LofyGang Returns: Analyzing the 'Slinky' Minecraft Stealer Wave
Saw the ZenoX report today: LofyGang is back after a three-year hiatus. They're pushing a new stealer called LofyStealer (aka GrabBot), specifically targeting Minecraft players. The social engineering is straightforward but effective—they disguise the malware as a cheat client called "Slinky," complete with the official game icon to induce voluntary execution.
While gamers are the primary target, the implications for corporate security are real if employees are using BYOD or gaming on company machines. GrabBot typically targets session tokens (Discord, Minecraft), browser cookies, and crypto wallets.
Since this malware relies on user execution rather than a system exploit, traditional patching won't help. We need better behavioral detection. Specifically, watching for unsigned executables dropping in user directories or suspicious PowerShell child processes.
Here's a basic KQL query for Sysmon/Microsoft Sentinel to look for suspicious process creation patterns often associated with these stealers:
Sysmon
| where EventID == 1
| where CommandLine contains "minecraft"
| where Image endswith ".exe"
| where not (Image startswith @"C:\Program Files")
| project TimeGenerated, Computer, Image, CommandLine, ParentImage
Has anyone started blocking specific game launchers or modifying AppLocker policies to counter this gaming-trojan trend? How are you handling the "Shadow IT" of gaming in your environment?
We've caught a few iterations of this recently. The key is the Discord token exfiltration. We set up a correlation rule looking for base64-encoded strings hitting Discord webhooks from non-browser user agents. It’s noisy but effective.
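The correlation rule described in this reply (POSTs to a Discord webhook, from a non-browser user agent, carrying a base64 body), as an added Python example that is not from the thread. It assumes a JSON-per-line web proxy log with the field names shown, and the log records it runs over are constructed samples, not real traffic.

```python
import base64
import json
import re
from urllib.parse import urlparse

DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[\w-]+$")
# Heuristic: a well-formed base64 run of 40+ chars is far longer than a normal chat message.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{4}){10,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def classify(ev: dict) -> list[str]:
    """Return the indicators an event matches; an empty list means nothing of interest."""
    url = urlparse(ev.get("url", ""))
    if not (ev.get("method") == "POST" and url.hostname in DISCORD_HOSTS
            and WEBHOOK_PATH.match(url.path)):
        return []
    reasons = ["post_to_discord_webhook"]
    # Browsers and Electron apps (the Discord client included) send "Mozilla/" UAs; spoofable, so one signal of several.
    if not ev.get("user_agent", "").startswith("Mozilla/"):
        reasons.append("non_browser_user_agent")
    if B64_RUN.search(ev.get("body", "")):
        reasons.append("base64_blob_in_body")
    return reasons

def hunt(log_text: str, min_indicators: int = 3) -> list[dict]:
    """Parse JSON-per-line proxy logs; return events hitting at least min_indicators (3 = all)."""
    hits = []
    for ev in (json.loads(line) for line in log_text.splitlines() if line.strip()):
        reasons = classify(ev)
        if len(reasons) >= min_indicators:
            hits.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"], "reasons": reasons})
    return hits

# Constructed sample log lines (not real traffic): Discord client chat, CI bot notice, stealer callback.
_LOOT = base64.b64encode(b'{"discord":"PLACEHOLDER-NOT-A-REAL-TOKEN","cookies":[]}').decode()
def _ev(ts, host, image, hook, ua, body):
    return json.dumps({"ts": ts, "host": host, "image": image, "method": "POST",
                       "url": "https://discord.com/api/webhooks/" + hook, "user_agent": ua, "body": body})
SAMPLE_LOGS = "\n".join([
    _ev("2025-01-10T12:00:01Z", "wks-017", r"C:\Users\a\AppData\Local\Discord\Discord.exe", "1111/aaaa",
        "Mozilla/5.0 (Windows NT 10.0) discord/1.0.9", '{"content":"gg"}'),
    _ev("2025-01-10T12:00:02Z", "build-03", r"C:\Python311\python.exe", "2222/bbbb",
        "python-requests/2.31", '{"content":"Build 1234 succeeded on main"}'),
    _ev("2025-01-10T12:00:03Z", "wks-017", r"C:\Users\a\AppData\Roaming\Slinky.exe", "3333/cccc",
        "python-requests/2.31", '{"content":"%s"}' % _LOOT),
])

if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS))
```

Lowering min_indicators to 2 also returns the CI bot, which is exactly the noise the reply mentions; requiring all three indicators keeps the rule usable.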
The icon spoofing is a classic trick that still works surprisingly well against younger users (and tired employees). From a red team perspective, finding a way to scan for unsigned binaries in %AppData% is usually the quickest way to flag this family. I’d also recommend checking for suspicious C# runners if you have EDR telemetry.
From an EDR perspective, we often see these Java-based loaders spawning suspicious child processes. A cheat client shouldn't need to spawn powershell or cmd to function. Hunting for parent-child process anomalies is usually faster than waiting for network IOCs.
Here is a basic KQL query to start hunting for this behavior:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "java.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "regsvr32.exe")
Building on the process analysis, automation is key for BYOD environments. If you manage these endpoints, pushing a quick scan for recently modified Java artifacts in user profiles can help catch infections before the callback. You can deploy a simple PowerShell script via your management solution to flag anomalies.
Get-ChildItem -Path "$env:APPDATA\.minecraft" -Recurse -Filter '*.jar' | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }