With over 300 million copies sold and more than 200 million monthly active players, Minecraft is one of the most popular video games of all time. Part of its appeal comes from the ability to customise and enhance the game through mods, user-created tools that improve gameplay, fix bugs and add new content. But where there’s popularity, cybercriminals find opportunity. With approximately 65% of Minecraft’s player base under the age of 21, the platform presents an attractive target for cyber criminals looking to exploit a large, engaged, and often less-protected audience.
In March 2025, Check Point Research (CPR) began tracking a malicious campaign targeting Minecraft players through a network known as Stargazers Ghost Network. First identified by CPR in July 2024, this network operates under a distribution-as-a-service (DaaS) model, leveraging multiple GitHub accounts to spread malicious links and malware at scale.
The network delivered a multistage attack designed to quietly infect users' machines, masquerading as popular mods like Oringo and Taunahi, both commonly known as cheat tools within the community. The malware was developed in several stages. The first two stages were written in Java and required Minecraft to be pre-installed on the victim's device, allowing the attackers to target a specific vulnerable group: active Minecraft players.
A hidden threat disguised as Minecraft mods
As per CPR, the malicious GitHub repositories that appear to offer Minecraft mods look legitimate, targeting players seeking new tools and enhancements. In reality, they contain a Java-based downloader, a small piece of malware designed to quietly install additional malicious software on the victim’s device.
To increase their chances of being downloaded and installed, the files mimic popular cheat and automation tools used within the Minecraft community. This allows the malware to blend in with legitimate mods, making it difficult for users and many security solutions to detect.
As per Check Point Research, limited information is available about the threat actor behind this campaign. However, the attacker’s activity appears to align with the UTC+3 time zone, and some of the files contain comments written in Russian, suggesting a Russian-speaking origin.
Malicious Minecraft mods: How the attack works
The infection begins when a player downloads the seemingly harmless Minecraft mod from GitHub. This is the first stage of a multi-step malware chain. Once the game is launched, the mod checks whether it’s operating in a virtual environment, a common approach used by security researchers and sandboxes to run samples in an isolated environment. If no virtual environment or analysis tools are detected, it proceeds to the next phase.
The malicious mod then downloads a second-stage payload designed to steal sensitive information. This is followed by a third and final component: a more advanced spyware tool capable of harvesting credentials from web browsers, cryptocurrency wallets, and applications such as Discord, Steam, and Telegram. It can also capture screenshots and collect detailed information about the infected system.
The stolen data is discreetly bundled and exfiltrated via Discord, a tactic that allows the activity to blend in with legitimate traffic. Based on insights from the attacker’s infrastructure, CPR estimates that more than 1,500 devices may have been compromised to date.
Tips for gamers and everyday users
Here are some tips to stay safe from cyberattacks:
- Only download mods from trusted, verified sources.
- Be sceptical of tools that promise cheats, hacks, or automation features.
- Keep your antivirus and system software up to date.
- If something seems too good to be true, it probably is.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
