‘Stargazers’ use fake Minecraft mods to steal player passwords
June 19, 2025
A recent malware campaign has emerged, specifically targeting the vast community of Minecraft players. This operation employs malicious mods and cheats that infiltrate Windows devices, deploying infostealers designed to pilfer sensitive information such as credentials, authentication tokens, and cryptocurrency wallets.
Uncovered by Check Point Research, this campaign is orchestrated by the Stargazers Ghost Network, which skillfully utilizes the expansive modding ecosystem of Minecraft and established platforms like GitHub to engage a wide array of potential victims. The scale of this operation is underscored by the thousands of views on Pastebin links used by the threat actors, highlighting the extensive reach of their tactics.
Stealthy Minecraft malware
The Stargazers Ghost Network operates as a distribution-as-a-service (DaaS) entity, having been active on GitHub since the previous year. Check Point first documented this operation in a campaign that involved the dissemination of infostealers across 3,000 accounts. Notably, this same network was responsible for infecting over 17,000 systems in late 2024 with a novel Godot-based malware.
In their latest findings, researchers Jaromír Hořejší and Antonis Terefos revealed that the campaign targets Minecraft through Java malware that successfully evades detection by all known anti-virus solutions. The researchers identified numerous GitHub repositories managed by Stargazers, camouflaged as Minecraft mods and cheats, including names like Skyblock Extras, Polar Client, FunnyMap, Oringo, and Taunahi.
“We have identified approximately 500 GitHub repositories, including those that are forked or copied, which were part of this operation aimed at Minecraft players,” Terefos shared with BleepingComputer. “We’ve also seen 700 stars generated by around 70 accounts.”
[Figure: Four repositories participating in this operation. Source: Check Point]
Upon execution within Minecraft, the initial JAR loader downloads subsequent stages from Pastebin via a base64-encoded URL, ultimately fetching a Java-based stealer. This stealer is designed to target Minecraft account tokens and user data from both the Minecraft launcher and popular third-party launchers such as Feather, Lunar, and Essential.
Additionally, the malware attempts to extract Discord and Telegram account tokens, transmitting the stolen information through HTTP POST requests to the attacker’s server. The Java stealer also functions as a loader for the next phase, a .NET-based stealer dubbed ‘44 CALIBER’, which takes a more conventional approach to information theft, seeking to capture data from web browsers, VPN accounts, cryptocurrency wallets, and various applications including Steam and Discord.
[Figure: Overview of the infection chain. Source: Check Point]
The ‘44 CALIBER’ stealer is capable of gathering system information and clipboard data, even capturing screenshots of the victim’s computer. “After deobfuscation, we can observe that it steals various credentials from browsers (Chromium, Edge, Firefox), files (Desktop, Documents, %USERPROFILE%/Source), Cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPNs (ProtonVPN, OpenVPN, NordVPN), Steam, Discord, FileZilla, Telegram,” the researchers caution.
The exfiltrated data is sent via Discord webhooks, often accompanied by Russian comments. This detail, along with UTC+3 commit timestamps, suggests a Russian origin for the operators behind this campaign. To assist in countering this threat, Check Point has made available the full indicators of compromise (IoCs) in their report.
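The infection chain described above has a recognisable network shape from the defender's side: a JVM process (Minecraft mods run inside `java.exe`/`javaw.exe`) fetching from Pastebin, the same process POSTing to an attacker server, and a later POST to a Discord webhook. The following is an added detection sketch, not code from Check Point or BleepingComputer. The log format is a hypothetical flattened proxy/EDR record (`timestamp host process method dest_host path`), the sample lines are constructed, and the IP address and paths are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a hypothetical flattened proxy/EDR format:
# timestamp host process method dest_host path
SAMPLE_LOG = """\
2025-06-19T10:01:02Z pc1 javaw.exe GET pastebin.com /raw/PLACEHOLDER1
2025-06-19T10:01:05Z pc1 javaw.exe GET example-cdn.test /stage2.jar
2025-06-19T10:01:09Z pc1 javaw.exe POST 203.0.113.10 /upload
2025-06-19T10:02:30Z pc1 stealer.exe POST discord.com /api/webhooks/123/abc
2025-06-19T10:03:00Z pc1 chrome.exe GET pastebin.com /raw/PLACEHOLDER2
2025-06-19T10:04:00Z pc1 javaw.exe GET sessionserver.mojang.com /session/minecraft/join
"""

JAVA_PROCS = {"java.exe", "javaw.exe"}            # Minecraft and its mods run in the JVM
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")   # bare IPv4 literal as destination


@dataclass
class Alert:
    ts: str
    host: str
    process: str
    rule: str
    detail: str


def parse_line(line):
    """Split one hypothetical log record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, proc, method, dest, path = parts
    return {"ts": ts, "host": host, "process": proc.lower(),
            "method": method.upper(), "dest": dest.lower(), "path": path}


def evaluate(rec):
    """Apply the three behavioural rules derived from the reported chain."""
    alerts = []
    is_java = rec["process"] in JAVA_PROCS
    # Stage retrieval: the JAR loader pulls its next stage from Pastebin.
    if is_java and rec["dest"] == "pastebin.com":
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], "java_pastebin_fetch",
                            f"JVM fetched {rec['path']} from Pastebin (staging pattern)"))
    # Exfiltration: the Java stealer POSTs to the attacker's server, here a raw IP.
    if is_java and rec["method"] == "POST" and IP_RE.match(rec["dest"]):
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], "java_post_to_ip",
                            f"JVM POSTed to bare IP {rec['dest']}"))
    # Second-stage exfiltration over a Discord webhook, from any process.
    if rec["method"] == "POST" and rec["dest"] == "discord.com" \
            and rec["path"].startswith("/api/webhooks/"):
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], "discord_webhook_post",
                            "POST to Discord webhook endpoint (exfil pattern)"))
    return alerts


def detect(log_text):
    """Run every record through the rules and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            alerts.extend(evaluate(rec))
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts that show both a staging fetch and an exfil-style POST; escalate these."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if "java_pastebin_fetch" in rules
                  and rules & {"java_post_to_ip", "discord_webhook_post"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.process:12} {a.rule:22} {a.detail}")
    print("escalate:", hosts_with_full_chain(found))
```

Note that a browser hitting Pastebin is deliberately not flagged: the signal is the JVM, not the site. A single rule firing is low confidence; the per-host correlation in `hosts_with_full_chain` is what turns three weak signals into one worth an analyst's time.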
For Minecraft players looking to safeguard their accounts against such threats, it is advisable to download mods exclusively from reputable platforms and verified community portals. When considering downloads from GitHub, players should assess the number of stars, forks, and contributors, carefully examine commits for signs of fraudulent activity, and review recent actions on the repository.
Ultimately, employing a separate “burner” Minecraft account for testing mods while refraining from logging into one’s primary account is a prudent strategy to enhance security.
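The vetting advice above (stars, forks, contributors, commit contents, recent activity) can be turned into a repeatable checklist. The following is an added example and not a tool from Check Point or BleepingComputer; it scores a pre-fetched snapshot of repository metadata against heuristics that reflect the campaign's shape (for example, 700 stars coming from around 70 accounts). The snapshot layout, the two sample repositories and every threshold are assumptions chosen for illustration, not GitHub API structures.

```python
from datetime import date
from statistics import median

# Hypothetical snapshot layout (not the GitHub API response shape):
#   stars, forks, contributors, created (date),
#   stargazer_account_ages_days (list of ints), recent_commits (list of {"files": [...]})
SUSPICIOUS_REPO = {                       # constructed sample
    "stars": 700, "forks": 40, "contributors": 1,
    "created": date(2025, 5, 20),
    "stargazer_account_ages_days": [5, 12, 20, 45, 9],
    "recent_commits": [{"files": ["mod-release.jar"]}, {"files": ["release.zip"]}],
}
LEGIT_REPO = {                            # constructed sample
    "stars": 1200, "forks": 300, "contributors": 25,
    "created": date(2021, 3, 1),
    "stargazer_account_ages_days": [900, 1500, 400, 2200, 60],
    "recent_commits": [{"files": ["src/Main.java", "README.md"]},
                       {"files": ["build.gradle"]}],
}

BINARY_EXT = (".jar", ".exe", ".dll", ".zip")   # prebuilt artefacts committed directly
MIN_STARS = 50          # assumed: below this, star-based signals are noise
YOUNG_REPO_DAYS = 60    # assumed: a new repo with many stars is unusual
YOUNG_ACCOUNT_DAYS = 30 # assumed: stargazers created recently suggest a star farm


def vet_repo(repo, today):
    """Return (score, reasons): one point per heuristic that fires."""
    reasons = []
    stars, contributors = repo["stars"], repo["contributors"]
    repo_age = (today - repo["created"]).days

    # Popularity without a community: many stars, a single contributor.
    if stars >= MIN_STARS and contributors <= 1:
        reasons.append(f"{stars} stars but only {contributors} contributor")

    # Popularity that arrived faster than organic projects usually earn it.
    if stars >= MIN_STARS and repo_age < YOUNG_REPO_DAYS:
        reasons.append(f"{stars} stars on a repo only {repo_age} days old")

    # Stars granted by accounts that barely existed before starring.
    ages = repo["stargazer_account_ages_days"]
    if ages and median(ages) < YOUNG_ACCOUNT_DAYS:
        reasons.append(f"median stargazer account age {median(ages):.0f} days")

    # Commits that only drop binaries give reviewers nothing to audit.
    commits = repo["recent_commits"]
    binary_only = [c for c in commits
                   if c["files"] and all(f.lower().endswith(BINARY_EXT) for f in c["files"])]
    if commits and len(binary_only) == len(commits):
        reasons.append("all recent commits only touch prebuilt binaries")

    return len(reasons), reasons


def verdict(repo, today):
    score, _ = vet_repo(repo, today)
    return "avoid" if score >= 2 else "review" if score == 1 else "no red flags"


if __name__ == "__main__":
    today = date(2025, 6, 19)
    for name, repo in (("suspicious", SUSPICIOUS_REPO), ("legit", LEGIT_REPO)):
        score, reasons = vet_repo(repo, today)
        print(name, verdict(repo, today), score, reasons)
```

The score is deliberately additive and explainable: each reason maps to one of the checks the article recommends, so a player or moderator can see why a repository was flagged rather than trusting an opaque number. None of these checks prove a repository is malicious, and a clean score is not proof of safety; they only decide how much scrutiny a download deserves.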