Back to Intelligence

LofyStealer (GrabBot): Minecraft 'Slinky' Malware Campaign — Detection and Remediation Guide

SA
Security Arsenal Team
April 28, 2026
10 min read

Introduction

The Brazilian cybercrime group LofyGang has resurfaced after more than three years of inactivity with a new stealer campaign targeting Minecraft players. The malicious software, dubbed LofyStealer (also known as GrabBot), disguises itself as a popular Minecraft cheat called "Slinky" and uses the official game icon to trick users into voluntarily executing the malware. This resurgence represents a significant threat not only to individual gamers but to organizations with gaming infrastructure or BYOD policies that may allow gaming applications on corporate networks. Security teams must act immediately to detect and contain this threat, as credential harvesting from gaming accounts often overlaps with corporate credentials reused by employees.

Technical Analysis

Affected Products and Platforms

  • Platform: Windows-based systems (primary target)
  • Target Application: Minecraft (Java Edition and Bedrock Edition)
  • Malware Variants: LofyStealer, also known as GrabBot
  • Disguise: Minecraft hack/cheat tool named "Slinky"

Threat Actor Profile

  • Group: LofyGang (Brazilian origin)
  • History: Previously active more than three years ago
  • Motivation: Financial gain through credential theft and likely account monetization

Attack Chain Analysis

  1. Initial Access Vector: Victims search for or are offered Minecraft cheats/hacks through forums, Discord servers, or social media
  2. Social Engineering: The malware is distributed as "Slinky" — a purported Minecraft cheat tool
  3. Masquerading: The executable uses the official Minecraft game icon to appear legitimate and induce voluntary execution
  4. Execution: User voluntarily runs the malicious file, believing it to be a game modification
  5. Payload Deployment: LofyStealer/GrabBot executes and begins credential harvesting
  6. Data Exfiltration: Stolen credentials, session tokens, and sensitive data are exfiltrated to attacker-controlled infrastructure

Exploitation Status

  • Active Exploitation: Confirmed in the wild by ZenoX research team
  • Delivery Method: Social engineering via game modification distribution
  • Severity: High — targets widespread user base with effective masquerading techniques

Detection & Response

The following detection rules are designed to identify LofyStealer activity without generating excessive false positives. These focus on behavioral indicators rather than static signatures, as the malware uses legitimate-sounding filenames and icons.

Sigma Rules

YAML
---
title: Suspicious Minecraft Hack Execution - LofyStealer Pattern
id: 8a4c2d15-9e7f-4b3a-8c1d-5f6e7a8b9c0d
status: experimental
description: Detects execution of processes masquerading as Minecraft hacks like 'Slinky' from suspicious directories or with unexpected parent processes. Based on LofyGang LofyStealer campaign targeting Minecraft players.
references:
  - https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1204
  - attack.credential_access
  - attack.t1056
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\Slinky.exe'
      - '\slinky.exe'
      - '\MinecraftHack.exe'
      - '\MC_Cheat.exe'
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\Steam\'
      - '\Minecraft\'
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate game modification tools (should be rare in corporate environments)
level: high
---
title: PowerShell Download from Suspicious Gaming-Related URLs
id: 2d5e8f4a-7b3c-4d9e-8f1a-2b3c4d5e6f7g
status: experimental
description: Detects PowerShell downloading executables from URLs containing gaming-related keywords or file extensions associated with game cracks/hacks. Potential LofyStealer delivery mechanism.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmd:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
  selection_url:
    CommandLine|contains:
      - 'minecraft'
      - 'hack'
      - 'cheat'
      - 'crack'
      - 'mod'
  selection_ext:
    CommandLine|contains:
      - '.exe'
      - '.dll'
      - '.bat'
  condition: all of selection_*
falsepositives:
  - Legitimate game launcher updates (rare in corporate environment)
level: high
---
title: LofyStealer - Suspicious Network Connection from Non-Browser Process
id: 6f7g8h9i-0j1k-2l3m-4n5o-6p7q8r9s0t1
status: experimental
description: Detects non-browser, non-system processes making HTTP/HTTPS connections to ports commonly used for C2 or data exfiltration. LofyStealer may establish C2 communications using standard web ports.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 80
      - 443
      - 8080
    Initiated: 'true'
  filter_browsers:
    Image|contains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\edge.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
      - '\iexplore.exe'
  filter_system:
    Image|contains:
      - '\System32\'
      - '\SysWOW64\'
      - '\Windows\'
  filter_legit:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  filter_image:
    Image|endswith:
      - '\Minecraft.exe'
      - '\java.exe'
      - '\javaw.exe'
  selection_suspicious:
    Image|contains:
      - '\Downloads\'
      - '\Desktop\'
      - '\Temp\'
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
  condition: selection and not filter_browsers and not filter_system and not filter_legit and not filter_image and selection_suspicious
falsepositives:
  - Legitimate game update checkers
  - Some cloud storage sync clients
level: medium

Microsoft Sentinel KQL Queries

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious executables masquerading as Minecraft hacks
let SuspiciousNames = dynamic(["Slinky", "slinky", "MC_Cheat", "MinecraftHack", "MC_Hack", "MinecraftMod", "Injector", "grabbot"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has_any (SuspiciousNames) 
   or ProcessVersionInfoOriginalFileName has_any (SuspiciousNames)
   or ProcessVersionInfoInternalFileName has_any (SuspiciousNames)
| where InitiatingProcessFileName !in ("explorer.exe", "cmd.exe", "powershell.exe", "java.exe", "javaw.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for processes from user directories making network connections
let UserDirectories = dynamic(["\\Users\\", "\\Downloads\\", "\\Desktop\\", "\\AppData\\"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFolderPath has_any (UserDirectories)
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe")
| where InitiatingProcessFileName !contains "Minecraft"
| summarize Count = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl, RemotePort
| where Count > 5
| order by Count desc

// Hunt for suspicious file creation patterns associated with stealer malware
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName has_any (".exe", ".bat", ".ps1", ".dll")
| where FolderPath has_any ("\\Downloads\\", "\\Desktop\\", "\\Temp\\", "\\AppData\\Roaming\\", "\\AppData\\Local\\")
| where SHA256 != ""  // Only include files with hashes available
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256
| order by Timestamp desc

Velociraptor VQL Artifact

VQL — Velociraptor
-- Hunt for LofyStealer indicators - suspicious executables masquerading as Minecraft hacks
SELECT Pid, Name, Exe, Cmdline, Username, CreateTime, Hash
FROM process_tracker(pid=Pid)
WHERE Exe =~ '.*\\(Downloads|Desktop|Temp|AppData).*\\.*\.exe$'
  AND (Name =~ '(?i)(slinky|mc_cheat|minecrafthack|mc_hack|minecraftmod|injector|grabbot)'
       OR Cmdline =~ '(?i)(slinky|mc_cheat|minecrafthack|mc_hack|minecraftmod|injector|grabbot)')

-- Hunt for suspicious network connections from non-standard processes
SELECT Pid, Name, Exe, RemoteAddr, RemotePort, State, Username
FROM netstat()
WHERE State =~ 'ESTABLISHED'
  AND RemotePort IN (80, 443, 8080, 8443)
  AND Exe =~ '.*\\(Downloads|Desktop|Temp|AppData).*\\.*\.exe$'
  AND NOT Name =~ '(?i)(chrome|firefox|msedge|opera|brave|iexplore|java|javaw|Minecraft)'

-- Hunt for suspicious files in user directories
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs='/*/{Downloads,Desktop,AppData/Local,AppData/Roaming,Temp}/**/*.exe')
WHERE Name =~ '(?i)(slinky|mc_cheat|minecrafthack|mc_hack|minecraftmod|injector|grabbot)'
  OR FullPath =~ '(?i)(slinky|mc_cheat|minecrafthack|mc_hack|minecraftmod|injector|grabbot)'

Remediation Script (PowerShell)

PowerShell
# LofyStealer/GrabBot Detection and Remediation Script
# Run as Administrator

Write-Host "[+] Starting LofyStealer Detection and Remediation..." -ForegroundColor Cyan

# Define known suspicious filenames/patterns
$suspiciousPatterns = @(
    "Slinky",
    "slinky", 
    "MC_Cheat",
    "MinecraftHack",
    "MC_Hack",
    "MinecraftMod",
    "Injector",
    "grabbot",
    "GrabBot"
)

# Define user directories to scan
$userDirectories = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:TEMP",
    "$env:APPDATA",
    "$env:LOCALAPPDATA"
)

# Scan for suspicious executables
Write-Host "[*] Scanning for suspicious executables..." -ForegroundColor Yellow
$foundThreats = @()

foreach ($dir in $userDirectories) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue | ForEach-Object {
            $match = $false
            foreach ($pattern in $suspiciousPatterns) {
                if ($_.Name -like "*$pattern*" -or $_.FullName -like "*$pattern*") {
                    $match = $true
                    break
                }
            }
            if ($match) {
                $foundThreats += $_
                Write-Host "[!] Found suspicious file: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check running processes for suspicious names
Write-Host "[*] Checking running processes..." -ForegroundColor Yellow
$suspiciousProcesses = Get-Process | Where-Object {
    $processName = $_.ProcessName
    foreach ($pattern in $suspiciousPatterns) {
        if ($processName -like "*$pattern*") {
            return $true
        }
    }
    return $false
}

if ($suspiciousProcesses) {
    Write-Host "[!] Found suspicious running processes:" -ForegroundColor Red
    $suspiciousProcesses | ForEach-Object {
        Write-Host "    - PID: $($_.Id), Name: $($_.ProcessName), Path: $($_.Path)" -ForegroundColor Red
    }
    
    # Terminate suspicious processes
    Write-Host "[*] Terminating suspicious processes..." -ForegroundColor Yellow
    foreach ($proc in $suspiciousProcesses) {
        try {
            Stop-Process -Id $proc.Id -Force -ErrorAction Stop
            Write-Host "[+] Terminated process: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Green
        } catch {
            Write-Host "[-] Failed to terminate process: $($proc.ProcessName) - $($_.Exception.Message)" -ForegroundColor Yellow
        }
    }
}

# Block execution of suspicious files
Write-Host "[*] Blocking execution of detected files..." -ForegroundColor Yellow
foreach ($file in $foundThreats) {
    try {
        # Move file to quarantine location with .quarantine extension
        $quarantineDir = "$env:TEMP\Quarantine"
        if (-not (Test-Path $quarantineDir)) {
            New-Item -ItemType Directory -Path $quarantineDir -Force | Out-Null
        }
        $quarantinePath = Join-Path -Path $quarantineDir -ChildPath ($file.Name + ".quarantine")
        Move-Item -Path $file.FullName -Destination $quarantinePath -Force
        Write-Host "[+] Quarantined: $($file.FullName) -> $quarantinePath" -ForegroundColor Green
    } catch {
        Write-Host "[-] Failed to quarantine: $($file.FullName) - $($_.Exception.Message)" -ForegroundColor Yellow
    }
}

# Create block rule for suspicious process names via AppLocker (if available)
Write-Host "[*] Creating AppLocker block rule (if AppLocker is enabled)..." -ForegroundColor Yellow
try {
    $appLockerService = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if ($appLockerService -and $appLockerService.Status -eq 'Running') {
        $ruleName = "Block LofyStealer Related Executables"
        $existingRule = Get-AppLockerPolicy -Effective | Select-Xml -XPath "//AppLockerPolicy/RuleCollection/FilePathRule[@Name='$ruleName']" -ErrorAction SilentlyContinue
        if (-not $existingRule) {
            Write-Host "[+] AppLocker block rule creation would be configured manually. Please review:" -ForegroundColor Green
            Write-Host "    Rule Name: $ruleName" -ForegroundColor Gray
            Write-Host "    Action: Deny" -ForegroundColor Gray
            Write-Host "    Conditions: File paths matching patterns: $($suspiciousPatterns -join ', ')" -ForegroundColor Gray
        } else {
            Write-Host "[+] AppLocker rule already exists." -ForegroundColor Green
        }
    } else {
        Write-Host "[-] AppLocker service not running. Consider enabling it for additional protection." -ForegroundColor Yellow
    }
} catch {
    Write-Host "[-] Could not configure AppLocker: $($_.Exception.Message)" -ForegroundColor Yellow
}

# Summary
Write-Host "`n[+] Remediation Complete" -ForegroundColor Cyan
Write-Host "    - Suspicious files found and quarantined: $($foundThreats.Count)" -ForegroundColor White
Write-Host "    - Suspicious processes terminated: $($suspiciousProcesses.Count)" -ForegroundColor White
Write-Host "`n[*] Additional Recommendations:" -ForegroundColor Yellow
Write-Host "    1. Educate users about the risks of downloading game modifications" -ForegroundColor White
Write-Host "    2. Review and restrict execution from user directories" -ForegroundColor White
Write-Host "    3. Implement application whitelisting where possible" -ForegroundColor White
Write-Host "    4. Monitor for unusual network connections from non-browser processes" -ForegroundColor White
Write-Host "    5. Review credentials for accounts used on affected systems" -ForegroundColor White

Remediation

Immediate Actions

  1. Isolate Affected Systems: Immediately isolate any endpoints where LofyStealer has been detected from the network to prevent further data exfiltration.

  2. User Education: Issue security awareness communications warning users about the dangers of downloading Minecraft hacks, cheats, or modifications from unofficial sources. Specifically mention the "Slinky" cheat tool as a known malware delivery mechanism.

  3. Password Reset: Force password resets for any user accounts that may have been used on systems where LofyStealer was present. Include gaming accounts (Minecraft, Microsoft) as well as corporate credentials if password reuse is suspected.

  4. Session Token Revocation: Revoke all active session tokens for affected accounts across SaaS platforms and internal applications.

Policy and Configuration Changes

  1. Application Whitelisting: Implement or enforce application whitelisting policies to prevent execution of unauthorized executables from user directories (Downloads, Desktop, AppData).

  2. Execution Policy: Restrict execution of files from user-writable directories using AppLocker or Windows Defender Application Control (WDAC).

  3. Network Segmentation: If gaming applications are permitted on the network, ensure they are isolated in a separate VLAN with restricted internet access.

  4. Proxy and DNS Filtering: Block access to known malicious domains and file-sharing sites commonly used to distribute game cracks and hacks.

Vendor and External References

  • ZenoX Research: Original technical report on LofyGang resurfacing (referenced in source article)
  • Mojang/Microsoft Official Guidelines: Advise users to only download modifications from trusted sources
  • CISA KEV Catalog: Monitor for potential inclusion if threat prevalence increases

Long-Term Recommendations

  1. Endpoint Detection and Response (EDR): Ensure comprehensive EDR coverage across all endpoints with behavioral detection capabilities for credential theft and data exfiltration.

  2. Zero Trust Architecture: Implement Zero Trust principles, particularly for remote access and credential validation, to reduce the impact of credential theft.

  3. Threat Hunting: Conduct regular threat hunts for credential stealers and data exfiltration indicators, not just known malware signatures.

  4. Gaming Policy Review: For corporate environments, explicitly define and enforce policies regarding the installation and use of gaming applications and modifications on company-owned devices.

  5. Incident Response Plan Update: Incorporate social engineering vectors targeting specific user interests (such as gaming) into IR playbooks and training scenarios.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionlofystealergrabbotmalware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action