
New Malware Campaign Exploits Minecraft Modding to Deliver Credential-Stealing Malware

Cybersecurity researchers have uncovered a new multi-stage malware campaign that targets Minecraft players through malicious mods distributed on GitHub

Cybersecurity researchers have uncovered a new multi-stage malware campaign that targets Minecraft players through malicious mods distributed on GitHub. The operation, active since at least March 2025, uses a distribution-as-a-service (DaaS) platform known as the Stargazers Ghost Network to infect users with a potent credential-stealing malware.

Malware Masquerading as Minecraft Mods

According to Check Point researchers Jaromír Hořejší and Antonis Terefos, the campaign impersonates tools such as Oringo and Taunahi, which are known in the Minecraft community as script and macro tools and are commonly used as cheats. Both the first and second malware stages are written in Java and can only run on systems that have the Minecraft runtime environment installed.

Users are tricked into downloading malicious .jar files from what appear to be legitimate mod repositories on GitHub. To activate the malware, victims must manually place the mod in the Minecraft mods folder, ensuring it loads when the game starts.

Multi-Stage Attack Chain

Once executed, the malicious mod performs anti-analysis checks and downloads a second-stage Java payload. This component retrieves a .NET-based information stealer from an IP address that is stored Base64-encoded on Pastebin, using the site as a “dead drop” so that the address does not have to appear in the mod itself and direct network detection is harder.

The .NET stealer is highly capable. It can:

  • Extract credentials from popular browsers.

  • Harvest data from cryptocurrency wallets.

  • Steal session tokens from Discord, Minecraft, and Telegram.

  • Access clipboard contents and take system screenshots.

  • Collect app data from platforms like Steam and FileZilla.

All harvested information is bundled and exfiltrated using a Discord webhook, allowing attackers to receive the stolen data in real time.
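As an added illustration (this is not Check Point's tooling or the campaign's code), the following triage script applies the two network-side patterns described above, a Base64-encoded IP address fetched from Pastebin and a Discord webhook used for exfiltration, to a mod .jar from the defender's side: it extracts printable strings from every entry and flags Pastebin URLs, Discord webhook URLs and Base64 tokens that decode to an IPv4 address. The sample jar and every URL and address in it are constructed placeholders, not real indicators.

```python
"""Triage scanner for Minecraft mod .jar files (added example, not Check Point's tooling).
Flags Pastebin URLs, Discord webhook URLs and Base64 tokens that decode to an IPv4 address."""
import base64
import io
import re
import zipfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")  # runs of printable ASCII inside any entry
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
WEBHOOK = re.compile(r"https?://(?:[\w.-]*\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
PASTEBIN = re.compile(r"https?://(?:www\.)?pastebin\.com/(?:raw/)?\w+")

def decoded_ipv4(token: str):
    """Return the dotted-quad string if `token` is Base64 of an IPv4 address, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding (binascii.Error) or non-ASCII bytes
        return None
    return text if IPV4.match(text) else None

def scan_jar(jar_bytes: bytes) -> dict:
    """Walk every entry of the jar (a zip) and collect the three indicator types."""
    findings = {"pastebin": set(), "webhooks": set(), "b64_ips": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            for raw in PRINTABLE.findall(jar.read(name)):
                s = raw.decode("ascii")
                findings["pastebin"].update(PASTEBIN.findall(s))
                findings["webhooks"].update(WEBHOOK.findall(s))
                for tok in B64_TOKEN.findall(s):
                    ip = decoded_ipv4(tok)
                    if ip:
                        findings["b64_ips"].add(ip)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_jar() -> bytes:
    """Constructed jar imitating the described loader; every value here is made up, not a real IoC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("net/example/Loader.class", b"\xca\xfe\xba\xbe"  # class-file magic
                     + b"https://pastebin.com/raw/EXAMPLE1 " + base64.b64encode(b"203.0.113.10")
                     + b" https://discord.com/api/webhooks/123456789/EXAMPLE_TOKEN_abc")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

Point `scan_jar` at the bytes of each file in the Minecraft mods folder; a hit on any of the three lists is a reason to quarantine the mod and review recent Pastebin and Discord traffic from that host.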

Stargazers Ghost Network and GitHub Abuse

The Stargazers Ghost Network plays a central role in the campaign’s infrastructure. The group maintains hundreds of GitHub repositories disguised as cracked software and game mods. Researchers identified nearly 500 suspicious repositories and 70 user accounts used to star and promote them, giving an illusion of legitimacy to unsuspecting users.

This campaign appears to be the work of Russian-speaking threat actors, based on language artifacts and time zone indicators (UTC+03:00). Check Point estimates that over 1,500 devices may have been compromised so far.

Why It Matters

This operation highlights a significant risk within online gaming communities. Players looking to enhance their experience with mods can easily be deceived into downloading malware, especially from open-source platforms like GitHub.

Best Practices for Users:

  • Avoid downloading mods from unofficial or unknown sources.

  • Regularly update antivirus software and Minecraft itself.

  • Monitor for unusual device behavior, especially after installing new mods.

As malware continues to evolve, targeting niche online communities becomes a powerful tactic for threat actors seeking to exfiltrate credentials and compromise systems at scale.