<div id="post_message_798102">
A large-scale malware campaign specifically targets Minecraft players with malicious mods and cheats that infect Windows devices with infostealers that harvest credentials, authentication tokens, and cryptocurrency wallets.<br/> <br/> The campaign, <a href="https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/" target="_blank">discovered by Check Point Research</a>, is conducted by the Stargazers Ghost Network and leverages Minecraft's massive modding ecosystem and legitimate services like GitHub to reach a large audience of potential targets.<br/> <br/> Check Point has seen thousands of views, or hits, on Pastebin links used by the threat actors to deliver payloads to targets' devices, indicating the broad reach of this campaign.<br/> <br/> <b><font size="4">Stealthy Minecraft malware</font></b><br/> <br/> The Stargazers Ghost Network is a distribution-as-a-service (DaaS) operation active on GitHub since last year, first documented by Check Point in a campaign involving <a href="https://www.bleepingcomputer.com/news/security/over-3-000-github-accounts-used-by-malware-distribution-service/" target="_blank">3,000 accounts</a> spreading infostealers.<br/> <br/> The same operation, which is boosted by <a href="https://www.bleepingcomputer.com/news/security/over-31-million-fake-stars-on-github-projects-used-to-boost-rankings/" target="_blank">fake GitHub stars</a>, was observed <a href="https://www.bleepingcomputer.com/news/security/new-godloader-malware-infects-thousands-of-gamers-using-godot-scripts/" target="_blank">infecting over 17,000 systems</a> in late 2024 with a novel Godot-based malware.<br/> <br/> The latest campaign described by Check Point researchers Jaromír Hořejší and Antonis Terefos targets Minecraft with Java malware that evades detection by all anti-virus engines.<br/> <br/> The researchers found multiple GitHub repositories run by Stargazers, disguised as Minecraft mods and cheats like Skyblock Extras, Polar Client, FunnyMap, 
Oringo, and Taunahi.<br/> <br/> "We have identified approximately 500 GitHub repositories, including those that are forked or copied, which were part of this operation aimed at Minecraft players," Antonis Terefos told BleepingComputer.<br/> <br/> "We've also seen 700 stars produced by approximately 70 accounts."<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/security/m/minecraft/stargazers-fake-mods-malware/fake-minecraft-mods.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Four repositories participating in this operation. Source: Check Point </td> </tr> </table> </div>Once executed within Minecraft, the first-stage JAR loader downloads the next stage from Pastebin using a base64 encoded URL, fetching a Java-based stealer.<br/> <br/> This stealer targets Minecraft account tokens and user data from the Minecraft launcher and popular third-party launchers like Feather, Lunar, and Essential. 
<br/> <br/> It also attempts to steal Discord and Telegram account tokens, sending the stolen data via HTTP POST requests to the attacker's server.<br/> <br/> The Java stealer also serves as a loader for the next stage, a .NET-based stealer called '44 CALIBER,' which is a more "traditional" info stealer, attempting to snatch information stored in web browsers, VPN account data, cryptocurrency wallets, Steam, Discord, and other apps.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/chain.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Overview of the infection chain. Source: Check Point </td> </tr> </table> </div>44 CALIBER also collects system information and clipboard data and can grab screenshots of the victim's computer.<br/> <br/> "After deobfuscation we can observe that it steals various credentials from browsers (Chromium, Edge, Firefox), files (Desktop, Documents, %USERPROFILE%/Source), Cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPNs (ProtonVPN, OpenVPN, NordVPN), Steam, Discord, FileZilla, Telegram," the researchers warn.<br/> <br/> The stolen data is exfiltrated via Discord webhooks, accompanied by Russian comments. 
This clue, combined with UTC+3 commit timestamps, suggests that the operators of this campaign are Russian.<br/> <br/> Check Point has shared the full indicators of compromise (IoCs) at the bottom of its report to help detect and block the threat.<br/> <br/> To stay safe against this and similar campaigns, Minecraft players should only download mods from reputable platforms and verified community portals and stick to trusted publishers.<br/> <br/> If prompted to download from GitHub, check the number of stars, forks, and contributors, scrutinize commits for signs of fake activity, and check recent actions on the repository.<br/> <br/> Ultimately, it is prudent to use a separate "burner" Minecraft account when testing mods and avoid logging into your main account.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/stargazers-use-fake-minecraft-mods-to-steal-player-passwords/" target="_blank">@ BleepingComputer </a> </div> |
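The infection chain above hinges on two strings a legitimate mod has no reason to carry: a base64-encoded Pastebin URL in the first-stage JAR and Discord webhook URLs used for exfiltration. The following Python scanner is an added example, not code from the article or from Check Point. It opens a mod JAR, searches every entry for URLs in clear text and for base64 runs that decode to a URL, and flags references to Pastebin or Discord webhook hosts. The JAR it scans is constructed inline to stand in for a malicious mod; the entry names, the placeholder URL and the host list are assumptions.

```python
import base64
import binascii
import io
import re
import zipfile

# Hosts a Minecraft mod should not be contacting at load time. Pastebin and
# Discord webhooks are the two named in the write-up; this list is an
# assumption and a starting point, not a complete one.
SUSPICIOUS_HOSTS = (
    "pastebin.com",
    "discord.com/api/webhooks",
    "discordapp.com/api/webhooks",
)

# Clear-text URL and base64-looking runs (16+ alphabet chars, optional padding).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def suspicious_urls(blob: bytes):
    """Return [(kind, url)] for every URL in blob that points at a suspicious host.

    kind is "plain" for clear-text URLs and "base64" for URLs recovered by
    decoding a base64 run, which is how the Stargazers loader hid its address.
    """
    hits = []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        if any(h in url for h in SUSPICIOUS_HOSTS):
            hits.append(("plain", url))
    for m in B64_RE.finditer(blob):
        token = m.group(0)
        # Re-pad to a multiple of 4 in case the author stripped the '='.
        token += b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # class names like java/lang/String look base64-ish but are not
        for u in URL_RE.finditer(decoded):
            url = u.group(0).decode("ascii", "replace")
            if any(h in url for h in SUSPICIOUS_HOSTS):
                hits.append(("base64", url))
    return hits


def scan_jar(jar_bytes: bytes):
    """Scan every file entry of a JAR; return {entry_name: hits} for entries with hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = suspicious_urls(zf.read(info.filename))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_jar() -> bytes:
    """Constructed stand-in for a malicious mod JAR (not real malware).

    The fake class entry mimics a constant pool that stores the download
    address as a base64 string; the URL path is a placeholder.
    """
    encoded = base64.b64encode(b"https://pastebin.com/raw/EXAMPLE_PLACEHOLDER")
    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x34"  # class-file magic and version bytes
        + b"\x01\x00" + encoded + b"\x00"     # string constant holding the encoded URL
        + b"java/lang/String\x00"            # an ordinary constant for contrast
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Loader.class", fake_class)
        zf.writestr("mcmod.info", '[{"modid":"examplemod"}]')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        for kind, url in hits:
            print(f"{entry}: {kind} reference to {url}")
```

To use it on a real download, pass the file's bytes to scan_jar and review any hit by hand before launching the game. The check is a string heuristic: it catches the base64 trick the article describes but not strings that are split, XOR-encoded, or built at runtime, so a clean result is not proof that a mod is safe, and the Check Point IoCs remain the authoritative list.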