This repository contains byte-reversed copies of the fake version of the DiscordSRV plugin and the files associated with it. In September 2025 the fake plugin was posted to dev.bukkit.org by a malicious account impersonating the DiscordSRV developers.
⚠️ For educational purposes only. No one should run this malware. It's nasty. This is my own independent research, using my expertise to discover the secondary payload as safely as possible. Now that this has been done, it doesn't need to be replicated except by security researchers.
SHA256: cfff9a2c7503bacd693b68a7c0501609832916a7bcda0badb6a60613049d42e8
VirusTotal Link: https://www.virustotal.com/gui/file/cfff9a2c7503bacd693b68a7c0501609832916a7bcda0badb6a60613049d42e8
Description: The first-stage payload, as served from the fake dev.bukkit.org listing. It was originally named DiscordSRV-Build-1.30.1.jar, the same filename as the legitimate DiscordSRV release, and should not be confused with it.
This copy has been byte-reversed to avoid accidental execution.
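Because every file here is stored byte-reversed, the listed SHA256 digests are the way to confirm that a copy has been restored correctly. The following helper is an added example, not tooling shipped with this repository: it un-reverses a file in memory, compares the resulting SHA256 to the digests listed on this page (assumed here to be those of the original, un-reversed files, since the VirusTotal links use the same values; the short labels next to each digest are paraphrases of the descriptions on this page), checks for the ZIP magic that a JAR must start with, and only writes a restored sample to disk under a non-executable `.bin` name when the digest matches. Do this inside an isolated analysis VM only.

```python
import hashlib
from pathlib import Path
from typing import Optional, Tuple

# SHA256 digests listed in this README. Assumed to be digests of the ORIGINAL
# (un-reversed) files, since the VirusTotal links use the same values.
KNOWN_SAMPLES = {
    "cfff9a2c7503bacd693b68a7c0501609832916a7bcda0badb6a60613049d42e8":
        "first stage: fake DiscordSRV-Build-1.30.1.jar",
    "ca792e3dc7daa34cc2ed9964d2d276c775dd1b4c6809c6d6be2662a27435dd7e":
        "dropped logs/*.log.gz<U+200B> file (Base64 of AES ciphertext)",
    "fe9d770375afa3f23ad3d8adbdb52e3468597ee2dedc133da2a68c0dc2f19215":
        "decrypted second-stage JAR",
    "6c4ffa0a10c84bd796d1912ea2a33acfee8bce6d010935dd1c322e2349645a6a":
        "96-byte world/playerdata/*.dat file",
}

ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive and starts with this local file header


def reverse_bytes(data: bytes) -> bytes:
    """Undo (or apply) the byte reversal; the operation is its own inverse."""
    return data[::-1]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_jar(data: bytes) -> bool:
    """True if the bytes begin with the ZIP local-file-header magic."""
    return data.startswith(ZIP_MAGIC)


def identify(reversed_blob: bytes) -> Tuple[str, Optional[str]]:
    """Restore a reversed copy in memory and look its digest up in KNOWN_SAMPLES.

    Returns (sha256 of the restored bytes, label or None if not a listed sample).
    Nothing is written to disk.
    """
    digest = sha256_hex(reverse_bytes(reversed_blob))
    return digest, KNOWN_SAMPLES.get(digest)


def restore_to_disk(reversed_path: Path, out_dir: Path) -> Path:
    """Restore a listed sample to out_dir under a non-executable name.

    Refuses to write anything whose restored digest is not in KNOWN_SAMPLES, so a
    wrong path cannot silently produce an unexpected binary. The output is named
    by digest with a .bin suffix, never .jar, so a stray double-click will not
    hand it to a Java launcher.
    """
    restored = reverse_bytes(reversed_path.read_bytes())
    digest = sha256_hex(restored)
    if digest not in KNOWN_SAMPLES:
        raise ValueError(f"{reversed_path}: restored SHA256 {digest} is not a listed sample")
    out_dir.mkdir(parents=True, exist_ok=True)
    out_path = out_dir / f"{digest}.bin"
    out_path.write_bytes(restored)
    return out_path


if __name__ == "__main__":
    import sys
    # Usage: python restore_check.py <reversed file> [...]  (prints digest and label only)
    for arg in sys.argv[1:]:
        digest, label = identify(Path(arg).read_bytes())
        print(f"{arg}: {digest} -> {label or 'UNKNOWN'}")
```

For the two JAR samples, `is_jar` on the restored bytes is a cheap second check that the reversal went the right way: a correctly reversed copy of a JAR ends with the bytes `04 03 4b 50` and becomes `PK\x03\x04`-prefixed only after restoration.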
SHA256: ca792e3dc7daa34cc2ed9964d2d276c775dd1b4c6809c6d6be2662a27435dd7e
VirusTotal Link: https://www.virustotal.com/gui/file/ca792e3dc7daa34cc2ed9964d2d276c775dd1b4c6809c6d6be2662a27435dd7e
Description: The file that the malware drops into the server's logs folder. When the malware is first executed, this file is written to a path like logs/2025-10-20-2.log.gz\u{200b}, i.e. a filename that mimics a rotated server log with an invisible character appended (U+200B ZERO WIDTH SPACE, written here as \u{200b}). The invisible character tags the file so the malware knows where to find it again. The contents are AES-encrypted and then Base64-encoded, so recovery means Base64-decoding first and decrypting second.
This copy has been byte-reversed to avoid accidental execution.
SHA256: fe9d770375afa3f23ad3d8adbdb52e3468597ee2dedc133da2a68c0dc2f19215
VirusTotal Link: https://www.virustotal.com/gui/file/fe9d770375afa3f23ad3d8adbdb52e3468597ee2dedc133da2a68c0dc2f19215
Description: The decrypted second-stage payload, a JAR file. It is heavily obfuscated, but it appears to contain the malicious core, possibly some sort of force-op (silently granting server operator status) and remote-control system.
This copy has been byte-reversed to avoid accidental execution.
SHA256: 6c4ffa0a10c84bd796d1912ea2a33acfee8bce6d010935dd1c322e2349645a6a
Description: This file is an example of what may be written to world/playerdata/2c1e9c08-84dc-303b-bc20-20a2e49b8de4.dat. I'm not entirely sure of its purpose. It's only 96 bytes, so it may be some sort of cryptographic key or server-specific identifier. Its contents are different for each infection.
This copy has been byte-reversed to avoid accidental execution.
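The two dropped files described above (the tagged `.log.gz` in `logs/` and the 96-byte `.dat` in `world/playerdata/`) both differ from their legitimate neighbours in ways a server operator can check offline. Genuine rotated logs and genuine playerdata `.dat` files are gzip-compressed (playerdata is gzip-compressed NBT), so a `.gz` or `.dat` that does not start with the gzip magic `1f 8b` is out of place, as is any filename containing an invisible Unicode code point. Note that the `.dat` filename itself is a version-3 (name-based) UUID, which is also what Minecraft assigns to offline-mode players, so the UUID alone is not an indicator; the non-gzip content and the 96-byte size are. The scanner below is an added example written for this page, not tooling from the repository or from the malware author: it applies those checks to `logs/` and `world/playerdata/` under a server root (assuming the default world folder name `world`), and ships with constructed sample inputs so it can be dry-run without touching an infected server.

```python
import base64
import binascii
import gzip
import unicodedata
from pathlib import Path
from typing import Dict, List

GZIP_MAGIC = b"\x1f\x8b"                # real rotated logs and playerdata .dat files are gzip
HIDDEN_CATEGORIES = ("Cf", "Cc", "Co")  # format (incl. U+200B), control, private-use
PLAYERDATA_DROP_SIZE = 96               # size of the dropped .dat file noted in this README


def hidden_name_chars(name: str) -> List[str]:
    """Code points in a filename that render invisibly, e.g. U+200B ZERO WIDTH SPACE."""
    return [f"U+{ord(c):04X}" for c in name if unicodedata.category(c) in HIDDEN_CATEGORIES]


def visible_name(name: str) -> str:
    """The filename as an operator would see it in a directory listing."""
    return "".join(c for c in name if unicodedata.category(c) not in HIDDEN_CATEGORIES)


def is_gzip(data: bytes) -> bool:
    return data.startswith(GZIP_MAGIC)


def is_base64_text(data: bytes) -> bool:
    """True if the body is nothing but Base64 alphabet and whitespace."""
    compact = b"".join(data.split())
    if not compact:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_log_file(name: str, data: bytes) -> List[str]:
    """Indicators for a file in logs/: hidden filename chars, fake .gz, Base64 body."""
    findings = []
    hidden = hidden_name_chars(name)
    if hidden:
        findings.append("hidden characters in filename: " + ", ".join(hidden))
    if visible_name(name).endswith(".gz") and not is_gzip(data):
        findings.append("named .gz but has no gzip magic")
    if not is_gzip(data) and is_base64_text(data):
        findings.append("body is pure Base64 text, as the encoded second stage is")
    return findings


def check_playerdata_file(name: str, data: bytes) -> List[str]:
    """Indicators for a .dat in world/playerdata/: genuine ones are gzip-compressed NBT."""
    findings = []
    if not is_gzip(data):
        findings.append("not gzip-compressed NBT")
    if len(data) == PLAYERDATA_DROP_SIZE:
        findings.append(f"exactly {PLAYERDATA_DROP_SIZE} bytes, matching the dropped file")
    return findings


def check_file(relpath: str, data: bytes) -> List[str]:
    """Dispatch on the server-relative directory; files elsewhere are ignored."""
    parent, _, name = relpath.replace("\\", "/").rpartition("/")
    if parent == "logs":
        return check_log_file(name, data)
    if parent == "world/playerdata" and name.endswith(".dat"):
        return check_playerdata_file(name, data)
    return []


def scan_samples(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checks over an in-memory {relative path: bytes} map; keep only hits."""
    return {rel: hits for rel, data in files.items() if (hits := check_file(rel, data))}


def scan_server(root: Path) -> Dict[str, List[str]]:
    """Scan a server directory. Assumes the default world folder name 'world'."""
    files: Dict[str, bytes] = {}
    for rel in ("logs", "world/playerdata"):
        d = root / rel
        if d.is_dir():
            files.update({f"{rel}/{p.name}": p.read_bytes() for p in d.iterdir() if p.is_file()})
    return scan_samples(files)


def constructed_samples() -> Dict[str, bytes]:
    """Constructed inputs for a dry run; not files taken from an infected server."""
    return {
        "logs/2025-10-20-1.log.gz": gzip.compress(b"[12:00:00] [Server thread/INFO]: Done (3.2s)!"),
        "logs/2025-10-20-2.log.gz\u200b": base64.b64encode(bytes(range(48))),  # stand-in for ciphertext
        "world/playerdata/0f3c9b2e-1a4d-4c6e-9b7a-2d5e8f0a1b3c.dat": gzip.compress(b"\x0a\x00\x00\x00"),
        "world/playerdata/2c1e9c08-84dc-303b-bc20-20a2e49b8de4.dat": bytes(range(96)),  # stand-in, not the real 96 bytes
    }


if __name__ == "__main__":
    # Dry run on the constructed samples; pass a server root to scan_server() for real use.
    for path, hits in scan_samples(constructed_samples()).items():
        print(path.encode("unicode_escape").decode(), "->", "; ".join(hits))
```

Filenames are printed with `unicode_escape` so the `\u200b` shows up rather than vanishing in the terminal, which is the whole point of the malware's choice of tag. On a suspected infection, treat a hit as a reason to image the server and review the plugin list, not as a reason to open the flagged files.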