- New Malware campaign targets Minecraft players through fake mods distributed on GitHub.
- Attackers use the Stargazers Ghost Network to spread Java-based malware that delivers an information-stealing tool.
- The malware collects data such as game tokens, credentials, and files from browsers and other applications.
- Researchers from Check Point found the attacks began in March 2025 and involve more than 1,500 compromised devices.
- Separately, new versions of the KimJongRAT stealer linked to North Korean actors have also been observed using innovative delivery methods.
A new wave of cyberattacks is targeting Minecraft players by tricking them into downloading malicious game modifications distributed through GitHub. The campaign began in March 2025 and specifically targets users who seek out cracked software or cheats for the popular game, according to Check Point researchers.
The attackers use a service known as Stargazers Ghost Network, which leverages thousands of GitHub accounts to host fake repositories disguised as legitimate mods or Hacking tools. Victims download Java Archive (JAR) files, which only execute if the Minecraft runtime is present on the device. Once run, these files deploy a multi-stage attack that ends with the installation of a .NET-based information stealer capable of extracting sensitive user data.
"The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically," wrote Check Point researchers Jaromír Hořejší and Antonis Terefos in their report. The initial malware stages focus on evading antiviruses by using anti-virtual machine and anti-analysis code. After activation, the loader fetches a second-stage stealer from an IP address posted on Pastebin, which then downloads the .NET stealer.
The final payload gathers a broad range of information. This includes Discord and Minecraft tokens, data from Telegram, browser credentials, cryptocurrency wallets, Steam accounts, FileZilla transfers, and clipboard content. Collected data is then sent to the attacker via a Discord webhook. The signs point to a Russian-speaking group, based on language evidence and time zone data.
Researchers estimate the malware has infected over 1,500 devices. "This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution," the report states, urging caution when downloading third-party add-ons.
In a related development, Palo Alto Networks Unit 42 has identified two new variants of the KimJongRAT malware, likely tied to a North Korean group also implicated in the BabyShark campaign. One variant uses a Portable Executable (PE) file, while the other relies on PowerShell. Both are delivered by getting users to activate Windows shortcut files that download packers from attacker-controlled servers. These new KimJongRAT variants are capable of capturing files, browser data, and credentials.
Unit 42 explained that the KimJongRAT stealer’s evolution, such as using legitimate content delivery networks for payload drop, reflects ongoing threats and increasing technical sophistication. The PE variant also has features to steal file transfer and email client information.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- JD.com to Seek Stablecoin Licenses Globally for B2B Payments
- NMECON Launches AI 5.0 Crypto Exchange Platform in U.S. Market
- BlackRock’s BUIDL Fund Now Accepted as Collateral on Crypto.com
- Prenetics Invests $20M in Bitcoin, Aims for Top Healthcare Holder
- Startups Fast-Track FedRAMP Authorization With DevSecOps Approach