Keypoints
- Fractureiser is a four-stage, multi-platform infostealer distributed via compromised Minecraft mods/plugins on CurseForge and Bukkit.
- Stage 0 is the modified mod/plugin that fetches Stage 1 from http://85.217.144.130:8080/dl; Stage 1 (dl.jar) handles persistence, infection of other JARs, and C2 contact.
- Stage 2 (lib.jar / libWebGL64.jar) acts as a downloader/updater for Stage 3; Stage 3 deploys a jar with a native hook.dll exposing clipboard and Microsoft credential extraction functions.
- The malware attempts to infect all eligible .jar files on host(s), removes Java signing files in META-INF to bypass code signing, and uses a mutex to prevent multiple instances.
- Clipboard monitoring is used to replace cryptocurrency addresses and to attempt VM-to-host infection via Windows Sandbox clipboard file descriptors; it also steals Minecraft/Discord tokens and browser cookies/credentials.
- Persistence variants include dropping executables (NekoInstaller → NekoService) that install a Windows service and dropping/running a JRE-hosted service.jar; compilation timestamps indicate active development April–May 2023.
- IOCs include multiple SHA-1 hashes, C2 URLs/IPs (85.217.144.130, files-8ie.pages.dev, 107.189.3.101), and dozens of infected mod/plugin download links hosted on CurseForge/Bukkit.
MITRE Techniques
- [T1071.001] Application Layer Protocol – used for C2 and initial download (‘connects to http://85.217.144.130:8080/dl to download the Stage 1 malware.’)
- [T1105] Ingress Tool Transfer – downloader/updater behavior to fetch and deploy later stages (‘Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.’)
- [T1543.003] Create or Modify System Process: Windows Service – installer drops and registers a service for persistence (‘drops the executable file in C:\Program Files\nekoservice\ServiceHost.exe and adds it as a service named NekoService to run;’)
- [T1056.005] Input Capture: Clipboard – monitors and replaces cryptocurrency addresses to hijack transactions (‘The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions.’)
- [T1553.002] Subvert Trust Controls: Subvert Code Signing – removes Java signing files to disable code signing (‘the infection code also disables code signing for Java files by removing the META-INF/CERTIFIC.RSA … and META-INF/CERTIFIC.SF’)
- [T1036] Masquerading / File Infection – infects other JAR files on the system to propagate (‘attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod.’)
Indicators of Compromise
- [File hashes] Malicious JAR/EXE samples – dc43c4685c3f47808ac207d1667cc1eb915b2d82, 2db855a7f40c015f8c9ca7cbab69e1f1aafa210b, and 14 more hashes
- [URLs/IPs] C2 and download endpoints – http://85.217.144.130:8080/dl, https://files-8ie.pages.dev:8083/ip, and 107.189.3.101
- [Domains] Potential C2/hostnames – connect.skyrage.de (possibly new C2)
- [File names / binaries] Deployed artifacts and service components – hook.dll, NekoServices / ServiceHost.exe, service.jar (JRE-run payload)
- [Infected packages / download links] Compromised mods/plugins (examples) – https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced, https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor, and many additional CurseForge/Bukkit files
Fractureiser’s technical procedure begins with compromised developer accounts publishing modified Stage 0 mods/plugins that load a remote dl.jar (Stage 1) from an HTTP endpoint. Stage 1 establishes persistence, uses a mutex to avoid running duplicate instances, and determines which .jar files on Linux and Windows hosts are eligible for infection and injects itself into them; it also strips the Java signing artifacts from META-INF so that the modified archives no longer fail signature checks. Stage 2 functions as a downloader/updater that retrieves the final Stage 3 payload.
The Stage 3 payload bundles a native hook.dll exposing functions invoked from Java to harvest clipboard file descriptors (used for VM-to-host escape attempts via Windows Sandbox) and to extract Microsoft Live credentials; it also targets Minecraft and Discord tokens, browser cookies, and stored logins. Persistence can be achieved via dropped EXEs (NekoInstaller → installing NekoService as a Windows service) or by deploying a JAR and bundled JRE (service.jar) under Program Files. C2 communication and payload retrieval use HTTP/HTTPS endpoints and IPs enumerated in the IOCs, and the malware actively replaces clipboard cryptocurrency addresses to hijack transactions.
Detection and mitigation should focus on scanning JAR files for the listed SHA-1s and for the IOC endpoints embedded in their classes, validating Java package integrity and signatures (in particular, archives whose manifest still carries entry digests but whose META-INF signature files are missing), monitoring for unexpected services such as NekoService or a dropped ServiceHost.exe, and blocking known C2 URLs/IPs at the network layer. For contaminated environments, perform a full filesystem scan for infected JARs, remove persisted services and dropped runtimes, and check developer accounts for compromise to prevent further staged distribution.
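The JAR-level checks described above, as an added triage example that is not part of the original report or of any published Fractureiser tooling: it hashes each archive against the SHA-1s listed in the IOCs, looks for the C2 strings in class files, and flags the stripped-signature pattern (a manifest with per-entry digests but no .SF/.RSA files). The two sample JARs are constructed in memory for the demo and are not real malware samples.

```python
import hashlib
import io
import zipfile

# Indicators copied from the IOC section of the report above.
KNOWN_SHA1 = {
    "dc43c4685c3f47808ac207d1667cc1eb915b2d82",
    "2db855a7f40c015f8c9ca7cbab69e1f1aafa210b",
}
C2_STRINGS = [b"85.217.144.130", b"files-8ie.pages.dev",
              b"107.189.3.101", b"connect.skyrage.de"]
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def scan_jar(data: bytes) -> dict:
    """Triage one JAR held in memory and return a dict of findings."""
    sha1 = hashlib.sha1(data).hexdigest()
    findings = {"sha1": sha1, "known_hash": sha1 in KNOWN_SHA1,
                "signed": False, "manifest_only": False, "c2_strings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        sig_files = [n for n in names if n.upper().startswith("META-INF/")
                     and n.upper().endswith(SIG_SUFFIXES)]
        findings["signed"] = bool(sig_files)
        # Entry digests in MANIFEST.MF with no .SF/.RSA siblings is what is
        # left behind after the signature files have been deleted.
        if "META-INF/MANIFEST.MF" in names and not sig_files:
            findings["manifest_only"] = b"-Digest:" in jar.read("META-INF/MANIFEST.MF")
        for name in names:
            if name.endswith(".class"):
                blob = jar.read(name)
                findings["c2_strings"] += [(name, s.decode()) for s in C2_STRINGS if s in blob]
    findings["suspicious"] = (findings["known_hash"] or bool(findings["c2_strings"])
                              or findings["manifest_only"])
    return findings


def build_sample_jar(infected: bool) -> bytes:
    """Constructed demo archives (hypothetical class bytes, not real samples)."""
    manifest = "Manifest-Version: 1.0\r\n\r\nName: a/Mod.class\r\nSHA-256-Digest: AAAA\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if infected:  # signature files stripped, Stage 1 download URL in a class
            jar.writestr("a/Mod.class", b"\xca\xfe\xba\xbe http://85.217.144.130:8080/dl")
        else:         # intact signature files, clean class
            jar.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/CERT.RSA", b"\x30\x82 placeholder")
            jar.writestr("a/Mod.class", b"\xca\xfe\xba\xbe clean")
    return buf.getvalue()
```

Most community mods are never signed, so the manifest-only check is only a strong signal on archives that were signed when published; the hash and C2-string hits are the decisive findings.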