Full Report
A new multi-stage malware campaign is targeting Minecraft users with a Java-based malware that employs a distribution-as-service (DaaS) offering called Stargazers Ghost Network. "The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically," Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News. "The malware was
Analysis Summary
# Incident Report: Minecraft Mod Malware Campaign (Stargazers Ghost Network)
## Executive Summary
A multi-stage malware campaign utilizing a distribution service named "Stargazers Ghost Network" targeted Minecraft users by disguising malicious Java-based loaders as popular game "cheats" or mods. The infection chain ultimately deployed a .NET information stealer capable of comprehensive credential theft from browsers, cryptocurrency wallets, and gaming platforms. The compromise, first detected in March 2025, is estimated to have affected over 1,500 devices, highlighting the risks associated with downloading third-party gaming modifications.
## Incident Details
- **Discovery Date:** March 2025
- **Incident Date:** Campaign active prior to March 2025 detection
- **Affected Organization:** Individual Minecraft users globally
- **Sector:** Gaming/Entertainment
- **Geography:** Global (implied; victim locations are not specified in the source)
## Timeline of Events
### Initial Access
- **Date/Time:** Not given precisely; activity continued after the March 2025 detection (the timeline implies an ongoing campaign)
- **Vector:** Infected Minecraft mod downloads hosted on GitHub repositories.
- **Details:** Attackers used the Stargazers Ghost Network, which operates thousands of GitHub accounts, to host repositories masquerading as popular mods/cheats (e.g., Oringo, Taunahi). Users were tricked into downloading a malicious `.jar` file (e.g., "Oringo-1.8.9.jar") into their Minecraft mods folder.
### Lateral Movement
- **Details:** No movement between hosts is described; executing the malicious mod started the multi-stage download chain on the infected device, including retrieval of the second-stage stealer payload from IP addresses resolved via Pastebin.
### Data Exfiltration/Impact
- **Details:** The final .NET stealer exfiltrated Discord/Minecraft tokens, Telegram data, browser credentials, files from cryptocurrency wallets, Steam information, FileZilla credentials, system information, and clipboard contents. Data was exfiltrated via a Discord webhook.
### Detection & Response
- **Detection:** First detected by Check Point researchers in March 2025.
- **Response:** Researchers published a report detailing the malware's operation and the use of the Stargazers Ghost Network. (Specific organizational containment/eradication actions by targeted users are not detailed in the source.)
## Attack Methodology
- **Initial Access:** Social engineering via malicious Minecraft mods/cheats distributed via GitHub repositories managed by the Stargazers Ghost Network.
- **Persistence:** The malicious mod runs each time the game starts, executing the second-stage payload that in turn fetches the final stealer.
- **Privilege Escalation:** Not described; execution depends only on the Minecraft Java runtime being present.
- **Defense Evasion:** The Java loader JARs implemented anti-VM and anti-analysis checks to evade antivirus detection.
- **Credential Access:** Final .NET stealer targets browser credentials, Steam, FileZilla, and crypto wallet data.
- **Discovery:** Stealer gathers running processes and system details (IP address).
- **Lateral Movement:** Not extensively detailed, focus was on local infection and data collection.
- **Collection:** Stealing Discord/Minecraft tokens, Telegram data, files matching specific extensions, browser data.
- **Exfiltration:** Data bundled and transmitted via Discord webhook.
- **Impact:** Comprehensive theft of user credentials, tokens, and sensitive application data.
## Impact Assessment
- **Financial:** Implied financial loss due to cryptocurrency wallet compromise and credential theft.
- **Data Breach:** Credentials (browser, gaming, messaging), system information, files, and tokens. Estimated over 1,500 devices compromised.
- **Operational:** Disruption to individual users' account security and systems upon successful infection.
- **Reputational:** Reputational damage to the affected gaming communities (Minecraft modding).
## Indicators of Compromise
- **Network indicators:** IP address decoded from a Base64-encoded Pastebin entry: `147[.]45[.]79[.]104` (defanged).
- **File indicators:** Malicious Java Archive (JAR) files masquerading as mods (e.g., "Oringo-1.8.9.jar").
- **Behavioral indicators:** Execution of Java-based loader upon Minecraft game launch, execution of a secondary JAR, download and execution of a final .NET stealer payload via external resolver.
## Response Actions
- *(Note: Actions described are those of the security researchers/public disclosure.)*
- **Containment measures:** (Not specified for affected entities)
- **Eradication steps:** (Not specified for affected entities)
- **Recovery actions:** (Not specified for affected entities)
- **Disclosure:** Check Point researchers publicly disclosed findings and details regarding the Stargazers Ghost Network operation.
## Lessons Learned
- Popular gaming communities and modding scenes are high-value vectors for sophisticated malware distribution.
- Threat actors are leveraging infrastructure like GitHub (Stargazers Ghost Network) and Pastebin as trusted conduits to distribute multi-stage payloads.
- Custom Java loaders can be effective at evading mainstream endpoint protection through anti-analysis techniques.
## Recommendations
- Users must exercise extreme caution when downloading and installing third-party content, especially mods or cheats for games like Minecraft, even when sourced from seemingly legitimate repositories like GitHub.
- Implement stronger endpoint detection capabilities capable of monitoring complex, multi-stage execution chains initiated by legitimate applications (like the Minecraft runtime).
- Review security logging around application data folders (like the Minecraft mods folder) for anomalous JAR execution.
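As an added detection example (not part of the Check Point report or this summary), the following Python walks constructed Sysmon-style process and network events and flags the chain listed under behavioral indicators and in the last recommendation: a child JAR or non-Java binary spawned from under the Minecraft client's JVM, a Pastebin lookup from that process tree, and a connection to the IP reported above. The log format, field names, and file paths are assumptions.

```python
import json
import re

# Patterns follow the behavioural indicators above; log layout and paths are assumed.
JVM_RE = re.compile(r"[\\/]javaw?\.exe$", re.I)
MC_MAIN_RE = re.compile(r"net\.minecraft", re.I)
USER_DIR_RE = re.compile(r"[\\/](AppData|Temp|Downloads)[\\/]", re.I)
PASTEBIN_RE = re.compile(r"(^|\.)pastebin\.com$", re.I)
KNOWN_C2 = {"147.45.79.104"}  # IP from the report, fanged so it can be matched

# Constructed Sysmon-style telemetry (JSON lines); pid 50 is a benign build job.
SAMPLE_LOG = r'''
{"event":"process","pid":20,"ppid":1,"image":"C:\\Java\\bin\\javaw.exe","cmdline":"javaw.exe -Xmx2G net.minecraft.client.main.Main"}
{"event":"network","pid":20,"dest_host":"pastebin.com","dest_ip":"203.0.113.9"}
{"event":"process","pid":30,"ppid":20,"image":"C:\\Java\\bin\\java.exe","cmdline":"java.exe -jar C:\\Users\\u\\AppData\\Local\\Temp\\stage2.jar"}
{"event":"process","pid":40,"ppid":30,"image":"C:\\Users\\u\\AppData\\Roaming\\svc.exe","cmdline":"svc.exe"}
{"event":"network","pid":40,"dest_host":"","dest_ip":"147.45.79.104"}
{"event":"process","pid":50,"ppid":1,"image":"C:\\Java\\bin\\java.exe","cmdline":"java.exe -jar C:\\tools\\build.jar"}
{"event":"network","pid":50,"dest_host":"repo.maven.org","dest_ip":"198.51.100.7"}
'''

def detect(log_text):
    """Return (game_jvm_pid, offending_pid, reason) tuples for the mod loader chain."""
    procs, net = {}, {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "process":
            procs[ev["pid"]] = ev
        else:
            net.setdefault(ev["pid"], []).append(ev)

    def game_jvm_ancestor(pid):  # walk parents up to the Minecraft client JVM
        while pid in procs:
            p = procs[pid]
            if JVM_RE.search(p["image"]) and MC_MAIN_RE.search(p["cmdline"]):
                return pid
            pid = p["ppid"]

    findings = []
    for p in procs.values():  # stage 2 / stage 3 spawned from inside the game
        root = game_jvm_ancestor(p["ppid"])
        if root is None:
            continue
        if "-jar" in p["cmdline"].lower():
            findings.append((root, p["pid"], "secondary JAR spawned by game JVM"))
        elif not JVM_RE.search(p["image"]) and USER_DIR_RE.search(p["image"]):
            findings.append((root, p["pid"], "non-Java binary run from user-writable path"))
    for pid, evs in net.items():  # resolver lookup and C2 contact from that tree
        root = game_jvm_ancestor(pid)
        for ev in evs if root is not None else []:
            if PASTEBIN_RE.search(ev["dest_host"]):
                findings.append((root, pid, "game JVM tree contacted pastebin.com"))
            if ev["dest_ip"] in KNOWN_C2:
                findings.append((root, pid, "connection to IP reported for the stealer"))
    return findings
```

The benign stand-alone `java.exe -jar` job (pid 50) is not flagged because it has no Minecraft client JVM in its ancestry, which is the distinction the last recommendation relies on.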