What are these "Hytale Mods" really doing?
A security researcher analyzes a campaign of fake Hytale mod repositories on GitHub that distribute malware. The malicious repos impersonate legitimate projects such as the Spectre anti-cheat, use AI-generated README content, and spoof contributor identities. The payloads are obfuscated Lua scripts disguised as other file types; they install persistent scheduled tasks under fake names (Creative Cloud, Audio Manager, Cloud Drive) and connect to a C2 server. Notably, the malware hides its C2 behind blockchain infrastructure (Ethereum/Polygon), which makes takedowns nearly impossible. The campaign appears to be an info-stealer targeting developers, with one variant sending roughly 3 MB of data back to the attacker. Indicators of compromise include the presence of an 'odm5' file and calls to IP geolocation APIs, which the malware uses for anti-analysis.