Malware Campaign Targets Minecraft Users With Fake Mod Downloads

  • New Malware campaign targets Minecraft players through fake mods distributed on GitHub.
  • Attackers use the Stargazers Ghost Network to spread Java-based malware that delivers an information-stealing tool.
  • The malware collects data such as game tokens, credentials, and files from browsers and other applications.
  • Researchers from Check Point found the attacks began in March 2025 and involve more than 1,500 compromised devices.
  • Separately, new versions of the KimJongRAT stealer linked to North Korean actors have also been observed using innovative delivery methods.

A new wave of cyberattacks is targeting Minecraft players by tricking them into downloading malicious game modifications distributed through GitHub. The campaign began in March 2025 and specifically targets users who seek out cracked software or cheats for the popular game, according to Check Point researchers.

- Advertisement -

The attackers use a service known as Stargazers Ghost Network, which leverages thousands of GitHub accounts to host fake repositories disguised as legitimate mods or Hacking tools. Victims download Java Archive (JAR) files, which only execute if the Minecraft runtime is present on the device. Once run, these files deploy a multi-stage attack that ends with the installation of a .NET-based information stealer capable of extracting sensitive user data.

"The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically," wrote Check Point researchers Jaromír Hořejší and Antonis Terefos in their report. The initial malware stages focus on evading antiviruses by using anti-virtual machine and anti-analysis code. After activation, the loader fetches a second-stage stealer from an IP address posted on Pastebin, which then downloads the .NET stealer.

The final payload gathers a broad range of information. This includes Discord and Minecraft tokens, data from Telegram, browser credentials, cryptocurrency wallets, Steam accounts, FileZilla transfers, and clipboard content. Collected data is then sent to the attacker via a Discord webhook. The signs point to a Russian-speaking group, based on language evidence and time zone data.

Researchers estimate the malware has infected over 1,500 devices. "This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution," the report states, urging caution when downloading third-party add-ons.

In a related development, Palo Alto Networks Unit 42 has identified two new variants of the KimJongRAT malware, likely tied to a North Korean group also implicated in the BabyShark campaign. One variant uses a Portable Executable (PE) file, while the other relies on PowerShell. Both are delivered by getting users to activate Windows shortcut files that download packers from attacker-controlled servers. These new KimJongRAT variants are capable of capturing files, browser data, and credentials.

Unit 42 explained that the KimJongRAT stealer’s evolution, such as using legitimate content delivery networks for payload drop, reflects ongoing threats and increasing technical sophistication. The PE variant also has features to steal file transfer and email client information.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Two Men Indicted in $650M OmegaPro International Fraud Scheme

More than $650 million was allegedly taken from investors between 2019 and 2023. ...

AI-Spawned ‘MechaHitler’ Meme Coin Surges, Sparks Backlash

Multiple tokens named "MechaHitler" launched quickly, trading on both Solana and Ethereum networks. ...

Monero Featured in Mises Wire; Price Up 104% Year-on-Year

Monero saw new public discussions in articles and podcasts highlighting its privacy features. The network's...

Dow Slips as Trump Holds Firm on Tariff Deadline, Banks Weigh

No extension will be given beyond August 1 for major trading partners to...

Congress Debates Stablecoin Regulation Amid Trump’s Crypto Push

Lawmakers are working to create clear federal rules for stablecoins, with a major deadline...

Must Read

What Is a Sim Swap Hack?

You've likely heard the term 'sim-swap,' but do you really know what it means? It's a type of fraud that's rapidly increasing, where scammers...