June 9 Update:
The oldest sample we were able to track until now (e69b50d1d58056fc770c88c514af9a82) shows the malware during its early development stage. Dated 2023-04-12, it looks like a Stage 2 sample with the C&C address set to 127.0.0.1, which leads us to believe that it was used for testing. It also includes limited functionality that is currently available in Stage 3 samples (only listening for OS commands, executed with exec), which reinforces our assumption that the malware was in development at that time.
We also noticed that the Java package was named differently back in April (dev.sirlennox.nekoclient instead of
We also identified several executables (NekoInstaller/NekoService), as described below:
C:\Program Files\nekoservice\ServiceHost.exe and adds it as a service named NekoService to run;
Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows.
Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.
The malware has four stages, labeled 0 through 3. Stage 0 is the modified mod or plugin itself, which includes obfuscated code that connects to http://126.96.36.199:8080/dl to download the Stage 1 malware.
The Stage 1 malware comes in the form of a dl.jar file with a SHA-1 sum of dc43c4685c3f47808ac207d1667cc1eb915b2d82. The Stage 1 malware includes a mutex to prevent it from running multiple times, and it appears to be responsible for infecting other JAR files, establishing persistence and contacting the command and control server in preparation for Stage 2 deployment.
Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.
Stage 3 brings the final payload, in the form of a jar file that includes a native binary named hook.dll. hook.dll exposes two functions that are called from Java code: retrieveClipboardFiles, which retrieves file descriptors from the clipboard and is used for the virtual machine escape technique detailed below, and retrieveMSACredentials, which retrieves Microsoft Live credentials.
The first sample apparently dates all the way back to April 24th 2023, in the form of a Stage 0 malware with the hash 0e583c572ad823330b9e34d871fcc2df. This first JAR (Java Archive) file lacks many of the features currently in the malware.
The malware currently affects Linux and Windows Minecraft installs and attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod. The malware uses complex logic to determine whether a .jar file is a candidate for infection. Upon modification of the file, the infection code also disables code signing for Java files by removing the
The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions. It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers.
During our analysis, we identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.
We were able to confirm that dozens of mods and plugins have been rigged with the malware. The affected mods are listed in the Indicators of Compromise section below.
The overwhelming majority of victims are in the US. We are monitoring the individual components of this malware and will update the threat distribution accordingly.
Bitdefender identifies the malicious code in all stages of execution as Trojan.Java.Fractureiser.*. If you have downloaded any of the infected mods in recent months or have any concern about the integrity of your .jar files, run a deep scan with your favorite security solution such as Bitdefender Total Security.
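To turn the Stage 0 and Stage 1 indicators quoted above into a repeatable integrity check, here is an added example (not Bitdefender's code and not part of the advisory) that walks a mods or plugins directory and flags any .jar whose SHA-1 matches the Stage 1 dl.jar hash or whose class files embed the Stage 0 download URL. The sample JAR it builds for testing is constructed, not a real mod, and the default ~/.minecraft/mods path is an assumption.

```python
# Added example, not Bitdefender's code: read-only triage of .jar files against the advisory's indicators.
import hashlib
import io
import os
import zipfile

STAGE1_SHA1 = "dc43c4685c3f47808ac207d1667cc1eb915b2d82"  # SHA-1 of dl.jar, from the advisory
STAGE0_C2 = b"http://126.96.36.199:8080/dl"                 # Stage 0 download URL, from the advisory

def scan_jar_bytes(data: bytes) -> list[str]:
    """Return indicator names found in one JAR image (empty list = nothing matched)."""
    hits = []
    if hashlib.sha1(data).hexdigest() == STAGE1_SHA1:
        hits.append("stage1-dl.jar-sha1")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            # Class constant pools store strings as modified UTF-8, so a plain
            # byte search finds an embedded ASCII URL without parsing the class.
            for entry in jar.namelist():
                if entry.endswith(".class") and STAGE0_C2 in jar.read(entry):
                    hits.append(f"stage0-c2-url:{entry}")
    except zipfile.BadZipFile:
        hits.append("not-a-zip")  # a .jar must be a ZIP container; inspect by hand
    return hits

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a mods/plugins directory and report every .jar that matched an indicator."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = scan_jar_bytes(fh.read())
                if hits:
                    findings[path] = hits
    return findings

def build_sample_jar(infected: bool) -> bytes:
    """Constructed test fixture: a minimal JAR with one fake class entry (not a real mod)."""
    body = b"\xca\xfe\xba\xbe" + (STAGE0_C2 if infected else b"hello.mod")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Mod.class", body)
    return buf.getvalue()

if __name__ == "__main__":
    # Assumed default location of a Minecraft mods folder; pass any directory you want checked.
    print(scan_tree(os.path.expanduser("~/.minecraft/mods")))
```

A hit on either indicator is a reason to quarantine the file and re-download the mod from a trusted source; a clean result only means these two indicators were absent, not that the file is untouched.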
New C2C -
Stage2 C2 interrogation -
Possibly new C2C -
Infected mods and plugins: