Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data research.checkpoint.com/2025/mine…

Check Point Research discovered a multistage campaign targeting Minecraft users via the Stargazers Ghost Network, a distribution-as-a-service (DaaS) operation that runs on GitHub. The malware impersonates, among others, Oringo and Taunahi, which are “Scripts & Macro” tools (a.k.a. cheats).

The first-stage downloader and the second-stage stealer are implemented in Java and require Minecraft to be installed on the host. The third and last stage is a .NET stealer with extended capabilities.

Minecraft malware is written in Java, which security solutions often overlook. The malware was developed by a Russian-speaking threat actor and contains several artifacts written in Russian.
