Fracturiser mod campaign stole player credentials
Fracturiser spread through compromised Minecraft mod and modpack publishing accounts in 2023, turning trusted CurseForge and Bukkit distribution paths into malware delivery channels.
Story
Fracturiser moved through the social and technical machinery of Minecraft modding. Attackers used compromised platform accounts and project uploads to put malicious JARs where players already went for mods, plugins, and modpacks.
That distribution path gave the campaign a long reach. A player did not need to visit a suspicious site or install a fake project. A trusted CurseForge or Bukkit page, a familiar maintainer name, or a modpack dependency graph could carry the first stage.
The payload chain targeted Windows and Linux systems. Detection guidance split the problem in two: active host infection and dormant infected JARs. That mattered because a downloaded mod archive could sit quietly in a mods folder until Minecraft or a server loader executed it.
CurseForge banned accounts tied to the uploads, published detection tooling, and maintained a list of affected projects. Community investigators separately mapped stages, hashes, indicators, and cleanup steps as the campaign unfolded.
The incident was not one poisoned package. It was a distribution-path failure across a creator ecosystem, where trust attached to project names, maintainer accounts, and modpack dependency graphs.
Linked Attacks
2023
The CurseForge account for 'Luna Pixel Studios', creators of the very popular 'Better MC' modpack series, was compromised. Attackers uploaded malicious versions of the modpacks (e.g., BMC3 for Forge 1.19.2).
A developer account with publishing rights for the popular 'When Dungeons Arise' Minecraft mod on CurseForge was compromised. Attackers uploaded a malicious JAR file disguised as a legitimate update.
An account with publishing rights on BukkitDev for a popular plugin implementing 'Treecapitator' functionality was compromised. A malicious JAR file containing the 'Fracturiser' malware was uploaded, appearing as an update.
The CurseForge account associated with the 'Sky Villages' Minecraft mod was compromised. Attackers uploaded a malicious JAR file appearing as a legitimate update for the mod.
A developer account (`shyandlostboy81`) with publishing rights for the 'Simply Houses' Minecraft mod on CurseForge was compromised. Attackers uploaded a malicious JAR file disguised as a legitimate update.
Campaign Context
- Actor: Cybercriminal Gang
- Attribution: Group
- Cause: Unknown
Affected Packages
External References
- June 2023 - Infected mods detection tool (support.curseforge.com)
- fractureiser investigation (github.com)
Source record: oss/campaigns/fracturiser-2023/meta.yaml