Stargazers' Malicious Minecraft Mods Steal Player Passwords

Summary

A **malware campaign** specifically targets **Minecraft** players with **malicious mods and cheats** that infect **Windows devices** with **infostealers**. The campaign, discovered by **Check Point Research**, is conducted by the **Stargazers Ghost Network** and leverages **Minecraft's massive modding ecosystem** and legitimate services like **GitHub** to reach a large audience of potential targets. The **Stargazers Ghost Network** is a **distribution-as-a-service (DaaS) operation** active on **GitHub** since last year, first documented by **Check Point** in a campaign involving **3,000 accounts** spreading **infostealers**.

The campaign targets **Minecraft account tokens** and **user data** from the **Minecraft launcher** and popular third-party launchers like **Feather**, **Lunar**, and **Essential**. The **Java stealer** also serves as a loader for the next stage, a **.NET-based stealer** called '44 CALIBER,' a more traditional **infostealer** that attempts to snatch information stored in **web browsers**, **VPN account data**, **cryptocurrency wallets**, **Steam**, **Discord**, and other apps.

To stay safe against this and similar campaigns, **Minecraft players** should be cautious when downloading mods and cheats and ensure they come from trusted sources. They should also keep their **operating systems** and **security software** up to date, and use **strong passwords** and **two-factor authentication** to protect their accounts.

Key Takeaways

  • The Stargazers Ghost Network is conducting a large-scale malware campaign targeting Minecraft players
  • The campaign uses malicious mods and cheats to infect Windows devices with infostealers
  • The campaign targets Minecraft account tokens and user data from the Minecraft launcher and popular third-party launchers
  • The campaign could have significant consequences for Minecraft players, including the theft of sensitive information and financial loss
  • Game developers and platforms should take steps to protect their users from cyber threats

Balanced Perspective

The **Stargazers Ghost Network** campaign is a significant **cyber threat** that targets **Minecraft players**. The use of **malicious mods and cheats** to infect **Windows devices** with **infostealers** is a common tactic used by **cybercriminals**. The fact that the campaign is using **GitHub** as a platform suggests that the **Stargazers Ghost Network** is trying to take advantage of the **Minecraft modding community**. However, it is also possible that the campaign is not limited to **Minecraft players** and could be targeting a broader audience. Check Point Research has provided **indicators of compromise (IoCs)** to help detect and block the threat.

Optimistic View

The discovery of this **malware campaign** by **Check Point Research** is a positive step towards protecting **Minecraft players** from **cyber threats**. The fact that the **Stargazers Ghost Network** is using **fake GitHub stars** to boost their operation suggests that they are trying to appear legitimate, which could make it easier for **security researchers** to track them down. Additionally, the use of **GitHub** as a platform for the campaign could provide an opportunity for **GitHub** to improve its security measures and prevent similar campaigns in the future. GitHub has already taken steps to address the issue, and Minecraft players can take steps to protect themselves by being cautious when downloading mods and cheats.

Critical View

The **Stargazers Ghost Network** campaign is a serious **cyber threat** that could have significant consequences for **Minecraft players**. The use of **malicious mods and cheats** to infect **Windows devices** with **infostealers** could lead to the theft of **sensitive information**, including **passwords**, **cryptocurrency wallets**, and **personal data**. The fact that the campaign is using **GitHub** as a platform suggests that the **Stargazers Ghost Network** is trying to appear legitimate, which could make it harder for **security researchers** to track them down. Additionally, the use of **Russian comments** and **UTC+3 commit timestamps** suggests that the operators of the campaign may be based in **Russia**, which could make it more difficult to bring them to justice. Russia has been linked to several high-profile **cyber attacks** in the past.

Source

Originally reported by BleepingComputer