
Published 01:22 PM 6/20/2025

Over 1,500 Minecraft Players Infected by Java Malware Disguised as Mods on GitHub

By Episode Hive

Java-Based Malware Targets Minecraft Players via Fake Mods on GitHub

A new malware campaign is targeting Minecraft players using a multi-stage Java-based attack.

According to researchers at Check Point, the campaign relies on a distribution-as-a-service (DaaS) operation known as the Stargazers Ghost Network.

The operation uses fake GitHub repositories to trick users into downloading malicious Minecraft mods.

What’s the Threat?

The campaign, first observed in March 2025, is designed to deliver a .NET-based information stealer through a carefully constructed attack chain.

It begins with victims downloading what they believe to be legitimate Minecraft modifications or cheat tools, such as Oringo or Taunahi, from GitHub. Both are distributed as .jar files that only run when Minecraft is installed, which keeps the campaign focused on that user base.

Once executed, the Java-based loader silently fetches and runs a second-stage Java payload, which in turn downloads the final .NET stealer. None of these components were detected by antivirus engines at the time of analysis.

Stargazers Ghost Network: The Distribution Engine

Check Point’s Antonis Terefos reported that the attackers used approximately 500 GitHub repositories, some of which were forks or copies of one another.

These repositories were made to look like cracked software or game cheats. Around 70 accounts were used to generate 700 GitHub stars, increasing their visibility and credibility to unsuspecting users.

The malware repositories delivered files like Oringo-1.8.9.jar, which contain anti-analysis checks that detect virtual machines and analysis environments and stop executing when one is found.

When placed in the Minecraft mods folder, these files are loaded automatically by the game at startup, which is what launches the infection sequence.

The Infection Chain

  1. Initial Loader – The downloaded .jar file (for example Oringo-1.8.9.jar) is the first-stage Java loader; after its anti-analysis checks pass, it fetches the next stage.
  2. Second-Stage Stealer – A second Java component retrieves a Pastebin page containing a base64-encoded IP address, which identifies the host serving the final payload.
  3. Final Payload – The .NET stealer is downloaded from that host and executed.

The .NET payload is designed to extract a wide range of sensitive data, including:

  • Credentials from web browsers
  • Discord and Minecraft tokens
  • Telegram-related files
  • Steam and FileZilla account data
  • Cryptocurrency wallet information
  • Clipboard contents, running processes, and screenshots

All stolen data is transmitted to the attacker using a Discord webhook.
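The chain above and its exfiltration channel hinge on a few artefacts that are often left in plaintext inside the jar: a Pastebin URL, a base64-encoded IPv4 address, strings used by anti-VM checks, and a Discord webhook URL. The following Python triage script is an added example, not Check Point's tooling and not the campaign's code: it unpacks a .jar (which is just a zip archive), scans every entry for those indicators, and decodes standalone base64 runs to see whether any resolve to a dotted-quad IPv4 address. The sample jar it scans is constructed in memory with placeholder values (the RFC 5737 documentation address 192.0.2.10, a made-up paste ID and a made-up webhook token); none of the indicators are from the real campaign, and the anti-VM string list is an assumption rather than something the report publishes.

```python
"""Static triage for Minecraft mod jars.

Flags the plaintext indicators used by the loader chain described above:
Pastebin URL, base64-encoded IPv4, anti-VM strings, Discord webhook.
Added example; not Check Point's tooling or the campaign's own code.
"""
import base64
import binascii
import io
import re
import sys
import zipfile

PASTEBIN_RE = re.compile(rb"https?://pastebin\.com/(?:raw/)?[A-Za-z0-9]{6,}")
WEBHOOK_RE = re.compile(rb"https?://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")
# Standalone base64 runs; they are decoded and kept only if they are an IPv4 address.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
IPV4_RE = re.compile(rb"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
# Strings commonly looked up by sandbox/VM checks. Assumed list, not taken from the report.
VM_MARKERS = (b"VMware", b"VirtualBox", b"vbox", b"QEMU", b"SbieDll", b"Sandboxie")


def decode_b64_ips(data: bytes) -> set:
    """Return every base64 run in `data` that decodes to a dotted-quad IPv4 string."""
    ips = set()
    for blob in B64_RE.findall(data):
        if len(blob) % 4:          # not a complete base64 group, e.g. an ordinary identifier
            continue
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if IPV4_RE.match(decoded):
            ips.add(decoded.decode())
    return ips


def scan_bytes(data: bytes) -> dict:
    """Collect indicators from one archive entry (class file, resource or manifest)."""
    return {
        "pastebin_urls": {m.decode() for m in PASTEBIN_RE.findall(data)},
        "discord_webhooks": {m.decode() for m in WEBHOOK_RE.findall(data)},
        "base64_ips": decode_b64_ips(data),
        "vm_checks": {m.decode() for m in VM_MARKERS if m in data},
    }


def triage_jar(jar_bytes: bytes) -> dict:
    """Unpack a .jar (a zip archive) and merge the indicators found in every entry."""
    merged = {"pastebin_urls": set(), "discord_webhooks": set(), "base64_ips": set(), "vm_checks": set()}
    flagged_entries = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            for key, values in scan_bytes(jar.read(info.filename)).items():
                merged[key] |= values
                if values:
                    flagged_entries.add(info.filename)
    report = {key: sorted(values) for key, values in merged.items()}
    report["flagged_entries"] = sorted(flagged_entries)
    # A download location (paste or decoded IP) or an exfiltration channel is strong
    # evidence; VM-related strings on their own are weak and only get a lower verdict.
    if report["pastebin_urls"] or report["discord_webhooks"] or report["base64_ips"]:
        report["verdict"] = "suspicious"
    elif report["vm_checks"]:
        report["verdict"] = "anti-vm strings only"
    else:
        report["verdict"] = "no plaintext indicators"
    return report


def build_sample_jar(malicious: bool) -> bytes:
    """Constructed in-memory jar. Placeholder values only (RFC 5737 address, fake paste
    ID, fake webhook token); nothing here is an indicator from the real campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("mcmod.info", '[{"modid": "examplemod", "name": "Example Mod"}]\n')
        body = [b"\xca\xfe\xba\xbe", b"com/example/ExampleMod", b"Hello from a benign mod"]
        if malicious:
            body += [
                b"https://pastebin.com/raw/EXAMPLE0",   # fake paste that would hold the C2 address
                b"MTkyLjAuMi4xMA==",                    # base64("192.0.2.10")
                b"VirtualBox", b"VMware",               # anti-analysis lookups
                b"https://discord.com/api/webhooks/123456789012345678/CONSTRUCTED_TOKEN_not_real",
            ]
        jar.writestr("com/example/ExampleMod.class", b"\n".join(body) + b"\n")
    return buf.getvalue()


if __name__ == "__main__":
    # With no arguments, triage the constructed sample; otherwise triage the jars given.
    paths = sys.argv[1:]
    if not paths:
        print(triage_jar(build_sample_jar(malicious=True)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage_jar(fh.read()))
```

Run it over the jars in the Minecraft mods folder as a first pass. A "suspicious" verdict on a mod that references Pastebin or a Discord webhook is grounds to remove it and rotate the tokens listed above; a clean verdict is not proof of safety, since a loader can encrypt, split or build these strings at runtime, so pair the scan with a check of where each jar was downloaded from and a hash lookup against a reputation service.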

Who’s Behind It?

The researchers believe the campaign is likely operated by a Russian-speaking threat actor. This conclusion is based on Russian-language artifacts in the code and timestamps from commits made in the UTC+3 time zone. It’s estimated that over 1,500 devices may have been compromised so far.

Why This Matters

This campaign highlights how popular gaming communities—especially those like Minecraft with large modding ecosystems—can be weaponized to spread malware. Fake mod downloads provide a high-trust, low-suspicion entry point for attackers to distribute advanced threats.

“What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers capable of exfiltrating credentials and other sensitive data,” Check Point said.

Related Threat: KimJongRAT Variants Resurface

Separately, Palo Alto Networks’ Unit 42 reported the discovery of two new variants of KimJongRAT, a long-running North Korean-linked information stealer. These variants were delivered via .lnk Windows shortcut files and featured:

  • A PE (Portable Executable) version that deploys a loader, a fake PDF, and a text file.
  • A PowerShell variant that drops a ZIP file containing scripts and embedded stealer components.

Both forms are designed to collect:

  • Sensitive documents based on specific extensions
  • Browser credentials
  • FTP and email data
  • Cryptocurrency wallet details

Unit 42 noted that the use of legitimate content delivery networks (CDNs) to distribute KimJongRAT underlines the evolving tactics of its operators.

“This adaptability not only showcases the persistent threat posed by such malware but also underscores its developers’ commitment to updating and expanding its capabilities,” the researchers concluded.