The Yoink RAT Incident

Everything you need to know about the Yoink RAT Incident.

Initial Discovery

On January 22, 2021, a new message was sent in the Rocan Utility Mod Discord. Unbeknownst to the people who saw it, this would set in motion one of the largest ratting incidents Minecraft has ever seen.

injector-forgedefault.jar

Within minutes of the message being sent, countless users in the Rocan Discord began to find the mysterious file, injector-forgedefault.jar. Hidden deep within the Minecraft directory, the file injected itself into Forge whenever the victim launched Minecraft.

The jar file contained a link that led to a second jar file. That second jar file contained another link, which led to the file that shocked the entire anarchy community: obf.jar.
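A defensive check built on the two details above (the reported file names and the jar-to-jar link chain), added here as an example; it is not code from the original page or from any tool the page mentions. It walks a directory tree, flags jars with those names, and lists plaintext URLs ending in .jar found inside any jar. The function names, the URL pattern, the size limit and the sample jars with their `.invalid` URL are assumptions constructed for illustration.

```python
import re, tempfile, zipfile
from pathlib import Path

# File names reported on this page; the exact directory is not given, so search recursively.
IOC_NAMES = {"injector-forgedefault.jar", "obf.jar"}
# A plaintext http(s) URL ending in .jar inside a jar entry: the "link to another jar" pattern.
JAR_URL = re.compile(rb"https?://[\x21-\x7e]{4,200}?\.jar\b", re.I)
MAX_ENTRY = 5_000_000  # assumed limit: skip very large entries to keep the scan bounded

def scan_jar(path):
    """Return sorted .jar URLs found in the jar's entries ([] if unreadable)."""
    urls = set()
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_ENTRY:
                    continue
                for m in JAR_URL.findall(zf.read(info)):
                    urls.add(m.decode("ascii"))
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: a name match is still reported
    return sorted(urls)

def scan_tree(root):
    """Walk root and report jars with a listed name or an embedded .jar URL."""
    findings = []
    for p in sorted(Path(root).rglob("*.jar")):
        if not p.is_file():
            continue
        name_hit = p.name.lower() in IOC_NAMES
        urls = scan_jar(p)
        if name_hit or urls:
            findings.append({"file": p.name, "ioc_name": name_hit, "jar_urls": urls})
    return findings

def demo():
    """Build a constructed directory (placeholder bytes, not real samples) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "mods").mkdir()
        with zipfile.ZipFile(root / "mods" / "clean-mod.jar", "w") as zf:
            zf.writestr("Mod.class", b"\xca\xfe\xba\xbe ordinary bytes")
        with zipfile.ZipFile(root / "injector-forgedefault.jar", "w") as zf:
            zf.writestr("Loader.class", b"\xca\xfe\xba\xbe\x01\x00\x23http://stage2.example.invalid/a.jar\x01")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A URL hit is a lead for manual review rather than a verdict: legitimate mods with updaters can embed jar URLs, and an obfuscated jar may hide its strings so that nothing matches.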

Approximately 30 minutes after the Yoink RAT was initially uncovered, an anarchy player by the name of OMA contacted John200410, the developer of RusherHack, about the incident. The jar file was initially thought to be a legitimate file that allowed Forge to work, but it was reverse engineered, which uncovered the true secret of obf.jar.

Fallout

The incident was then posted to the subreddit r/minecraftclients and spread from there through many Discord servers. As awareness of the RAT grew rapidly, a brand new program that removed the Yoink RAT was created by Crystallinqq, who, ironically, was also the perpetrator of the Phobos RAT.

Yoink RAT removal program - https://github.com/qqTechnologies/qqAntiVirus

Reddit post - https://www.reddit.com/r/minecraftclients/comments/l2zmfn/emergency_check_this_file_path_right_now/

Within a day of the exposure, credit card fraud was committed by several members of the Rocan Utility Mod Discord who also happened to be friends with Yoink, the developer of the RAT.

69hr and LeafyIsGone shamelessly admitted the affiliation and boasted about the amount of goods they received through the stolen credit card information.

LeafyIsGone also later sent a picture of a victim's desktop.

The source code of the RAT was uploaded to GitHub; however, it was taken down in less than an hour by GitHub staff. In the README of the repository, Yoink stated "I am so fucking sorry" along with links to Crystallinq's program and backdoor, and Travis's W+2 backdoor.
