{
	"id": "ec1873be-6f68-4a17-8672-ec0f88f33a42",
	"created_at": "2026-04-06T00:16:16.354804Z",
	"updated_at": "2026-04-10T13:12:06.51465Z",
	"deleted_at": null,
	"sha1_hash": "dd12d6f4b7c9d452b9be9a10a718625b18491046",
	"title": "MCCrash: Cross-platform DDoS botnet targets private Minecraft servers | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 802118,
	"plain_text": "MCCrash: Cross-platform DDoS botnet targets private Minecraft\r\nservers | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-12-15 · Archived: 2026-04-05 16:35:09 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. DEV-1028 is now tracked as Storm-1028.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nMalware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly\r\ntargeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from\r\nPCs to IoT devices, growing their infrastructure rapidly. The Microsoft Defender for IoT research team recently analyzed a\r\ncross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating\r\nto a variety of Linux-based devices.\r\nThe botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because\r\nIoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk\r\nto attacks like this botnet. The botnet’s spreading mechanism makes it a unique threat, because while the malware can be\r\nremoved from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as\r\npart of the botnet.\r\nMicrosoft tracks this cluster of activity as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices,\r\nand IoT devices. 
The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private\r\nMinecraft servers.\r\nOur analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using\r\ncrafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet\r\nover the three months from the time of this analysis also revealed that most of the devices were in Russia:\r\nFigure 1. IP distribution of devices infected by the botnet\r\nThis type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just\r\ntraditional endpoints but also IoT devices that are often less secure. In this blog post, we share details on how this botnet\r\naffects multiple platforms, its DDoS capabilities, and recommendations for organizations to prevent their devices from\r\nbecoming part of a botnet. We also share Minecraft server version information for owners of private servers to update and\r\nensure they are protected from this threat.\r\nCross-platform botnet targets SSH-enabled devices\r\nMicrosoft researchers observed that the initial infection points related to the botnet were devices infected through the\r\ninstallation of malicious cracking tools that purport to acquire illegal Windows licenses.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/\r\nPage 1 of 6\n\nFigure 2. Cracking tools used to spread the botnet.\r\nThe cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell\r\ncommand. In some cases, the downloaded file is named svchosts.exe.\r\nFigure 3. 
The code of the .NET executable that downloads and runs svchost.exe\r\nNext, svchost.exe launches malicious.py, the main Python script that contains all the logic of the botnet, which then scans the\r\ninternet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are\r\ncommonly enabled for remote configuration) and launches a dictionary attack against them to propagate. Once a device with\r\nguessable credentials is found, the malware downloads the file Updater.zip from repo[.]ark-event[.]net onto the device, which creates the file fuse. The fuse file then\r\ndownloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles\r\nthe Python runtime and all libraries necessary to run malicious.py.\r\nFigure 4. The DDoS botnet attack flow\r\nWhile malicious.py has specific functionality depending on whether the file launches on a Windows or Linux-based device\r\n(on Windows, the file establishes persistence by adding a value under the registry key Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nthat points to the executable), the malware is built to operate on both Windows and Linux-based devices. 
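The SSH dictionary attack described above leaves a recognizable trace on the targeted device: a burst of failed password logins from one source, cycling through default account names, sometimes followed by a successful login. The detector below is added here as an example; it is not part of the original post and not Microsoft tooling. It runs that logic over a few constructed sshd syslog lines (not a real capture). The function names and the thresholds (5 failures in 120 seconds; a success counts as suspicious only after 3 failures from the same source) are the example's own choices, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd messages in classic syslog format (not a real capture).
# 198.51.100.7 mirrors the default-credential spraying the post describes
# (root/admin/pi/ubnt/support) and then logs in as admin; 192.0.2.10 is a user
# who mistypes a password once and then logs in with a key.
SAMPLE_AUTH_LOG = '''
Dec 15 10:00:01 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 40112 ssh2
Dec 15 10:00:02 cam01 sshd[812]: Failed password for admin from 198.51.100.7 port 40114 ssh2
Dec 15 10:00:03 cam01 sshd[812]: Failed password for invalid user pi from 198.51.100.7 port 40116 ssh2
Dec 15 10:00:04 cam01 sshd[812]: Failed password for invalid user ubnt from 198.51.100.7 port 40118 ssh2
Dec 15 10:00:06 cam01 sshd[812]: Failed password for invalid user support from 198.51.100.7 port 40120 ssh2
Dec 15 10:00:09 cam01 sshd[813]: Accepted password for admin from 198.51.100.7 port 40122 ssh2
Dec 15 10:05:00 cam01 sshd[900]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Dec 15 10:05:30 cam01 sshd[901]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
'''

# Matches the OpenSSH 'Failed password' / 'Accepted password|publickey' lines.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +[0-9]+ [0-9:]{8}) [^ ]+ sshd[[][0-9]+[]]: '
    r'(?P<result>Failed|Accepted) (?P<method>password|publickey) for '
    r'(?:invalid user )?(?P<user>[^ ]+) from (?P<ip>[0-9.]+) port [0-9]+'
)

LOG_YEAR = 2022   # assumption: syslog timestamps have no year field


def parse_sshd_line(line):
    '''Return a dict (ts, result, method, user, ip) for an sshd auth line, else None.'''
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=LOG_YEAR)
    return {'ts': ts, 'result': m.group('result'), 'method': m.group('method'),
            'user': m.group('user'), 'ip': m.group('ip')}


def detect_ssh_spray(lines, max_failures=5, window_seconds=120,
                     min_failures_before_success=3):
    '''Two signals per source IP, evaluated over a sliding time window:
    excessive_login_attempts: at least max_failures failed logins inside the window;
    success_after_failures: an accepted login while the window still holds
    at least min_failures_before_success failures from the same IP.
    Returns {ip: [alert dicts]} in the order the alerts fired.'''
    failures = defaultdict(list)   # ip -> [(timestamp, username)] still inside the window
    alerted = set()                # ips already reported for excessive attempts
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev['ip']
        # Drop failures that have aged out of the window relative to this event.
        failures[ip] = [(t, u) for t, u in failures[ip]
                        if (ev['ts'] - t).total_seconds() <= window_seconds]
        if ev['result'] == 'Failed':
            failures[ip].append((ev['ts'], ev['user']))
            if len(failures[ip]) >= max_failures and ip not in alerted:
                alerted.add(ip)
                alerts[ip].append({'signal': 'excessive_login_attempts',
                                   'count': len(failures[ip]),
                                   'users': sorted({u for _, u in failures[ip]})})
        elif len(failures[ip]) >= min_failures_before_success:
            alerts[ip].append({'signal': 'success_after_failures',
                               'user': ev['user'], 'method': ev['method'],
                               'failures': len(failures[ip])})
    return dict(alerts)


if __name__ == '__main__':
    for ip, hits in detect_ssh_spray(SAMPLE_AUTH_LOG.splitlines()).items():
        for hit in hits:
            print(ip, hit)
```

Run the script directly to print the alerts for the embedded sample, or feed detect_ssh_spray() the lines of /var/log/auth.log (Debian, Ubuntu, Raspbian) or /var/log/secure (CentOS). The third threshold is what keeps alice's single failed password followed by a key-based login from being flagged; lower it only on devices that should never see interactive failures at all.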
The file\r\ncommunicates with its command-and-control (C2) server through the following sequence:\r\nEstablish a TCP connection to repo[.]ark-event[.]net on port 4676.\r\nSend an initial connection string.\r\nReceive a key from the server, and then encrypt all further communication with the Fernet symmetric encryption scheme using that key.\r\nSend version information to the server:\r\nWindows device: the current Windows version\r\nLinux device: a hardcoded version string (2.19 in the sample we analyzed)\r\nContinue receiving encrypted commands from the server.\r\nBased on our analysis, the botnet is primarily used to launch DDoS attacks against private Minecraft servers, combining generic\r\nDDoS methods with Minecraft-specific ones. Below is the list of commands implemented in the code (command, then description):\r\nSYNC: Check that the malware is running\r\nPROXY_\u003curl\u003e: Set proxy servers\r\nDOWNLOAD_\u003curl\u003e: Download a file\r\nEXEC_\u003ccommand\u003e: Run a specific command line\r\nSCANNER[ON|OFF]: Start or stop the default-credential attack on SSH servers used to spread\r\nATTACK_TCP: Send random TCP payloads\r\nATTACK_[HOLD|HANDSHAKE]: Send random TCP payloads through proxy\r\nATTACK_UDP: Send random UDP payloads\r\nATTACK_VSE: Attack on the Valve Source Engine protocol\r\nATTACK_RAKNET: Attack on the RakNet protocol (used by Minecraft servers)\r\nATTACK_NETTY: Minecraft – Login Handshake packet\r\nATTACK_[MCBOT|MINE]: Minecraft – Login Start packet\r\nATTACK_[MCPING|PING]: Minecraft – Login Success packet\r\nATTACK_MCDATA: Minecraft – Login Handshake, Login Start and Close Window packets\r\nATTACK_MCCRASH: Minecraft – Login Handshake and Login Start packets, using a username that contains an env variable lookup\r\nATTACK_JUNK: Send a Tab-Complete packet\r\nATTACK_HTTP-GET: Send GET requests\r\nATTACK_HTTP-FAST: Send HEAD requests\r\nSTOP_ATTACK: Stop the previous attack\r\nWhile 
most of the commands are generic DDoS methods, the most notable command run by the botnet is ATTACK_MCCRASH.\r\nThe command sends ${env:random payload of specific size:-a} as the username in order to exhaust the resources of the\r\nserver and make it crash.\r\nFigure 5. MCCrash TCP payload seen in a packet capture\r\nThe TCP payloads sent to port 25565 have the following binary structure (a Login Start packet):\r\nBytes [0:1] – Size of packet\r\nBytes [1:2] – Login Start packet ID\r\nBytes [2:3] – Size of username\r\nBytes [3:18] – Username string\r\nThe ${env:...} syntax in the username is Log4j 2 lookup syntax: when the server logs the login attempt, the Log4j 2 library processes the\r\nlookup, which causes abnormal consumption of system resources (this is not related to the Log4Shell vulnerability, CVE-2021-44228), demonstrating\r\na specific and highly efficient DDoS method.\r\nA wide range of Minecraft server versions could be affected\r\nWhile testing the impact of the malware, researchers found that the malware itself was hardcoded to target a specific version\r\nof Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack. There\r\nis a slight modification in the Minecraft protocol in server version 1.19, which was released earlier in 2022, that prevents the\r\nuse of the Minecraft-specific commands ATTACK_MCCRASH, ATTACK_[MCBOT|MINE] and ATTACK_MCDATA\r\nwithout modification of the attack code.\r\nFigure 6. Distribution of Minecraft servers by version\r\nFigure 7. Distribution of Minecraft servers that could be affected by MCCrash\r\nThe wide range of at-risk Minecraft servers highlights the impact this malware could have had if it was specifically coded to\r\naffect versions beyond 1.12.2. 
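To make the packet layout concrete, here is a decoder for the Login Start packet as the post describes it, added as an example; it is not code from the original post or from Microsoft. It follows the public Minecraft Java Edition protocol for versions before 1.19, where the packet length, packet ID and string length are VarInts (the single-byte sizes in the post are the common case; multi-byte VarInts are an assumption drawn from the protocol, not from the post), and it flags a username that carries Log4j 2 lookup syntax (${...}) or that breaks the 3-to-16-character [A-Za-z0-9_] username rule. build_login_start() exists only to construct the test input, and the classification labels are the example's own. Packet ID 0x00 is state-dependent (it is also the Handshake packet in the initial state), so the caller is assumed to have consumed the Handshake first.

```python
import re

LOGIN_START_ID = 0x00
MAX_PACKET_LEN = 2097151                           # largest length a 3-byte VarInt carries
LEGAL_NAME = re.compile(r'^[A-Za-z0-9_]{3,16}$')   # Java Edition username rule
LOOKUP = re.compile(r'[$][{][^}]*[}]')             # Log4j 2 lookup syntax: ${...}


def read_varint(buf, pos):
    '''Decode a Minecraft VarInt (7 bits per byte, MSB = continue, max 5 bytes).
    Returns (value, position after the VarInt).'''
    value = 0
    for i in range(5):
        if pos >= len(buf):
            raise ValueError('truncated VarInt')
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos
    raise ValueError('VarInt too long')


def write_varint(value):
    '''Encode a non-negative int as a Minecraft VarInt.'''
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def build_login_start(username):
    '''Pre-1.19 Login Start: [len][0x00][name_len][name]. Constructs test input only.'''
    name = username.encode('utf-8')
    body = write_varint(LOGIN_START_ID) + write_varint(len(name)) + name
    return write_varint(len(body)) + body


def parse_login_start(payload):
    '''Parse one Login Start packet from a TCP payload on port 25565.
    Raises ValueError on a malformed packet; returns {'length', 'username'}.'''
    length, pos = read_varint(payload, 0)
    if length > MAX_PACKET_LEN or pos + length > len(payload):
        raise ValueError('bad packet length')
    end = pos + length
    packet_id, pos = read_varint(payload, pos)
    if packet_id != LOGIN_START_ID:
        raise ValueError('not a Login Start packet: id 0x%02x' % packet_id)
    name_len, pos = read_varint(payload, pos)
    if pos + name_len > end:
        raise ValueError('username length exceeds packet')
    username = payload[pos:pos + name_len].decode('utf-8', errors='replace')
    return {'length': length, 'username': username}


def classify_username(username):
    '''Labels are this example's own: mccrash_lookup, illegal_username, benign.'''
    if LOOKUP.search(username):
        return 'mccrash_lookup'     # ${...} would be expanded by Log4j 2 when logged
    if not LEGAL_NAME.match(username):
        return 'illegal_username'   # no legitimate client sends this; junk/bot traffic
    return 'benign'


if __name__ == '__main__':
    # The second name is shaped like the MCCrash payload: ${env:<5 random bytes>:-a}
    for name in ('Steve', '${env:AAAAA:-a}'):
        pkt = build_login_start(name)
        print(pkt.hex(), parse_login_start(pkt), classify_username(name))
```

The constructed packet for the username ${env:AAAAA:-a} reproduces the layout in the post byte for byte: 0x11 (17-byte packet), 0x00 (Login Start), 0x0f (15-byte username), then the username. A proxy or IDS in front of a 1.7.2 to 1.18.2 server that cannot be upgraded can drop or rate-limit mccrash_lookup connections before the server ever logs the name. From 1.19 on, Login Start carries additional fields after the username, so the parser would need extending for those versions.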
The unique ability of this threat to use IoT devices, which are often not monitored, as part of\r\nthe botnet substantially increases its impact and reduces its chances of being detected.\r\nProtecting endpoints from cross-platform DDoS botnets like MCCrash\r\nTo harden devices and networks against threats like MCCrash, organizations must implement the basics to secure identities and\r\ntheir devices, including access limitation. Solutions must detect downloads of malicious programs and malicious attempts to\r\ngain access to SSH-enabled devices, and generate alerts on anomalous network behavior. Below are some of our\r\nrecommendations for organizations:\r\nEnsure employees are not downloading cracking tools, as these are abused as an infection source for spreading\r\nmalware.\r\nIncrease network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory\r\n(now part of Microsoft Entra) MFA. Enable network protection to prevent applications or users from accessing\r\nmalicious domains and other malicious content on the internet.\r\nMicrosoft 365 Defender protects against attacks related to botnets by coordinating threat data across identities,\r\nendpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to\r\ncomprehensively detect and remediate end-to-end attack chains, from malicious downloads to their follow-on\r\nactivities on endpoints. 
Tools such as advanced hunting let defenders surface threats and gain insights for\r\nhardening networks against compromise.\r\nAdopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and\r\nmonitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR\r\nplatforms such as Microsoft Sentinel and Microsoft 365 Defender. Defender for IoT is updated regularly with\r\nindicators of compromise (IoCs) from threat research like the example described in this blog, alongside rules to\r\ndetect malicious activity.\r\nOn the IoT device level:\r\nEnsure secure configurations for devices: Change the default password to a strong one, and block SSH from\r\nexternal access.\r\nMaintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\r\nUse least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict\r\nremote access to the device.\r\nFor users hosting private Minecraft servers, update to version 1.19.1 or later.\r\nAdopt a comprehensive Windows security solution\r\nManage the apps your employees can use through Windows Defender Application Control and, for unmanaged\r\ndevices, enable Smart App Control.\r\nFor commercial customers, enable application and browser controls such as Microsoft Defender Application\r\nGuard for enhanced protection for Office and Edge.\r\nPerform timely cleanup of all unused and stale executables sitting on your organization’s devices.\r\nProtect against advanced firmware attacks by enabling memory integrity, Secure Boot, and Trusted Platform\r\nModule 2.0, if not enabled by default, which harden the boot process using capabilities built into modern CPUs.\r\nIndicators of compromise 
(IOCs)\r\ne3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25 (KMSAuto++.exe)\r\n143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320 (W10DigitalActivation.exe)\r\nf9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30 (dcloader.exe)\r\n4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f (updater.zip)\r\neb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382 (svchosts.exe)\r\n93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251 (fuse)\r\n202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1 (malicious.py)\r\nrepo[.]ark-event[.]net\r\nDetections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the malware used in this attack as the following:\r\nTrojanDownloader:MSIL/MCCrash.NZM!MTB\r\nTrojan:Win32/MCCrash.MA!MTB\r\nTrojanDownloader:Python/MCCrash!MTB\r\nTrojan:Python/MCCrash.A\r\nTrojanDownloader:Linux/MCCrash!MTB\r\nTrojan:Python/MCCrash.RPB!MTB\r\nTrojan:Python/MCCrash.RPC!MTB\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\r\nEmerging threat activity group DEV-1028 detected\r\nSystem file masquerade\r\nAnomaly detected in ASEP registry\r\nSuspicious process launched using cmd.exe\r\nSuspicious file launch\r\nMicrosoft Defender for IoT\r\nMCCrash-related activity on IoT devices would raise the following alerts in Microsoft Defender for IoT:\r\nUnauthorized SSH access\r\nExcessive login attempts\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for Cloud raises the following alert for related activity:\r\nVM_SuspectDownload\r\nAdvanced hunting queries\r\nMicrosoft 365 Defender\r\nRun the following queries to search for related files in your environment:\r\nDeviceFileEvents\r\n| where SHA256 
in\r\n(\"e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25\",\"143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320\",\"f\r\nDeviceFileEvents\r\n| where FolderPath endswith @\":\\windows\\svchost.exe\"\r\nDeviceRegistryEvents\r\n| where RegistryKey contains \"CurrentVersion\\\\Run\"\r\n| where RegistryValueName == \"br\" or RegistryValueData contains \"svchost.exe\" or RegistryValueData contains\r\n\"svchosts.exe\"\r\nDeviceProcessEvents\r\n| where FileName in~ (\"cmd.exe\", \"powershell.exe\")\r\n| where ProcessCommandLine has_all (\"-command\", \".downloadfile(\", \"windows/svchost.exe\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious domain indicators\r\nmentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can\r\ninstall the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their\r\nSentinel workspace. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nTo supplement this indicator matching, customers can use the following queries against data ingested into their workspaces\r\nto help find devices with exposed SSH endpoints, and devices that might be under SSH brute force attempts.\r\nPotential SSH brute force attempt: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/ssh_potentialBruteForce.yaml\r\nExposed critical ports in Azure: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/CriticalPortsOpened.yaml\r\nDavid Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, Microsoft Defender for IoT Research Team\r\nRoss Bevington, Microsoft Threat Intelligence Center (MSTIC)\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/"
	],
	"report_names": [
		"mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers"
	],
	"threat_actors": [
		{
			"id": "997ba414-8483-458d-821f-515de159992c",
			"created_at": "2023-11-08T02:00:07.163584Z",
			"updated_at": "2026-04-10T02:00:03.43131Z",
			"deleted_at": null,
			"main_name": "DEV-1028",
			"aliases": [],
			"source_name": "MISPGALAXY:DEV-1028",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd12d6f4b7c9d452b9be9a10a718625b18491046.pdf",
		"text": "https://archive.orkl.eu/dd12d6f4b7c9d452b9be9a10a718625b18491046.txt",
		"img": "https://archive.orkl.eu/dd12d6f4b7c9d452b9be9a10a718625b18491046.jpg"
	}
}