Over the past few days, about two dozen virus-infected Minecraft add-ons have been removed from CurseForge, the largest platform for game modifications. These malicious extensions were suspected to have been installed on hundreds of thousands of computers. CurseForge is actively working on resolving the issue, but in the meantime, users are urged to be patient.
CurseForge, one of the most popular gaming platforms that offers various plugins and mods to make released games more exciting and diverse, has issued a warning to its users. Although the site is generally safe, it appears that several dozen malicious software programs were included in the offerings, exclusively targeting the world’s most popular game, Minecraft.
CurseForge operated the mod developer accounts, and the creation dates of the malicious files used in the attack trace back to mid-April, indicating that the compromise of these accounts had been active for weeks. Furthermore, it is possible that the developer platform Bukkit.org, also operated by CurseForge, may have been affected.
According to a statement from Prism Launcher, the creator of an open-source Minecraft launcher, the malware called Fracturiser primarily infected Windows and Linux systems. It spread mainly through the following mods:
- Dungeons Arise
- Sky Villages
- Better MC modpack series
- Dungeonz
- Skyblock Core
- Vault Integrations
- AutoBroadcast
- Museum Curator Advanced
- Vault Integrations Bug fix
- Create Infernal Expansion Plus
Additionally, several mods had to be removed from Bukkit, operated by CurseForge. These mods were:
- Display Entity Editor
- Haven Elytra
- The Nexus Event Custom Entity Editor
- Simple Harvesting
- MCBounties
- Easy Custom Foods
- Anti Command Spam Bungeecord Support
- Ultimate Leveling
- Anti Redstone Crash
- Hydration
- Fragment Permission Plugin
- No VPNS
- Ultimate Titles Animations Gradient RGB
- Floating Damage
Highly Cunning
According to forum participants, the malware named Fracturiser was deployed in various stages to infect computers. The attack began with Phase 0, which initiated when an infected mod was executed. Each subsequent phase was responsible for downloading the files of the next phase from a command and control server. Phase 3, believed to be the final stage of the series, created folders and scripts, modified system files, and initiated data theft.
Reports suggest that Fracturiser effortlessly gained access to various web browser cookies, login credentials for Discord, Microsoft, and Minecraft, personal files, sensitive data, and even clipboard contents.
On their community platforms, CurseForge officials stated that a “malicious user created multiple accounts and uploaded projects containing malicious programs to the platform.” They also revealed that the account of a mod developer associated with Luna Pixel Studios was compromised, and the attackers used it to upload virus-infected mods as well.
Putting Out the Fire with a Water Gun
Regarding the incident, CurseForge mentioned that they are currently dedicating all their resources to reviewing every new upload and project to ensure user safety. However, during this time, they are not allowing new mods to be released on the platform. Unfortunately, they cannot provide direct assistance to users who may have already downloaded one of the infected mods.
They advised against uninstalling the CurseForge client, as it does not solve the problem and can potentially cause more harm than good. If uninstalled, users will not be able to install future updates and fixes. They stated that they are working on a tool to help users easily determine whether they have been exposed to the infection or not. In the meantime, they kindly ask for everyone’s patience.