RAT Infecting MC Players (Mostly Anarchy)

  • Source: https://www.reddit.com/r/minecraftcli…utm_name=iossmf

    It is suggested that everyone check if this malware is on their computer. The author of the thread suggests doing a complete computer reset if the malware is found on your computer. There is no current origin of this malware.

    How to know if you have the malware:

    • Navigate to this folder: C:\Users\(username)\AppData\Roaming\.minecraft\libraries\net\minecraftforge\injector\forgedefault
    • If a file named injector-forgedefault exists, then it is suggested to completely reset your computer.
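    A scripted version of the two-step check above, added here as an example and not part of the original thread: it walks every profile under the Users folder (so all accounts on the machine are covered, not only the one running it), looks for the indicator folder from the post, and reports any matching file with its hash so the finding can be shared without sending the file itself. The wildcard on the file name is an assumption, since the post does not say whether `injector-forgedefault` carries an extension; the CSV path at the end is a constructed placeholder.

```powershell
# Added example (not from the thread): scan every local user profile for the
# indicator path named in the post and report whether the file is present.
# Assumptions: the file name is 'injector-forgedefault' with or without an
# extension (the post gives no extension), and the script has rights to read
# other users' profiles (run as Administrator for a full scan).

$RelativePath  = 'AppData\Roaming\.minecraft\libraries\net\minecraftforge\injector\forgedefault'
$IndicatorName = 'injector-forgedefault*'   # wildcard covers an extension, if any

# Enumerate profile directories instead of relying on $env:USERPROFILE so that
# all accounts on the machine are checked, not just the one running the script.
$profileRoot = Join-Path $env:SystemDrive 'Users'
$results = foreach ($profile in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    $folder = Join-Path $profile.FullName $RelativePath
    $hits = @()
    if (Test-Path -LiteralPath $folder) {
        $hits = @(Get-ChildItem -LiteralPath $folder -File -Filter $IndicatorName -ErrorAction SilentlyContinue)
    }
    foreach ($hit in $hits) {
        # SHA-256 lets the find be compared or reported without moving the file.
        [PSCustomObject]@{
            User          = $profile.Name
            File          = $hit.FullName
            SizeBytes     = $hit.Length
            LastWriteTime = $hit.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $hit.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($results) {
    Write-Warning "Indicator found: $(@($results).Count) matching file(s). The thread recommends a full reset of the affected machine."
    $results | Format-Table -AutoSize
} else {
    Write-Host "No '$IndicatorName' file found under $profileRoot\*\$RelativePath"
}

# Optional: keep a record of the scan for incident tracking (constructed placeholder path).
# $results | Export-Csv -Path "$env:TEMP\forgedefault-scan.csv" -NoTypeInformation
```

The script only detects the file the thread names; it does not remove anything. Because the post lists Discord and Minecraft session tokens and browser login data among what is collected, a machine reset on its own does not invalidate credentials that have already been sent out, so those would need to be changed separately.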

    According to the Reddit thread, this is all the information it can get from you:

    • injects itself into the forge profile; when you run it, it grabs your ip, operating system name, computer username, and some hwid
    • grabs your discord token, discord username, email, if you have 2fa enabled, phone number, if you have nitro, and if you have any linked payment methods
    • grabs your minecraft session token, name, and uuid
    • grabs all of the mods in your mods folder; takes a screenshot of your screen
    • grabs the minecraft accounts you have logged into the minecraft launcher
    • grabs your chrome login data file
    • grabs filezilla servers
    • grabs sharex configs; grabs your future client login details
    • grabs your minecraft accounts from future client manager
    • grabs your waypoints from future client
    • grabs your waypoints from salhack
    • grabs your minecraft accounts from rusherhack manager
    • grabs your waypoints from rusherhack
    • grabs your minecraft accounts from pyro manager
    • grabs some weird server stuff from pyro idek what this is
    • grabs your konas files which i assume have waypoints and stuff
    • grabs your waypoints from kami blue
    • grabs everything from journeymap
    • grabs source code from recent intellij projects
    • and all of that is being sent to one of 5 discord webhooks
  • Quote

    @Xen#6270 C:\Users(username)\AppData\Roaming.minecraft\libraries\net\minecraftforge\injector\forgedefault

    C:\Users(username)\AppData\Roaming\.minecraft\libraries\net\minecraftforge\injector\forgedefault *

    you have to put two \'s in front of the dot or else flarum will remove it

  • @neo#6276 As far as I know, OptiFine is not affected.

    I recently learned that the creator of the malware has since come out and apologized. He's even created open-source software that'll remove the malware from your computer. Apparently, he included the malware in most, if not all, of his clients/mods he has created, which is why the Anarchy community was affected so heavily.

    This subreddit has a ton of information about the malware and its creator: https://www.reddit.com/r/minecraftclients/ and there is also a thread that'll link you to the creator's new GitHub account (because his last one got banned in light of the malware). On the GitHub account is a repository that has a few links. One link includes the malware removal software.