Malicious Minecraft Mods: Stargazers DaaS Exploits Gaming Community

Discover how Stargazers DaaS is targeting Minecraft players with sophisticated malware attacks disguised as cheat tools. Learn the latest in cybersecurity threats and stay safe online.

TL;DR

Minecraft players are being targeted by sophisticated malware distributed via the Stargazers DaaS platform. These attacks, disguised as cheat tools, exploit the game’s modding community to steal sensitive information. The multi-stage infection chain, beginning with Java-based malware, highlights the growing threat to gaming communities.

Main Content

Java-Based Malware Targets Minecraft Users via Fake Cheat Tools

Check Point researchers have uncovered a sophisticated malware campaign targeting Minecraft users through the Stargazers Distribution-as-a-Service (DaaS) platform. The attack utilizes Java/.NET stealers disguised as popular cheat tools, posing a significant threat to the gaming community.

Minecraft, with over 200 million monthly players and 300 million copies sold, boasts a vibrant modding community. However, this openness has made it a prime target for cyber threats. In a recent campaign spotted by Check Point, attackers are specifically targeting Minecraft users by disguising malware as cheat tools such as Oringo and Taunahi.

The attackers employ a multi-stage infection chain, with the first two stages written in Java and requiring the Minecraft runtime to execute. This makes the threat highly targeted at the game’s user base.

“Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader,” reads the report published by Check Point. “Those repositories supposedly provided mods for Minecraft and appeared legitimate as multiple accounts starred those repositories.”

The malware, disguised as Minecraft cheat tools Oringo and Taunahi, initiates its attack when a victim manually installs a malicious JAR file posing as a Minecraft mod. Upon launching the game, the fake mod downloads a second-stage stealer, which then fetches an additional .NET-based stealer. The malware is linked to a Russian-speaking threat actor, as indicated by various elements written in Russian within the code.

A malicious mod disguised as a Forge plugin initiates a multi-stage malware attack. The first Java-based loader checks for virtual machines and analysis tools to avoid being analyzed. It then downloads a second-stage Java stealer, which extracts Minecraft and Discord data. Additionally, it downloads a third-stage .NET stealer that collects browser credentials, crypto wallets, VPN data, and more, sending everything to a Discord webhook.
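One way to hunt for the exfiltration step described above, as an added example (not code from Check Point's report or from this article): it scans endpoint network events for POSTs to Discord webhook endpoints made by processes outside an allowlist. The JSON event schema (`ts`, `image`, `method`, `url`), the sample events and the process names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Hosts that serve Discord's webhook API (current and legacy domain).
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

def is_webhook_url(url):
    """True for https://<discord host>/api[/vN]/webhooks/<id>/..."""
    parts = urlparse(url)
    host = parts.hostname or ""
    # Exact host or a real subdomain (ptb., canary.), never a substring match,
    # so a lookalike such as discord.com.example.org does not count.
    if not any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS):
        return False
    segs = [s for s in parts.path.split("/") if s]
    if segs[:1] != ["api"]:
        return False
    segs = segs[1:]
    if segs and segs[0].startswith("v") and segs[0][1:].isdigit():
        segs = segs[1:]  # optional API version segment, e.g. v10
    return len(segs) >= 2 and segs[0] == "webhooks"

def find_webhook_exfil(lines, allowed_images=frozenset()):
    """Return (ts, process, host) for webhook POSTs by non-allowlisted processes."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            posted = ev["method"].upper() == "POST" and is_webhook_url(ev["url"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if posted and name not in allowed_images:
            hits.append((ev.get("ts"), name, urlparse(ev["url"]).hostname))
    return hits

# Constructed sample events (hypothetical schema and values, not real telemetry).
SAMPLE = [
    r'{"ts":"t1","image":"C:\\Games\\jre\\bin\\javaw.exe","method":"POST","url":"https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED-TOKEN"}',
    r'{"ts":"t2","image":"C:\\Apps\\Discord\\Discord.exe","method":"GET","url":"https://discord.com/api/v9/users/@me"}',
    r'{"ts":"t3","image":"C:\\Apps\\chrome.exe","method":"POST","url":"https://discord.com.example.org/api/webhooks/1/x"}',
    r'{"ts":"t4","image":"C:\\Temp\\stage3-sample.exe","method":"POST","url":"https://canary.discord.com/api/v10/webhooks/000/CONSTRUCTED"}',
    'not json at all',
    r'{"ts":"t6","image":"C:\\Games\\jre\\bin\\javaw.exe","method":"GET","url":"https://discord.com/api/webhooks/000/CONSTRUCTED"}',
]

if __name__ == "__main__":
    for hit in find_webhook_exfil(SAMPLE):
        print(hit)
```

Any integration that legitimately posts to webhooks from the monitored hosts belongs in `allowed_images`, otherwise it will be reported alongside the suspicious processes.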

“Disguised as Minecraft mods, these malicious Java archives often evade sandbox analysis due to missing dependencies. The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data,” concludes the report, which also provides Indicators of Compromise.

“The threat actor behind these campaigns is likely of Russian origin. This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content.”

Pierluigi Paganini

(SecurityAffairs - hacking, gaming)

For more details, visit the full article: source

Conclusion

The recent malware campaign targeting Minecraft users underscores the growing threat to gaming communities. By exploiting the trust and enthusiasm of players seeking to enhance their gameplay, attackers are distributing sophisticated malware that can steal sensitive information. Players must exercise caution when downloading third-party content and ensure they verify the authenticity of any mods or tools they use. As the gaming industry continues to grow, so too will the need for robust cybersecurity measures to protect its users.

This post is licensed under CC BY 4.0 by the author.