Recent software supply chain cyber incidents linked to LofyGang

Several recent software supply chain cyber incidents have been linked to the LofyGang threat group by researchers at leading software security company Checkmarx.

The researchers discovered around 200 malicious packages and several classes of malicious payloads, general password stealers, and Discord–specific persistent malware, with thousands of installations linked to LofyGang, which has been operating for over a year.

According to Checkmarx, some were integrated into the package, and others downloaded the malicious payload from c2 servers while running. Sonatype, Jfrog, and Securelist discovered that some of those packages had been noted in three distinct incident reports this year.

The Checkmarx team concluded that LofyGang was an organized crime group that targeted and shared stolen credit cards, gaming, streaming accounts (such as Disney), and more after observing the group’s online activities.

The investigation focused on the Discord server for LofyGang, established on October 31, 2021. A dark meme group, a dedicated bot in charge of giving away Discord Nitro updates, and technical support for the group’s hacking tools are all present in this communication channel. Additionally, it maintains a GitHub account called "PolarLofy," which hosts hacking tools, and its open-source repositories provide bots and tools for Discord.

Under the alias "DyPolarLofy," operators of the LofyGang have been seen posting to an underground hacking forum where they advertise their hacking tools and bots and leak thousands of Disney+ and Minecraft accounts. Even so, LofyGang promotes content on its own YouTube channel, including tutorials on how to use its hacking tools.

Due to the use of Brazilian Portuguese in the group’s sentences and the discovery of a file called "brazil.js," which contained malware in a few malicious packages, the researchers believe the group originated in Brazil.