SessionID-Stealer Defuser
A Discord bot & community effort to protect Minecraft players from credential-stealing malware.
Discord Bot
Automated scanner that analyzes uploaded Minecraft mod files for malicious payloads — webhooks, session stealers, and data exfiltration code.
Malware Analysis
Reverse-engineering rat mods, cataloguing attack patterns, and building detection heuristics to stay ahead of new variants.
Community Lead
Founded and ran the Defuser Discord server, coordinating volunteer analysts and growing the community across multiple servers.
The Problem
"Ratting" — distributing Minecraft mods that secretly contain Remote Access Trojans — became an epidemic in the Hypixel SkyBlock community around 2021–2022. Attackers would inject malicious code into seemingly legitimate Forge/Fabric mods that would:
- Steal Minecraft session tokens via the getSessionID method, allowing full account takeover.
- Exfiltrate personal data (browser cookies, screenshots, files from the Downloads folder) to a Discord webhook controlled by the attacker.
- Persist silently, so the victim often had no idea they were compromised.
New rats were appearing hourly, and players were sharing modpacks from untrusted sources with no way to verify safety.
The Solution
I built a Discord bot that lets users upload .jar mod files for automated analysis. The bot extracts the class files from the archive, decompiles them, and scans the result for a growing set of malicious indicators:
- Discord webhooks embedded in the code (almost never present in legitimate mods).
- Calls to getSessionID and related Minecraft authentication APIs.
- Suspicious file-system access: reading browser data, screenshots, credential stores.
- Obfuscated or encoded payloads designed to evade simple string matching.
When a webhook is found, the bot automatically defuses it by sending a DELETE request to the webhook URL. A Discord webhook URL embeds the webhook's own token, so anyone holding the URL can delete it without any other credentials; once deleted, every copy of the rat that still carries that URL exfiltrates into a dead endpoint. The attacker can of course create a new webhook, which is why detection rules and manual review continued alongside defusing.
How It Works
1. Upload
A user attaches a .jar file to a message in any server where the bot is installed.
2. Decompile
The bot extracts and decompiles class files from the JAR archive to inspect the source.
3. Scan
A rule engine checks for known malicious patterns — webhooks, token access, file exfiltration, and more.
4. Report & Defuse
Results are posted back. If a webhook is found, it's deleted via REST API so the attacker can't receive stolen data.
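The Upload, Decompile, Scan and Defuse steps above, together with the indicator list under The Solution, as an added Python example. This is illustration code written for this page, not the Defuser bot's own implementation. It simplifies the Decompile step to a byte scan of each class file (method names and string constants sit in the constant pool as UTF-8, so unobfuscated indicators are visible without a decompiler), adds one level of base64 decoding for encoded payloads, and builds the DELETE request for defusing. The sample JAR, class contents, webhook IDs and tokens are all constructed; the demo passes a fake sender so no network request is made.

```python
"""Indicator scan of a Minecraft mod JAR: extract -> scan -> report -> defuse."""
import base64
import binascii
import io
import re
import urllib.error
import urllib.request
import zipfile
from dataclasses import dataclass, field

# Discord webhook URL: the numeric id and the token are the last two path segments.
# Covers the canary/ptb hosts and the legacy discordapp.com host.
WEBHOOK_RE = re.compile(
    rb"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
# (rule name, pattern over raw class bytes). Obfuscated/SRG method names for other
# Minecraft versions would need their own entries; this list is deliberately small.
RULES = [
    ("session-token", re.compile(rb"getSessionID")),
    ("screenshot", re.compile(rb"java/awt/Robot")),          # AWT screen capture class
    ("browser-data", re.compile(rb"Login Data|Cookies|Local State")),  # Chromium profile files
    ("downloads-folder", re.compile(rb"[/\\]Downloads")),
]
# Candidate base64 strings; each is decoded once and rescanned.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass
class Finding:
    rule: str
    entry: str            # JAR member the indicator was found in
    evidence: str
    encoded: bool = False  # True when found only after base64-decoding a string


@dataclass
class Report:
    findings: list = field(default_factory=list)
    webhooks: list = field(default_factory=list)  # unique webhook URLs to defuse

    @property
    def malicious(self):
        return bool(self.findings)


def _scan_bytes(entry, blob, report, encoded=False):
    for m in WEBHOOK_RE.finditer(blob):
        url = m.group(0).decode()
        report.findings.append(Finding("discord-webhook", entry, url, encoded))
        if url not in report.webhooks:
            report.webhooks.append(url)
    for name, rx in RULES:
        for m in rx.finditer(blob):
            report.findings.append(Finding(name, entry, m.group(0).decode(errors="replace"), encoded))


def scan_jar(jar_bytes):
    """Scan every member of the JAR (a zip archive) and return a Report."""
    report = Report()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            blob = jar.read(info)
            _scan_bytes(info.filename, blob, report)
            # A rat that hides its webhook as base64 still ships the encoded string,
            # so decode plausible candidates and rescan them (one level only).
            for m in B64_RE.finditer(blob):
                try:
                    decoded = base64.b64decode(m.group(0), validate=True)
                except binascii.Error:
                    continue
                _scan_bytes(info.filename, decoded, report, encoded=True)
    return report


def defuse_webhook(url, send=None):
    """Build and send the DELETE that destroys the webhook. `send` is injectable so the
    function can be exercised offline; with the default sender the real request is made.
    Discord answers 204 on success; an HTTP error code (e.g. 404 if already deleted) is returned as-is."""
    req = urllib.request.Request(url, method="DELETE")
    if send is None:
        def send(r):
            try:
                with urllib.request.urlopen(r, timeout=10) as resp:
                    return resp.status
            except urllib.error.HTTPError as e:
                return e.code
    return send(req)


def build_sample_jar():
    """Constructed fixture, not a real mod: fake class members whose bytes carry the
    indicators a rat leaves in its constant pool. Webhook ids and tokens are made up."""
    hidden = base64.b64encode(b"https://discord.com/api/webhooks/222222222222222222/FAKEtoken_B")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/GoodMod.class", b"\xca\xfe\xba\xbenet/minecraft/client/Minecraft")
        jar.writestr("com/example/Stealer.class",
                     b"\xca\xfe\xba\xbegetSessionID" b"java/awt/Robot"
                     b"https://discord.com/api/webhooks/111111111111111111/FAKEtoken_A")
        jar.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe" + hidden)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_jar(build_sample_jar())
    for f in report.findings:
        print(f"{f.rule:16} {f.entry:28} {f.evidence}{' (base64)' if f.encoded else ''}")
    for url in report.webhooks:
        # Dry run with a fake sender: the constructed URLs must not be hit.
        print("DELETE", url, "->", defuse_webhook(url, send=lambda r: 204))
```

The browser-data rule is the kind that produces the false positives noted under Challenges & Limitations: a legitimate mod with an HTTP client can contain the string "Cookies", so in practice a webhook or a getSessionID hit carries far more weight than a single file-name match, and the Experienced Defusers' manual review sits on top of this.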
Impact
- Rats detected hourly — the scale of the problem was far larger than the community realized.
- The bot was made invitable to any Discord server, spreading protection across the ecosystem.
- A team of volunteer "Experienced Defusers" provided manual review on top of automated scanning for edge cases.
- Received 40+ positive reactions and strong community support when announced on the Hypixel Forums (May 2022).
Challenges & Limitations
No scanner is perfect. The system faced several ongoing challenges:
- False positives — occasionally flagging legitimate mods that used Discord integrations.
- False negatives — sophisticated obfuscation or novel exfiltration methods could slip past detection.
- ChatTriggers modules — a different mod format that the scanner couldn't yet process at launch.
- Evolving threat landscape — new detection rules had to be added continuously as attackers adapted.
The honest acknowledgement of these limitations was intentional — the bot was always positioned as a second layer of defence, never a replacement for downloading mods only from trusted sources.
Team & Acknowledgements
- ScorchChamp — Creator, lead developer, community organizer.
- IlluminatiFish — Key contributor to detection rules and player safety.
- Plutie — Core team member who helped keep countless players safe.