Cybersecurity researchers just uncovered a massive malware scheme disguised as Minecraft mods. Hackers hide dangerous Java loaders in popular cheat tools and deliver stealer malware directly to unsuspecting players. Check Point Research maps this attack to the “Stargazers Ghost Network,” a sprawling GitHub-based distribution-as-a-service. The campaign has already infected more than 1,500 computers.
This campaign began in March 2025. Hackers upload fake Oringo, Taunahi, and similar tools, copying branding and star counts to seem legitimate. Victims download mod-like JARs into their Minecraft mods folder. Once Minecraft runs, the malware performs anti‑VM checks. If the checks pass, it pulls down a second‑stage Java stealer, followed by a .NET payload.
Malware hunts for browser credentials, crypto wallets, and more
The .NET stealer hunts for browser credentials, crypto wallets, and app tokens for Discord, Steam, Telegram, and more. It also grabs screenshots, clipboard data, system details, and saved files. The stolen data then travels to a Discord webhook under hacker control.
Researchers warn that this loader evades antivirus engines. Its targeted design for Minecraft evades sandbox defenses. The malware has low detection rates on VirusTotal and blends in with trusted game processes.
Check Point records around 500 malicious GitHub repositories and 70 supporting accounts. They amassed over 700 stars before researchers flagged them. Download logs and Pastebin hits confirm at least 1,500 infections. Estimates may rise as attackers refine obfuscation and repository tactics.
Analysts link the campaign to Russian‑speaking groups. Git commits show UTC+3 timestamps, and code comments contain Russian text.
This threat comes as Minecraft reaches over 200 million monthly users. More than one million actively use mods. Many run unauthorized cheat tools, making them prime malware targets.
Experts urge gamers to avoid cheat tools or unofficial mods. Use only trusted sources like CurseForge. Keep antivirus software updated with real‑time protection.
Parents should educate young players about modding risks. This attack shows how a game mod can become a data breach. Community awareness limits malware spread.
Cheaters never win
“Cheaters never win,” one analyst says. Fake cheat mods backfire—infecting user machines. Reddit users report Steam account theft and crypto wallet loss.
“Very punishing karma for cheaters to get their data stolen like Steam account info and crypto wallet info.”
Always scrutinize downloads. Even familiar file names can hide threats. Verify URLs, repo stars, and official endorsements.
If infected, disconnect from the internet, run full antivirus scans, reset all compromised accounts, and monitor for unauthorized access.
In a world full of creativity, Minecraft modding thrives. But now, vigilance is part of safe gaming.