I Traced a "Cute" Minecraft Phishing Site to a C2 Server in Chicago

erickcodes-dev — Sun, 05 Apr 2026 07:13:58 +0000

Hello community! As an IT engineering student, I recently conducted a technical investigation into an active threat targeting the gaming community (specifically Minecraft players).

What appeared to be a harmless "cute" website turned out to be a Phishing and Malware-as-a-Service (MaaS) infrastructure. Here is a technical breakdown of my findings:

PHISHING AND MALWARE SPREAD THROUGH DISCORD

The primary domain identified is owocraft.com. At first glance, it uses Tailwind CSS and a Turkish-coded template (identified by source code comments such as /* Sayfa Fade-in Animasyonu */).

The main deception is a download button for a fake "Launcher" that actually points to a malicious .rar file hosted on Dropbox (ID: 3d1d505ajob480fkdnpm3). This file contains a Discord Token Stealer.

Unmasking the Infrastructure
Despite using Cloudflare for obfuscation, I performed a passive DNS analysis and utilized OSINT tools (Censys/Shodan) and other tools to identify the real origin server:

Command & Control (C2) IP: 209.182.219.131

Provider: Kamatera (Global Cloud Infrastructure LLC).

Location: Chicago, IL, USA.

System Info: Windows Server 2016 administered via RDP with the hostname SUNRATE01-1.

Network Correlation
This is not an isolated site. By correlating tracking tokens and CSS fingerprints, I identified several other active domains sharing the same infrastructure and payload:

kittycraft.online
ragnacook.site
cutecraftsmp.com
playsweetcraft.site

There are probably many more, since there are over 19 pages with different domains but the same Cloudflare token.

Incident Response & Mitigation
In accordance with professional ethics, I documented and reported the issue to the relevant global providers:

GoDaddy: Criminal abuse report (Claim ID: DCU101215117).

Google Trust Services: SSL certificate revocation request.

Google Safe Browsing: Malicious site report for browser-level blocking.

Prevention

I recommend the following measures to avoid falling victim to these types of "Social Engineering" attacks:

Verify the Origin: Never trust "Custom Launchers" or "Performance Boosters" from unofficial sources. If it’s not from a verified developer or a reputable open-source repository (like GitHub).

Analyze the URL: Scammers often use domains like .online, .site, or .art because they are cheap to register in bulk. Always check the WHOIS data for the registration date; a site created only 3 months ago claiming to have "10,000+ players" is likely a fraud.

Discord Security: Enable 2FA (Two-Factor Authentication) and never share your Discord Token. Remember: no legitimate application will ever ask you to paste a script into your browser console or download a .rar to "verify" your account.

Virtualize for Safety: If you must test a new mod or client, use a Virtual Machine (VM) or a "Sandbox" environment to isolate the execution and protect your host system.

Although we have identified the C2 infrastructure and the payload distribution system, identifying the individuals behind this network remains difficult.

Use of VPNs and proxies: Attackers almost never connect directly to their servers. They use multiple layers of encrypted VPNs and proxies to hide their original location and IP address.

Infrastructure as a Service (IaaS): By using providers like Kamatera or Cloudflare, they create a barrier between their physical location and the malicious content.

Many of these actors hop from one hosting provider to another, exploiting those that ignore the DMCA and abuse reports.

They use ghost accounts, cryptocurrencies for payments, and encrypted communication channels like Telegram, leaving very little digital trail for law enforcement.

There are probably more reports on this online, so do your research; my content is just a contribution

DEV Community: erickcodes-dev

I Traced a "Cute" Minecraft Phishing Site to a C2 Server in Chicago

PHISHING AND MALWARE SPREAD THROUGH DISCORD

Prevention