A Minecraft Mod, an Ethereum Smart Contract, and a 7MB Stage-2 Payload: Inside GriftClient's Blockchain-Based C2 Architecture

When our automated pipeline flagged a Fabric mod, we didn't expect to find RSA-signed Ethereum C2 resolution, a live 7MB payload download, and a technique that makes DNS takedowns obsolete

PublishedApril 19, 2026

griftclientminecraftethereumblockchainc2ratjavafabric-modddos-guardsmart-contractmalware-as-a-service

We received a Minecraft mod sample via MalwareBazaar. We pulled the thread and found an Ethereum-based C2 architecture that makes traditional takedowns impossible.

Most Minecraft-themed malware is garden-variety infostealers wrapped in a .jar. This one was different. Buried inside a Fabric mod calling itself "sexdefender" (also aliased "autism-defender"), we found a command-and-control resolution mechanism that queries an Ethereum smart contract on the public blockchain. The C2 URL is returned on-chain, RSA-signed to prevent hijacking, and immutable — meaning you cannot delete the evidence, and you cannot take it down through DNS alone.

This report documents our full tear-down: from sample analysis through stage-2 payload recovery, API endpoint mapping, infrastructure attribution, and the broader trend of blockchain-based C2 adoption we're tracking across unrelated threat actors.

Stage 1: The Fabric Mod

Sample: GriftClient.jar Disguise: Minecraft Fabric mod — a translation utility for the Meteor client (a popular Minecraft cheat/utility client) Mod ID: Listed as "sexdefender" / "autism-defender"

The stage-1 payload is a legitimate-looking Fabric mod that loads into Minecraft's mod framework. On initialization, it performs three actions:

1. Credential Theft

The mod accesses the active Minecraft session object and exfiltrates:

Username — the player's Minecraft identity
UUID — the unique player identifier tied to their Microsoft/Mojang account
Access Token — the session authentication token, which can be used to hijack the account

These credentials are shipped to the C2 server, giving the operator immediate account takeover capability. Compromised Minecraft accounts with rare skins, capes, or username history sell for $5–$500+ on underground markets.

2. Mod Enumeration

Before downloading stage-2, the mod enumerates every installed Fabric mod on the victim's system. This serves as a profiling mechanism — the operator can identify:

Whether the victim runs other cheat clients (potential for lateral tool poisoning)
Security-related mods that might interfere with payload execution
The victim's general profile (casual player vs. serious modder vs. server operator)

3. Stage-2 Download

The mod fetches a second-stage payload from the C2 server. But first, it needs to find the C2. This is where things get interesting.

The Ethereum Blockchain C2 Mechanism

Traditional malware resolves its C2 domain through DNS. Law enforcement and security teams can seize domains, sinkhole DNS records, or pressure registrars into suspending resolution. This is the backbone of most takedown operations.

GriftClient bypasses this entirely.

How It Works

The mod queries an Ethereum smart contract at address:

0x1280a841Fbc1F883365d3C83122260E0b2995B74

This contract is deployed on the public Ethereum mainnet. Anyone can verify it exists by searching the address on Etherscan.
The contract returns the current C2 URL configuration. The operator can update this URL by submitting a new transaction to the contract — changing where victims connect without touching DNS infrastructure.
The response is RSA-signed using SHA256withRSA. The mod contains an embedded RSA public key and validates every C2 URL against this signature before connecting. This prevents:
- Third parties from deploying a competing contract that redirects victims to a sinkhole
- Man-in-the-middle injection of alternative C2 addresses
- Researchers from poisoning the resolution chain
The blockchain record is immutable. Every C2 URL the operator has ever configured is permanently recorded on-chain. You cannot delete it. This is simultaneously a gift to investigators (full C2 history) and a nightmare for takedown teams (no single point of failure to seize).

Why This Matters

DNS-based takedowns are the standard playbook. ICANN, registrars, and law enforcement have decades of process built around seizing domains. Blockchain C2 resolution breaks this model:

No registrar to pressure. The Ethereum network is decentralized. There is no ICANN equivalent.
No single server to seize. The contract lives on every Ethereum node worldwide.
Operator can rotate C2 URLs by submitting a new transaction (costs a few dollars in gas fees).
Signature verification means you can't redirect victims even if you somehow inject a competing response.

The only viable countermeasure is endpoint detection — catching the malware before it queries the blockchain, or blocking the resolved C2 at the network level after resolution.

Implementation: The RPCHelper Class

The blockchain interaction is handled by the RPCHelper class within the dev.majanito package. It uses standard Ethereum JSON-RPC calls to read from the smart contract. The class handles:

Contract ABI encoding for the read call
Response parsing to extract the URL string
RSA signature verification against the embedded public key
Fallback logic if the Ethereum RPC endpoint is unreachable

DNS resolution for the Ethereum RPC endpoint itself uses Cloudflare's DNS-over-HTTPS (DoH) via the CloudflareDNS class — adding another layer of detection evasion by encrypting DNS queries.

Stage-2 Payload Analysis

After resolving the C2 via Ethereum, the mod downloads the stage-2 payload.

We successfully retrieved the live payload:

Property	Value
Endpoint	`/files/jar/module` (GET)
Size	7,064,037 bytes (7 MB)
SHA256	`36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d`
File count	3,323 files
Malware package	`dev.majanito` (10 classes)

Key Classes in dev.majanito

Class	Function
`Main`	Entry point, orchestrates initialization
`RPCHelper`	Ethereum smart contract C2 resolution
`CloudflareDNS`	DNS-over-HTTPS resolution via Cloudflare
`TelemetryHelper`	Data exfiltration and victim profiling
`IMCL`	Minecraft client interface for session access

Dependencies and Capabilities

The payload bundles JNA (Java Native Access) Windows API bindings, indicating it can:

Interact directly with Windows system calls
Access process memory
Enumerate running processes
Potentially inject into other processes

It also includes OkHttp for HTTP communications, providing connection pooling, retry logic, and TLS handling for C2 communications.

C2 Infrastructure

Active Domain

Property	Value
Domain	`friendlydomain[.]ru`
IP	`185[.]178[.]208[.]129`
CDN	DDoS-Guard
Registrar	R01-RU (Russian)
Nameservers	Cloudflare
TLS	Let's Encrypt (issued April 16, 2026 — 3 days before investigation)

The freshly issued Let's Encrypt certificate confirms this infrastructure was recently stood up or rotated. The use of DDoS-Guard — a Russian CDN provider — is consistent with threat actors seeking infrastructure resistant to Western law enforcement cooperation.

API Endpoints Mapped

Endpoint	Method	Response	Purpose
`/api/delivery/handler`	POST	`{}`	Command delivery / check-in
`/files/jar/module`	GET	7MB JAR	Stage-2 payload serving
`/dashboard`	GET	308 redirect	Operator panel (auth-gated)

The existence of a /dashboard endpoint confirms this is a managed operation with a web-based operator interface — not a one-off script.

DDoS-Guard Probe Detection

During our infrastructure probing, DDoS-Guard's CDN layer logged our probe IP in cookies (__ddg9_). Operators using DDoS-Guard's analytics would be able to see our reconnaissance. This is a known behavior of DDoS-Guard's bot detection system and is worth noting for other researchers conducting similar infrastructure analysis.

The Trend: Blockchain C2 Is Going Mainstream

GriftClient is not an isolated case.

Days before this investigation, we analyzed Shadow C2 — a completely unrelated malware operation that implements blockchain-based C2 resolution using the Binance Smart Chain (BSC) instead of Ethereum. Two independent threat actors, operating in different ecosystems, adopting the same technique within the same week.

Property	GriftClient	Shadow C2
Blockchain	Ethereum mainnet	Binance Smart Chain
Target	Minecraft/gaming community	General
Signature verification	RSA (SHA256withRSA)	Varies
C2 hosting	DDoS-Guard (Russia)	Varies

This convergence suggests blockchain C2 resolution is crossing from proof-of-concept into operational adoption. The technique has been discussed in academic papers and security conference talks for years, but seeing two independent implementations in production within the same week marks an inflection point.

Why Now?

Several factors are driving adoption:

Low cost. Deploying a smart contract costs ~$10-50 in gas fees. Updating the stored C2 URL costs $2-5 per transaction. This is cheaper than bulletproof hosting.
Tooling maturity. Libraries like Web3j (Java), Web3.py (Python), and ethers.js (JavaScript) make blockchain interaction trivial to implement. GriftClient's RPCHelper class is under 200 lines.
Takedown fatigue. Operators have watched peers lose infrastructure to DNS seizures and registrar takedowns. Blockchain offers a genuinely resistant alternative.
Public RPC endpoints. Free Ethereum RPC providers (Infura, Alchemy, public nodes) mean the malware doesn't need to run its own blockchain node.

MITRE ATT&CK Mapping

Technique ID	Technique	Context
T1195.002	Supply Chain Compromise: Compromise Software Supply Chain	Malicious Fabric mod distributed as legitimate Minecraft utility
T1071.001	Application Layer Protocol: Web Protocols	HTTPS-based C2 communication via OkHttp
T1102.002	Web Service: Bidirectional Communication	Ethereum blockchain used for C2 URL resolution
T1573.002	Encrypted Channel: Asymmetric Cryptography	RSA signature verification on C2 responses
T1539	Steal Web Session Cookie	Minecraft session token theft (accessToken)
T1082	System Information Discovery	Fabric mod enumeration for victim profiling
T1105	Ingress Tool Transfer	Stage-2 payload download (7MB JAR)
T1106	Native API	JNA Windows API bindings in stage-2
T1568.002	Dynamic Resolution: Domain Generation Algorithms	Blockchain-based dynamic C2 resolution (analogous to DGA)
T1001.003	Data Obfuscation: Protocol Impersonation	DNS-over-HTTPS via Cloudflare to hide DNS queries

Indicators of Compromise

File Hashes

Indicator	Type	Description
`36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d`	SHA256	Stage-2 payload (7MB JAR)

Network Indicators

Indicator	Type	Description
`friendlydomain[.]ru`	Domain	Active C2 domain
`185[.]178[.]208[.]129`	IPv4	C2 server IP (behind DDoS-Guard)
`0x1280a841Fbc1F883365d3C83122260E0b2995B74`	Ethereum Address	Smart contract for C2 resolution

Endpoints

Indicator	Type	Description
`/api/delivery/handler`	URI Path	Command delivery endpoint
`/files/jar/module`	URI Path	Stage-2 download endpoint
`/dashboard`	URI Path	Operator panel

Java Package

Indicator	Type	Description
`dev.majanito`	Java Package	Malware code namespace (10 classes)

YARA Rule

rule GriftClient_Ethereum_C2_Minecraft_RAT
{
    meta:
        author = "Breakglass Intelligence"
        description = "Detects GriftClient Minecraft RAT with Ethereum blockchain C2 resolution"
        date = "2026-04-16"
        reference = "https://intel.breakglass.tech/blog/griftclient-minecraft-rat-ethereum-blockchain-c2"
        hash = "36a89f65fe2d693a094b51495f3a84d0f4f2ae7276649952d6f78c85282e6f6d"

    strings:
        $eth_contract = "0x1280a841Fbc1F883365d3C83122260E0b2995B74" ascii wide
        $pkg1 = "dev/majanito/RPCHelper" ascii
        $pkg2 = "dev/majanito/TelemetryHelper" ascii
        $pkg3 = "dev/majanito/CloudflareDNS" ascii
        $pkg4 = "dev/majanito/IMCL" ascii
        $pkg5 = "dev/majanito/Main" ascii
        $c2_domain = "friendlydomain" ascii wide
        $rsa_sig = "SHA256withRSA" ascii
        $api_path1 = "/api/delivery/handler" ascii
        $api_path2 = "/files/jar/module" ascii
        $mc_session = "accessToken" ascii
        $fabric = "fabric.mod.json" ascii

    condition:
        $eth_contract or
        (3 of ($pkg*)) or
        ($c2_domain and $rsa_sig) or
        ($rsa_sig and 2 of ($pkg*) and $fabric) or
        (2 of ($api_path*) and $c2_domain)
}

Recommendations

For Minecraft Players

Only install mods from verified sources. CurseForge and Modrinth have review processes. Random Discord links and forum posts are the primary distribution vector.
Check your installed mods. If you use Meteor client, audit your mods folder for anything you don't recognize.
Rotate your Microsoft/Mojang account credentials if you've installed unknown Fabric mods recently.
Monitor your Ethereum wallet if you use the same machine for gaming and crypto — the stage-2 payload's capabilities suggest broader data theft is likely.

For Security Teams

Monitor for Ethereum RPC calls from non-crypto applications. A Minecraft mod making eth_call requests is a high-confidence indicator.
Block known Ethereum RPC endpoints in environments where blockchain access isn't required (most corporate and gaming networks).
Deploy the YARA rule above to detect GriftClient and variants.
Track the smart contract at 0x1280a841Fbc1F883365d3C83122260E0b2995B74 — every C2 rotation is permanently recorded.

For the Industry

Traditional takedown processes need to evolve. DNS seizure, registrar pressure, and hosting provider abuse reports are necessary but no longer sufficient. We need:

Blockchain monitoring integrated into threat intelligence platforms
Smart contract analysis as a standard step in malware reverse engineering
Coordination with Ethereum node operators for potential blacklisting (though this raises significant decentralization concerns)
Endpoint-first detection since network-level blocking of blockchain C2 resolution is inherently difficult

Conclusion

GriftClient represents a clear operational deployment of blockchain-based C2 resolution. This is not a proof-of-concept or a CTF challenge — it's a live malware operation with a functioning stage-2 payload, an active C2 panel, and infrastructure designed for persistence against takedown.

The convergence with Shadow C2's independent BSC implementation confirms what we've been tracking: blockchain C2 is transitioning from theoretical to operational. Security teams that haven't started monitoring for on-chain C2 resolution are already behind.

The Ethereum contract address is public. The C2 history is immutable. The evidence is on-chain for anyone to verify.

This investigation was conducted by Breakglass Intelligence. For threat intelligence consulting, incident response, or infrastructure analysis, visit consulting.breakglass.tech.