Gamers Targeted! Fake Minecraft Mods Enable Attackers to Take Control of Your System

Minecraft, the wildly popular sandbox game with over 200 million monthly active players, has become the latest hunting ground for cybercriminals.

Check Point Research recently uncovered a sinister campaign targeting Minecraft users through the Stargazers Ghost Network, a Distribution as a Service (DaaS) platform operating on GitHub.

This network distributes malware disguised as legitimate Minecraft mods user-created modifications that enhance gameplay or add new features.

Malware Disguised as Popular Mods

Masquerading as popular tools like Oringo and Taunahi, often used as cheats or automation scripts, these malicious files initiate a multi-stage attack chain designed to steal sensitive data and compromise systems.

The campaign, active since March 2025, exploits the trust of gamers seeking to enrich their gaming experience, turning harmless downloads into a gateway for cyber threats.

The malware, primarily written in Java, capitalizes on the fact that Minecraft mods require the game’s runtime environment to execute, often evading detection by traditional security solutions.

The infection begins with a malicious JAR file, which users manually download and install as a mod.

Once activated within the Minecraft client, this first-stage downloader checks the environment for virtual machines or analysis tools using anti-VM and anti-analysis techniques.

If clear, it retrieves a second-stage Java stealer from a Pastebin link, which then downloads a third-stage .NET stealer with advanced capabilities.

This final payload extracts a wide range of sensitive information, including Minecraft tokens, Discord credentials, browser data, cryptocurrency wallets, VPN details, and even system screenshots.

Sophisticated Multi-Stage Attack Chain

The stolen data is exfiltrated via Discord webhooks, often accompanied by Russian-language comments, hinting at the likely origin of the threat actor operating in the UTC+3 timezone.

What makes this campaign particularly dangerous is its stealth. The malicious JAR files, hosted on seemingly legitimate GitHub repositories with artificial credibility from multiple starred accounts, remain undetected by most antivirus engines on platforms like VirusTotal.

Sandbox environments fail to flag the threat due to missing Minecraft dependencies, allowing the malware to operate under the radar.

Specific filenames such as “Oringo-1.8.9.jar” and “Taunahi-V3.jar” impersonate trusted mods, luring unsuspecting players into the trap.

Check Point Research also noted Pastebin statistics suggesting over 1,500 potential victims, highlighting the scale of this attack.

The sophistication of the malware evident in its modular design and targeted approach underscores the growing risk within gaming communities, where enthusiasm for mods can overshadow caution.

This incident serves as a stark reminder of the dangers lurking in third-party downloads, even within trusted ecosystems like GitHub.

Gamers must exercise vigilance, verifying the authenticity of mods and avoiding unofficial sources.

Check Point’s Threat Emulation and Harmony Endpoint solutions offer protection against such threats, covering diverse attack vectors and file types.

Indicators of Compromise (IOCs)

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates