
Beware! Malicious Minecraft Mods Can Take Over Your Computer

A recent cybersecurity report by Check Point Research has exposed a cunning campaign targeting Minecraft enthusiasts worldwide.

This attack leverages the popularity of Minecraft mods (user-created customizations that enhance gameplay) to infiltrate players’ computers and steal sensitive data.

Since March 2025, a threat actor known as the Stargazers Ghost Network has operated a “distribution as a service” (DaaS) on GitHub, distributing seemingly innocent Minecraft mods that are, in fact, malicious droppers.

These files impersonate well-known cheat and automation tools like Oringo and Taunahi, which are sought after by competitive players for in-game advantages.

Multi-Stage Malware Hidden in Minecraft Mods

The infection process is deviously simple yet technically sophisticated:

1. Initial Infection:
The attack begins when a user downloads a malicious JAR file and places it in their Minecraft mods folder. These files, named to emulate popular mods (e.g., “FunnyMap-0.7.5.jar,” “Oringo-1.8.9.jar”), may be hosted on legitimate-looking GitHub repositories with multiple stars to feign credibility.

Infection chain.

2. Anti-Analysis and Evasion:
The first-stage loader is a Java-based Minecraft Forge mod. It does nothing when run as a standalone program and activates only when loaded by Minecraft itself. The loader implements advanced anti-analysis techniques:

  • Anti-Virtual Machine Checks: It checks the system for keywords related to virtual environments (such as “vmware,” “virtualbox,” “qemu”) and terminates if detected.
  • Process Analysis: It scans for processes associated with analysis tools (e.g., Wireshark, HTTP Debugger, TCPView) and virtualizers like VMware and VirtualBox.
  • Dynamic Loading: If the environment is deemed safe, the loader retrieves a second-stage payload from a Pastebin paste, decodes it, and fetches a Java stealer from a remote server.

3. Data Theft and Further Infection:
The second-stage stealer, also written in Java, begins harvesting data:

  • Game Tokens: Minecraft session and authentication tokens.
  • Game Client Files: Account information from Feather, Essential, and Lunar launchers.
  • Messaging Tokens: Discord and Telegram authentication data.
  • Exfiltration: The stolen data is POSTed to remote servers in JSON format, including usernames, UUIDs, tokens, IP addresses, and more.

4. .NET Stealer: The Final Blow
The third stage involves a .NET-based stealer, downloaded and executed by the previous stage. This component is highly versatile:

  • Steals: Browser credentials, cryptocurrency wallets, VPN data, Steam credentials, FileZilla, and more.
  • Collects: System information, running processes, clipboard contents, and takes screenshots.
  • Exfiltrates: All collected data is zipped and sent to a Discord webhook, accompanied by Russian-language comments and statistics about the stolen data.

Who is at Risk and How to Protect Yourself?

Minecraft’s massive user base (over 200 million monthly active players) makes it a prime target for cybercriminals.

The Stargazers Ghost Network’s attack is highly targeted, with the malware often evading detection by antivirus engines and sandboxes due to its reliance on Minecraft-specific dependencies.

Protection Tips:

  • Download Mods from Trusted Sources: Only use reputable sources for Minecraft mods.
  • Keep Software Updated: Ensure your Minecraft client and launcher are up to date.
  • Use Security Solutions: Deploy advanced endpoint protection and threat emulation tools, such as those provided by Check Point.
  • Check Indicators of Compromise (IoCs): Look for the specific JAR file SHAs and URLs listed in the report.
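The following is an added triage script, not code from the report or from Check Point; it turns the loader behaviour described in step 2 and the IoC advice above into a static check a defender can run over a mods folder. It hashes each JAR against a caller-supplied IoC list (load the report's SHA256 values into `known_bad_hashes`; the demo uses a constructed stand-in) and searches the archive's entries for the VM keywords, analysis-tool names and Pastebin reference the article attributes to the stage-1 loader. File names, class bytes and the `demo()` folder are all constructed samples; string-encrypted or obfuscated loaders will not be caught by the keyword search.

```python
import hashlib
import os
import tempfile
import zipfile

# Strings the article ties to the stage-1 loader: VM keywords, analysis tools, Pastebin fetch.
VM_KEYWORDS = (b"vmware", b"virtualbox", b"qemu")
TOOL_KEYWORDS = (b"wireshark", b"http debugger", b"tcpview")
STAGER_MARKER = b"pastebin.com"
def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
def scan_jar(path, known_bad_hashes=frozenset()):
    """Findings for one JAR; an empty list means nothing matched."""
    findings = []
    if sha256_file(path) in known_bad_hashes:
        findings.append("sha256 matches a published IoC")
    hits = set()
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                # Class-file constant pools keep string literals as plain UTF-8,
                # so a byte search finds unobfuscated keywords and URLs.
                data = jar.read(name).lower()
                hits.update(k for k in VM_KEYWORDS + TOOL_KEYWORDS + (STAGER_MARKER,) if k in data)
    except zipfile.BadZipFile:
        return findings + ["not a valid JAR/ZIP archive"]
    if STAGER_MARKER in hits:
        findings.append("references pastebin.com (possible second-stage fetch)")
    words = [k.decode() for k in VM_KEYWORDS + TOOL_KEYWORDS if k in hits]
    if len(words) >= 2:  # one word is noise; several together mirror the loader's checks
        findings.append("anti-analysis keywords: " + ", ".join(words))
    return findings
def triage_mods_folder(mods_dir, known_bad_hashes=frozenset()):
    """Map each .jar in the mods folder to its findings."""
    return {n: scan_jar(os.path.join(mods_dir, n), known_bad_hashes)
            for n in sorted(os.listdir(mods_dir)) if n.lower().endswith(".jar")}
def demo():
    """Constructed mods folder: one harmless mod and one that mimics the loader."""
    d = tempfile.mkdtemp()
    samples = {"SomeMap-1.0.jar": b"\xca\xfe\xba\xbe render map",
               "Oringo-1.8.9.jar": b"\xca\xfe\xba\xbe VMware VirtualBox qemu Wireshark "
                                   b"https://pastebin.com/raw/PLACEHOLDER"}
    for jar_name, class_bytes in samples.items():
        with zipfile.ZipFile(os.path.join(d, jar_name), "w") as jar:
            jar.writestr("a/Main.class", class_bytes)
    bad = frozenset([sha256_file(os.path.join(d, "Oringo-1.8.9.jar"))])  # stand-in IoC list
    return triage_mods_folder(d, bad)
```

Point `triage_mods_folder` at the real `.minecraft/mods` directory and pass the report's hashes as `known_bad_hashes`; any JAR with findings deserves a closer look before the game is launched again.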

This campaign highlights the growing trend of exploiting gaming communities for cybercrime.

The combination of social engineering, technical evasion, and multi-stage payloads makes these attacks particularly dangerous.

Minecraft players are urged to exercise extreme caution when downloading and installing mods to protect their personal data and devices from theft and compromise.

Indicators of Compromise

Priya
