Scammers hijack trusted contacts to push zipped files that install trojans when loaded locally. The official platform cannot scan these private shares and has now issued fresh guidance as reports spike across the Minecraft modding scene.
If an old Minecraft buddy who has been silent for months suddenly DMs you about a must try modpack or private server zip, delete it. That is the core of an active scam making the rounds right now. The attackers use hacked Discord accounts to pose as people you trust and push files that bypass normal protections once imported locally.
Exactly How The Attack Works
- Compromised account reaches out pretending to need help testing a modpack or joining a server
- They send a zip file often branded like AnkaraCraft or similar custom name
- Instructions direct users to import it through CurseForge or run it directly
- The package requests extra permissions or drops trojans that steal logins browser data and more
- Infected machine then gets used to hit the victims own friends list repeating the chain
CurseForge cannot scan files sent privately through Discord or other chat apps even though they scan everything hosted on their own platform. In response they have rolled out larger warning prompts in the latest app update and published detailed guidance on spotting suspicious modpacks. The post comes after a clear uptick in victim reports.
We have seen a big rise in people sending malicious modpack ZIPs and mods via Discord and asking others to import these projects into their CurseForge apps. These often contain malicious content and are not verified projects on our platform.
Basic defenses work. Enable 2FA everywhere use a password manager avoid reusing credentials across sites and never run unsolicited zips or executables. If a contact you have not spoken with recently offers a modpack google the name and fetch it from the official site instead. The CurseForge blog has the full checklist.
This is not a one off. Similar campaigns have hit players before including extortion attempts tied to stolen data from infected modpacks. The current wave shows the tactic remains effective because the community defaults to trusting friends. Treat every unexpected file share as hostile until proven otherwise.
