LofyGang Is Back: A Credit Card Separator Named After What It Does, a Full RAT With Bidirectional Audio, and Two npm Packages Still Live
NYX Stealer — 5,092 lines of decrypted JS, 50+ crypto wallets, Discord injection, and an operator whose Telegram bio links to the dropper domain
They named it separadordeinfocc. Portuguese for "credit card info separator." A malicious npm package, published to the world's largest JavaScript registry, by a threat group that literally put their name in the code, their dropper domain in their Telegram bio, and === Lofygang Started === in the console output. And as of this writing, it is still live on npm.
This is the story of how a routine GHOST investigation into a suspicious npm package uncovered a full-featured remote access trojan, a native Windows stealer, real-time surveillance capabilities that rival commercial spyware, and a threat group that the security industry declared a known quantity in 2022 -- but whose current tooling has evolved far beyond anything previously documented.
A Name You Might Remember
LofyGang first appeared in public reporting in 2022, when Checkmarx and Sonatype documented a Brazilian Portuguese-speaking cybercrime group publishing malicious packages to npm. Their playbook was narrow: Discord token grabbers disguised as utility libraries. Steal tokens, hijack accounts, move on. The security community catalogued them, wrote their detection rules, and largely moved on.
Four years later, they are still publishing. And the token grabber has become something else entirely.
Two Packages, 72 Hours
On March 29, 2026, the npm maintainer consolelofy published a package called undicy-http -- a typosquat of undici, Node.js's official HTTP client library. Two days later, on April 1, the same account published separadordeinfocc. Both packages were built with Node 20.19.4 and npm 10.8.2, share identical dependency lists, and were published from the same development environment using pnpm 10.8.0.
The maintainer email is duba70015@gmail.com. The naming pattern -- "console" + "lofy" -- is consistent with historical LofyGang infrastructure. And neither package has been removed.
The separadordeinfocc package weighs 157 KB. Inside is a single index.js file: an IIFE wrapping a Base64-encoded blob that, when decoded, produces 214,900 bytes of XOR-encrypted data. The key is hardcoded in the clear:
qA#s5~d/YLcg5c;^r7$x.'h!#ik?<82!
Thirty-two bytes. Static. Applied as a repeating XOR against the ciphertext. The result: 5,092 lines of fully functional JavaScript that constitute one of the most complete infostealers we have analyzed from the npm ecosystem.
They call it NYX.
What NYX Actually Does
Previous LofyGang documentation describes a Discord token grabber with some credential harvesting. NYX is not that. NYX is a dual-stage attack platform with capabilities organized across roughly a dozen functional modules, each purpose-built and technically competent. Here is what happens when a developer runs npm install separadordeinfocc:
Stage 0: The Vanishing Act
Before any malicious behavior begins, NYX re-launches itself invisibly. It writes a VBScript file (_nyx_launch.vbs) to the temp directory, sets the environment variable _NYX_HIDDEN=1, and executes the script windowless. The original process exits cleanly. From this point forward, the malware runs with no visible window, no console, no taskbar presence.
It then deploys what the authors call LegitimateModule -- a sandbox evasion layer that creates fake configuration files (%APPDATA%\WindowsSystemService\config.json), fake log files, and a fake README, all designed to make the process look like a benign Windows service under automated analysis. For good measure, it displays a fake error popup: "MSVCR100.dll is missing from your computer." A social engineering touch to explain why the "utility" the developer installed doesn't appear to work.
Stage 1: The RAT
NYX connects via WebSocket to ws://18[.]231[.]131[.]246:80 -- an AWS EC2 instance in the sa-east-1 region (Sao Paulo, Brazil). This is not a simple beacon. It is a bidirectional command-and-control channel supporting real-time interactive operations.
Screen streaming. NYX captures screenshots at 80-millisecond intervals -- roughly 12 frames per second -- compresses them to JPEG (1280px width, quality 55), and streams them over the WebSocket. The operator sees the victim's screen in near-real-time.
Webcam capture. Using the Windows Media Foundation API, compiled from inline C# at runtime, NYX activates the victim's camera and streams MJPEG frames to the operator. No prior installation of imaging libraries required -- it builds its own capture binary from source on the victim's machine.
Microphone recording. Same technique: inline C# compilation produces a native binary using the waveIn API (16kHz, 16-bit PCM) to record audio from the victim's microphone.
Bidirectional audio. This is the capability that separates NYX from commodity stealers. The operator can play audio through the victim's speakers via the waveOut API. They can talk to the victim. Or play sounds. Or deliver social engineering pretexts through the compromised machine's own hardware.
Remote execution. Full cmd.exe and PowerShell shells with 30-second timeout per command. File upload to the victim machine. And a suite of system control actions: disable UAC, disable Windows Defender, disable Task Manager, and kill the shutdown button -- all via registry manipulation.
This is not a token grabber that grew legs. This is a remote access trojan with surveillance capabilities that would be at home in a commercial spyware product.
Stage 2: The Native Stealer
While the Node.js RAT handles interactive operations, NYX downloads a second payload: chromelevator.exe, a 1.4 MB PE64 C/C++ binary hosted at hxxp://amoboobs[.]com/arquivos/chromelevator.exe. The dropper attempts three execution methods in sequence: direct execution, cmd.exe launch, and UAC elevation prompt. The binary is written to a Windows Defender exclusion folder or %TEMP%\WinSvcHost\ -- a path NYX has already whitelisted.
chromelevator.exe operates independently of the Node.js payload. It harvests browser cookies, saved passwords, and Discord tokens from the local filesystem, then exfiltrates everything through the same dual-channel infrastructure. A standalone stealer running in parallel with the RAT, sharing no code, sharing no runtime -- just sharing the same operator.
The Theft
The breadth of credential harvesting in NYX deserves its own section, because it goes well beyond what you would expect from an npm supply chain attack.
25+ Browsers
Discord (all variants: stable, Canary, PTB, Lightcord), Chrome (stable, Beta, Dev, Canary), Edge (stable, Beta, Dev, Canary), Brave (stable, Beta, Dev, Nightly), Opera (stable, GX, Beta, Dev, Crypto), Vivaldi, Yandex, Waterfox, Firefox, CocCoc, Epic Privacy. NYX reads leveldb databases and Local State files, decrypts tokens protected by DPAPI using a PowerShell helper, and validates every recovered token against the Discord API (v9/v10) before exfiltration.
For encrypted Discord tokens -- those prefixed with dQw4w9WgXcQ: -- NYX extracts the AES key from the browser's Local State file, decrypts via DPAPI, and uses it to decrypt the token. Every validated token triggers a full profile enrichment: billing information, Nitro status, badges, friend list, two-factor authentication status, email, phone number. All of it formatted into rich embeds and sent to the operator.
50+ Cryptocurrency Wallet Extensions
MetaMask, Phantom, Coinbase Wallet, Binance Wallet, Trust Wallet, Exodus, Atomic Wallet, Rabby, XDEFI, SafePal, Keplr, Terra Station, Nami, Eternl, Yoroi, TronLink, Ronin, Solflare, Slope, Braavos, Polymesh, ICONex, Nabox, KardiaChain, Guarda, EVER Wallet, Clover, Leather (Hiro), Sui Wallet, Petra Aptos, Martian Aptos, Pontem Aptos, Sender Wallet, Goby, Leap Cosmos, Core, Harmony, Enkrypt, Opera Wallet, Rainbow, Zerion, Talisman, Backpack, Fordefi, SubWallet -- and more. NYX reads extension data directories for every supported wallet across Chrome, Edge, Brave, and Opera profiles, then uploads the stolen data via GoFile and Catbox.
Exodus Wallet Brute-Force
This module deserves special attention. NYX doesn't just steal Exodus extension data -- it attempts to brute-force the desktop wallet's encrypted seed file (seed.seco). It tries 17 common passwords against the file using PBKDF2 key derivation and AES-256-GCM decryption. If any password succeeds, the operator gets the wallet's seed phrase. Everything in the wallet. Every chain. Every token.
The password list is short and targeted: common defaults, simple patterns, the kind of passwords people set when they think "nobody will find this file on my local machine." For a non-trivial percentage of Exodus users, one of those 17 passwords will work.
8 Platforms
Discord: Token theft plus client injection. NYX kills all Discord processes, locates the core module JavaScript files, injects malicious code that intercepts logins, token changes, email changes, and payment information in real-time, then restarts Discord. The victim's own Discord client becomes a persistent credential harvester that survives updates and reboots.
Roblox: Extracts .ROBLOSECURITY cookies and enumerates the account via API -- username, display name, Robux balance, premium status, account age.
Steam: Parses loginusers.vdf for saved accounts, steals SSFN authentication files, and enumerates profiles using a hardcoded Steam Web API key (440D7F4D810EF9298D25EDDF37C1F902).
Minecraft: Reads launcher_accounts.json, zips the session data, and uploads it.
Telegram Desktop: Zips the entire tdata folder -- session keys, authorization data, cached messages -- and uploads it. With this folder, the operator can clone the victim's Telegram session on another machine.
Instagram: Extracts the sessionid cookie, then uses it to enumerate the victim's profile, follower count, following count, and whether the account is private or verified.
TikTok: Same approach -- session cookie to API enumeration. Account details, follower count, coin balance.
Spotify: Extracts the sp_dc cookie and queries for account type, subscription plan, and email.
System Fingerprinting
Before any theft begins, NYX fingerprints the victim machine: OS version, CPU, RAM, GPU, disk capacity, system uptime, and public IP (via ipinfo.io). It then scans for antivirus products -- checking file paths and running processes against a list of 60+ security products. The results, along with a screenshot, are sent to the operator as the first exfiltration message. A reconnaissance report before the looting begins.
Persistence
NYX does not intend to run once. It installs four independent persistence mechanisms:
- Scheduled task: ScreenLiveClient, triggered ONLOGON with HIGHEST privileges
- Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ScreenLiveClient
- Startup folder: Copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- Windows Defender exclusions: Adds its own paths to Defender's exclusion list to prevent detection
The scheduled task and registry key both point to a VBScript launcher (svchost.vbs) marked with hidden and system attributes. Three independent autostart mechanisms plus antivirus blindness. Kill one, the others bring it back.
Dual-Channel Exfiltration
Every piece of stolen data is sent through two independent channels simultaneously:
Channel 1: Discord webhook. ptb.discord.com/api/webhooks/1484725829412851915/... -- a Discord PTB (Public Test Build) webhook that receives rich embed messages with the victim's data, formatted with the LofyGang username and avatar.
Channel 2: Telegram bot. @GrabberLofybot (bot ID 8713069597), sending to chat ID 8245283894. The Telegram messages mirror the Discord embeds with HTML formatting.
For large files -- wallet data, Telegram session archives, browser databases -- NYX uploads to GoFile or Catbox and sends the download link through both channels. Redundant exfiltration: if Discord kills the webhook, Telegram still delivers. If Telegram blocks the bot, Discord still receives.
The OPSEC Failures
LofyGang's operational security ranges from "nonexistent" to "actively self-incriminating."
The code identifies itself. The entry point prints === Lofygang Started === to the console. Stolen data is stored in a folder called lofygang-local. Every webhook embed includes the footer text Lofygang | t.me/lofygang. The npm account is consolelofy. The Telegram bot is @GrabberLofybot. At no point did anyone involved consider the value of anonymity.
The Telegram bio. The operator's Telegram account -- chat ID 8245283894, display name "HAHAHAHAHA" -- lists amoboobs.com as their public bio. This is the domain hosting chromelevator.exe. The dropper infrastructure is linked to the exfiltration endpoint through a social media profile that anyone can view. One click from the Telegram bot to the bio to the domain to the payload.
The encryption. A single layer of XOR with a static 32-byte key. No key rotation. No polymorphism. No secondary obfuscation. The key is embedded in the clear in the npm package. Any analyst who looks at the index.js for more than thirty seconds will find it.
The package name. They named their malware "credit card info separator" in Portuguese. The npm registry is public. The package metadata is public. They published a malware package whose name is a description of its function in the attacker's native language.
The Anti-VM Suite Nobody Turned On
Buried in the code (lines 4630-4800) is a comprehensive anti-VM detection suite: 13 checks covering MAC address prefixes (VMware, VirtualBox, Hyper-V, QEMU), BIOS strings, disk identifiers, running processes (VBoxService, vmtoolsd, qemu-ga), suspicious hostnames, registry keys, screen resolution anomalies, and low RAM/CPU configurations. It is well-implemented. It checks for sandboxing indicators that many commercial stealers miss.
It is also disabled. A boolean flag in the current build turns the entire suite off. Whether this is a development oversight, a deliberate choice to prioritize reach over evasion, or a feature reserved for a future version is unclear. But the capability exists and is ready to activate.
Infrastructure
The C2 server at 18[.]231[.]131[.]246 is an AWS EC2 instance in the sa-east-1 region -- Sao Paulo, Brazil. It listens on port 80 via WebSocket only; standard HTTP requests receive no response. The PTR record confirms the AWS allocation: ec2-18-231-131-246.sa-east-1.compute.amazonaws.com.
The dropper domain amoboobs.com was registered January 8, 2026, through PublicDomainRegistry, with Cloudflare nameservers (alex/elle). TLS certificates were issued February 7 by both Let's Encrypt and Google Trust Services. The domain has been operational for nearly three months. The payload URL hxxp://amoboobs[.]com/arquivos/chromelevator.exe uses the Portuguese word "arquivos" (files) for the directory path -- another linguistic fingerprint consistent with a Brazilian Portuguese-speaking operator.
A token copy service at copytoken.vercel.app, hosted on Vercel's free tier, provides one-click Discord token copying functionality -- a convenience tool for the operator to quickly use stolen tokens.
Every component of this infrastructure is live as of April 1, 2026. The C2 is accepting WebSocket connections. The dropper is serving the binary. The Discord webhook is active. The Telegram bot is receiving messages. And both npm packages remain available for installation.
What This Means
LofyGang in 2022 was a Discord token grabber operation. LofyGang in 2026 is deploying a modular RAT with real-time surveillance, a native companion stealer, 50+ wallet targets, 8 platform credential harvesters, brute-force decryption of local wallet files, Discord client injection for persistent access, and a dual-channel exfiltration pipeline with file hosting fallbacks.
This is not incremental evolution. This is a capability jump. The group that security researchers categorized as a nuisance-tier npm threat four years ago is now deploying tooling that overlaps with commercial spyware vendors in its surveillance features and with top-tier infostealers in its breadth of credential harvesting.
And the packages are still live on npm. Both of them. Right now.
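Because both packages remain installable, a practitioner's first question is whether either one is already in a lockfile. The scanner below is an added example, not part of the report: it flags the two package names from this post in an npm package-lock.json (lockfileVersion 1, 2 or 3) and, as a generalization, any name one edit away from undici, the library undicy-http typosquats. The edit-distance heuristic and the GUARDED list are assumptions to extend for your own dependencies.

```javascript
// Added example, not part of the report: scan an npm package-lock.json for the two
// packages the report names and for near-misses of "undici". Works on lockfileVersion 1, 2 and 3.
const BLOCKED = new Set(["undicy-http", "separadordeinfocc"]);
// Popular names to guard against typosquats; "undici" comes from the report, extend as needed.
const GUARDED = ["undici"];

// Classic edit distance; small enough to inline rather than pull in a dependency.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Every package name in the lockfile, whichever lockfile version wrote it.
function lockfilePackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {   // v2/v3: "node_modules/a/node_modules/b"
    const idx = key.lastIndexOf("node_modules/");
    if (idx !== -1) names.add(key.slice(idx + "node_modules/".length));
  }
  const walk = (deps) => {                                 // v1 tree (also the compat copy in v2)
    for (const [name, info] of Object.entries(deps || {})) { names.add(name); walk(info.dependencies); }
  };
  walk(lock.dependencies);
  return names;
}

// Heuristic: the name (scope stripped) or its first hyphen-separated segment is exactly one
// edit from a guarded name, but is not the guarded name itself (so undici-types is not flagged).
function typosquatOf(name) {
  const unscoped = name.split("/").pop();
  const head = unscoped.split("-")[0];
  for (const g of GUARDED) {
    if (unscoped === g || head === g) continue;
    if (levenshtein(unscoped, g) === 1 || levenshtein(head, g) === 1) return g;
  }
  return null;
}

function scanLockfile(lockJsonText) {
  const findings = [];
  for (const name of lockfilePackageNames(JSON.parse(lockJsonText))) {
    if (BLOCKED.has(name)) findings.push({ name, reason: "package named in the LofyGang report" });
    else { const g = typosquatOf(name); if (g) findings.push({ name, reason: `one edit from ${g}` }); }
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}
```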
Indicators of Compromise
Network Indicators
| IOC | Type | Context |
|---|---|---|
| 18[.]231[.]131[.]246 | IPv4 | WebSocket C2 server (AWS sa-east-1, Sao Paulo) |
| amoboobs[.]com | Domain | Dropper infrastructure, hosts chromelevator.exe |
| hxxp://amoboobs[.]com/arquivos/chromelevator.exe | URL | Stage 2 native stealer download |
| hxxps://ptb[.]discord[.]com/api/webhooks/1484725829412851915/54vteoSxvtdHKSj3b4_tHSXkfN172hK5MN7NiuhPeCS370ka7j9u6kqdUKO6S1XYDnmx | URL | Exfiltration webhook |
| ws://18[.]231[.]131[.]246:80 | WebSocket | C2 connection URI |
| copytoken[.]vercel[.]app | Domain | Token copy utility |
File Indicators
| Hash | Algorithm | File |
|---|---|---|
| bad0fd9a966e4eb7edfaa7e19da025f9be3c1541de22b5ca76afb9afbc0b548f | SHA256 | separadordeinfocc-1.0.0.tgz |
| d151b17ea820d3b5892bab6db72ef71690487a6780c6bc1bbbc11d5fde22fc52 | SHA256 | undicy-http-2.0.0.tgz |
| d6090c843c58f183fb5ed3ab3f67c9d96186d1b30dfd9927b438ff6ffedee196 | SHA256 | chromelevator.exe |
| 53b0121940b45f0785e16f1cb3ad588b | MD5 | chromelevator.exe |
| 4dac9d6e3796d77b2b9b6cb4361d21c76a9488f0 | SHA1 | chromelevator.exe |
| 75a3f20be3e037c09f87c2cb2508da5c3c77d024 | SHA1 | separadordeinfocc npm shasum |
| dd6ab9bbaab803b6f2bda6441692dbbe333b2487 | SHA1 | undicy-http npm shasum |
Behavioral Indicators
| Type | Value | Context |
|---|---|---|
| Scheduled Task | ScreenLiveClient | Persistence (ONLOGON, HIGHEST) |
| Registry Key | HKCU\...\Run\ScreenLiveClient | Persistence fallback |
| File Path | %TEMP%\_nyx_launch.vbs | Hidden process re-launch |
| File Path | %TEMP%\svchost.vbs | Persistence VBScript (hidden+system) |
| File Path | %LOCALAPPDATA%\lofygang-local\ | Stealer output directory |
| File Path | %APPDATA%\WindowsSystemService\config.json | Sandbox evasion decoy |
| File Path | %TEMP%\WinSvcHost\ | Dropper download directory |
| Environment Variable | _NYX_HIDDEN=1 | Hidden process marker |
| Console Output | === Lofygang Started === | Self-identification |
Threat Actor Indicators
| Type | Value | Context |
|---|---|---|
| npm maintainer | consolelofy | Package publisher |
| Maintainer email | duba70015@gmail[.]com | |
| Telegram Bot | @GrabberLofybot (ID 8713069597) | Exfiltration bot |
| Telegram Chat | 8245283894 | Operator account (display: "HAHAHAHAHA") |
| Telegram Channel | t.me/lofygang | Group channel |
| Steam API Key | 440D7F4D810EF9298D25EDDF37C1F902 | Hardcoded in stealer |
| XOR Key | qA#s5~d/YLcg5c;^r7$x.'h!#ik?<82! | Payload decryption key |
| Discord Attachment | 1402635989654044807/1409163724417142964 | Webhook avatar |
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| Supply Chain Compromise | T1195.002 | Malicious npm packages |
| PowerShell | T1059.001 | DPAPI decryption, mic/webcam compilation |
| Visual Basic | T1059.005 | VBScript hidden re-launch, UAC prompt |
| Scheduled Task | T1053.005 | ScreenLiveClient ONLOGON persistence |
| Registry Run Keys | T1547.001 | Autostart persistence |
| Disable or Modify Tools | T1562.001 | Defender, UAC, Task Manager disabled |
| Obfuscated Files | T1027 | XOR-encrypted payload |
| Virtualization/Sandbox Evasion | T1497 | 13 anti-VM checks (disabled in current build) |
| Browser Credentials | T1555.003 | 25+ browser credential theft |
| Steal Application Access Token | T1528 | Discord tokens via leveldb + DPAPI |
| Steal Web Session Cookie | T1539 | Roblox, Instagram, TikTok, Spotify |
| Screen Capture | T1113 | Real-time streaming at 80ms intervals |
| Audio Capture | T1123 | Microphone via waveIn API |
| Video Capture | T1125 | Webcam via Media Foundation |
| Exfiltration Over Web Service | T1567 | Discord webhook, Telegram, GoFile, Catbox |
| Application Layer Protocol | T1071 | WebSocket C2 on port 80 |
This investigation was conducted by Breakglass Intelligence's autonomous GHOST investigation system. The malicious packages were identified through routine npm ecosystem monitoring. 5,092 lines of decrypted malicious JavaScript were recovered and analyzed. All indicators were confirmed live at the time of publication. Both packages remain available on npm.
Breakglass Intelligence | April 1, 2026