Shadow Client is a RAT (with proof)

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
  • Preamble

    I'm writing this post for the idiots who were stupid enough to download Shadow Client, without heeding the many warnings they got from people who know what they're talking about, and ran it outside of a virtual machine and with Internet.

    If you downloaded the "official" build from the Shadow client Discord, chances are, you're ratted. @"Luna__"#2532's fork, to my knowledge, does not contain this malware. But you shouldn't be running it anyways as Shadow is a piece of shit.

    Proof

    Starting the connection to the C2
    Receiving commands from the C2

    What should I do if I've ran this?

    This will probably only affect you if you used Windows to run Shadow because it launches Command Prompt. However, we cannot be entirely sure about that.
    We must do a full reinstall because we simply don't know what commands they were running. If you look at the screenshot above, there's nothing hardcoded, except for the launching of Command Prompt. To make this even worse, Command Prompt doesn't even have history.

    1. Disconnect the machine you used to run Shadow from the internet.
    2. On another device, download the Windows 10 ISO from here (hint: you need a user agent other than Windows to download it else you'll be asked to download their crappy Media Tool)
    3. Use a tool like Balena Etcher (simple) or Rufus (advanced) to flash the ISO to a USB drive.
    4. Plug the flashed USB drive into your infected machine.
    5. Enter the BIOS of the infected machine and set the boot priority for the USB to the top.
    6. Exit & save your settings.
    7. Reinstall windows through the installer.

    If these steps didn't work for you, find another guide for reinstalling windows from the ISO and NOT from within Windows.
    Maybe after reinstalling Windows you'll know not to be stupid and run software from people who have backdoored others (hint hint Coffee client IRC class loading, them backdooring Minecraft servers)

  •   Allink I've managed to get them to turn off their C2 server (likely by spamming them with fake clients… Oops!), so new users are safe for the time being.

    You can verify if your shadow JAR is infected by checking if it contains the class net.shadow.client.feature.gui.hud.HudRegistry

  • It's obvious they did this to take advantage of the fact that kids don't know or can't be bothered to figure out how to compile the clients themselves or even understand what's going on under the hood, so they just snuck in a RAT that gives them their Minecraft session token along with opening up a backdoor on their computer to connect to.

    What a dick move.

    image.png

  • This client also seems to break a lot of mods including WNT, Optifine/Optifabric, etc. To confirm that the mod's just a pile of dog shit, I compiled shadow myself using source code that was on GitHub that was inspected to be rat-free and thoroughly swept. Command Prompt was also never launched either. I never trusted it to begin with so I definitely made sure I wasn't endangering myself when testing it.

    Simply put, it's a shitty mod made by a group of shitty kids and ratted since the average player really isn't going to do a sweep like what I did to check for malware inside it, they took advantage and put a rat in it. Coffee is another client that is just as shitty and ratted as Shadow and it's what F_x uses as well. You are not 'cool' for running this garbage and it's not worth being ratted by a sad group of kids because you decided to use it either.

    javaw_VqNRNZdU6Q.png
    image.png
    image.png

  • There's a pretty long story behind why this client is ratted.

    Basically, a member of the moles that we kicked out decided to go and leak the client to some select people in the public. Because of this, I decided to release the client to the public on Github. Some other developers were really ticked off by my release of the client. One of the devlopers decided to go and make a separate copy of the shadow discord and a ratted copy of shadow (I still don't know why).

  • Our dev couldnt find proof and didnt yet think about the discord rpc in our pic and while our server was the attack of 3 shadow client Loggs it wasnt great the last one caused is to move servers as it was that bad i hope that the moles get reported and ip banned from using discord


    codium multimatter redanium sporres

  •   root the discord rpc isnt apart of the rat we couldnt yet find the rat in the code but we knew it had a rat cause of the problems it caused with stuff like spamming our discord (pay to lose) and after a bit even getting into a discord bot and breaking all of the discord

    Edit: one of the latest hacks from the moles/the voles?
    https://media.discordapp.net/attachments/97…30/IMG_1914.png

    https://media.discordapp.net/attachments/97…08/IMG_1915.png


    codium multimatter redanium sporres