Stargazers Ghost Network Targets Minecraft Mods in 2025


A new malware campaign called the Stargazers Ghost Network has emerged in 2025, specifically targeting Minecraft players. Cybersecurity experts at Check Point discovered the threat in March, revealing that attackers use fake Minecraft mods hosted on GitHub to distribute multi-stage malware designed to steal sensitive information.

Unlike generic phishing tactics, this campaign impersonates known cheat tools like Oringo and Taunahi. These Java-based tools attract gamers who want gameplay advantages. However, once players install these mods, they unknowingly initiate the infection chain.

The attackers created over 500 fake repositories on GitHub using nearly 70 different accounts. These repositories, masquerading as cracked software or game enhancements, trick users into downloading a malicious .jar file, such as Oringo-1.8.9.jar. When the Minecraft game launches, it automatically executes the mod, activating a second-stage loader that fetches a .NET-based information stealer.

To bypass detection, the Java loader employs anti-analysis techniques. It avoids execution in virtual machines and evades common security tools. The malware downloads its next stage from a Pastebin link, where the command-and-control IP address is hidden in Base64. This method turns Pastebin into a covert delivery channel.

After executing the second stage, the malware deploys the .NET stealer. This advanced tool collects Discord and Minecraft tokens, Telegram data, browser credentials, and cryptocurrency wallet files. It also harvests Steam account details, clipboard contents, and system process information. Finally, it bundles and transmits all stolen data through a Discord webhook, completing the attack.
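As an added example (not code from the report or from Check Point), the script below triages a Minecraft mod .jar for the three traits described in the chain above: a Pastebin URL used to fetch the second stage, a Base64 blob that decodes to an IPv4 address, and a Discord webhook URL used for exfiltration. The regular expressions and the embedded sample jar are constructed assumptions for illustration, not indicators from the report.

```python
import base64
import io
import re
import zipfile

# Heuristic patterns (assumptions for illustration, not indicators from the report).
PASTEBIN_RE = re.compile(rb"https?://(?:www\.)?pastebin\.com/[A-Za-z0-9/]+")
WEBHOOK_RE = re.compile(rb"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/])")
IPV4_RE = re.compile(rb"^(?:\d{1,3}\.){3}\d{1,3}$")

def base64_ipv4(blob):
    """Return the dotted IPv4 string if `blob` is Base64 that decodes to one, else None."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:  # bad alphabet or padding: not Base64 at all
        return None
    if IPV4_RE.match(decoded) and all(int(o) <= 255 for o in decoded.split(b".")):
        return decoded.decode()
    return None

def scan_jar(jar_bytes):
    """Walk every entry of a .jar (a zip file) and collect the three traits."""
    findings = {"pastebin_urls": set(), "discord_webhooks": set(), "b64_ipv4": set(), "entries": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            urls = PASTEBIN_RE.findall(data)
            hooks = WEBHOOK_RE.findall(data)
            ips = [ip for ip in map(base64_ipv4, B64_RE.findall(data)) if ip]
            if urls or hooks or ips:
                findings["entries"].append(name)  # entry worth a manual look
            findings["pastebin_urls"].update(u.decode() for u in urls)
            findings["discord_webhooks"].update(h.decode() for h in hooks)
            findings["b64_ipv4"].update(ips)
    findings["suspicious"] = bool(findings["entries"])
    return findings

def build_sample_jar():
    """Constructed sample: a tiny fake mod jar carrying all three traits (not a real mod)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("mod/Loader.class", b"\xca\xfe\xba\xbe\x00https://pastebin.com/raw/EXAMPLE1\x00"
                     + base64.b64encode(b"192.0.2.10") + b"\x00")
        jar.writestr("mod/Exfil.class", b"\x00https://discord.com/api/webhooks/123456/abc-DEF_ghi\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

Run it against the contents of a real mods directory by reading each .jar into bytes and passing it to `scan_jar`; a hit is a reason to inspect the file, not proof of infection.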

Check Point’s researchers linked the campaign to a Russian-speaking group. They based this on Russian language artifacts in the code and time zone data from GitHub commits, which align with UTC+03:00. According to estimates, the operation may have infected more than 1,500 devices.

This campaign shows that the Stargazers Ghost Network uses a sophisticated distribution-as-a-service model to infect victims undetected. Although the mods appear harmless, they function as delivery mechanisms for stealthy malware. Since many players regularly install third-party mods, these attacks blend seamlessly with normal behavior.

In addition to Stargazers, a separate report from Palo Alto Networks’ Unit 42 revealed two new versions of the KimJongRAT malware. Researchers believe a North Korean threat actor—previously linked to BabyShark and Stolen Pencil—developed these variants.

The newer KimJongRAT forms include a PE executable and a PowerShell-based version. Both initiate through a malicious shortcut file. Once clicked, the executable drops a decoy PDF and the loader, while the PowerShell script delivers a ZIP archive containing embedded keyloggers and stealers.

These tools extract browser data, crypto wallet details, and file system information. They can also collect credentials from FTP clients and email software. To mask the malware’s presence, attackers use legitimate content delivery networks (CDNs), hiding their infrastructure behind trusted services.

Ultimately, both campaigns reflect a sophisticated evolution in threat delivery. Hackers now combine social engineering, trusted platforms like GitHub, and modular payloads to maximize effectiveness. For users—especially gamers—this highlights the importance of verifying all downloads, even when they appear familiar or useful.

Cybersecurity experts recommend that users avoid installing unofficial Minecraft mods unless they come from a verified, secure source. Furthermore, keeping antivirus tools updated and monitoring browser permissions can significantly reduce exposure to such threats.
