GriftClient: Minecraft RAT Using the Ethereum Blockchain as a C2 Resolver
Provenance: Originally published as a thread on @BreakGlassIntel on 2026-04-19. This page reproduces the thread narrative and supporting probe artifacts for permanent reference.
Thread
We received a Minecraft mod sample via MalwareBazaar. It uses an Ethereum smart contract to resolve its C2 infrastructure — queries the contract on mainnet, gets the current C2 URL back, RSA-signed.
If the domain gets seized, the operator updates the contract. Clients follow
The mod targets Minecraft cheat client users. Steals session credentials, profiles installed mods, then downloads a 7MB stage-2 RAT from friendlydomain[.]ru (Russian registrar, behind DDoS-Guard).
We grabbed the full stage-2 payload — 3,323 files, JNA Windows API bindings,
Worth noting — this is the second blockchain-based C2 we've come across recently. Shadow C2 uses Binance Smart Chain for similar purposes. Different actors, same approach.
On-chain C2 config is something defenders should be watching for.
Full writeup with IOCs, YARA rules, and the contract address:
Blog: https://t.co/IMwXT2VHel IOCs: https://t.co/lPGYjhaoLr
Reply or DM if you have indicators you'd like investigated.
#Minecraft #Ethereum #Blockchain #C2 #ThreatIntel
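Added example, not code from the @BreakGlassIntel thread or from the GriftClient sample: what the on-chain lookup described in the thread looks like on the wire, and a check that pulls it out of JSON-RPC logs. A client that resolves its C2 through a contract issues an `eth_call` to a public RPC endpoint and gets ABI-encoded return data back; the block encodes and decodes the Solidity `string` return type and flags any `eth_call` whose result decodes to an http(s) URL. The contract address, the 4-byte selector, the URL and the assumption that the contract returns a bare `string` are all placeholders; the real contract's ABI is not on this page, and the RSA signature the thread mentions is not modelled.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a JSON-RPC request/response pair as a logging proxy
# would record it. The contract address, the 4-byte selector and the URL
# are placeholders for illustration, not the thread's IOCs.
CONTRACT = "0x" + "ab" * 20
SAMPLE_URL = "https://example.invalid/files/jar/module"


def abi_encode_string(s: str) -> bytes:
    """Solidity ABI encoding of a single dynamic `string` return value:
    a 32-byte offset (0x20), a 32-byte length, then the UTF-8 bytes
    right-padded to a multiple of 32."""
    data = s.encode("utf-8")
    pad = (-len(data)) % 32
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + b"\x00" * pad


def abi_decode_string(ret: bytes) -> str:
    """Inverse of abi_encode_string; raises ValueError on malformed data."""
    if len(ret) < 64:
        raise ValueError("return data too short for a dynamic string")
    offset = int.from_bytes(ret[0:32], "big")
    length = int.from_bytes(ret[offset:offset + 32], "big")
    body = ret[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds return data")
    return body.decode("utf-8")


def build_sample_exchange():
    """Two constructed eth_call exchanges: the resolver lookup, and a benign
    ERC-20 balanceOf(address) call (selector 0x70a08231) returning a uint256."""
    lookup_req = {
        "jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"],  # hypothetical selector
    }
    lookup_resp = {"jsonrpc": "2.0", "id": 1,
                   "result": "0x" + abi_encode_string(SAMPLE_URL).hex()}
    benign_req = {
        "jsonrpc": "2.0", "id": 2, "method": "eth_call",
        "params": [{"to": "0x" + "cd" * 20, "data": "0x70a08231" + "00" * 32}, "latest"],
    }
    benign_resp = {"jsonrpc": "2.0", "id": 2,
                   "result": "0x" + (1000).to_bytes(32, "big").hex()}
    return [(lookup_req, lookup_resp), (benign_req, benign_resp)]


def find_onchain_c2(pairs):
    """Flag eth_call results that decode to an http(s) URL. A ledger query
    returns integers, addresses or raw bytes; a contract handing back a URL
    is acting as a C2 resolver."""
    hits = []
    for req, resp in pairs:
        if req.get("method") != "eth_call" or "result" not in resp:
            continue
        try:
            text = abi_decode_string(bytes.fromhex(resp["result"][2:]))
        except (ValueError, UnicodeDecodeError):
            continue  # uint256/address/bytes results are too short or not UTF-8
        u = urlparse(text)
        if u.scheme in ("http", "https") and u.netloc:
            hits.append({"contract": req["params"][0]["to"].lower(), "url": text})
    return hits


if __name__ == "__main__":
    for hit in find_onchain_c2(build_sample_exchange()):
        print(json.dumps(hit))
```

The practical consequence for defenders is that the delivery domain is the disposable part: the operator rotates the URL by updating the contract, so the stable indicators are the contract address and the fact that a non-wallet process is talking to a public RPC endpoint at all. Blocking or alerting on `eth_call` to the contract address from the writeup catches the resolution step regardless of which domain it currently points at.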
Supporting probe artifacts
Raw output captured from the live infrastructure during the investigation.
=== api-enum.txt ===
302 | 207b | https /
301 | 568b | http /
404 | 207b | https /api
301 | 568b | http /api
405 | 153b | https /api/delivery/handler
301 | 568b | http /api/delivery/handler
404 | 207b | https /api/delivery
301 | 568b | http /api/delivery
404 | 207b | https /files
301 | 568b | http /files
404 | 207b | https /files/jar
301 | 568b | http /files/jar
200 | 7064037b | https /files/jar/module
301 | 568b | http /files/jar/module
404 | 207b | https /admin
301 | 568b | http /admin
404 | 207b | https /login
301 | 568b | http /login
404 | 207b | https /panel
301 | 568b | http /panel
308 | 259b | https /dashboard
301 | 568b | http /dashboard
404 | 207b | https /api/config
301 | 568b | http /api/config
404 | 207b | https /api/status
301 | 568b | http /api/status
404 | 207b | https /api/agents
301 | 568b | http /api/agents
404 | 207b | https /api/bots
301 | 568b | http /api/bots
404 | 207b | https /api/users
301 | 568b | http /api/users
404 | 207b | https /static/
301 | 568b | http /static/
404 | 207b | https /data/
301 | 568b | http /data/
404 | 207b | https /logs/
301 | 568b | http /logs/
404 | 207b | https /.env
301 | 568b | http /.env
404 | 207b | https /.git/config
301 | 568b | http /.git/config
404 | 207b | https /robots.txt
301 | 568b | http /robots.txt
=== eth-contract.txt ===
=== ETHERSCAN ===
{"status":"0","message":"NOTOK","result":"You are using a deprecated V1 endpoint, switch to Etherscan API V2 using https://docs.etherscan.io/v2-migration"}
{"status":"0","message":"NOTOK","result":"You are using a deprecated V1 endpoint, switch to Etherscan API V2 using https://docs.etherscan.io/v2-migration"}
=== hashes.txt ===
=== FILE HASHES ===
36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d stage2-payload.jar
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--.env.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--.git-config.txt
277417c41a4f388148f5d417ab45695967adf8e7ea28bce7ef634adc1e01c419 resp--.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--admin.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-agents.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-bots.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-config.txt
bfb286554b24db87b6cbcb6e68be23f89dee1be4d7db544d1e7c97c45664e0df resp--api-delivery-handler.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-delivery.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-status.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api-users.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--api.txt
e85d686a5981ce1d9b8f65712e2b4b8056773bb9d45a706d4219afbc68c29901 resp--dashboard.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--data-.txt
36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d resp--files-jar-module.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--files-jar.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--files.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--login.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--logs-.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--panel.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--robots.txt.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--static-.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--.env.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--.git-config.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--admin.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-agents.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-bots.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-config.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-delivery-handler.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-delivery.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-status.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api-users.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--api.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--dashboard.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--data-.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--files-jar-module.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--files-jar.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--files.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--login.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--logs-.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--panel.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--robots.txt.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--static-.txt
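Added example, not part of the original artifacts: reading api-enum.txt and hashes.txt together the way a triage script would. The enumeration shows one catch-all reply per scheme (404 with a 207-byte body over https, 301 with a 568-byte body over http); the block derives that baseline, lists the paths that deviate from it, uses the hash list to confirm that every baseline body is byte-identical, and finds which enumerated path served the same bytes as stage2-payload.jar. The embedded input is a verbatim subset of the two artifacts above. The mapping from enumerated path to saved-response filename (`resp--api-delivery-handler.txt` for https, `resp-http--admin.txt` for http) is inferred from the artifact names and is an assumption.

```python
import re
from collections import Counter

# Constructed input: a verbatim subset of the api-enum.txt and hashes.txt
# artifacts reproduced on this page.
ENUM_TXT = """\
302 | 207b | https /
301 | 568b | http /
405 | 153b | https /api/delivery/handler
301 | 568b | http /api/delivery/handler
200 | 7064037b | https /files/jar/module
301 | 568b | http /files/jar/module
404 | 207b | https /admin
301 | 568b | http /admin
308 | 259b | https /dashboard
301 | 568b | http /dashboard
404 | 207b | https /.env
301 | 568b | http /.env
"""

HASHES_TXT = """\
36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d stage2-payload.jar
277417c41a4f388148f5d417ab45695967adf8e7ea28bce7ef634adc1e01c419 resp--.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--.env.txt
e9639e3c4681ce85f852fbac48e2eeee5ba51296dbfec57c200d59b76237ab80 resp--admin.txt
bfb286554b24db87b6cbcb6e68be23f89dee1be4d7db544d1e7c97c45664e0df resp--api-delivery-handler.txt
e85d686a5981ce1d9b8f65712e2b4b8056773bb9d45a706d4219afbc68c29901 resp--dashboard.txt
36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d resp--files-jar-module.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--.env.txt
9f7a07f69d9b9a5af186a79159ccea18935ab4103128ca967e3f3f8ae45fb3ee resp-http--admin.txt
"""

ENUM_RE = re.compile(r"^(\d{3}) \| (\d+)b \| (https?) (\S+)$")


def parse_enum(text):
    """One dict per 'status | sizeb | scheme path' line."""
    rows = []
    for line in text.splitlines():
        m = ENUM_RE.match(line.strip())
        if m:
            rows.append({"status": int(m[1]), "size": int(m[2]), "scheme": m[3], "path": m[4]})
    return rows


def baseline(rows):
    """Per scheme, the most frequent (status, size) pair: the server's catch-all reply."""
    counts = {}
    for r in rows:
        counts.setdefault(r["scheme"], Counter())[(r["status"], r["size"])] += 1
    return {s: c.most_common(1)[0][0] for s, c in counts.items()}


def outliers(rows):
    """Rows that differ from their scheme's baseline: the paths worth a second look."""
    base = baseline(rows)
    return [r for r in rows if (r["status"], r["size"]) != base[r["scheme"]]]


def resp_filename(scheme, path):
    """Saved-body filename for an enumerated path (assumed from the artifact names)."""
    rest = path.lstrip("/").replace("/", "-")
    return f"resp-{'http-' if scheme == 'http' else ''}-{rest}.txt"


def parse_hashes(text):
    """filename -> sha256 from 'hash filename' lines."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            out[parts[1].strip()] = parts[0]
    return out


def baseline_body_hashes(rows, hashes):
    """Per scheme, the set of body hashes seen for baseline responses. One hash
    per scheme means every catch-all body is byte-identical, so filtering on
    (status, size) is not hiding distinct content behind equal sizes."""
    base = baseline(rows)
    seen = {}
    for r in rows:
        if (r["status"], r["size"]) == base[r["scheme"]]:
            h = hashes.get(resp_filename(r["scheme"], r["path"]))
            if h:
                seen.setdefault(r["scheme"], set()).add(h)
    return seen


def paths_serving(rows, hashes, filename):
    """Enumerated paths whose saved body hashes to the same value as `filename`."""
    target = hashes.get(filename)
    if target is None:
        return []
    return [r["path"] for r in rows
            if hashes.get(resp_filename(r["scheme"], r["path"])) == target]
```

On the full artifact the same logic leaves four https paths standing out of the noise: `/` (302, same 207-byte size as the 404 page but a different body hash), `/api/delivery/handler` (405 on GET, so a POST endpoint), `/dashboard` (308 to the trailing-slash form) and `/files/jar/module` (200, 7,064,037 bytes, hash identical to stage2-payload.jar). Every http probe is the same DDoS-Guard 301 page, which the single shared hash confirms.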
=== delivery-handler.txt ===
HTTP/2 200
server: ddos-guard
set-cookie: __ddg8_=tfvU0oEcP4prKH3U; Domain=.friendlydomain.ru; Path=/; Expires=Sun, 19-Apr-2026 04:44:23 GMT
set-cookie: __ddg10_=1776572663; Domain=.friendlydomain.ru; Path=/; Expires=Sun, 19-Apr-2026 04:44:23 GMT
set-cookie: __ddg9_=216.203.20.196; Domain=.friendlydomain.ru; Path=/; Expires=Sun, 19-Apr-2026 04:44:23 GMT
content-security-policy: upgrade-insecure-requests;
set-cookie: __ddg1_=YDgrVDSYLfSgbw7sGUDF; Domain=.friendlydomain.ru; HttpOnly; Path=/; Expires=Mon, 19-Apr-2027 04:24:23 GMT
date: Sun, 19 Apr 2026 04:24:23 GMT
content-type: application/json
content-length: 3
{}
=== cert.txt ===
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:5e:0b:c9:53:af:e5:4c:a3:8d:a5:78:b3:f7:c2:ba:42:80
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R12
Validity
Not Before: Apr 16 08:25:32 2026 GMT
Not After : Jul 15 08:25:31 2026 GMT
Subject: CN=friendlydomain.ru
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dc:26:2f:28:66:b3:4c:90:06:80:7d:8b:c5:9c:
e9:da:bc:6a:13:05:fa:22:a9:60:54:da:8e:ad:5b:
5a:9e:0c:cd:cd:b7:49:3f:b6:bf:5d:6a:64:f4:4e:
47:2d:82:f9:74:da:8d:06:e1:92:87:5d:28:6f:16:
bd:ea:af:20:dd:23:27:2e:b2:09:b0:1c:1a:d2:a3:
29:95:86:c2:c3:97:17:2e:96:98:fd:29:ee:35:eb:
1e:60:82:9f:4b:b2:65:ac:87:53:c8:91:4c:ba:d9:
a0:61:e5:f7:a0:21:be:b8:de:5a:59:5c:0e:21:9f:
ca:2a:d3:81:64:21:50:4f:9d:e2:cf:f5:36:e4:6f:
20:b0:03:b1:f3:19:96:39:51:4f:e1:6a:dd:ba:c2:
29:62:dd:d5:d5:67:42:ad:39:6b:ff:b2:ec:7a:30:
e9:03:f0:70:5f:c7:6e:94:3b:0b:74:77:38:da:ff:
f8:bd:b8:9c:88:a6:6d:1b:3e:be:a0:05:6f:14:09:
70:32:37:99:51:4c:a8:52:a2:7f:0b:19:40:b2:76:
f9:02:71:68:b8:db:13:ae:71:8e:90:1d:f8:14:8e:
73:01:f0:6e:2e:0e:36:90:35:d6:c9:c9:56:3c:af:
ce:aa:4a:b2:a4:d0:e2:b6:7c:89:9a:bb:d3:ba:48:
eb:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
96:8D:1F:02:DC:FF:D2:E1:2F:28:4D:6D:E4:5A:8E:D1:DD:B1:74:EE
X509v3 Authority Key Identifier:
00:B5:29:F2:2D:8E:6F:31:E8:9B:4C:AD:78:3E:FA:DC:E9:0C:D1:D2
Authority Information Access:
CA Issuers - URI:http://r12.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:friendlydomain.ru
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://r12.c.lencr.org/1.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : D8:09:55:3B:94:4F:7A:FF:C8:16:19:6F:94:4F:85:AB:
B0:F8:FC:5E:87:55:26:0F:15:D1:2E:72:BB:45:4B:14
Timestamp : Apr 16 09:24:03.178 2026 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:8D:22:15:50:FE:9C:DC:1E:EA:CA:DE:
D6:1F:DA:88:95:49:44:9C:87:66:17:02:E0:FC:85:49:
71:A0:A0:B0:7B:02:21:00:E1:D2:AF:9E:91:2C:B6:5C:
CA:B2:C1:41:79:37:3D:D4:BD:64:49:93:29:40:08:6E:
AD:18:92:2B:ED:46:F2:F6
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 46:AF:86:3D:3B:3E:E5:9F:A5:77:DE:A8:24:5D:36:B0:
D9:ED:22:A2:23:F4:61:77:41:22:94:52:EE:95:50:5F
Timestamp : Apr 16 09:24:03.330 2026 GMT
Extensions: 00:00:05:00:04:05:45:51
Signature : ecdsa-with-SHA256
30:46:02:21:00:94:FA:19:46:21:4F:88:2E:8A:2A:5E:
F5:17:0F:E5:48:33:AC:7A:80:97:18:8C:FD:42:F9:6D:
A9:F8:D0:78:D4:02:21:00:D3:00:0C:4B:CE:B1:34:C6:
41:A8:D8:3B:55:39:1D:48:6F:B3:09:95:38:EE:B3:BA:
68:51:1A:3E:F0:76:01:04
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
89:cb:15:e8:21:01:49:53:68:f0:5b:bc:1d:7b:2e:cc:8f:2c:
e2:a9:42:ce:44:24:a6:1f:fe:17:8f:61:c5:77:00:80:f9:ad:
f2:35:e0:fe:d4:b4:f1:81:a6:be:31:47:25:77:37:c3:23:dc:
4a:eb:98:17:28:4b:df:df:a5:c9:81:fd:2e:04:77:4e:78:fd:
27:44:ca:b6:1d:ca:62:35:09:b9:95:f8:b1:df:f0:4f:72:6f:
a5:2c:b8:7f:0b:08:bb:7c:ce:a0:b3:36:9c:2c:d3:ba:a5:df:
a2:f7:41:b4:34:05:42:63:8a:69:59:a0:45:93:71:68:84:5b:
cf:ef:a6:ba:43:9a:17:ab:64:fa:a2:3c:62:1e:fa:6a:c2:a2:
f0:ff:c1:50:19:e1:fe:a5:d5:74:7b:f1:a1:3a:dc:52:8a:e1:
ae:78:cf:cc:d6:b2:88:1f:7f:36:3f:96:e1:8d:1e:85:50:fa:
6a:b0:72:4e:f9:b8:b6:58:3e:2d:b1:71:d2:91:c4:af:22:76:
03:fd:1c:76:5e:b9:c9:64:fc:f4:be:7d:65:23:5a:f4:27:30:
c6:d8:c6:b2:56:bf:6a:a3:44:16:ff:d0:a1:6f:4d:18:ff:6d:
31:55:d1:38:a0:a1:d9:ee:29:53:0f:d6:66:8b:1a:d9:ff:2a:
75:b7:c5:e1
=== resp--dashboard.txt ===
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="https://friendlydomain.ru/dashboard/">https://friendlydomain.ru/dashboard/</a>. If not, click the link.
=== resp-http--admin.txt ===
<!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 301</title><style>*{margin:0;padding:0}html{font:15px/22px arial,sans-serif;background: #fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}p{margin:11px 0 22px;overflow :hidden}ins{color:#777;text-decoration :none;}</style><p><b>301 - Moved Permanently .</b> <ins>That’s an error.</ins><p>Requested content has been permanently moved. <ins>That’s all we know.</ins>
=== resp-http--api-status.txt ===
<!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 301</title><style>*{margin:0;padding:0}html{font:15px/22px arial,sans-serif;background: #fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}p{margin:11px 0 22px;overflow :hidden}ins{color:#777;text-decoration :none;}</style><p><b>301 - Moved Permanently .</b> <ins>That’s an error.</ins><p>Requested content has been permanently moved. <ins>That’s all we know.</ins>