{ "type": "SHA256", "indicator": "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "validation": [], "base_indicator": { "id": 4334022487, "indicator": "9b1264eb4ff5ee8f00b8b80341fb6917dc3d3148", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69f1f50b6a5e5d1ca31204bb", "name": "LofyStealer: Malware targeting Minecraft players.", "description": "A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:09:47.279000", "tags": [ "browser data", "infostealer", "chromelevator", "grabbot", "node.js loader", "credential theft", "syscalls evasion", "lofystealer", "slinky", "minecraft" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft" ], "public": 1, "adversary": "LofyGang", "targeted_countries": [], "malware_families": [ { "id": "LofyStealer", "display_name": "LofyStealer", "target": null }, { "id": "GrabBot", "display_name": "GrabBot", "target": null }, { "id": "chromelevator", "display_name": "chromelevator", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f2bad7d78ead8432be1c62", "name": "IOC - LofyStealer: Malware targeting Minecraft players.", "description": "During threat hunting activities conducted on the ANY.RUN platform, the artifact was identified in public submissions of the interactive sandbox. The analysis of samples available in the public repository allowed correlating hashes and network behaviors with the already mapped C2 infrastructure (24.152.36.241), confirming that the GrabBot/Slinky campaign is active and being distributed in a real environment. The sandbox results complement the static analysis presented in this report, providing dynamic execution evidence.", "modified": "2026-05-30T02:01:40.425000", "created": "2026-04-30T02:13:43.548000", "tags": [ "sha256", "sha1", "indicador valor" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f1f3dc23ca83b640baa7cf", "name": "LofyStealer: Malware targeting Minecraft players. - ZenoX - Artificial Intelligence for Cyber Security", "description": "A report on LofyStealer, a malicious infostealer targeting Minecraft players, has been published by the Security Research Centre at the University of California, Los Angeles (UCL).", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:04:44.832000", "tags": [ "dlls", "lofygang", "slinky", "lofystealer", "sha256", "minecraft hack", "github", "base64", "http", "javascript", "premium", "discord", "loader", "openssl", "payload", "lofy", "theft", "aster", "guard", "easy", "beyond", "pipes", "exfiltration", "powershell", "path", "refresh", "keepalive", "glitch", "authentication", "json" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JSON", "display_name": "JSON", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f1f3df296f05418b195d3d", "name": "LofyStealer: Malware targeting Minecraft players. - ZenoX - Artificial Intelligence for Cyber Security", "description": "A report on LofyStealer, a malicious infostealer targeting Minecraft players, has been published by the Security Research Centre at the University of California, Los Angeles (UCL).", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:04:47.108000", "tags": [ "dlls", "lofygang", "slinky", "lofystealer", "sha256", "minecraft hack", "github", "base64", "http", "javascript", "premium", "discord", "loader", "openssl", "payload", "lofy", "theft", "aster", "guard", "easy", "beyond", "pipes", "exfiltration", "powershell", "path", "refresh", "keepalive", "glitch", "authentication", "json" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JSON", "display_name": "JSON", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f8255cd124262416ec241a", "name": "LofyStealer: Malware targeting Minecraft players.", "description": "", "modified": "2026-05-29T12:25:38.288000", "created": "2026-05-04T04:49:32.066000", "tags": [ "browser data", "infostealer", "chromelevator", "grabbot", "node.js loader", "credential theft", "syscalls evasion", "lofystealer", "slinky", "minecraft" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft" ], "public": 1, "adversary": "LofyGang", "targeted_countries": [], "malware_families": [ { "id": "LofyStealer", "display_name": "LofyStealer", "target": null }, { "id": "GrabBot", "display_name": "GrabBot", "target": null }, { "id": "chromelevator", "display_name": "chromelevator", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69f1f50b6a5e5d1ca31204bb", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft", "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "related": { "alienvault": { "adversary": [ "LofyGang" ], "malware_families": [ "Lofystealer", "Grabbot", "Chromelevator" ], "industries": [] }, "other": { "adversary": [ "LofyGang", "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [ "Lofystealer", "Json", "Chromelevator", "Grabbot" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69f1f50b6a5e5d1ca31204bb", "name": "LofyStealer: Malware targeting Minecraft players.", "description": "A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:09:47.279000", "tags": [ "browser data", "infostealer", "chromelevator", "grabbot", "node.js loader", "credential theft", "syscalls evasion", "lofystealer", "slinky", "minecraft" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft" ], "public": 1, "adversary": "LofyGang", "targeted_countries": [], "malware_families": [ { "id": "LofyStealer", "display_name": "LofyStealer", "target": null }, { "id": "GrabBot", "display_name": "GrabBot", "target": null }, { "id": "chromelevator", "display_name": "chromelevator", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f2bad7d78ead8432be1c62", "name": "IOC - LofyStealer: Malware targeting Minecraft players.", "description": "During threat hunting activities conducted on the ANY.RUN platform, the artifact was identified in public submissions of the interactive sandbox. The analysis of samples available in the public repository allowed correlating hashes and network behaviors with the already mapped C2 infrastructure (24.152.36.241), confirming that the GrabBot/Slinky campaign is active and being distributed in a real environment. The sandbox results complement the static analysis presented in this report, providing dynamic execution evidence.", "modified": "2026-05-30T02:01:40.425000", "created": "2026-04-30T02:13:43.548000", "tags": [ "sha256", "sha1", "indicador valor" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f1f3dc23ca83b640baa7cf", "name": "LofyStealer: Malware targeting Minecraft players. - ZenoX - Artificial Intelligence for Cyber Security", "description": "A report on LofyStealer, a malicious infostealer targeting Minecraft players, has been published by the Security Research Centre at the University of California, Los Angeles (UCL).", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:04:44.832000", "tags": [ "dlls", "lofygang", "slinky", "lofystealer", "sha256", "minecraft hack", "github", "base64", "http", "javascript", "premium", "discord", "loader", "openssl", "payload", "lofy", "theft", "aster", "guard", "easy", "beyond", "pipes", "exfiltration", "powershell", "path", "refresh", "keepalive", "glitch", "authentication", "json" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JSON", "display_name": "JSON", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f1f3df296f05418b195d3d", "name": "LofyStealer: Malware targeting Minecraft players. - ZenoX - Artificial Intelligence for Cyber Security", "description": "A report on LofyStealer, a malicious infostealer targeting Minecraft players, has been published by the Security Research Centre at the University of California, Los Angeles (UCL).", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:04:47.108000", "tags": [ "dlls", "lofygang", "slinky", "lofystealer", "sha256", "minecraft hack", "github", "base64", "http", "javascript", "premium", "discord", "loader", "openssl", "payload", "lofy", "theft", "aster", "guard", "easy", "beyond", "pipes", "exfiltration", "powershell", "path", "refresh", "keepalive", "glitch", "authentication", "json" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JSON", "display_name": "JSON", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f8255cd124262416ec241a", "name": "LofyStealer: Malware targeting Minecraft players.", "description": "", "modified": "2026-05-29T12:25:38.288000", "created": "2026-05-04T04:49:32.066000", "tags": [ "browser data", "infostealer", "chromelevator", "grabbot", "node.js loader", "credential theft", "syscalls evasion", "lofystealer", "slinky", "minecraft" ], "references": [ "https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft" ], "public": 1, "adversary": "LofyGang", "targeted_countries": [], "malware_families": [ { "id": "LofyStealer", "display_name": "LofyStealer", "target": null }, { "id": "GrabBot", "display_name": "GrabBot", "target": null }, { "id": "chromelevator", "display_name": "chromelevator", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69f1f50b6a5e5d1ca31204bb", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170005.2257092 }