Malware Disguise and Delivery
The new Python RAT hides inside a fake Minecraft mod called “Nursultan Client.” Attackers built it using PyInstaller, turning it into a 68 MB executable. The large file size helps bypass scanners that skip oversized binaries.
When launched, the program shows a fake installation progress bar. It hides its console window to appear legitimate. In the background, it drops files, edits registry entries, and prepares persistence. The malware adds a startup key named NursultanClient to Windows. However, its command points to a Python script, not the compiled binary. Because of that, the persistence often fails after a reboot.
Command and Control Through Telegram
The RAT communicates using Telegram’s Bot API. It contains a hard-coded token and a list of approved user IDs. Only the attacker’s Telegram account can send commands.
This design shows a Malware-as-a-Service model. Each buyer gets a version that responds only to their Telegram ID. That approach limits interference between clients and strengthens control for the operator.
Through Telegram, attackers can send commands to capture screenshots, exfiltrate data, and delete evidence. Using a trusted communication platform also helps the malware blend into normal traffic.
Data Theft and Spy Features
Once active, the RAT collects information aggressively. It searches browsers such as Chrome, Edge, Firefox, Opera, and Brave for stored credentials. It also extracts Discord tokens and system details including OS version, CPU, and network data.
The malware can capture screenshots or webcam images on command. All stolen data goes back to the attacker’s Telegram channel. Every sample carries the signature “by fifetka”, linking it to a small developer group that sells the tool online.
Impact on Gamers and Security Teams
This campaign targets gaming communities where users often install mods without caution. Many gamers trust unofficial installers because they appear harmless. Attackers exploit that trust to deploy full-featured remote-access malware.
Security professionals should note that the gaming ecosystem is now part of the threat landscape. Mod installers and fan-made clients can deliver real malware. Teams must treat them as unverified third-party software.
Detection based only on file size or startup entries will miss these threats. Instead, analysts should monitor behaviors like Telegram traffic or unexpected screenshot requests. Awareness and behavioral analysis are more effective than static checks.
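As an added illustration of the behavioral approach described above (example code, not from the original article or the analyzed sample), the following Python filter runs over constructed Sysmon-style events and flags the two behaviors the write-up names: a Run key whose command launches a Python interpreter, and a process outside an assumed allow-list connecting to the Telegram Bot API host. The event field names, the allow-list and all sample paths are assumptions for the example.

```python
# Added example (not code from the article): toy triage over constructed
# Sysmon-style events, flagging a Run key that launches a Python
# interpreter and a non-allow-listed process reaching api.telegram.org.
import re

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PYTHON_CMD = re.compile(r"\bpythonw?(\.exe)?\b", re.I)
TELEGRAM_API_HOST = "api.telegram.org"
# Assumption: images that may legitimately reach the Bot API host on this fleet.
ALLOWED_TELEGRAM_IMAGES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def check_registry(ev):
    """Flag a Run/RunOnce value whose command invokes a Python interpreter."""
    if RUN_KEY.search(ev["target"]) and PYTHON_CMD.search(ev["details"]):
        return f"persistence: {ev['target']} -> {ev['details']}"
    return None

def check_network(ev):
    """Flag a non-allow-listed image talking to the Bot API host."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["dest_host"].lower() == TELEGRAM_API_HOST and image not in ALLOWED_TELEGRAM_IMAGES:
        return f"c2: {image} -> {TELEGRAM_API_HOST}"
    return None

def triage(events):
    """Return findings for a batch of events; unknown event types are ignored."""
    checks = {"registry_set": check_registry, "network_connect": check_network}
    findings = []
    for ev in events:
        hit = checks.get(ev["type"], lambda _e: None)(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample events (paths and SID are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\NursultanClient",
     "details": r"C:\Python311\pythonw.exe C:\Users\Public\NursultanClient\client.py"},
    {"type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"type": "network_connect", "image": r"C:\Users\Public\NursultanClient\NursultanClient.exe",
     "dest_host": "api.telegram.org"},
    {"type": "network_connect", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org"},
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```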
Mitigation Recommendations
- Verify installers. Only use mods or clients from verified, digitally signed sources.
- Limit executable types. Use application-control policies to block unsigned or oversized binaries.
- Inspect Telegram activity. Detect bot communications from devices that should not use the platform.
- Educate users. Warn gamers that free mods can hide malware. Awareness prevents many infections.
- Monitor credential stores. Track token theft and browser data access to catch compromise early.
Each of these steps helps reduce exposure to RAT infections disguised as game software.
The Python RAT known as “Nursultan Client” proves that malware operators are exploiting gaming culture. They disguise powerful tools as harmless mods and use social engineering to gain trust.
For defenders, the message is clear: treat every executable, game-related or not, as a potential risk. Monitor unusual network traffic, review startup keys, and watch for Telegram connections from applications that are not Telegram clients.
Staying alert can stop these threats before they spread further across the gaming world.