
Minecraft Players Targeted in Sophisticated Malware Campaign

- Malicious Minecraft Mods Discovered: Check Point Research (CPR) uncovered a multistage malware campaign in which the malware itself was embedded within fake Minecraft mods, shared on GitHub to specifically target active players.
- Three-Stage Infection Chain: The attack involves a Java downloader, a second-stage stealer, and a final advanced stealer that harvests passwords, crypto wallets, and other sensitive data.
- Russian-Speaking Threat Actor Likely Involved: Russian-language comments and behavior aligned with the UTC+3 time zone suggest the malware was developed by a Russian-speaking attacker.
With over 300 million copies sold and more than 200 million monthly active players, Minecraft is one of the most popular video games of all time. Part of its appeal comes from the ability to customize and enhance the game through mods, user-created tools that improve gameplay, fix bugs, and add new content. It’s estimated that more than a million players actively mod Minecraft, forming a vibrant and creative community.
But where there’s popularity, cyber criminals find opportunity. With approximately 65% of Minecraft’s player base under the age of 21, the platform presents an attractive target for cyber criminals looking to exploit a large, engaged, and often less-protected audience.
In March 2025, Check Point Research (CPR) began tracking a malicious campaign targeting Minecraft players through the Stargazers Ghost Network. First identified by CPR in July 2024, this network operates under a distribution-as-a-service (DaaS) model, leveraging multiple GitHub accounts to spread malicious links and malware at scale.
The network delivered a multistage attack designed to quietly infect users' machines, masquerading as popular mods such as Oringo and Taunahi, both well known within the community as cheat tools. The malware itself runs in several stages. The first two stages were written in Java and only execute once Minecraft loads them as a mod, so they require the game to be installed on the victim's device. That dependency acts as a filter, confining the campaign to exactly the group the attackers wanted: active Minecraft players.
To learn more about the technical details behind this campaign, read the full research report here: https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/
A Hidden Threat Disguised as Minecraft Mods
Since March 2025, CPR has been tracking malicious GitHub repositories that appear to offer Minecraft mods. On the surface, these files look legitimate, targeting players seeking new tools and enhancements. In reality, they contain a Java-based downloader, a small piece of malware designed to quietly install additional malicious software on the victim’s device.

Figure: Malicious repositories
To increase their chances of being downloaded and installed, the files mimic popular cheat and automation tools used within the Minecraft community. This allows the malware to blend in with legitimate mods, making it difficult for users and many security solutions to detect.
Limited information is available about the threat actor behind this campaign. However, the attacker’s activity appears to align with the UTC+3 time zone, and some of the files contain comments written in Russian, suggesting a Russian-speaking origin.
How the Attack Works
The infection begins when a player downloads the seemingly harmless Minecraft mod from GitHub and installs it like any other mod. This is the first stage of a multi-step malware chain. Once the game loads the mod, it checks whether it is running inside a virtual machine or alongside analysis tools. Security researchers and automated sandboxes typically detonate samples in isolated virtual environments, so a positive check tells the malware it is probably being analysed and it does not proceed. If no virtual environment or analysis tools are detected, it moves on to the next phase.
The malicious mod then downloads a second-stage payload designed to steal sensitive information. This is followed by a third and final component: a more advanced stealer capable of harvesting credentials from web browsers, cryptocurrency wallets, and applications such as Discord, Steam, and Telegram. It can also capture screenshots and collect detailed information about the infected system.
The stolen data is discreetly bundled and exfiltrated via Discord, a tactic that allows the activity to blend in with legitimate traffic. Based on insights from the attacker’s infrastructure, CPR estimates that up to 1,500 devices may have been compromised to date.
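To make the chain above concrete from the defender's side, here is an added example (not code from the report or from Check Point) of a static triage script for mod JARs. It unzips a JAR, pulls printable strings out of each compiled class, and looks for the four behaviours described in this section: hypervisor or sandbox checks, a network downloader, a Discord endpoint used for exfiltration, and credential-store file names. The indicator strings, the webhook path, the verdict thresholds and the two sample JARs are all assumptions constructed for the example; the page names Discord as the exfiltration channel but does not state that webhooks were used.

```python
"""Static triage of Minecraft mod JARs for the behaviours described above.

Scans every .class file inside a JAR for string constants that point to
VM/sandbox detection, a network downloader, Discord-based exfiltration and
credential-store paths, then combines the hits into a verdict.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# Indicator families. These strings are an assumption about what such a mod
# would contain, not indicators published in the report.
INDICATORS = {
    "vm_detection": [b"VirtualBox", b"VMware", b"vboxservice", b"QEMU", b"SbieDll"],
    "downloader": [b"java/net/URL", b"java/net/HttpURLConnection", b"openConnection"],
    "discord_exfil": [b"discord.com/api/webhooks", b"discordapp.com/api/webhooks"],
    "credential_paths": [b"Login Data", b"Local State", b"tdata", b"ssfn", b"wallet.dat"],
}

# Printable-ASCII runs. CONSTANT_Utf8 entries in a class file's constant pool
# store strings as-is, so substring matching works on real compiled classes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def scan_jar_bytes(jar_bytes: bytes) -> dict:
    """Return {family: sorted list of matched indicators} for one JAR."""
    hits = {family: set() for family in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            for run in ASCII_RUN.findall(zf.read(name)):
                for family, needles in INDICATORS.items():
                    hits[family].update(n.decode() for n in needles if n in run)
    return {family: sorted(found) for family, found in hits.items()}


def verdict(hits: dict) -> str:
    """A Discord webhook, or VM checks next to a downloader, is the pattern
    of the chain above. A lone java.net.URL reference is a normal update check."""
    if hits["discord_exfil"] or (hits["vm_detection"] and hits["downloader"]):
        return "likely_malicious"
    if hits["vm_detection"] or hits["credential_paths"]:
        return "review"
    return "clean"


def scan_mods_dir(mods_dir: str) -> dict:
    """Scan every *.jar under a mods folder, e.g. ~/.minecraft/mods."""
    return {p.name: verdict(scan_jar_bytes(p.read_bytes()))
            for p in Path(mods_dir).glob("*.jar")}


# --- constructed samples so the block runs offline -------------------------

def fake_class(strings) -> bytes:
    """Stand-in for a compiled class: magic number plus CONSTANT_Utf8-style
    entries (tag 0x01, u2 length, bytes). Not valid bytecode, but laid out
    the way a real constant pool stores its strings."""
    out = bytearray(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    for s in strings:
        out += b"\x01" + len(s).to_bytes(2, "big") + s
    return bytes(out)


def build_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Hypothetical first-stage mod: references the Minecraft client (it only runs
# once the game loads it), checks for hypervisors, fetches a payload, and posts
# to a Discord webhook. The URL is constructed, not a real endpoint.
MALICIOUS_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "mod/Loader.class": fake_class([
        b"Lnet/minecraft/client/Minecraft;", b"VirtualBox", b"VMware",
        b"java/net/HttpURLConnection", b"openConnection"]),
    "mod/Exfil.class": fake_class([
        b"https://discord.com/api/webhooks/000000/constructed-example",
        b"Login Data", b"tdata"]),
})

# Hypothetical benign mod with an ordinary update check over java.net.URL.
BENIGN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "mod/Minimap.class": fake_class([
        b"Lnet/minecraft/client/Minecraft;", b"renderMinimap",
        b"java/net/URL", b"openConnection"]),
})

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python triage.py ~/.minecraft/mods
        for jar, result in scan_mods_dir(sys.argv[1]).items():
            print(f"{result:17} {jar}")
    else:
        for label, jar in (("constructed malicious", MALICIOUS_JAR),
                           ("constructed benign", BENIGN_JAR)):
            print(label, verdict(scan_jar_bytes(jar)), scan_jar_bytes(jar))
```

Run it against a mods folder to get one verdict per JAR, then confirm any hit in a decompiler before deleting anything. The verdict deliberately does not fire on a downloader alone, because legitimate mods check for updates over java.net.URL; it is the combination with hypervisor checks, or a Discord webhook in a mod that has no business talking to Discord, that matches this chain. The obvious caveat is that string scanning sees nothing if the mod builds its URLs at runtime or keeps them encrypted, so a clean result is not proof of a clean mod.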
Conclusion: When Mods Turn Malicious
This campaign reminds us that even the most familiar digital spaces can become a playground for cyber criminals. By disguising malware as Minecraft mods, attackers were able to quietly target an engaged and unsuspecting user base with a multistage, Java-based infection chain. Because these files look like ordinary mods and can slip past traditional defenses, any player who installs third-party mods from unverified sources is at risk.
As gaming communities grow, they increasingly attract malicious actors seeking fresh opportunities for profit. This research underlines the importance of thinking twice before downloading third-party content, even from trusted platforms.
Tips for Everyday Users and Gamers:
- Only download mods from trusted, verified sources.
- Be skeptical of tools that promise cheats, hacks, or automation features.
- Keep your antivirus and system software up to date.
- If something seems too good to be true, it probably is.
Check Point’s Threat Emulation and Harmony Endpoint solutions provide full coverage against the techniques and malware used in this campaign, keeping users and organizations protected.