Welcome to the Hangar Open Beta. Please report any issue you encounter on GitHub!
Avatar for AJA_RETRO

Comprehensive Malware and Trojan scanner. Built with security on mind and fixes all the mistakes of legacy plugins.

Report DeMalware-RETRO?

🛡️ DeMalware-RETRO | Enterprise Minecraft Server Security & Backdoor Scanner

Aegis v2.8.5 Class Early-Bootstrap JVM Agent and Security Transformer

Modrinth Hangar GitHub

If you run a public Minecraft server, securing your host machine against malicious plugins, backdoored jars, and zero-day exploits (like RCEs or ForceOP exploits) is critical. DeMalware-RETRO provides the ultimate security shield at the JVM level, protecting your server against malicious plugins and dynamic memory exploits before they can compromise your host.


🚀 Quick Copy-Paste Startup Arguments

Copy and paste this single line into your server host's "Startup Command", "Extra JVM Flags", or "Java Arguments" text field to enable active protection:

-javaagent:plugins/DeMalware-RETRO.jar -XX:+DisableAttachMechanism -Djdk.attach.allowAttachSelf=false

💡 Simple Explanation (No Tech Jargon!)

Why do I need this?

Normally, standard security plugins load too late. If a backdoored or hacked plugin loads before your security plugin, the hack can easily turn off your security plugin or infect your server. DeMalware-RETRO loads first. It starts before any Minecraft server code or plugins are executed. It inspects every plugin class file as it loads. If any plugin tries to run malicious commands, download files, or steal OP permissions, DeMalware blocks it instantly before it can run.

What does it block?

  • ForceOP Protection: Blocks plugins from secretly giving players administrator/OP status.
  • Malicious System Commands: Prevents plugins from running command prompts, installing malware, or accessing files on your server computer.
  • Hidden Network Outflow: Intercepts and logs where plugins are sending data to the internet, showing you exactly where they are connecting.
  • AI Threat Audits: Translates complex security logs into plain English using Gemini AI to tell you if a plugin is safe or a hacker backdoor.

🔍 How it Works (Technical Details)

Standard security plugins run at the Spigot/Paper API layer, meaning they load after the server has already booted up. This creates a massive security gap:

  1. Late Initialization: Malicious plugins loaded early in the startup sequence can hijack the class loader, modify other plugins, or disable standard security plugins before they even initialize.
  2. API Bypass: Sophisticated malware uses native JNI code loading (System.load), direct memory modification (sun.misc.Unsafe), or dynamic class definitions (MethodHandles.Lookup) to bypass the Spigot/Paper API completely, executing shell commands or web callbacks under the radar.

The JVM Agent Advantage

DeMalware-RETRO operates as a JVM Bootstrap Agent (-javaagent). It hooks directly into the Java Virtual Machine at startup.

  • It intercepts the raw bytecode of every class file at the class loader level before it is loaded or executed.
  • If a class tries to execute a shell process, hook unauthorized libraries, or grant operator permissions, DeMalware intercepts it, blocks the class loader request, and throws a SecurityException, keeping your server immune to execution.

⚡ Core Security Features & How to Use Them

1. JVM Early-Boot Classloader Interceptor

  • How it works: Inspects all class definitions as they load. Prevents package spoofing (e.g. malware pretending to be a Bukkit or Minecraft utility class to evade detection).
  • How to use: Operating automatically once registered as a -javaagent in your startup command. No manual triggers needed.

2. Active Runtime Sandboxing & Bytecode Heuristics

  • How it works: Analyzes bytecode patterns dynamically to catch remote code execution (RCE) attempts, shell command executions (ProcessBuilder), dynamic attach APIs, and low-level memory writes.
  • How to use: Enable or disable specific rules in /plugins/DeMalware-RETRO/config.yml.

3. In-Memory Trojan Inoculation (Malware Vaccine)

  • How it works: Instead of throwing standard class loading exceptions when blocking common trojans (like the notorious l/M/x loader)—which crashes the host premium plugins—DeMalware dynamically injects a harmless empty dummy class. This neutralizes the trojan while letting the parent plugin boot safely.
  • How to use: Runs automatically in the background.

4. Wireshark-like Outbound Network Interceptor

  • How it works: Intercepts outgoing connection attempts (java.net.Socket.connect) initiated by any plugin, geolocates the destination IP via IPinfo.io, and logs details about what plugin initiated the request.
  • How to use: Logs are automatically reported and can be reviewed in real-time on your Threat Sentinel Web Dashboard.

5. Gemini AI Threat Audit (Paid License Feature)

  • How it works: Sends threats and network logs to the Gemini 2.5 Flash API to generate deep semantic audits of outbound network activities and suspicious bytecode anomalies.
  • How to use: Requires a Paid license tier (Tier 1 or higher). Input your Gemini API key in the dashboard Settings tab, and click 🪄 AI Threat Audit under your connected Node Server in the threats dashboard.

⚙️ Configuration Reference (config.yml)

# DeMalware-RETRO Configuration
block-mode: true

# Restrict OP modifications strictly to the server console sender
console-only-op: true

# Enabled Heuristics rules
rules:
  force-op: true
  shell-exec: true
  jar-injector: true
  unsafe-reflection: true

# Whitelisted package prefixes (Core JVM/System classes bypass scanning)
whitelisted-packages:
  - "org.bukkit"
  - "org.spigotmc"
  - "com.destroystokyo.paper"
  - "io.papermc"
  - "dev.ajaretro.demalware"

🔒 Dedicated JVM Hardening Flags

To seal the final gap in server containment and prevent dynamic agent attachment exploits (post-boot injections), copy these parameters into your startup command:

-XX:+DisableAttachMechanism -Djdk.attach.allowAttachSelf=false

⚡ Production Startup Parameters

🔴 Option A: Enterprise Low-Latency (ZGC & Attach Protection)

Recommended for high-performance Paper/Folia servers running Java 17 to Java 21+:

java -XX:+UseZGC -XX:+GenerationalZGC -XX:+DisableAttachMechanism -Djdk.attach.allowAttachSelf=false -javaagent:plugins/DeMalware-RETRO.jar -jar paper.jar nogui

🟣 Option B: G1GC Multi-threaded Flag Suite

java -XX:+DisableAttachMechanism -Djdk.attach.allowAttachSelf=false -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1ReservePercent=15 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -javaagent:plugins/DeMalware-RETRO.jar -jar paper.jar nogui

💎 Store Pricing & Commercial Licensing

If you run a public server network, choose a licensing tier matching your connected server instances. Purchase licenses or configure alternative payments via the AJA RETRO Store:

Tier Price Supported Server Instances Gemini AI Audit Purchase Link
Free / Community Free ($0) 1 Server Instance No (Paid Only) Get Free Key
Tier 1 (Personal) $10 / 30 Days 1 Server Instance Yes (Full) Buy Tier 1
Tier 2 (Pro) $25 / 30 Days 5 Server Instances Yes (Full) Buy Tier 2
Tier 3 (Enterprise) $50 / 30 Days 12 Server Instances Yes (Full) Buy Tier 3
Tier 4 (Overdrive) $100 / 30 Days 30 Server Instances Yes (Full) Buy Tier 4
Custom Unlimited Negotiable (DMs) Unlimited Instances Yes (Full) Contact DMs

Note

  • Gemini AI Audits are restricted strictly to paid licenses (Tier 1 or higher).
  • Direct Bank Transfers and custom partner pricing plans are available! Contact us in Discord DMs to arrange bank transfers or get custom quotes.

  • DeMalware-RETRO - Advanced JVM agent early-boot malware protection scanner.
  • CircuitBreaker - Dynamic lag machine culler and entity optimizer.
  • FoliaCore - Multi-threaded native essentials suite built for Folia.
  • RetroWorldPurger - Automatic region file purger and storage optimizer.
  • RetroMail - High-performance SMTP server integration for mail delivery.

💬 Contact & Custom Quotes

Need direct support or custom Minecraft software? We design everything from lightweight server optimizations to enterprise backend services:

Information

CategoryAdmin Tools
Published onJuly 11, 2026
LicenseALL RIGHTS RESERVED
Downloads2
Stars0
Watchers0
Supports Folia

Members