
A new report from Check Point Research exposes a sophisticated malware campaign that has weaponized the modding community of one of the world’s most popular games—Minecraft—to distribute a multi-stage infostealer through GitHub. The threat actor, believed to be Russian-speaking, is using a malware-as-a-service (MaaS) framework dubbed the Stargazers Ghost Network, leveraging Distribution-as-a-Service (DaaS) tactics to remain stealthy and effective.
With over 300 million copies sold and 200 million monthly active players, Minecraft is a prime target. Its thriving modding ecosystem—with more than 1 million active modders—offers a perfect attack surface for malware masquerading as user-created game enhancements.
“The malware impersonates, among others, Oringo and Taunahi, which are ‘Scripts & Macro’ tools (a.k.a cheats),” the report notes.
The attack chain involves three key components:

Stage 1 – Java Downloader (Mod Loader)
The infection begins with a JAR file disguised as a mod (e.g., Oringo-1.8.9.jar, Taunahi-V3.jar). This file must be installed manually in the Minecraft Forge mods folder. When the game starts, the mod performs several tasks:
- Anti-analysis checks for virtual machines and debugging tools like Wireshark and TCPView.
- Downloads a base64-encoded link from Pastebin.
- Retrieves and loads a Java-based stealer (MixinLoader-v2.4.jar) into memory.

“This Java downloader is undetected by all antivirus engines across VirusTotal… as sandbox engines do not contain the required dependencies,” the report warns.
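A defender-side triage check for the Stage 1 behaviour described above, added here as an example and not code from the Check Point report: it walks the JARs in a Forge mods folder looking for the lure file names, the plaintext Pastebin and analysis-tool strings, and base64 runs that decode to a URL. The sample JAR, the `example.invalid` next-stage URL and the `PLACEHOLDER` paste ID are constructed for the demo; the check only catches strings the loader leaves unobfuscated.

```python
import base64, io, re, zipfile
from pathlib import Path

# Lure names and the in-memory stage named in the report
KNOWN_NAMES = {"oringo-1.8.9.jar", "taunahi-v3.jar", "mixinloader-v2.4.jar"}
# Strings a loader behaving as described would carry (matched case-insensitively)
INDICATORS = (b"pastebin.com", b"wireshark", b"tcpview")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(rb"https?://[\w./-]+")

def decoded_urls(blob):
    """URLs that only appear after base64-decoding runs found in blob."""
    urls = []
    for m in B64_RE.finditer(blob):
        try:
            plain = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue  # not real base64 (bad alphabet, length or padding)
        urls += [u.decode() for u in URL_RE.findall(plain)]
    return urls

def scan_jar(jar_bytes, name):
    """Triage one JAR; returns a dict of findings, empty when nothing matched."""
    findings = {}
    if name.lower() in KNOWN_NAMES:
        findings["lure_name"] = name
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        blob = b"".join(z.read(i) for i in z.infolist())  # all entries, decompressed
    hits = [i.decode() for i in INDICATORS if i in blob.lower()]
    urls = sorted(set(decoded_urls(blob)))
    if hits:
        findings["indicators"] = hits
    if urls:
        findings["decoded_urls"] = urls
    return findings

def scan_mods_folder(folder):
    """Scan every *.jar in a Forge mods folder; returns {file name: findings}."""
    return {p.name: scan_jar(p.read_bytes(), p.name) for p in Path(folder).glob("*.jar")}

def build_sample_jar(suspicious=True):
    """Constructed in-memory JAR for the demo, not a real malware sample."""
    hidden = base64.b64encode(b"https://example.invalid/MixinLoader-v2.4.jar")
    body = b"\x00plain mod code\x00" if not suspicious else (
        b"\x00https://pastebin.com/raw/PLACEHOLDER\x00Wireshark\x00" + hidden + b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/Loader.class", body)
    return buf.getvalue()
```

Run `scan_mods_folder(".minecraft/mods")` on a suspect install and treat any non-empty findings as a reason to pull the JAR for analysis rather than as a verdict.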
Stage 2 – Java Stealer
Once loaded, the stealer collects:
- Minecraft tokens
- Account credentials from popular launchers (Feather, Lunar, Essential)
- Discord tokens
- Telegram data
- IP addresses and player UUIDs
Stolen data is posted to a Pastebin-hosted URL, and a .NET-based stealer is downloaded via the SSHaccess class for further payload deployment.
Stage 3 – .NET Stealer (“44 CALIBER”)
This component is significantly more aggressive. It steals:
- Browser data (Chrome, Edge, Firefox)
- Cryptocurrency wallet credentials (e.g., Monero, Electrum, Atomic, Zcash, Jaxx)
- VPN credentials (NordVPN, ProtonVPN, OpenVPN)
- Files from Desktop, Documents, and Source directories
- Screenshots and clipboard contents
- Credentials from Steam, Discord, Telegram, FileZilla
Several pieces of evidence point to a Russian-speaking developer:
- Russian-language comments in source code
- Commits from GitHub accounts with UTC+3 time zone
- Package names referencing Baikal (a Siberian lake)
- Assembly copyright: “FuckTheSystem © 2021”
This campaign demonstrates the increasing weaponization of online gaming ecosystems. The malware is stealthy, platform-aware, and spreads by exploiting community trust in modding platforms like GitHub.
“What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers,” Check Point warns.