Minecraft is a beloved game that continues to capture the hearts of millions worldwide. With over 200 million active players each month, it has become one of the most-used and best-selling games in history. For many, a big part of the Minecraft experience comes from mods—user-created modifications that enhance gameplay, fix bugs, improve graphics, and add exciting new content.
But recent research from Check Point Research has uncovered a sophisticated cyberattack targeting Minecraft users through malware masquerading as mods. The attack, carried out by a network called the Stargazers Ghost Network, uses fake mods to steal personal information, including sensitive credentials.
Since March 2025, Check Point Research has been tracking the malware campaign operating on GitHub. GitHub is known for hosting legitimate code repositories, which helps give the malicious files the appearance of a trustworthy source. Even though these files have been hosted on GitHub for months, they were not detected by most security tools, including VirusTotal, which means many players unknowingly downloaded the malicious mods.
By using a method known as Distribution as a Service (DaaS), the attackers have been able to distribute the malware to Minecraft players without raising immediate suspicion.
The attackers have been distributing fake mods through the Stargazers Ghost Network, disguised as tools for Minecraft players. These “mods” are often presented as cheats or automation tools, such as Oringo and Taunahi, but actually contain hidden malware designed to infiltrate players’ systems.
The malware follows a multi-stage infection process. The first stage involves a Java-based downloader, which is installed when players add the fake mod to their Minecraft setup. Once active, the downloader fetches second-stage malware, which is capable of stealing data from the player’s system. The final stage involves a more advanced .NET-based stealer that collects and exfiltrates sensitive information. The hidden steps run in this order:
- First Stage: The malicious JAR file acts as a downloader. When players attempt to install the mod, it checks whether the system is running in a virtual machine (often used for testing or analysis). If it detects a virtual environment, the malware halts its execution, ensuring it remains undetected during security scans.
- Second Stage: After bypassing the security checks, the downloader fetches a second piece of malware that starts collecting data. This includes valuable information such as Minecraft tokens, Discord login details, and credentials for popular applications like Telegram and Steam.
- Third Stage: The final stage involves a more advanced .NET stealer that grabs sensitive data like cryptocurrency wallet information, browser passwords, and even screenshots of the infected system. The stolen data is then uploaded to an external server controlled by the attackers.
How Can Minecraft Players Stay Safe?
For Minecraft and online gamers, this discovery serves as a reminder of the importance of caution when downloading third-party mods or software. Some tips to stay safe include:
- Use Antivirus Software: Use system security software and/or trusted antivirus software, and keep it up to date so that potential threats are detected and blocked.
- Download Mods from Trusted Sources: Always ensure that mods are downloaded from reputable websites or official channels. Also be wary of any suspicious links to mods or tools that seem too good to be true, especially if they come from unverified or unofficial sources.
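As an added example (not code from Check Point Research or from this article), the Python sketch below does a static pre-install triage of a mod JAR for the trait of the first stage described above: a Java class that both reaches the network and loads or runs further code. The list of Java names is an assumed heuristic, not indicators from the research, and the sample JAR is constructed in memory.

```python
import io
import zipfile

# Assumed heuristic (not indicators from the research): standard Java names a
# downloader stage needs in order to reach the network and run fetched code.
NETWORK = ("java/net/URL", "java/net/HttpURLConnection", "java/net/Socket")
LOADERS = ("java/net/URLClassLoader", "java/lang/ProcessBuilder",
           "java/lang/Runtime", "defineClass")


def utf8_entry(name):
    """Encode a name as a class-file CONSTANT_Utf8 entry: tag 1, u2 length, bytes."""
    raw = name.encode()
    return b"\x01" + len(raw).to_bytes(2, "big") + raw


def triage_jar(jar_bytes):
    """Map each .class that references both groups to the names it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            data = jar.read(entry)
            # Length-prefixed match: "java/net/URL" does not hit URLClassLoader.
            net = [n for n in NETWORK if utf8_entry(n) in data]
            load = [n for n in LOADERS if utf8_entry(n) in data]
            if net and load:  # network access alone is common in real mods
                findings[entry] = net + load
    return findings


def build_sample_jar():
    """Constructed sample: fake class bodies holding only constant-pool entries."""
    def fake_class(*names):
        return b"\xca\xfe\xba\xbe" + b"".join(utf8_entry(n) for n in names)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("mod/Updater.class", fake_class("java/net/URL", "java/net/URLClassLoader"))
        jar.writestr("mod/Render.class", fake_class("java/net/URL", "java/lang/Math"))
        jar.writestr("assets/readme.txt", "java/net/URLClassLoader")
    return buf.getvalue()


if __name__ == "__main__":
    for cls, names in triage_jar(build_sample_jar()).items():
        print(cls, "->", ", ".join(names))
```

A hit is a reason to look closer, not a verdict, and an empty result does not clear a mod, because obfuscated code will not contain these names in plain form.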
This latest research by Check Point Research underscores a growing trend in cyberattacks targeting gaming communities as vectors for malware distribution. As cyber threats continue to evolve, gamers, especially in a community as large and active as Minecraft's, must remain vigilant and cautious about the content they download.
It also highlights how even popular and trusted host platforms like GitHub can be exploited by cybercriminals, turning them into conduits for malware.
Both gamers and developers should always prioritize security and ensure that any third-party content and services used are thoroughly scanned and vetted. Stay safe, stay informed, and always be cautious of what you choose to install.