Open Source 2023-06-01 · 7 days ·Data Exfiltration

Better MC modpacks shipped Fracturiser malware

Part of the Fracturiser mod campaign stole player credentials campaign

The CurseForge account for 'Luna Pixel Studios', creators of the very popular 'Better MC' modpack series, was compromised. Attackers uploaded malicious versions of the modpacks (e.g., BMC3 for Forge 1.19.2).

Story

Better MC mattered because it was a modpack, not a single small mod. A compromised Luna Pixel Studios publishing account let attackers place Fracturiser into releases that players installed as trusted bundles.

The named affected scope included Better MC Forge BMC3, Better MC Forge BMC2, and Better MC Fabric. Those packages pulled together many mods under a familiar project name, so the malicious upload inherited trust from both the modpack brand and its dependency graph.

Fracturiser used the Minecraft loader path as execution. Once a poisoned JAR was loaded, the staged malware reached beyond the game and targeted host data on Windows and Linux, including secrets useful for accounts and further spread.

The cleanup problem was therefore not just "remove one mod." Players had to treat the whole affected modpack install as suspect, then scan for active infection and for dormant JARs that could restart the chain later.

This record stays separate from the campaign because Better MC was one of the high-signal package scopes. The campaign explains the shared malware; this record preserves the concrete releases players were told to remove and scan around.

Affected Artifacts

Better MC [Forge] - BMC3

curseforge · Source Archive

Observed: 2023-06-01 to 2023-06-08
Compromised Versions: v18
Fixed: Not listed
Evidence: distribution: curseforge.com/minecraft/modpacks/better-mc-forge/files/4477460

One of the named Better MC examples from the compromised Luna Pixel Studios account; shared Fracturiser stage hashes remain at the attack level.

Better MC [Forge] - BMC2

curseforge · Source Archive

Observed: 2023-06-01 to 2023-06-08
Compromised Versions: v7
Fixed: Not listed
Evidence: distribution: curseforge.com/minecraft/modpacks/better-mc-forge

Named affected modpack release; exact file URL is not captured in the current record.

Better MC [FABRIC]

curseforge · Source Archive

Observed: 2023-06-01 to 2023-06-08
Compromised Versions: v10
Fixed: Not listed
Evidence: distribution: curseforge.com/minecraft/modpacks/better-mc-fabric

Named affected modpack release; exact file URL is not captured in the current record.

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: No
Actor: Cybercriminal Gang

Indicators

Locationmirror: github.com/fractureiser-investigation/fractureiser
Locationmirror: github.com/clrxbl/NekoClient
Locationmirror: gist.githubusercontent.com/NotNite/79ab1e5501e1ef109e8030059356b1b8/raw/c2102bf5ff74275ac44c2200d5121bfff652fd49/hook.dll.c
Locationmirror: gist.github.com/Darkhax/d7f6d1b5bfb51c3c74d3bd1609cab51f
Locationmirror: hackmd.io/5gqXVri5S4ewZcGaCbsJdQ
Hashsha1:dc43c4685c3f47808ac207d1667cc1eb915b2d82
Hashsha1:52d08736543a240b0cbbbf2da03691ae525bb119
Hashsha1:6ec85c8112c25abe4a71998eb32480d266408863
Hashsha1:c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5
Hashsha1:e299bf5a025f5c3fff45d017c3c2f467fa599915

External References

June 2023 - Infected mods detection toolsupport.curseforge.com
New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linuxbleepingcomputer.com
Some CurseForge accounts might be compromisedreddit.com
Fractureiser technical detailsraw.githubusercontent.com

Source record: oss/attacks/better-mc/meta.yaml