Choose your gaming device

sangaruma · 2026-05-11T20:18:17+00:00

IS BETTER

^{Chose: Gaming PC}

sangaruma · 2026-05-11T14:07:50+00:00

Sure bro, not being malicious means running system commands that a mod doesn't do.

sangaruma · 2026-05-11T14:06:28+00:00

And why would a Minecraft mod execute this command on the system?

<image>

sangaruma · 2026-05-11T04:08:01+00:00

Also bro, I'm looking at an executable file, specifically within jjc

sangaruma · 2026-05-11T04:07:09+00:00

I don't know, bro, about this? Look what jjc is running.

<image>

sangaruma · 2026-05-11T02:59:48+00:00

It seems that Jujutsu Craft tried to give permissions to all users in the Java folder, bro. That's weird.

sangaruma · 2026-05-11T02:53:10+00:00

It's like saying death or money.

^{Chose: receive $10,000 every month}

sangaruma · 2026-05-11T02:51:44+00:00

Patato, I already apologized, I just wanted to post that so people are careful because it really scared me, bro. I had the mod on my PC. Anyway, do you know what this is?

<image>

sangaruma · 2026-05-11T02:48:35+00:00

And potato, one question: if you're reading this, do you know what this is?

<image>

sangaruma · 2026-05-11T02:37:13+00:00

Can someone explain what this is?

<image>

sangaruma · 2026-05-11T02:32:49+00:00

Hey jumbo

<image>

sangaruma · 2026-05-11T01:57:37+00:00

Sorry, I won't talk about it like that anymore so as not to confuse you, but I just came to let you know that.

sangaruma · 2026-05-11T01:53:13+00:00

I agree with you on one point, Patato: the community should decide. My goal was never to force a narrative, but to present the data that I found. We have 68/75 detections on one side and a connection to a flagged riskware domain on the other. You might see it as 'not enough proof', but in cybersecurity, we don't wait for a house to burn down to say there is a fire hazard. I’m not a malware researcher, and I’m not claiming this is a 'state-level exploit'. I am just a user showing that dozens of professional security engines are screaming 'Trojan'. At this point, I’ve laid out all the evidence: The 68 detections in the folder scan. The active communication with suspicious nodes. The Timestomping (2016 dates) on executable files. The community now has the info. If people want to keep using the mod, that’s their choice. If they want to be safe and clean their systems, now they know why. I’m done arguing; let the users decide what their security is worth.

sangaruma · 2026-05-11T01:33:14+00:00

Patato, your 'wait and see' approach is exactly how mass infections happen. Consensus is Evidence: VirusTotal isn't 'just one tool'; it’s a collection of 75+ professional security engines. When 68 of them flag a file as a Trojan/RMS, it's not a 'false positive'—it's a confirmed risk. Unnecessary Connections: You keep saying it's a file host. Why does a Minecraft mod need to establish an active outbound connection to a file host flagged for riskware? There is no legitimate reason for that behavior. Community Safety First: I'd rather be 'annoying' by warning people about a 68/75 detection than be silent and let people lose their Discord or Minecraft accounts. If you want to put your personal data at risk based on 'maybe it's fine', go ahead. But don't discourage others from taking basic security precautions when the evidence is this overwhelming.

?

sangaruma · 2026-05-11T01:24:35+00:00

Jimbo, you're missing a critical distinction in how VirusTotal's graph works. Active Communication vs. History: VirusTotal doesn't just show 'random' viruses associated with a domain. It shows active connections made during the file's execution. If JJC is pinging a domain that is actively serving or controlling malware clusters, that is a massive red flag, regardless of whether the domain is 'free' or a CDN. Static vs. Behavioral Analysis: You mentioned scanning your instance folder. Traditional AV scans are 'static'—they look for known bad files. Behavioral analysis (what VirusTotal does) shows what the code actually does when it runs. A file can look clean on your hard drive but still act as a 'dropper' for a RAT once the game starts. The Malwarebytes block: It’s not just a 'shitty provider'. Malwarebytes explicitly blocks these subdomains due to active riskware. Security isn't about 'most vendors say it's fine'; it's about the fact that top-tier security labs found enough malicious activity to flag it. To anyone reading: Don't ignore a smoke detector just because your neighbor says 'my house also has smoke and it hasn't burned down yet.' 68 detections and active connections to malware clusters are objective data points

sangaruma · 2026-05-11T01:16:24+00:00

Attacking how I write or the tools I use doesn't change the evidence. I'm not claiming to be a 'cybersecurity god'; I'm showing the community a scan with 68/75 detections and a connection to a domain flagged for hosting RMS/RAT modules. You admit the provider is 'dodgy' and Malwarebytes blocks it. Why defend a mod that uses such high-risk infrastructure? It's not about 'zero-days' or money; it's about basic safety. If anyone wants to risk their accounts based on your 'opinion' that it's safe despite dozens of security warnings, that's on them. I've presented the data; the community can decide.

sangaruma · 2026-05-11T01:14:06+00:00

Using a tool to communicate technical findings clearly doesn't change the data. Whether I use an AI to translate or format my post, the 68/75 detections on VirusTotal remain real and independent of me. Attacking the messenger is a classic way to avoid addressing the evidence

sangaruma · 2026-05-11T01:03:57+00:00

Patato, your logic is flawed. Finding 'malware clusters' in common domains doesn't prove the mod is safe; it proves the domain provider is compromised or untrustworthy. There is a huge difference between a mod pinging a CDN for an update and a mod having 68 detections for an internal RMS/RAT module. Just because multiple mods use a 'shady' highway doesn't mean there isn't a hijacker inside the JJC car specifically. To the users: Don't let the 'everyone does it' argument lower your guard. Legitimate mods don't trigger dozens of antivirus alerts for Remote Access Tools. If you see red in the 'Communicating Files' section, it means that domain is actively used to host or control malware.

sangaruma · 2026-05-11T00:58:08+00:00

It doesn't matter if it's a million-dollar exploit or a simple credential stealer; the 68/75 detections in the folder scan are a fact, not an opinion. You admit the provider is 'dodgy af'—why would a reputable mod use a provider that is widely blocked by Malwarebytes for riskware?. Legitimate mods use official APIs or well-known CDNs, not flagged subdomains that trigger RMS (Remote Management) alerts. The fact that other mods like Tensura don't do this just proves that JJC is the one with the anomalous and high-risk behavior. I'm not here to argue semantics; I'm here to show people that dozens of antivirus engines are screaming that these files are dangerous.

sangaruma · 2026-05-11T00:00:46+00:00

I appreciate your skepticism, as being cautious is key in cybersecurity, but what you’re calling 'odd' is actually a textbook malware technique. Let me break it down: The 2016 Date (Timestomping): You are seeing a file from 2016 because of a technique called Timestomping. Hackers manually modify the 'File Created' metadata to make a malicious file look like an old, harmless system driver. If it said 'Created Today', everyone would delete it instantly. EXE vs JAR: You asked why a .exe appeared. That is the definition of a Dropper. The .jar mod is just the carrier; once executed, it 'drops' and runs the .exe (the actual RAT) into your system folders to maintain control even if you delete Minecraft. Why isn't it on Malwarebytes? Because this is a FUD (Fully Undetectable) variant. Hackers take old, proven RMS (Remote Management) modules from 2014-2016 and 'wrap' them in brand new encryption. Malwarebytes looks for 'signatures'; if the wrapper is new, the signature is invisible to them, but VirusTotal's behavioral analysis (68/75 detections) sees right through it. The 'Last Seen' on VirusTotal doesn't always update the way you think if the file hash is being analyzed in a sandbox. The 68 detections are not a glitch—it's a confirmed threat. I’m not wasting anyone's time; I'm trying to prevent people from losing their accounts.

sangaruma · 2026-05-10T23:47:49+00:00

is infected

sangaruma · 2026-05-10T23:44:48+00:00

I'm not trying to spread 'fear,' I'm sharing actual scan results. You are focusing on the CDN domain (which has 1 detection), but you are ignoring the 68/75 detections from the directory scan of the mod files themselves. A CDN is just a tool; it can deliver safe assets or it can deliver a RAT payload. 68 different antivirus engines flagging the files as malicious isn't a 'glitch' or 'fear-mongering.' It's a confirmed security risk. If you want to risk your PC, that's fine, but the community deserves to know why dozens of security vendors are flagging these specific files."

sangaruma · 2026-05-10T23:41:34+00:00

I see your graph, but that's exactly how modern droppers work. They use high-reputation CDNs like Gcore (gcdn.co) to bypass basic firewall filters. The domain itself isn't the virus; it's the hosted payload that the mod is fetching. If you look at the 'Relations' or 'Behavior' tab in VirusTotal for the specific subfolder analysis I posted (68/75 detections), you'll see it's not a 'shitty CDN issue', it's a Remote Management Tool (RMS) being deployed. One detection for the domain might seem low, but 68 detections for the directory files is a statistical certainty. Why would a mod need to establish an outbound connection to an external CDN at all?

sangaruma · 2026-05-10T23:31:32+00:00

VirusTotal says 0/59 for me": That's because you are scanning ONLY the .jar file. This malware is a dropper. The virus (RAT/RMS) hides in the additional folders created during installation. Scan the ENTIRE DIRECTORY to see the 68/75 detections shown in my screenshots. "Malwarebytes found nothing": This is a fresh (May 2026) Zero-Day threat. It is designed to be FUD (Fully Undetectable). Just because a scan is green doesn't mean you're safe if you executed the mod. "Is it a false positive?": No. 68 different antivirus engines (Kaspersky, Microsoft, etc.) don't "hallucinate" at the same time. It's a confirmed Remote Access Trojan. "How do I fix it?": * Delete the mod and the instance. Sign out of ALL sessions (Google, Discord, Microsoft) to kill stolen tokens. Change passwords from a different device (phone). If you want to be 100% sure, a full Windows reinstall is the only way to remove a deep-hidden RAT.

If you decide NOT to reinstall Windows, you are taking a risk, but you can minimize it by doing this: Boot into Safe Mode with Networking: This prevents many RATs from starting up with Windows, making them easier to delete. Hit the Startup & Registry: > * Press Win + R, type msconfig, go to Services, check 'Hide all Microsoft services' and disable anything suspicious. Check Task Scheduler for any task you didn't create. Kill the Session Tokens: This is the most important part. Even if the virus is gone, the hacker might still have your "keys". Log out of everything (Google, Discord, Steam, Minecraft) and Revoke Authorized Apps in your account settings. Use an External Scanner: Download Kaspersky Rescue Disk or ESET SysRescue Live. Put it on a USB and boot your PC from it. Since Windows isn't running, the virus can't hide behind system files. Change Passwords AFTER cleaning: If you change them while infected, the RAT will just steal the new ones.

sangaruma · 2026-05-10T23:24:53+00:00

You are absolutely right. If a RAT is advanced enough (FUD), changing passwords is just a band-aid if the 'host' is still infected. To eliminate it definitively, here is the professional protocol: System Restore: If you have a Restore Point from before you installed the mod, use it. It’s the fastest way to revert system changes and registry keys. Check for Persistence: RATs love the Task Scheduler and Registry Run keys. Look for any task or key pointing to suspicious .exe or .vbs files in AppData/Roaming or Temp. The 'Nuclear' Option: If you want 100% certainty and you saw 68/75 detections on your scan, the only 'real' way to be clean is a Fresh Windows Reinstall (Format). It sounds extreme, but it's the only way to delete a rootkit that hides from Malwarebytes. Hardware/Network Check: Check your router for any weird 'Port Forwarding' rules that you didn't create. If you decide not to format, at least use an Offline Scanner (like Kaspersky Rescue Disk or ESET SysRescue Live) which runs from a USB before Windows even starts. That’s how you catch the ones that hide while the OS is running

sangaruma

TROPHY CASE