Why would you download architectury from that website in the first place?
Ferro_Giconi on
Ok but like, how did you determine it is probably malware? Did you ask on the discord server if this site is legit? Did you compare the hash of the download from this site to the hash of the same version of the file from somewhere like CurseForge or Modrinth?
Not that I would download from that website regardless of legitimacy, but this seems like a bit of a large conclusion to jump to without doing some easy investigation first.
[deleted] on
[deleted]
reginakinhi on
[ Removed by Reddit ]
AnonymousComrade123 on
Nobody talks about this because everyone downloads it from curseforge or modrinth like a normal person
BhanosBar on
Who tf downloads mods from a non mod distributing site??
reginakinhi on
Reddit deleted my original comment because my writeup was too spicy for it, with the ETH wallet address, node URLs and Russian domain in there, so I’m posting the full version again but censored:
I took a look at it in Recaf. First of all, it’s far too small to be architectury and doesn’t contain any of its assets. It’s also heavily obfuscated with inserted bytecode specifically made to confuse reverse engineers and decompilers, e.g.
```
if(365 * 365 == 0) {}
```
and similar entirely useless stuff put into it everywhere.
Taking a look at the mod entry point and trying desperately not to rip my hair out, it’s some kind of infostealer. It hooks into the game, steals the session token, formats it and sends it to some kind of webhook. There are a bunch of other classes, too. So I’m guessing it also does some generic stealing of other credentials like browser passwords, crypto wallets, etc.
Edit: Very intriguing. I looked into this further, trying to decompile some of the encrypted strings, which was done with a very interesting approach of using the calling class name on the callstack to prevent decryption. That revealed that this isn’t some skid doing weird stuff. It sends to some kind of central C&C server, not a discord webhook. Some URL at the endpoint /api/delivery/handler on a server determined by some other class with a specific hex string 0x1280a..redacted…5B74. I would guess this is some kind of malware as a service, since it contains a userID hardcoded into the jar file, something that would only find use to track what “user” of the malware is responsible for how many infections. That indicates infrastructure that works with multiple users. I will keep checking to see if I can figure out the URL mechanism. As it looks currently though, it appears as though the mod only steals the username, uuid and session token, no external credentials.
Edit 2: Electric Boogaloo
The URLs are decrypted in multiple different ways, and the encrypted strings resolve to a list of 32 Ethereum public endpoints (e.g. hxxps://eth[.]llamarpc[.]com, hxxps://rpc[.]flashbots[.]net, etc).
These are just fallback Ethereum nodes. When poking one of them with the auth token I snatched from the mod using curl, I can get the actual C&C server, which seems to be
hxxps://whpayment[.]ru, which it verifies using a base64 encoded payload and public key from the mod / sent along with the URL. So the full path that your data would be sent to if you ran this mod would be hxxps://whpayment[.]ru/api/delivery/handler.
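A defender-side triage script covering the two checks raised in this thread: Ferro_Giconi's suggestion to compare the downloaded jar's hashes against the ones a trusted listing publishes, and reginakinhi's structural observations (the jar is far too small, carries none of the mod's assets, and its classes are stuffed with junk). This is an added example written for this page, not code from the post, from the mod, or from CurseForge/Modrinth; it goes slightly beyond the thread by also pulling plaintext strings out of each class's constant pool. The sample jar, its single class file and the "known good" hashes are constructed inline, and the loader metadata file names and the suspicious-string patterns are my assumptions.

```python
import hashlib
import hmac
import io
import re
import struct
import zipfile

# Loader metadata files a real mod jar normally carries (assumption: list is
# illustrative, not exhaustive).
MOD_METADATA = {"fabric.mod.json", "quilt.mod.json", "META-INF/mods.toml"}

# Plaintext strings worth a second look inside a mod's classes (assumed patterns).
SUSPICIOUS = [re.compile(r"https?://", re.I), re.compile(r"/api/"), re.compile(r"webhook", re.I)]

# Constant-pool tags with a fixed payload size (JVM spec, table 4.4-B); tag 1 is
# variable-length Utf8 and tags 5/6 (long/double) occupy two pool slots.
_FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def file_hashes(data: bytes) -> dict:
    """Hashes in the forms a trusted mod listing typically publishes."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def matches_known_good(data: bytes, expected: dict) -> bool:
    """True only if every hash the listing gives matches the file in full."""
    actual = file_hashes(data)
    return all(hmac.compare_digest(actual[k], expected[k].lower())
               for k in expected if k in actual)


def class_strings(class_bytes: bytes) -> list:
    """Walk a .class file's constant pool and return its Utf8 entries."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, i, out = 10, 1, []
    while i < count:
        tag = class_bytes[off]
        off += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            out.append(class_bytes[off:off + length].decode("utf-8", errors="replace"))
            off += length
        elif tag in (5, 6):
            off += 8
            i += 1  # long/double take two slots
        elif tag in _FIXED:
            off += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return out


def triage_jar(jar_bytes: bytes) -> dict:
    """Structural signals to look at before ever loading a jar into the game."""
    f = {"size": len(jar_bytes), "mod_metadata": [], "has_assets": False,
         "classes": 0, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name in MOD_METADATA:
                f["mod_metadata"].append(name)
            if name.startswith("assets/"):
                f["has_assets"] = True
            if name.endswith(".class"):
                f["classes"] += 1
                try:
                    strings = class_strings(zf.read(name))
                except (ValueError, struct.error):
                    f["suspicious"].append((name, "<unparseable class>"))
                    continue
                f["suspicious"] += [(name, s) for s in strings
                                    if any(p.search(s) for p in SUSPICIOUS)]
    return f


def build_sample_class(strings: list) -> bytes:
    """Constructed minimal class file: header + a Utf8-only constant pool.
    Only enough for the parser above; it is not loadable by a JVM."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode() for s in strings)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(strings) + 1) + pool + b"\x00" * 8


def build_sample_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for a suspicious download: no loader metadata, no assets,
# one class whose pool holds an API path (the path itself is the one named in the
# post; the host is a placeholder).
SAMPLE_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "a/b/c.class": build_sample_class(
        ["a/b/c", "java/lang/Object", "https://example.invalid/api/delivery/handler"]),
})

if __name__ == "__main__":
    print(triage_jar(SAMPLE_JAR))
    print("hashes match listing:", matches_known_good(SAMPLE_JAR, file_hashes(SAMPLE_JAR)))
```

The string scan is the weakest signal here: the sample in the post kept its URLs encrypted behind call-stack-keyed decryption, so an empty `suspicious` list clears nothing. The structural signals (file size against the real release, missing metadata, no `assets/`, class count) and above all a hash mismatch against the listing are what should stop you from running the jar.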
niraqw on
The only reason to ever download a mod from a website other than curseforge, modrinth, or even github, is if the mod is *only* available elsewhere, like Optifine or Physics Mod Pro, and even those examples of *very* popular mods still feel a bit sketchy.
TDplay on
The majority of mod developers upload their mods to CurseForge and/or Modrinth. If you can get the mod from one of those, there is little reason to go to a random website.
Of course, these websites are not completely impervious to malware, but they are much more trustworthy than random websites.
Interesting_Web_9936 on
Why would you ever go on the website? Curseforge and Modrinth exist.