Pardon our dust, documentation still in progress
fractureiser
is a virus found in several Minecraft projects uploaded to CurseForge and BukkitDev. The malware is embedded in multiple mods, some of which were added to highly popular modpacks. The malware is only known to target Windows and Linux.
If left unchecked, fractureiser can be INCREDIBLY DANGEROUS to your machine. Please read through this document for the info you need to keep yourself safe.
We've dubbed this malware fractureiser because that's the name of the CurseForge account that uploaded the most notable malicious files.
If you're simply a mod player and not a developer, the above link is all you need. It contains surface level information of the malware's effects, steps to check if you have it and how to remove it, and an FAQ.
Anyone who wishes to dig deeper may also look at
You are not infected.
We have a good idea how fractureiser works, from Stages 0 to 3. There are certain unknowns, but the attack servers are offline and to our knowledge, new infections are not possible. Old infections may still be active.
User-facing documentation is more or less finished. We're working with community members to get it translated into other languages to further spread awareness.
On 2023-06-08 the fractureiser Mitigation Team held a meeting with notable members of the community to discuss preventive measures and solutions for future problems of this scale. See this page for the agenda and minutes of the event.
If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to [email protected] — anything sent to it will be shared with the rest of the team. If you need to get in touch more generally, please send mail to [email protected].
If you copy portions of this document elsewhere, please put a prominent link back to this GitHub Repository somewhere near the top so that people can read the latest updates and get in contact.
The only official public channel you may join without being personally invited that's run by the same team that wrote this writeup is #cfmalware on EsperNet IRC. Joining an IRC channel will expose your IP address.
Do not ask for samples. If you have experience and credentials, that's great, but we have no way to verify this without using up tons of our team's limited time. Sharing malware samples is dangerous, even among people who know what they're doing.