In a concerning development for the gaming community, Check Point researchers have uncovered a sophisticated malware campaign targeting Minecraft users through a distribution-as-a-service (DaaS) model known as Stargazers. This malicious software, cleverly disguised as cheat tools, leverages Java and .NET stealers to infiltrate the systems of unsuspecting players.
Targeting the Minecraft Community
Minecraft, with its extensive player base exceeding 200 million monthly users and over 300 million copies sold, boasts a dynamic modding community where creativity flourishes. However, this very openness has rendered it vulnerable to cyber threats. The recent findings by Check Point reveal a multi-stage infection chain that specifically preys on this community.
According to the report, the attackers have been active since March 2025, utilizing GitHub repositories that masquerade as legitimate mod offerings. These repositories, which have garnered attention from users, feature malicious JAR files disguised as popular Minecraft mods such as Oringo and Taunahi. The first two stages of the malware execute only if the Minecraft runtime is present, so they stay dormant in environments that lack the game, which makes the campaign particularly insidious.
The infection process begins when a victim unwittingly installs the compromised JAR file. Upon launching Minecraft, the fake mod triggers the download of a second-stage stealer, which subsequently retrieves a .NET-based stealer. The analysis indicates a connection to Russian-speaking threat actors, highlighted by the presence of Russian language elements within the code.
Multi-Stage Attack Mechanism
The malicious mod, camouflaged as a Forge plugin, initiates a complex multi-stage attack. Initially, a Java-based loader checks for virtual machines and analysis tools to evade detection. It then downloads a second-stage Java stealer that extracts sensitive data from Minecraft and Discord. Following this, a third-stage .NET stealer collects a broader range of information, including browser credentials, cryptocurrency wallet details, and VPN data, all of which are sent to a Discord webhook for exploitation.
Check Point’s report emphasizes the deceptive nature of these malicious Java archives, which often escape scrutiny during sandbox analysis due to their missing dependencies. The Stargazers Ghost Network has been identified as the active distributor of this malware, capitalizing on the desires of Minecraft players seeking to enhance their gaming experience.
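Because these archives do little in a sandbox that lacks the game, inspecting a mod JAR statically, without running it, is one way to triage a mods folder. The sketch below is an added example, not code from Check Point or from the campaign; the marker strings, the function names `triage_jar` and `make_jar`, and the sample JARs are assumptions constructed for illustration, not indicators from the report.

```python
import io
import zipfile

# Illustrative heuristics only (assumptions, not indicators from the report).
MARKERS = {
    "remote_fetch": (b"java/net/urlclassloader", b"java/net/httpurlconnection"),
    "env_check": (b"vmware", b"virtualbox", b"wireshark"),
    "discord_webhook": (b"discord.com/api/webhooks",),
}
FORGE_META = ("mcmod.info", "META-INF/mods.toml")  # metadata files a Forge mod ships


def triage_jar(data: bytes) -> dict:
    """Statically inspect JAR bytes; never loads or executes any class."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        for name in names:
            if not name.endswith(".class"):
                continue
            body = jar.read(name).lower()  # case-insensitive byte search
            for category, needles in MARKERS.items():
                if any(n in body for n in needles):
                    hits.setdefault(category, []).append(name)
    forge = any(meta in names for meta in FORGE_META)
    # A mod that both fetches remote code and probes its environment (or talks
    # to a webhook) matches the loader behaviour described in the article.
    suspicious = forge and "remote_fetch" in hits and (
        "env_check" in hits or "discord_webhook" in hits)
    return {"forge_mod": forge, "hits": hits, "suspicious": suspicious}


def make_jar(files: dict) -> bytes:
    """Build a constructed sample JAR in memory (test data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in files.items():
            jar.writestr(name, content)
    return buf.getvalue()


# Constructed samples: byte strings stand in for class-file constant pools.
BENIGN = make_jar({"mcmod.info": b"[]", "mod/Hud.class": b"net/minecraft/client/gui/Gui"})
LOADER = make_jar({"mcmod.info": b"[]",
                   "a/b.class": b"java/net/URLClassLoader ... VMware ... VirtualBox"})

if __name__ == "__main__":
    for label, jar in (("benign", BENIGN), ("loader-like", LOADER)):
        print(label, triage_jar(jar))
```

Plain string matching misses obfuscated or encrypted constants, so a clean result is not proof that a mod is safe; treat a hit as a reason to look closer.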
Furthermore, the report underscores the importance of vigilance within popular gaming communities, which can serve as effective conduits for malware distribution. As the landscape of online gaming continues to evolve, the need for caution when downloading third-party content has never been more critical.