Minecraft Players Targeted by Java Malware Disguised as Game Mods
Summary
A new **multi-stage malware campaign** is targeting **Minecraft** users with **Java-based malware** distributed through a distribution-as-service (DaaS) offering called the **Stargazers Ghost Network**. The malware is disguised as **Minecraft mods** hosted on **GitHub** and executes only when the **Minecraft runtime** is installed on the host machine. **Check Point** researchers first detected the campaign in **March 2025**; it has since infected over **1,500 devices**. The malware steals **Discord and Minecraft tokens** and **Telegram-related data**, harvests **credentials from various web browsers**, and collects **files and information from cryptocurrency wallets**. The incident shows why caution is warranted when downloading **third-party content**, especially in popular **gaming communities**. For more information on **Minecraft** and **gaming security**, see [[minecraft|Minecraft]] and [[gaming-security|Gaming Security]]. The **Stargazers Ghost Network** has been actively distributing the malware to **Minecraft players** looking for **mods** to enhance their gameplay. The campaign is suspected to be the work of a **Russian-speaking threat actor**, based on several artifacts written in **Russian** and the timezone of the attacker's commits (**UTC+03:00**). For more information on **Russian-speaking threat actors**, see [[russian-speaking-threat-actors|Russian-Speaking Threat Actors]].
Key Takeaways
- The Minecraft malware campaign has infected over 1,500 devices
- The malware is disguised as Minecraft mods on GitHub
- The malware is capable of stealing Discord and Minecraft tokens, as well as Telegram-related data
- The campaign is suspected to be the work of a Russian-speaking threat actor
- The use of Java-based malware and the Stargazers Ghost Network demonstrates the evolving nature of cyber threats
Balanced Perspective
The **Minecraft malware campaign** involves several factors at once: **user behavior**, **software development**, and **cybersecurity**. While it has infected over **1,500 devices**, it is also an opportunity for **gaming communities** and **cybersecurity professionals** to learn and improve their defenses. The use of **Java-based malware** delivered through the **Stargazers Ghost Network** shows how **cyber threats** keep evolving and why **continuous monitoring** and **incident response** are needed. For more information on **cyber threats**, see [[cyber-threats|Cyber Threats]].
Optimistic View
The discovery of this malware campaign highlights the importance of **cybersecurity research** and the need for **gaming communities** to be aware of the risks associated with downloading **third-party content**. The fact that **Check Point** researchers were able to detect and analyze the malware demonstrates the effectiveness of **threat intelligence** and **incident response**. Furthermore, the use of **GitHub** as a distribution channel for the malware underscores the need for **developers** and **users** to be vigilant when interacting with **open-source repositories**. For more information on **threat intelligence**, see [[threat-intelligence|Threat Intelligence]].
Critical View
The **Minecraft malware campaign** is a disturbing example of the risks of **online gaming** and of the **lack of security awareness** among **users**. That the malware infected over **1,500 devices** without being detected for several months highlights the **ineffectiveness of traditional security measures**. Furthermore, the use of **GitHub** as a distribution channel underscores how **open-source repositories** can be abused to spread malware and the need for **better security practices** among **developers**. For more information on **online gaming security**, see [[online-gaming-security|Online Gaming Security]].
Source
Originally reported by The Hacker News