Simply Houses mod shipped Fracturiser malware
Part of the "Fracturiser mod campaign stole player credentials" campaign
A developer account (shyandlostboy81) with publishing rights for the 'Simply Houses' Minecraft mod on CurseForge was compromised. Attackers uploaded a malicious JAR file disguised as a legitimate update.
Story
Simply Houses was a direct Fracturiser distribution point. A CurseForge account with rights to publish the mod was compromised, and the attacker used that authority to upload a JAR that looked like a normal project update.
The malicious artifact carried the shared Fracturiser stage seen across the campaign. The first-stage code ran in the Minecraft mod-loading path, then pulled the infection chain toward host-level credential theft.
The package scope is narrow, but useful. Players looking at a large campaign need to know whether a mod they installed was one of the concrete affected names, and Simply Houses was named in public response material.
The response path was the same as the wider campaign: remove affected JARs, scan for active infection, and treat dormant downloaded mods as dangerous until checked.
The campaign record carries the broad mechanics; this record anchors the specific project so inventories, launcher profiles, and server mod folders can be checked against a concrete name.
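The inventory check described above, as an added example that is not part of the original record or of any vendor tooling: it hashes every JAR under the given folders and reports matches against the SHA-256 listed under Hashes in this record, plus file names that mention the project. The folder arguments and the file-name pattern are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 listed under "Hashes" in this record.
KNOWN_BAD_SHA256 = {
    "5584ac1f8b713d2f6310bd3cde425b775402fbc70e56e5e8d774bec15703ca79",
}
# Assumption: distributed JARs carry the project name in the file name.
NAME_HINT = re.compile(r"simply[\W_]*houses", re.IGNORECASE)


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large JARs do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(roots, bad_hashes=KNOWN_BAD_SHA256, name_hint=NAME_HINT):
    """Return (verdict, path, sha256) for every JAR that needs attention."""
    findings = []
    for root in roots:
        for jar in sorted(Path(root).rglob("*")):
            if not jar.is_file() or jar.suffix.lower() != ".jar":
                continue
            try:
                digest = sha256_of(jar)
            except OSError:
                findings.append(("UNREADABLE", str(jar), None))
                continue
            if digest in bad_hashes:
                findings.append(("HASH_MATCH", str(jar), digest))
            elif name_hint.search(jar.name):
                # Compromised versions are unknown, so a name match is only
                # a prompt for manual review, not proof of infection.
                findings.append(("NAME_ONLY", str(jar), digest))
    return findings


if __name__ == "__main__":
    # Pass launcher profile, modpack and server mod folders as arguments.
    for verdict, path, digest in scan(sys.argv[1:]):
        print(f"{verdict}\t{digest or '-'}\t{path}")
```

A clean result covers only the listed file hash; the record's response path still calls for scanning for active infection.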
Affected Artifacts
Simply Houses
- Observed: 2023-05-01 to 2023-06-08
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha256:5584ac1f8b713d2f6310bd3cde425b775402fbc70e56e5e8d774bec15703ca79
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Cybercriminal Gang
External References
- June 2023 - Infected mods detection tool (support.curseforge.com)
- Fractureiser Malware (mineacademy.org)
- Infected Minecraft mods lead to multi-stage, multi-platform infostealer malware (bitdefender.com)
Source record: oss/attacks/simply-houses/meta.yaml