{
  "Event": {
    "analysis": "1",
    "date": "2026-04-24",
    "extends_uuid": "",
    "info": "[Threat Intel] LofyStealer: Malware targeting Minecraft players.",
    "protected": false,
    "publish_timestamp": "1779545867",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545867",
    "uuid": "6876fa3a-2485-479a-9565-5b902b5522a6",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#45f3d5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Thread Execution Hijacking - T1055.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4b62b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Checks - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546810",
        "to_ids": false,
        "type": "link",
        "uuid": "f5f0ff1a-613d-405c-b2b4-695bb4cb6f55",
        "value": "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546810",
        "to_ids": false,
        "type": "text",
        "uuid": "0c81fb09-4be0-450f-9c56-d7b388321ba6",
        "value": "A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory (these sizes line up with the 56,096,727-byte load.exe and the 1,473,536-byte file objects attached to this event). It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to evade EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated over HTTP to a Brazilian-hosted C2 server at 24.152.36.241 (TCP port 8080 per the URL attribute in this event). The source report attributes the operation with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546810",
        "to_ids": false,
        "type": "text",
        "uuid": "5dd32a4b-286a-4d02-9d86-e76312eeb1cd",
        "value": "Name: LofyStealer: Malware targeting Minecraft players.\nAuthor: AlienVault\nAdversary: LofyGang\nTags: [\"browser data\", \"infostealer\", \"chromelevator\", \"grabbot\", \"node.js loader\", \"credential theft\", \"syscalls evasion\", \"lofystealer\", \"slinky\", \"minecraft\"]\nTgtd countries: []\nMlwr families: [\"LofyStealer\", \"GrabBot\", \"chromelevator\"]\nAttack_ids: [\"T1560.001\", \"T1132.001\", \"T1539\", \"T1082\", \"T1106\", \"T1005\", \"T1140\", \"T1055.003\", \"T1036\", \"T1497.003\", \"T1555.003\", \"T1057\", \"T1041\", \"T1059.001\", \"T1562.001\", \"T1055.012\", \"T1027\", \"T1012\", \"T1518.001\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546810",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "a3c8b4c8-c2dd-4d92-99d0-7e23c39c8644",
        "value": "LofyGang"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689704",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "073ab0be-0e0f-46e1-ab10-8d48cc6e829c",
        "value": "24.152.36.241",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 endpoint observed on TCP port 8080; the recorded URL value omits the port, so detections should also match http://24.152.36.241:8080 (and the bare ip-dst above)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689725",
        "to_ids": true,
        "type": "url",
        "uuid": "0d71794e-9672-4660-b490-bbfe34ba545a",
        "value": "http://24.152.36.241",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545864",
        "uuid": "efc7bd1e-0f18-442a-b03f-6145b484d949",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545864",
            "to_ids": true,
            "type": "md5",
            "uuid": "52fb44d1-3b17-40b5-9f91-de448db8c975",
            "value": "d21a5d08b4614005c8fcd9d0068f0190",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545864",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8124ba52-3ae7-4088-ba6f-abfad53bd20c",
            "value": "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545864",
            "to_ids": true,
            "type": "sha256",
            "uuid": "50e70815-8d8a-4e55-a99c-d9f5bc2da004",
            "value": "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777688092",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e4ae800f-8178-4a34-a51c-7212dfa08a82",
            "value": "24576:ClDnwX7Dtd3rTl4r1YMgMsbO+/I3XceQhYGgp1WGMc50e/K2Od2KosBl+gcGKrJD:qDG7/3t4qU+gcThYH2GEe/K/ZTBl+gcg"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777688092",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "77a2201f-4f4f-48d1-a699-c060de13d4fe",
            "value": "1473536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777688092",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d12ce606-cdfc-4ad9-8caa-9cd5986387d2",
            "value": "0160667d15551d055038z68pz3dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777688092",
            "to_ids": true,
            "type": "filename",
            "uuid": "175b26c1-6cdf-4af3-bb21-2e94170c8793",
            "value": "download"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-02\nLast VT scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777688092",
            "to_ids": false,
            "type": "text",
            "uuid": "368d33ef-6626-4cc4-a68e-fe777f33bd12",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml (generic heuristic label, not family-specific; use the hashes, not the vendor name, for attribution)\nVT Total Detection: 48/71\nFirst Submission: 2026-04-22T22:33:17.000000+00:00\nLast Submission: 2026-04-22T22:33:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545867",
        "uuid": "e19cf9ee-ba77-4919-9c10-2c60e81aef1a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545866",
            "to_ids": true,
            "type": "md5",
            "uuid": "c72e5bde-a114-48de-b3aa-562857b303e6",
            "value": "fb203c0ac030a97281960d7c28d86ebf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545866",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7677fdec-5414-42a0-b953-1ec349bb70ee",
            "value": "f9fe23f24d45eae418c60819c523a83ddba4ca50",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545867",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9e6fccc5-d6e2-4127-bb86-5a3c6b92d0a9",
            "value": "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777688114",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "30fef11f-f8b6-433e-a3f0-a52e69f464a4",
            "value": "393216:pSuLbP8kNEzixq3QthJXs6XC/sPM9dweq8EZzlxl27EnmvgTfIj9JS3sgmrYN9+5:piAukA8zrI8rfKKSdGVD9e/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777688114",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7bb1a44e-8053-4b8f-a668-a33b9d8e55ee",
            "value": "56096727"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777688114",
            "to_ids": true,
            "type": "vhash",
            "uuid": "674d1be8-e9ec-4534-bfdf-43c7ff564e09",
            "value": "057076656d156d05655253z72zff7z11z13z13z93z12b4z11z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777688114",
            "to_ids": true,
            "type": "filename",
            "uuid": "055ef3a5-66c8-4ddf-b68a-a1c5f7c73abd",
            "value": "load.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-02\nLast VT scan: 2026-05-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777688114",
            "to_ids": false,
            "type": "text",
            "uuid": "ada7cc17-9690-4106-8717-f0571343686a",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/WinosStager!MTB (vendor label does not name LofyStealer; do not rely on it alone for family attribution)\nVT Total Detection: 31/70\nFirst Submission: 2026-04-21T17:07:43.000000+00:00\nLast Submission: 2026-04-21T17:07:43.000000+00:00"
          }
        ]
      }
    ]
  }
}