Minecraft Mod Malware Infects 1,500+ Players via GitHub

Updated: Jun 20

Over 1,500 Minecraft players have been compromised by a sophisticated Java-based malware campaign. Disguised as game modifications on GitHub, this multi-stage attack leverages a distribution-as-a-service (DaaS) offering known as Stargazers Ghost Network, ultimately deploying a potent .NET information stealer.

Minecraft Mod Malware Uncovered

Cybersecurity researchers at Check Point first detected this malicious activity in March 2025. The campaign specifically targets Minecraft users, tricking them into downloading what appear to be legitimate game mods from GitHub. These seemingly harmless downloads, such as "Oringo-1.8.9.jar," are in fact Java loaders designed to bypass antivirus detection.

The Multi-Stage Attack Chain

The attack unfolds in several stages:

  1. Initial Infection: Users download a malicious JAR file, disguised as a Minecraft mod, from a GitHub repository built to look like a legitimate mod project.

  2. First-Stage Loader: This JAR file, equipped with anti-VM and anti-analysis techniques, downloads a second-stage Java stealer.

  3. Second-Stage Stealer: The loader retrieves a Base64-encoded IP address from a Pastebin paste, downloads this component from that address, and loads it when the game starts. The stealer in turn fetches and executes the final payload.

  4. Final Payload: A .NET information stealer is deployed, initiating comprehensive data theft.

Data Compromised

The malware is designed to exfiltrate a wide array of sensitive information:

  • Second-Stage Stealer Capabilities:
      • Discord tokens
      • Minecraft tokens
      • Telegram-related data

  • .NET Stealer Capabilities:
      • Credentials from various web browsers
      • Files and information from cryptocurrency wallets
      • Data from applications such as Steam and FileZilla
      • Screenshots
      • Information on running processes
      • The system's external IP address
      • Clipboard contents

All captured data is then transmitted to the attackers via a Discord webhook.
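The stage-two lookup (a Base64-encoded address kept on Pastebin) and the Discord-webhook exfiltration described above both tend to leave string constants behind in the loader's class files, because javac stores string literals in each class file's constant pool. The script below is an added triage example written for this page; it is not Check Point's tooling or code from the campaign. It unpacks a JAR, parses the constant pool of every .class entry, and flags Base64 blobs that decode to a Pastebin URL or an IPv4 address as well as Discord webhook URLs. The JAR it scans is constructed in memory: the paste ID, the 203.0.113.7 address (a documentation range) and the webhook token are all made up.

```python
"""Static triage of a suspicious Minecraft-mod JAR (added example, not the
campaign's code). Flags Base64-hidden Pastebin URLs / IPv4 addresses and
Discord webhook URLs found in class-file constant pools."""
import base64
import io
import re
import struct
import zipfile

# Payload size of each fixed-length constant-pool tag (JVM spec, table 4.4-A).
# CONSTANT_Utf8 (tag 1) is variable length and handled in the loop.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PASTEBIN = re.compile(r"^https?://(?:www\.)?pastebin\.com/(?:raw/)?\w+$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
WEBHOOK = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 entry in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []
    out = []
    try:
        (count,) = struct.unpack_from(">H", class_bytes, 8)
        pos, idx = 10, 1
        while idx < count:
            tag = class_bytes[pos]
            pos += 1
            if tag == 1:
                (length,) = struct.unpack_from(">H", class_bytes, pos)
                out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
                pos += 2 + length
            else:
                pos += FIXED_SIZE[tag]
            idx += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    except (IndexError, KeyError, struct.error):
        pass                                   # truncated or malformed pool: keep what we have
    return out


def decode_b64(token):
    """Decode a Base64 token to ASCII text, or None if it is not really Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def indicators(strings):
    """Pair each suspicious string with the reason it was flagged."""
    hits = []
    for s in strings:
        for m in WEBHOOK.finditer(s):
            hits.append((m.group(0), "discord webhook"))
        for token in B64_TOKEN.findall(s):
            decoded = decode_b64(token)
            if decoded is None:
                continue
            if PASTEBIN.match(decoded):
                hits.append((decoded, "base64-hidden pastebin url"))
            elif IPV4.match(decoded):
                hits.append((decoded, "base64-hidden ip address"))
    return hits


def triage_jar(jar_bytes):
    """Map each .class entry that carries an indicator to its list of hits."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = indicators(utf8_constants(jar.read(name)))
                if hits:
                    results[name] = hits
    return results


def fake_class(strings):
    """Class-file header plus a constant pool of Utf8 entries only
    (enough for utf8_constants; not a loadable class)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(strings) + 1) + pool


def build_sample_jar():
    """Constructed JAR: a loader-like class, a stealer-like class and a clean class."""
    def b64(text):
        return base64.b64encode(text.encode()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("mod/Loader.class", fake_class([
            "net/minecraft/client/Minecraft",
            b64("https://pastebin.com/raw/EXAMPLE0"),   # made-up paste ID
            b64("203.0.113.7:8080"),                    # TEST-NET-3 documentation address
        ]))
        jar.writestr("mod/Stealer.class", fake_class([
            "https://discord.com/api/webhooks/000000000000000000/constructed-token",
        ]))
        jar.writestr("mod/Clean.class", fake_class([
            "Hello, Minecraft!", b64("just a normal message xyz"),
        ]))
    return buf.getvalue()
```

Calling `triage_jar(build_sample_jar())` returns hits for `mod/Loader.class` (the hidden Pastebin URL and IP address) and `mod/Stealer.class` (the webhook), and nothing for `mod/Clean.class`. Treat an empty result as inconclusive rather than clean: the loaders in this campaign carry anti-analysis logic, and a loader that assembles or encrypts its strings at runtime leaves no literal in the constant pool, so a first pass like this should be paired with observing what the game process connects to at launch.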

Stargazers Ghost Network: A Malicious Infrastructure

A key element of this campaign is the Stargazers Ghost Network, an illicit service that uses thousands of GitHub accounts to create and promote deceptive repositories. These repositories masquerade as cracked software and game cheats and serve as the primary distribution channel for the malware. Researchers identified approximately 500 such repositories, including forks and copies, carrying roughly 700 stars contributed by only about 70 accounts, a ratio that points to coordinated star inflation meant to lend the repositories credibility rather than to organic interest.
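That star-to-account ratio is itself a usable signal. The heuristic below is an added example, not Check Point's method: given the stargazer lists of a set of candidate repositories, it identifies accounts that star many of them and flags repositories whose stars come mostly from that pool. The stargazer lists are constructed inline, the account and repository names are placeholders, and the two thresholds are assumptions to tune against real data.

```python
"""Spotting a star-farming cluster across a set of GitHub repositories
(added heuristic, not Check Point's method). Stargazer lists are constructed;
in practice they come from GET /repos/{owner}/{repo}/stargazers."""
from collections import Counter


def shared_star_clusters(stargazers, min_repos=3, min_share=0.5):
    """stargazers maps "owner/repo" -> set of stargazer logins.

    Returns (ghost_accounts, flagged_repos):
      ghost_accounts: logins that star at least min_repos of the candidates
                      (threshold is an assumption)
      flagged_repos:  repo -> fraction of its stars coming from ghost accounts,
                      for repos where that fraction is at least min_share
    """
    per_account = Counter(login for logins in stargazers.values() for login in logins)
    ghosts = {login for login, n in per_account.items() if n >= min_repos}
    flagged = {}
    for repo, logins in stargazers.items():
        if not logins:
            continue
        share = len(logins & ghosts) / len(logins)
        if share >= min_share:
            flagged[repo] = round(share, 2)
    return ghosts, flagged


def build_sample_stargazers():
    """Constructed data: five look-alike mod repos starred by the same five
    accounts plus one organic user each, and one genuine repo with twenty
    organic stars and a single ghost account among them."""
    ghost_pool = {f"acct-g{i}" for i in range(1, 6)}
    data = {f"org-x/mod-{i}": ghost_pool | {f"acct-o{i}"} for i in range(1, 6)}
    data["org-y/real-mod"] = {f"acct-u{i}" for i in range(1, 21)} | {"acct-g1"}
    return data
```

On the sample, `shared_star_clusters(build_sample_stargazers())` returns the five `acct-g*` logins as the ghost pool and flags the five `org-x/mod-*` repositories (five of six stars each from the pool) while leaving `org-y/real-mod` alone, since only one of its twenty-one stars is suspect. The candidate set matters: the heuristic needs the sibling repositories to be in the input, so it is best applied to a search result such as every repository advertising a given mod name.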

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Key Takeaways

  • Over 1,500 Minecraft players have been infected by Java malware disguised as game mods.

  • The attack leverages a sophisticated multi-stage process, culminating in a powerful .NET information stealer.

  • The Stargazers Ghost Network, a distribution-as-a-service offering, is central to the malware's spread via GitHub.

  • Compromised data includes credentials, cryptocurrency wallet information, and sensitive application data.

  • The campaign is suspected to be linked to a Russian-speaking threat actor.

  • This incident underscores the critical importance of caution when downloading third-party content, especially within popular gaming communities.

Sources

  • 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub, The Hacker News.
