
LofyStealer (GrabBot) TTPs: Dissecting the 'Slinky' Gaming Campaign

Compliance_Beth 4/28/2026

Just caught the report from ZenoX regarding the resurgence of the Brazilian threat group LofyGang. After three years of radio silence, they are back with LofyStealer (also tracked as GrabBot), specifically targeting Minecraft players.

The distribution method is clever in its simplicity: they disguise the payload as a game cheat named "Slinky" and even spoof the official Minecraft icon to get the user to voluntarily execute the binary. This isn't a zero-day in the game client, but rather a classic case of social engineering targeting a younger demographic.

Technical Analysis & Detection

Based on the GrabBot family behavior, we expect the malware to target:

  • Discord tokens
  • Browser cookies/passwords
  • Minecraft session data

While there isn't a CVE to patch, we can hunt for the artifacts. If you are managing endpoints where gaming is permitted, I recommend adding the following YARA rule to your scanning suite to catch the obfuscation patterns typically used in these .NET loaders:

rule LofyStealer_Slinky {
    meta:
        description = "Detects LofyStealer 'Slinky' variants based on string obfuscation"
        author = "SecurityArsenal"
        date = "2026-04"
    strings:
        // .NET string literals are stored UTF-16LE, so match both ASCII and wide forms
        $s1 = "Slinky" ascii wide nocase
        $s2 = "GrabBot" ascii wide nocase
        // Discord webhook exfiltration URL: numeric webhook id followed by a slash
        $obf = /discord\.com\/api\/webhooks\/[0-9]+\// ascii wide nocase
    condition:
        // MZ header, both family-name strings and the webhook pattern
        uint16(0) == 0x5A4D and 2 of ($s*) and $obf
}


For a quick triage on a potentially infected machine, you can check user directories for the suspicious executable names using PowerShell:
Get-ChildItem -Path "$env:USERPROFILE\Downloads", "$env:APPDATA" -Recurse -Filter "Slinky*.exe" -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime

Given the rise of BYOD and work-from-home, how are you all handling the risk of "gaming" malware intersecting with corporate environments? Are you strictly blocking these execution policies, or just relying on AV?
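As an added example (not part of the original post or the ZenoX report), the logic of the YARA rule above rewritten as a Python triage check, searching each indicator as ASCII and as UTF-16LE so .NET string literals are not missed. The two sample buffers are constructed, not real samples.

```python
import re

# Constructed sample buffers (not real samples): a fake PE-like blob carrying the
# indicators the rule looks for, and a benign one. Offsets are arbitrary.
SUSPICIOUS = (
    b"MZ" + b"\x00" * 62
    + "Slinky".encode("utf-16-le")   # .NET string literal: UTF-16LE, not ASCII
    + b"\x00" * 8
    + b"grabbot"                     # ASCII, different case from the rule
    + b"\x00" * 8
    + b"https://discord.com/api/webhooks/123456789012345678/abcDEF"
)
BENIGN = b"MZ" + b"\x00" * 62 + b"An ordinary program with no webhook in it"

# Equivalent of the rule's strings section. Each is searched as ASCII and as
# UTF-16LE (see _search_ascii_or_wide), mirroring YARA's "ascii wide nocase".
NAME_PATTERNS = {
    "$s1": re.compile(rb"slinky", re.IGNORECASE),
    "$s2": re.compile(rb"grabbot", re.IGNORECASE),
}
WEBHOOK = re.compile(rb"discord\.com/api/webhooks/[0-9]+/", re.IGNORECASE)


def _search_ascii_or_wide(pattern: re.Pattern, data: bytes) -> bool:
    """Match against the raw buffer, then against the buffer with every other
    byte dropped (both parities), which turns UTF-16LE text back into ASCII."""
    return any(pattern.search(view) for view in (data, data[0::2], data[1::2]))


def scan_bytes(data: bytes) -> dict:
    """Apply the rule's condition: MZ header, both family names, webhook URL."""
    is_pe = data[:2] == b"MZ"                      # uint16(0) == 0x5A4D
    strings = {n: _search_ascii_or_wide(p, data) for n, p in NAME_PATTERNS.items()}
    webhook = _search_ascii_or_wide(WEBHOOK, data)
    match = is_pe and sum(strings.values()) >= 2 and webhook   # 2 of ($s*)
    return {"is_pe": is_pe, "strings": strings, "webhook": webhook, "match": match}


def scan_file(path: str) -> dict:
    """Triage helper for a file pulled off a suspect host."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_bytes(blob))
```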

BackupBoss_Greg 4/28/2026

Solid write-up. From a SOC perspective, we're actually seeing a lot of overlap with these 'game cheat' infections leaking corporate credentials. The user installs the cheat for their personal account, and the stealer grabs the session token for their corporate Discord or even browser SSO cookies.

I'd suggest adding a KQL rule for rare process execution in AppData:

ProcessCreationEvents
| where FolderPath startswith @"C:\Users\"
// verbatim string (@"...") so the backslashes are not read as escape sequences;
// contains rather than endswith so subfolders of Roaming are included
| where FolderPath contains @"\AppData\Roaming\"
| where ProcessVersionInfoOriginalFileName contains "Slinky"


It's usually the first red flag before the C2 beaconing starts.
DevSecOps_Lin 4/28/2026

The icon spoofing is the oldest trick in the book, but it still works depressingly well against non-technical users. As an MSP, dealing with this is a nightmare because parents don't understand why a 'Minecraft hack' broke their bank accounts.

I've started deploying Software Restriction Policies (SRP) via GPO to block unsigned executables in the %AppData% and %Downloads% folders for standard user accounts. It kills a lot of these stealers instantly without needing updated signatures.
