Some Minecraft ‘hacks’ don’t help build worlds – they break them. Here’s how malware can masquerade as a Minecraft mod.
Gaming is one of the defining pastimes of the digital age, and for many children, it’s also their first real experience with online communities. This is where platforms like Minecraft and Roblox stand out, as they have transformed gaming into a space for creativity and learning, all while giving players almost unlimited freedom to build worlds and share their experience with others.
On the other hand, that same openness, along with the ability to download, modify, and share user-made content, also creates opportunities for nefarious actors. As we explored in a blogpost about risks surrounding Roblox executors, cybercriminals are keen to exploit trust, curiosity, and the lure of free enhancements disguised as must-have mods, cheats or automation tools. As shown by ESET researchers way back in 2015 and 2017, the risks facing Minecraft players have been around for years, and they certainly aren’t going anywhere.
What is a Minecraft mod?
First, let’s get the basics out of the way. A mod (short for “modification”) is a custom software extension for Minecraft that alters or enhances gameplay by adding new blocks, dimensions, mechanics, textures or other effects. Over time, modding has evolved into a cornerstone of the game’s appeal for many players, giving rise to a thriving ecosystem supported by communities and repositories like Planet Minecraft, CurseForge and Modrinth.
However, since mods are created by users and are distributed as third-party tools, they can also be a convenient attack vector. Attackers are long known to hide their malicious wares inside files that appear to be harmless mods, plugins, or fan tools. The risks were brought into sharp relief again recently in several large-scale campaigns:
- Earlier this year, no fewer than 500 GitHub repositories spread an infostealer under the guise of Minecraft mods.
- In another large-scale attack, bad actors were spotted abusing the popular modding platforms Bukkit and CurseForge to distribute the Fractureiser infostealer.
- The risks apply to the wider gaming ecosystem, as demonstrated by ESET researchers who looked into campaigns spreading Lumma Stealer disguised as cheats for the Hamster Kombat game.
How do attackers weaponize Minecraft mods?
Malicious campaigns often follow a familiar pattern. The malware poses as a well-known or must-have mod or cheat that is available for download from GitHub, user forums, or various mod repositories. Once installed, it launches malicious background tasks or downloads additional payloads from remote servers in order to execute further instructions on the machine.
Here are some common types of malware that can masquerade as a Minecraft mod:
- Trojans let attackers take control of a victim’s device, steal data, install other malware or flood your device with ads.
- Infostealers steal sensitive user data such as login credentials, credit card information or web browser cookies.
- Ransomware encrypts a victim’s files or system and demands payment, usually in cryptocurrency, for their decryption.
- Cryptominers allow attackers to misuse someone else’s device to illegally mine cryptocurrencies.
Also, mods downloaded from unreputable places carry additional, lesser-known risks. For instance, a mod that updates automatically can become a vehicle for smuggling in malware later. Also, many mods request broad privileges, including modifications to system files, while other mods may contain vulnerabilities that are then exploited by attackers, as was the case with the BleedingPipe vulnerability.
How can I reduce the risk of downloading a malicious mod?
As mods exist outside the controlled, verified environment of the official Minecraft client, there is no foolproof way to ensure a mod is completely safe. However, there are a few steps you can take to minimize the risk:
- Be wary of the source: Only download mods from trusted and verified platforms within the Minecraft community like CurseForge and Modrinth. Steer clear of random file-hosting or other obscure websites, as well as discussion forums, Discord links, links in emails and social media messages, YouTube video descriptions, or other sources unrelated to the game, as these are common vectors for malware.
- Verify the developer’s reputation: Established mod developers often have a visible track record and community support. If the author is anonymous or has no reviews, consider avoiding the mod altogether. Player feedback can also reveal past malware issues or be a decent indication that a mod is safe.
- Watch out for unusual file types: Minecraft mods and modpacks are usually distributed as .jar files and compressed archive, such as .zip or .rar, respectively. Be cautious with executables (.exe, .bat) or installers that request administrator privileges as these are often unnecessary for mods and may contain malware.
- Have the download link and/or the file or its hash checked by your security software or VirusTotal. It also won’t hurt to run the mods in a virtual machine or an online sandbox such as anyrun or joesandbox.
What can I do after installing a suspicious Minecraft mod?
If you suspect that a Minecraft mod you installed contains malware, do this:
- Delete the mod file and any associated folders or configuration files. Make sure to terminate any related processes in Task Manager.
- Run a full antimalware scan. Use a trusted security tool to scan your entire computer to remove any malicious files or scripts. A one-time check is also as available courtesy of ESET’s free scanner.
- Reinstall Minecraft from the official source. To ensure a clean environment, uninstall it and reinstall it only from minecraft.net.
- Change passwords for linked and any other accounts, especially the valuable ones. In other words, update credentials for not only your Minecraft account, but also for email, banking apps, and any other potentially affected accounts. Enable two-factor authentication wherever possible.
- Contact cybersecurity professionals: If you suspect lingering malware or data compromise, reach out to security experts to ensure your devices are fully secure.
Staying safe when playing Minecraft with mods
Even if you enjoy modding Minecraft, there are steps you can take to reduce security risks and protect your system:
- Use non-administrator accounts for gaming: Play Minecraft on a standard user account rather than one with administrator privileges. This limits a malicious mod’s ability to alter critical system settings or install unauthorized software.
- Keep your system and software updated: Regularly install updates for your operating system and all software on it, including security software. Patches fix known software vulnerabilities and reduce the risk of compromise from malicious mods.
- Maintain regular backups: Keep copies of both your system files and Minecraft game data. Backups allow you to recover quickly if malware compromises your system or data.
- Use security software: This is another non-negotiable line of defense against all manner of threats.
To mod or not to mod?
Mods can significantly enhance your Minecraft experience, offering new gameplay, creativity, and customization. However, it’s crucial to remember that any file downloaded from the internet carries inherent risks. As there is no surefire way to guarantee that a mod is completely safe, the safest approach, therefore, is to avoid unofficial mods altogether. If you still choose to use them, exercise extreme caution.
If you’re a parent, educate yourself and your children not only about the risks of downloading software, but talk to them also about other risks lurking online.
