H16 News

By Swaleha | Published on June 20, 2025

Technology / June 20, 2025

Minecraft players targeted by malware hidden in fake mods

A new malware campaign is targeting Minecraft players through fake mods shared on GitHub. The multi-stage attack steals passwords, crypto wallets, and app data, affecting over 1,500 devices.

New Delhi: The attackers use a deceptive technique that requires Minecraft to be installed on the victim's machine. Once downloaded, the fake mod triggers a chain of malware that steals sensitive data such as passwords, crypto wallets, and app credentials. The network distributing the campaign is called Stargazers Ghost Network and has been active since March 2025. Language and time zone activity clues lead experts to think that a Russian-speaking threat actor is behind the operation.

Millions of Minecraft players are at risk from a new cyberattack. Check Point Research (CPR) found that hackers are distributing malware disguised as popular Minecraft mods on GitHub. These mods, which appear to provide in-game benefits, are just one component of a three-step malware attack on active players, particularly those who use cheat tools. Having sold more than 300 million copies, and with a huge number of its players under the age of 21, Minecraft is now one of the best hunting grounds for cyber criminals.

Multi-stage malware chain

The malware starts with a Java downloader. It is followed by a second-stage stealer that extracts important information from the user's device. The last step is an advanced spyware application that targets browsers, applications such as Discord and Steam, and crypto wallets. The stolen data is relayed through Discord, which helps the malware blend into normal traffic. So far, more than 1,500 devices are estimated to have been compromised.

Fake mods used to lure victims

CPR discovered that this malware was distributed via GitHub repositories that pretended to be mods such as Oringo and Taunahi, which are popular cheat tools in the Minecraft community. These files pose as genuine mods, which makes them difficult for security tools or unwary users to identify. Once installed, the mod checks whether it is running in a sandbox or virtual environment in order to evade analysis. If it is not, the malware proceeds to the next step.

Protecting from mod-based threats

This attack shows that even well-known platforms such as GitHub may contain malicious files. Players are advised to avoid downloading third-party content, particularly applications that claim to provide cheats or automation. Gaming communities are also targets for cybercrime because of their size, activity, and youthfulness.

Russian connection suspected

The origin of the threat actor is unclear, but there is evidence suggesting a Russian-speaking actor. The malware files contain some comments in Russian, and the activity corresponds to UTC+3, a widespread time zone in Russia. The attackers used a distribution-as-a-service (DaaS) model to scale the attack, creating several GitHub accounts to distribute the infected mods.
