A widespread malware campaign is actively targeting Minecraft players through malicious mods and cheats designed to infect Windows systems with info-stealing malware.
These threats are aimed at stealing credentials, authentication tokens, and cryptocurrency wallet data.
The operation, uncovered by Check Point Research, is being run by the Stargazers Ghost Network and takes advantage of Minecraft’s extensive modding community and legitimate platforms like GitHub to reach a large number of victims.
According to Check Point, Pastebin links used by the attackers to deliver malware have received thousands of views, suggesting a wide-scale impact.
Malicious Mods Disguised as Cheats
The Stargazers Ghost Network, which operates under a distribution-as-a-service (DaaS) model, has been active on GitHub since 2023. Previously documented for campaigns involving over 3,000 GitHub accounts, the group reportedly infected more than 17,000 systems in late 2024 using malware built with the Godot engine.
In the latest wave, Stargazers has shifted focus to Java-based malware hidden inside fake Minecraft mods and clients, including names like Skyblock Extras, Polar Client, FunnyMap, Oringo, and Taunahi.
Check Point researchers identified around 500 related GitHub repositories, many of which were forks or clones, and noted approximately 700 fake stars generated by 70 accounts to boost the legitimacy of the malware-laced repositories.
Stealthy Multi-Stage Infection Chain
Once a victim runs the malicious mod in Minecraft, a first-stage JAR file executes and retrieves the next stage of malware via a base64-encoded Pastebin URL. This stage contains a Java-based stealer that targets:
- Minecraft tokens from official and third-party launchers (Feather, Lunar, Essential)
- Discord and Telegram authentication tokens
The Java malware then acts as a loader, delivering a second-stage payload named 44 CALIBER, a .NET-based info stealer. This tool expands the attack by extracting:
- Browser credentials (Chrome, Edge, Firefox)
- Files from common directories
- Data from cryptocurrency wallets (BitcoinCore, Ethereum, Monero, Exodus, etc.)
- VPN credentials (ProtonVPN, NordVPN, OpenVPN)
- Account data from apps like Steam, FileZilla, and Telegram
- System information, clipboard contents, and screenshots
The stolen data is transmitted to attackers using Discord webhooks. Russian-language comments in the code and commit timestamps aligned with UTC+3 suggest the campaign may be operated by Russian threat actors.
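The two network indicators in the chain just described (a Pastebin raw URL hidden as base64 in the first-stage JAR, and exfiltration to a Discord webhook) can be triaged statically before a downloaded mod is ever launched. The following Python is an added example, not Check Point's tooling or any published IoC: it unpacks a JAR, decodes base64-looking runs and flags Pastebin raw or Discord webhook URLs; the sample JAR, its entry names and the paste id are constructed, and the 24-character minimum run length is an assumption.

```python
import base64
import binascii
import io
import re
import zipfile

# Chain indicators: a Pastebin raw URL (base64-hidden in the first stage) or a Discord webhook.
SUSPICIOUS_URL = re.compile(
    rb"https?://(?:pastebin\.com/raw/|discord(?:app)?\.com/api/webhooks/)[A-Za-z0-9_./-]+"
)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # 24 is an assumed minimum run length


def decode_b64_candidates(data: bytes):
    """Yield the decoded form of every base64-looking run in a blob."""
    for m in B64_RUN.finditer(data):
        token = m.group(0)
        token += b"=" * (-len(token) % 4)  # re-pad trimmed runs
        try:
            yield base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # not real base64


def scan_jar(jar_bytes: bytes) -> dict:
    """Map each JAR entry to the suspicious URLs in it, plaintext or base64-hidden."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            blob = jar.read(name)
            hits = [("plaintext", m.group(0).decode("ascii", "replace"))
                    for m in SUSPICIOUS_URL.finditer(blob)]
            for decoded in decode_b64_candidates(blob):
                hits += [("base64", m.group(0).decode("ascii", "replace"))
                         for m in SUSPICIOUS_URL.finditer(decoded)]
            if hits:
                findings[name] = hits
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample JAR, not a real mod: benign, base64-hidden, and plaintext entries."""
    hidden = base64.b64encode(b"https://pastebin.com/raw/EXAMPLE0")  # placeholder paste id
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("mod/Main.class", b"\xca\xfe\xba\xbe" + b"harmless mod code")
        jar.writestr("mod/Loader.class", b"\xca\xfe\xba\xbe" + hidden + b"\x00")
        jar.writestr("mod/Report.class", b"\xca\xfe\xba\xbe"
                     + b"https://discord.com/api/webhooks/000/EXAMPLETOKEN\x00")
    return buf.getvalue()
```

Strings assembled at runtime or hidden behind a second encoding layer will not be caught this way, so a clean result is only a weak signal, while any hit is reason enough not to run the mod.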
Safety Recommendations
Check Point has published full indicators of compromise (IoCs) to help detect and block these threats. To reduce the risk of infection:
- Download Minecraft mods only from reputable sources and trusted developers.
- Be cautious when downloading from GitHub—verify repository stars, forks, contributor activity, and recent commits for authenticity.
- Avoid logging into your main Minecraft account when testing unknown mods; use a separate “burner” account for experimentation.
Remaining vigilant and sticking to official channels is essential to avoid falling victim to malware hidden in seemingly harmless game modifications.