TimeCreated,Message

Hunt for T1539/T1555 credential theft via browser database access
Get-ChildItem -Path "$env:USERPROFILE\AppData\Local\User Data\Default\Login Data" -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-2)}

6. Cloud Security Lessons and API Protection

The LofyGang group historically targeted software supply chains via typosquatted npm packages, starjacking on GitHub, and payloads hidden in sub-dependencies. Their evolution to MaaS highlights a broader trend: attackers are shifting from supply-chain compromise to direct social engineering with fileless execution. In response, organizations must implement:

  • GitHub Actions security: Never run untrusted workflows; enable secret scanning and dependabot alerts for typosquatting detection.
  • npm registry controls: Use `npm audit` with custom rules to flag packages with suspicious installation scripts or obfuscated code.
  • Browser isolation: Deploy Microsoft Defender for Office 365 Safe Attachments to sandbox downloads from gaming/modding sites.

npm audit hardening command:

npm config set audit-level high
npm audit --json | Select-String -Pattern '"lofy"'

PowerShell to detect suspicious browser database access across fleet:

 Detect unauthorized access to browser Credential files (T1555)
$browserPaths = @(
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data",
"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data",
"$env:LOCALAPPDATA\Mozilla\Firefox\Profiles\logins.json"
)
$browserPaths | ForEach-Object {
if (Test-Path $<em>) { Get-Acl $</em> | Select-Object PSPath,Owner,AccessToString }
}

What Undercode Say

  • Fileless malware is no longer theoretical. LofyStealer’s pure memory execution and direct syscall injection represent a maturation of infostealer tradecraft that evades over 70% of traditional AV products. Organizations must shift to behavior-based detection and kernel-level telemetry.
  • Gaming communities remain a prime attack vector. By exploiting the trust of millions of young Minecraft players seeking competitive advantages, LofyGang demonstrates how niche audiences drive massive credential theft operations. Security training must extend to personal devices and gaming habits.
  • MaaS lowers the barrier to entry. With free and premium tiers, LofyStealer is now accessible to less-skilled criminals. Expect copycat campaigns within weeks as the builder leaks or is sold on underground forums.

Prediction

LofyStealer signals the next generation of MaaS platforms: modular, memory-resident, and resistant to static analysis. Within six months, expect variants that add ransomware capabilities and lateral movement via stolen tokens. Browser vendors will likely implement mandatory TPM-bound encryption for stored credentials, forcing attackers to pivot to real-time session hijacking. Defenders must embrace endpoint detection and response (EDR) with behavior-based rules, kernel call stack monitoring, and memory scanning—signature-based AV alone is no longer sufficient against fileless threats.

▶️ Related Video (92% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hackermohitkumar A – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky