What happens when you download a reposted mod?
Mod reuploads, malware, and lots of .ru.

A mediocre blog post from March. Read with embarrassment.

What happens when you download a mod from a suspicious reupload?

A Russian mod reuploader.
The home page of MinecraftInside.

When I started contributing to the mod Hollow, I never knew that I would be investigating malware only a week later.

Hollow is a Minecraft mod for 1.20.1 which adds features that Mojang has promised. Find out more on the Modrinth page.

When the lead developer of Hollow, CallMeEcho, found out that Hollow was being hosted on a Russian mod reuploader named MinecraftInside, they instantly took action and contacted them.

A button that lets users report a mod download.
Echo used the site's built-in reporting feature, so I could not get hold of the original request.

A couple days later, the page was gone. Echo and I thought they had won. Then I started digging. I found a Russian blog post with the mod's name on Google, and started us down the rabbit hole.

The blog post that featured Hollow.
The blog post which featured a suspicious download link to Hollow, auto-translated from Russian.

When we visited the links, we were met with many URL shorteners. This is when we decided to switch to malware analysis software. Neither of us wanted to risk everything on this.

When I downloaded the file, I got a ZIP file containing two (most likely fake or dangerous) EXE installers: one for a VPN named Adguard, and another for an unbranded 'Download Assistant'.

Obviously, you shouldn't be using mod repost services. They both steal from passionate creators and are likely to harm your computer.

Thanks for reading.