Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers


Java-based malware targets Minecraft users via fake cheat tools, utilizing the Stargazers Ghost Network distribution-as-a-service (DaaS).

Check Point researchers found multi-stage malware on GitHub that targets Minecraft users through the Stargazers DaaS and uses Java and .NET stealers disguised as cheat tools.

Minecraft, one of the world’s most popular games with over 200 million monthly players and 300 million copies sold, has a vibrant modding community. Over a million players actively use and create mods to enhance gameplay. However, this openness has also made it a target for cyber threats.

In a recent campaign spotted by Check Point, the attackers specifically targeted Minecraft users by disguising the malware as cheat tools like Oringo and Taunahi. Threat actors employ a multi-stage infection chain, with the first two stages written in Java and requiring the Minecraft runtime to execute, making the threat highly targeted at the game’s user base.

“Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader,” reads the report published by Check Point. “Those repositories supposedly provided mods for Minecraft and appeared legitimate as multiple accounts starred those repositories.”

The malware posed as Minecraft cheat tools Oringo and Taunahi, with its first two Java-based stages only running if the Minecraft runtime is installed.

The attack starts when a victim manually installs a malicious JAR file disguised as a Minecraft mod. Upon launching the game, the fake mod downloads a second-stage stealer, which then fetches an additional .NET-based stealer. The malware is linked to a Russian-speaking threat actor, as indicated by various elements written in Russian within the code.

A malicious mod disguised as a Forge plugin initiates a multi-stage malware attack. The first Java-based loader checks for virtual machines and analysis tools to avoid being analyzed, then downloads a second-stage Java stealer, which extracts Minecraft and Discord data. It also downloads a third-stage .NET stealer that collects browser credentials, crypto wallets, VPN data, and more, sending everything to a Discord webhook.

“Disguised as Minecraft mods, these malicious Java archives often evade sandbox analysis due to missing dependencies. The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data,” concludes the report, which also provides Indicators of Compromise.

“The threat actor behind these campaigns is likely of Russian origin. This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content.”
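For defenders checking a Minecraft `mods` folder in light of the chain described above, this added example (not code from the article or from Check Point's report) hashes each JAR for comparison against the report's Indicators of Compromise and flags plaintext Discord webhook URLs inside the archive. The function names, the size cap and the sample JAR are assumptions made here; `known_bad` is a placeholder to be filled from the report, and obfuscated or remotely fetched URLs will not be caught by this string match.

```python
import hashlib
import io
import re
import zipfile
from pathlib import Path

# Discord webhook URL shape, current and legacy hostnames.
WEBHOOK_RE = re.compile(
    rb"https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
MAX_ENTRY = 20 * 1024 * 1024  # skip oversized entries (decompression-bomb guard)

def triage_jar(data, known_bad=frozenset()):
    """Hash one JAR and list webhook URLs found in its decompressed entries."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "webhooks": [], "error": None}
    result["ioc_match"] = result["sha256"] in known_bad
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for info in jar.infolist():
                if info.is_dir() or info.file_size > MAX_ENTRY:
                    continue
                for m in WEBHOOK_RE.finditer(jar.read(info)):
                    result["webhooks"].append((info.filename, m.group().decode()))
    except zipfile.BadZipFile:
        result["error"] = "not a valid ZIP/JAR"
    return result

def scan_mods_dir(mods_dir, known_bad=frozenset()):
    """Triage every .jar under a mods directory; return only suspicious ones."""
    findings = {}
    for jar_path in sorted(Path(mods_dir).rglob("*.jar")):
        r = triage_jar(jar_path.read_bytes(), known_bad)
        if r["ioc_match"] or r["webhooks"]:
            findings[str(jar_path)] = r
    return findings

def build_sample_jar(with_webhook):
    """Constructed test JAR: a fake class entry, optionally with a made-up URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        body = b"\xca\xfe\xba\xbe constructed sample "
        if with_webhook:
            body += b"https://discord.com/api/webhooks/123456789012345678/constructed-TOKEN_0"
        jar.writestr("com/example/FakeMod.class", body)
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage_jar(build_sample_jar(flag))["webhooks"])
```

A hit is a reason to inspect the mod further, not a verdict: legitimate mods can also post to Discord webhooks.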


Pierluigi Paganini

(SecurityAffairs – hacking, gaming)