Detects a Minecraft phishing kit that's being spread through Discord
title: Minecraft Phishing Kit 85f1cdf0
description: |
Detects a Minecraft phishing kit that's being spread through Discord
references:
- https://urlscan.io/result/c1532fae-edac-4e99-9333-7c083c062d79/ # hypixelverification.ru
- https://urlscan.io/result/c635f07c-5caa-4653-b661-ffee683cbaa1/ # verifyhypixel.net
- https://urlscan.io/result/8a1cfa2f-d443-413f-97b4-d6265bb48abc/ # verify.qolhub.info
- https://urlscan.io/result/85f1cdf0-5a35-4162-a32f-605b527c1422/ # verifyhypixel.com
- https://urlscan.io/result/15fec1fe-b1cb-4fc2-a497-5c9f9d5adf00/ # verifyhypixel.xyz
- https://urlscan.io/result/7c9aab8b-e0f8-44e1-b27c-873b62f419a3/ # fragbot.ru
- https://urlscan.io/result/f72c8b69-ac59-4302-97f5-e5e033703cd1/ # verify.fragbot.net
- https://urlscan.io/result/bf2a7227-2f6a-457d-9182-5fcb1dc88d5a/ # verify.fragbot.online
detection:
jsFile:
js|contains:
- 'xsts?userhash='
- '&xsts='
- '&xbl='
- '&accessToken=' # Query params that send data
- 'rp://api.minecraftservices.com/' # Minecraft RelayingParty
favicon:
html|contains:
- '<link rel="icon" type="image/png" href="https://www.freepnglogos.com/uploads/discord-logo-png/discord-logo-logodownload-download-logotipos-1.png">'
discordBackground:
requests|contains: 'https://cdn.mos.cms.futurecdn.net/my8AUCgUhKERqBBwdPQuXG.jpg'
fakeCaptchaButton:
html|contains: '<button class="svelte-1ca0u07">I''m not a Robot</button>'
linkAccountButton:
html|contains: '<div class="center svelte-194ct39"><button class="svelte-wewfeb">Link account →</button> </div>'
condition: jsFile and favicon and ((discordBackground and fakeCaptchaButton) or (linkAccountButton))
tags:
- kit
- target.minecraft