October 3, 2023

Researchers are warning the Minecraft gamers about a rapidly spreading multi-stage malware campaign dubbed as Fractureiser targeting modpacks and plugins.

Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the original author’s knowledge. These mods have then been included in popular modpacks that have been downloaded in millions.

Mods are user-created add-ons that extend the gameplay, collections of which are put together and configured in the form of modpacks. CurseForge and Bukkit are two of the largest Minecraft mod repositories.


The Fractureiser malware is downloaded in four stages, labelled zero through to three. Stage three brings the final payload in the form of a JAR file that includes a native binary named hook.dll. It currently affects Linux and Windows Minecraft installs and attempts to propagate itself to all JAR files on the system, including those that are not part of a Minecraft mod.

Upon modification of the file, the malware can target victims in a range of ways. Firstly, it can hijack cryptocurrency transactions by swapping wallet addresses with the attackers. Fractureiser can also steal cookies and user credentials from web browsers and exfiltrate authentication tokens for Discord, Microsoft, and Minecraft.

Researchers highlighted it is aimed at mod or plugin developers, since the stage three malware targets Windows Sandbox, the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.

This research was documented by researchers from BItDefender

Indicators of Compromise

  • 2db855a7f40c015f8c9ca7cbab69e1f1aafa210b
  • a4b6385d1140c111549d95eab25cb51922eefba2
  • b0752dcf01d56f420cb084c84b641b9c132e8a73
  • 282adb0edc52ce955932de48ef06df36e1050ada
  • c55c3e9d6a4355f36b0710ab189d5131a290df26
  • 33677ca0e4c565b1f34baa74a79c09a3b690bf41
  • 284a4449e58868036b2bafdfb5a210fd0480ef4a
  • 32536577d5bb074abd493ad98dc12ccc86f30172
  • 0C6576BDC6D1B92D581C18F3A150905AD97FA080
  • dc43c4685c3f47808ac207d1667cc1eb915b2d82
  • 52d08736543a240b0cbbbf2da03691ae525bb119
  • 6ec85c8112c25abe4a71998eb32480d266408863
  • e50eadd3293e35e60e89d1914bbc67ab597c8721
  • c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5
  • e299bf5a025f5c3fff45d017c3c2f467fa599915
  • 2de8f42871213f17771be2943e5f9da3b0a94ad2

Leave a Reply

%d bloggers like this: