17.03.2026

SugarSMP: Malicious mod files target Minecraft players

G DATA warns: Criminals lure frustrated players into malware traps
GDATA-Security-Alert_KeyVisual © G DATA CyberDefense AG

This press release in brief:
Security researchers at G DATA CyberDefense have analyzed a current malware campaign that specifically targets users of the popular sandbox game Minecraft. Cybercriminals are distributing manipulated extensions, so-called modpacks, via their own website and enticing players with promises of uninterrupted gameplay. In the background, they steal browser data and passwords, among other things.


Minecraft players often seek refuge on alternative servers to escape so-called “griefers” — players who deliberately ruin the gaming experience for others. The platform SugarSMP claims to offer such a peaceful online haven. To access it, players are required to log into a private server, which in turn requires the installation of so-called modpacks. This is nothing unusual within the community — however, in this case, malware is hidden beneath a colorful disguise.

At the center of the campaign is “SparkStealer” — a piece of malware that harvests sensitive information such as login credentials (including GitHub), browser data, crypto wallets, as well as content from applications like Discord, Steam, or Telegram — and even uses the stolen data to extort victims. One affected user reported the incident on the discussion platform Reddit and warned others about the site.

Particularly noteworthy is the effort made by the operators behind SugarSMP to clear their name. Investigations revealed not only the existence of numerous copies of the SugarSMP website, but also attempts by the criminals to use social engineering to remove a user’s warning about the malicious site from the internet. At times, they even temporarily removed the malware from the website, replaced it with harmless downloads, and actively asked for support.

Users whose systems may have been infected with SparkStealer should reinstall Discord, remove scheduled tasks, and scan their systems with an up-to-date antivirus program. Additionally, they should log out of browser and Discord sessions and regenerate Discord backup codes for two-factor authentication. All potentially affected passwords must be changed.

A detailed technical analysis can be found on our blog.
