Source: securityaffairs.com – Author: Pierluigi Paganini
Java-based malware targets Minecraft users via fake cheat tools, utilizing the Stargazers Ghost Network distribution-as-a-service (DaaS).
Check Point researchers found multi-stage malware on GitHub that targets Minecraft users via the Stargazers DaaS, using Java and .NET stealers disguised as cheat tools.
Minecraft, one of the world’s most popular games with over 200 million monthly players and 300 million copies sold, has a vibrant modding community. Over a million players actively use and create mods to enhance gameplay. However, this openness has also made it a target for cyber threats.
In a recent campaign spotted by Check Point, the attackers specifically targeted Minecraft users by disguising the malware as cheat tools like Oringo and Taunahi. Threat actors employ a multi-stage infection chain, with the first two stages written in Java and requiring the Minecraft runtime to execute, making the threat highly targeted at the game’s user base.
“Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader,” reads the report published by Check Point. “Those repositories supposedly provided mods for Minecraft and appeared legitimate as multiple accounts starred those repositories.”

The malware posed as Minecraft cheat tools Oringo and Taunahi, with its first two Java-based stages only running if the Minecraft runtime is installed.
The attack starts when a victim manually installs a malicious JAR file disguised as a Minecraft mod. Upon launching the game, the fake mod downloads a second-stage stealer, which then fetches an additional .NET-based stealer. The malware is linked to a Russian-speaking threat actor, as indicated by various elements written in Russian within the code.
A malicious mod disguised as a Forge plugin initiates a multi-stage malware attack. The first Java-based loader checks for virtual machines and analysis tools to avoid being analyzed, then downloads a second-stage Java stealer, which extracts Minecraft and Discord data. It also downloads a third-stage .NET stealer that collects browser credentials, crypto wallets, VPN data, and more, sending everything to a Discord webhook.
“Disguised as Minecraft mods, these malicious Java archives often evade sandbox analysis due to missing dependencies. The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data,” concludes the report, which also provides Indicators of Compromise.
“The threat actor behind these campaigns is likely of Russian origin. This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content.”
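Because these JARs reportedly evade sandbox analysis when the Minecraft dependencies are missing, a static look at a downloaded mod is a useful first check before it goes into the mods folder. The following Python triage is an added example, not code from Check Point or from this article: it reads the constant pool of every class in a JAR and flags strings that match heuristic indicators (a Discord webhook endpoint, URL literals, `URLClassLoader`). The indicator list is an assumption chosen for illustration, not the report's IoCs, and encoded or obfuscated strings will not match.

```python
import io
import re
import struct
import zipfile

# Heuristic indicators (assumptions for this example, not IoCs from the report).
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
    "url_literal": re.compile(r"https?://"),
    "remote_class_loading": re.compile(r"java/net/URLClassLoader"),
}
# Payload size in bytes (after the tag byte) of each fixed-size constant-pool entry.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_strings(data):
    """Return the CONSTANT_Utf8 strings from a .class file's constant pool."""
    out = []
    if data[:4] != b"\xca\xfe\xba\xbe":  # not a Java class file
        return out
    try:
        (count,) = struct.unpack_from(">H", data, 8)
        pos, index = 10, 1
        while index < count:
            tag = data[pos]
            if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
                (length,) = struct.unpack_from(">H", data, pos + 1)
                out.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
                pos += 3 + length
            else:
                pos += 1 + CP_SIZES[tag]
            index += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    except (KeyError, IndexError, struct.error):
        pass  # truncated or malformed pool: keep what was recovered
    return out


def scan_jar(jar_bytes):
    """Map each indicator name to the class files in the JAR that match it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            if name.endswith(".class"):
                strings = class_strings(jar.read(name))
                for label, pattern in INDICATORS.items():
                    if any(pattern.search(s) for s in strings):
                        hits.setdefault(label, []).append(name)
    return hits
```

Call `scan_jar` with the bytes of a downloaded mod file. A hit is a reason to inspect the class, not a verdict, since legitimate mods also make network requests.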
Original Post URL: https://securityaffairs.com/179127/malware/malicious-minecraft-mods-distributed-by-the-stargazers-daas-target-minecraft-gamers.html