Malware News Sweet Minecraft Mods – The Dark Tale of SugarSMP Scam, Malware & Extortion

[Khushal]

Content source

https://blog.gdatasoftware.com/2026/03/38390-minecraft-mod-sugarsmp-malware

related earlier MalwareTips post

Thread 'VT undetected Java (.jar) Minecraft Mod file used as Loader for Payload'

Feb 9, 2026

Here's an apparent game mod (.jar) with no detection on VirusTotal.

https://community.bitdefender.com/en/discussion/comment/361034

I've recently been targeted via Discord by a threat actor that tried to make me load a Minecraft Mod that he linked via chat. Actor displayed multiple threat vectors in a well organized scheme mixing social engineering, discord features and low-security Minecraft Bedrock java runtime to hack and steal information from victims.

The full brief report I made:....

• Wrecker4923
• Replies: 1
• Forum: News Archive

• 
• 

Gdata expert and his allies have an interesting blogpost for all of us.
IoCs contain FUD VT files or only one detection which is shocking.

VirusTotal

VirusTotal

www.virustotal.com

VirusTotal

VirusTotal

www.virustotal.com

@TuxTalk will be proud of Gdata's research. Thanks @rifteyy for his contribution.

Minecraft: SugarSMP's Dark Tale of Scams, Malware & Extortion

Some Minecraft players were looking for safe haven away from griefers, but found an elaborate web of malware, deception and extortion.

blog.gdatasoftware.com

 

[Parkinsond]

Kaspersky strikes again.

 

[Khushal]

Kaspersky strikes again.

only on few samples

 

[SeriousHoax]

Gdata expert and his allies have an interesting blogpost for all of us.

G-Data malware researcher Karsten Hahn aka @struppigel is a MT member and a moderator, but he hasn't been active on the forum for a while.

 

[Khushal]

G-Data malware researcher Karsten Hahn aka @struppigel is a MT member and a moderator, but he hasn't been active on the forum for a while.

quite unfortunate to see him being inactive. Surprisingly he is quite active on reddit. It seems he was fed up with the MWT community.

 

[Wrecker4923]

I found these notable:

1. The sugarsmp[.]com website is only one month old. I hope I won't want something bad enough to risk working with such a site.
2. Apparently, the download file was changed back to a non-malware mod; a tactic we also saw with the 7-Zip manager's malware sites (which actually had aged long-registration domains; were they hacked?).
3. They used a hacked reputable mod developer's Reddit account to convince the moderators to take down malware warnings. Oops, social engineering works everywhere.

 

[Parkinsond]

The sugarsmp[.]com website is only one month old

It's even down

 

[ForgottenSeer 123960]

It's even down

PING sugarsmp.com(2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0)) 56 data bytes
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=1 ttl=55 time=2.30 ms
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=2 ttl=55 time=2.40 ms
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=3 ttl=55 time=2.49 ms

--- sugarsmp.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.301/2.394/2.486/0.075 ms

 

[Sampei.Nihira]

It's even down

Blocked by NextDNS:

 

[Parkinsond]

Blocked by NextDNS:

View attachment 296382

So it is blocked by ControlD without notification on my side.

 

[Jonny Quest]

LOL...here we go again, who and what blocks what

 

[Jonny Quest]

PING sugarsmp.com(2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0)) 56 data bytes
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=1 ttl=55 time=2.30 ms
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=2 ttl=55 time=2.40 ms
64 bytes from 2606:4700:3035::ac43:cbd0 (2606:4700:3035::ac43:cbd0): icmp_seq=3 ttl=55 time=2.49 ms

--- sugarsmp.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.301/2.394/2.486/0.075 ms

View attachment 296381

Agree, not down, just blocked?

 

[Sampei.Nihira]

So it is blocked by ControlD without notification on my side.

Try running the test using HTTPS.
You opened the website using HTTP.

 

[Parkinsond]

Try running the test using HTTPS.
You opened the website using HTTP.

How would I do that?

 

[Khushal]

Kaspersky strikes again.

web protection misses the domain. Seems like users with Kaspersky solutions managed to download the malware that is why that VT detection.
@harlan4096 ?
The domain is not malicious in itself

 

[Parkinsond]

View attachment 296385

web protection misses the domain. Seems like users with Kaspersky solutions managed to download the malware that is why that VT detection.
@harlan4096 ?
The domain is not malicious in itself

Seems Kaspersky has got it by behavioral analysis; system watch is a top-notch.

 

[Khushal]

How would I do that?

As explained the domain is not malicious in itself. Users need to download jar to complete the social engineering attack. Nevertheless i had to use vpn to get to this domain. http/https doesn't make a difference.

mine opened as http.

 

[Parkinsond]

As explained the domain is not malicious in itself

So it is blocked just for bing mewly registered one?

 

[Khushal]

So it is blocked just for bing mewly registered one?

No i believe the site is intermittently serving malware and legit mods.

 

[Parkinsond]

No i believe the site is intermittently serving malware and legit mods.

The jar file was not flagged; now it is by GData