Over 1,500 Minecraft Players Targeted by Java Malware Disguised as Game Modifications on GitHub


A new multi-stage malware campaign is targeting Minecraft users with Java-based malware distributed through the Stargazers Ghost Network, a GitHub-based distribution-as-a-service (DaaS) operation.

Researchers at Check Point describe the campaign as a multi-phase attack chain aimed specifically at Minecraft players. The malware masquerades as tools called Oringo and Taunahi, which are associated with scripts and macros (commonly referred to as cheats). Both the first and second stages are written in Java and execute only if the Minecraft runtime is installed on the host.

The goal of the campaign is to trick users into downloading a Minecraft modification from GitHub that ultimately delivers a .NET-based information stealer capable of extensive data theft. Check Point first observed the activity in March 2025.

The activity is notable for its use of an illicit service, the Stargazers Ghost Network, which employs thousands of compromised GitHub accounts to create malicious repositories posing as cracked software and game cheats. Researchers have flagged approximately 500 GitHub repositories, including forks and copies, and counted roughly 700 stars contributed by about 70 accounts, the artificial star-padding that gives the network its name and lends the repositories a false appearance of legitimacy.

The malicious repositories, disguised as Minecraft mods, infect users by distributing a Java loader (e.g., “Oringo-1.8.9.jar”) that was not flagged by any antivirus engine at the time of reporting. The JAR files implement anti-virtual-machine and anti-analysis checks to evade detection. The loader's sole job is to download and launch a second JAR, a Java-based second-stage stealer, which in turn retrieves and executes the .NET stealer as the final payload once the game has started.

The address from which the second stage is fetched is stored as a Base64-encoded IP address on Pastebin, so the loader uses the paste site as a dead-drop resolver rather than hard-coding its infrastructure. Because Minecraft loads mods by scanning its mods directory, users must copy the harmful JAR file into that directory themselves. When the game starts, the Minecraft process loads every mod in the directory, including the malicious one, which triggers the download and execution of the next stage.

In addition to downloading the .NET stealer, the second-stage loader captures Discord and Minecraft tokens as well as Telegram-related data. The .NET stealer can extract credentials from several web browsers and collect files and data from cryptocurrency wallets and applications such as Steam and FileZilla. It can also take screenshots and gather information on running processes, the system's external IP address, and clipboard contents. The harvested data is bundled and sent back to the attacker through a Discord webhook.
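The three mechanics described above (a JAR dropped into the mods directory, a Base64-encoded IP retrieved from a paste site as a dead-drop resolver, and exfiltration over a Discord webhook) all leave string artifacts inside the JAR's class files, since Java string constants sit in the constant pool as (mostly ASCII) modified UTF-8. The following triage scanner is an added example, not code from the original article or from Check Point; it walks a Minecraft mods directory, opens each JAR as a ZIP archive, and flags paste-site URLs, Discord webhook URLs, and Base64 blobs that decode to an IPv4 address. The indicator patterns, the two sample JARs it builds, the paste URL `pastebin.com/raw/EXAMPLE0`, the webhook token, and the TEST-NET-3 address `203.0.113.10` are all constructed for illustration and are not indicators from the campaign.

```python
import base64
import io
import ipaddress
import re
import zipfile
from pathlib import Path

# Indicator patterns (assumed for illustration, not campaign IOCs):
# a paste site used as a dead-drop resolver and a Discord webhook used for exfil.
PASTE_RE = re.compile(rb"pastebin\.com/raw/[A-Za-z0-9]+")
WEBHOOK_RE = re.compile(rb"discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Candidate Base64 runs: 12+ alphabet chars, optional padding, not glued to more alphabet.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/])")


def base64_ips(blob: bytes) -> list[str]:
    """Return IPv4 addresses hidden as Base64 text in `blob` (an optional :port is stripped)."""
    found = []
    for m in B64_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
            host, _, _port = decoded.partition(":")
            found.append(str(ipaddress.IPv4Address(host)))  # raises ValueError if not an IP
        except (ValueError, UnicodeDecodeError):
            continue  # valid-looking Base64 that is not an address: ignore
    return found


def scan_jar(data: bytes, name: str) -> dict:
    """Inspect one JAR (as bytes) and report the indicators found in any entry."""
    hits = {"pastebin": [], "discord_webhook": [], "base64_ip": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            blob = jar.read(entry)  # class files, manifest, resources: scan them all
            hits["pastebin"] += [m.decode() for m in PASTE_RE.findall(blob)]
            hits["discord_webhook"] += [m.decode() for m in WEBHOOK_RE.findall(blob)]
            hits["base64_ip"] += base64_ips(blob)
    return {"name": name, "suspicious": any(hits.values()), **hits}


def scan_mods_dir(mods_dir: Path) -> list[dict]:
    """Scan every *.jar in a Minecraft mods directory (e.g. ~/.minecraft/mods)."""
    return [scan_jar(p.read_bytes(), p.name) for p in sorted(mods_dir.glob("*.jar"))]


def build_sample_jar(strings: list[bytes]) -> bytes:
    """Constructed sample input: a minimal JAR whose single 'class' entry embeds `strings`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Mod.class", b"\x00".join(strings))
    return buf.getvalue()


# Constructed samples: one clean mod and one that mimics the loader's artifacts.
BENIGN_JAR = build_sample_jar([b"Hello from a normal mod"])
SUSPICIOUS_JAR = build_sample_jar([
    b"https://pastebin.com/raw/EXAMPLE0",                 # dead-drop resolver URL (constructed)
    base64.b64encode(b"203.0.113.10:8080"),               # Base64-encoded C2 address (TEST-NET-3)
    b"https://discord.com/api/webhooks/123456789/constructed-token",  # exfil channel (constructed)
])

if __name__ == "__main__":
    for report in (scan_jar(BENIGN_JAR, "benign.jar"),
                   scan_jar(SUSPICIOUS_JAR, "Oringo-1.8.9.jar")):
        print(report)
```

Run `scan_mods_dir(Path.home() / ".minecraft" / "mods")` on Linux (on Windows the directory is `%APPDATA%\.minecraft\mods`) to triage installed mods; a hit on any of the three indicators is a reason to pull the JAR for analysis, not proof of infection, since legitimate mods can embed Base64 or contact web services. Rotating Discord and Minecraft tokens after removing a suspicious mod is prudent, given what the second stage collects.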

The campaign is believed to be the work of a Russian-speaking threat actor, based on Russian-language artifacts and the time zone of the attacker's commit activity (UTC+03:00). An estimated 1,500 or more devices may have been infected.

The case shows how popular gaming communities can serve as effective conduits for malware distribution and why users should treat third-party downloads with caution. The Stargazers Ghost Network has continued to push this malware at Minecraft players looking for mods, with seemingly harmless downloads turning out to be Java-based loaders that deploy further stealers capable of extracting sensitive data.

In related developments, Palo Alto Networks Unit 42 has reported two new variants of an information stealer dubbed KimJongRAT. The malware is likely linked to the same North Korean threat actor behind the BabyShark and Stolen Pencil attacks. KimJongRAT has been observed in the wild since May 2013, typically as a secondary payload in BabyShark intrusions.

One of the new variants is delivered as a Portable Executable (PE) file, while the other is implemented in PowerShell. Both infection chains begin with a Windows shortcut (LNK) file that, when opened, downloads a dropper from a content delivery network (CDN) endpoint under the attacker's control.

The PE variant's dropper deploys a loader together with a decoy PDF and a text file, while the PowerShell variant's dropper deploys a decoy PDF together with a ZIP file. The loader then downloads additional payloads, including the KimJongRAT stealer component.

The ZIP archive delivered by the PowerShell variant's dropper contains scripts that implement the KimJongRAT PowerShell-based stealer and keylogger components. Both variants collect and exfiltrate victim data, files with specific extensions, and browser information such as credentials and data from cryptocurrency wallet extensions. The PE variant additionally harvests FTP and email client information.

The continued evolution and deployment of KimJongRAT, including its use of legitimate CDN services to host and obscure its distribution, shows the threat is enduring and that its developers keep investing in expanding its capabilities.