
Fake Minecraft Mods Used To Steal Gamer Data
Minecraft players are now being targeted by an advanced cyberattack that disguises itself as game mods.
In a rush? Here are the quick facts:
- Fake Minecraft mods spread malware via GitHub to steal gamer data.
- The attack requires Minecraft to be installed, which helps it evade many antivirus systems.
- Stolen data includes Discord, Telegram, wallets, and Minecraft credentials.
Check Point researchers have found that hackers are distributing fake mods through GitHub that impersonate popular tools like Oringo and Taunahi in order to spread a multistage malware chain. The Stargazers Ghost Network uses Java-based malware designed to target systems that run Minecraft.
Researchers Jaromír Hořejší and Antonis Terefos explain that this stealthy and highly targeted operation uses these fake mods to trick players into installing malware that antivirus software has difficulty detecting.
The attack starts with a Java-based fake mod, which serves as a downloader. When the malware activates, it downloads a second-stage, Java-based malware, which subsequently downloads a third-stage, .NET-based stealer. The final malware in the chain steals sensitive information, including Discord and Telegram tokens, Minecraft credentials, and cryptocurrency wallets. It also captures screenshots and monitors clipboard activity.
The malware stops its execution if it detects any indication of a virtual machine or analysis software, according to Check Point. Its stealth is enhanced because it requires Minecraft to run, reducing the likelihood of triggering alerts from general-purpose scanning tools.
The hacker group appears to be Russian-speaking, based on time zone data and Russian-language file artifacts. The attackers, using the usernames “JoeBidenMama” and “P1geonD3v,” have uploaded the malware repeatedly to Pastebin and GitHub.
With more than 200 million monthly Minecraft players worldwide, game mod communities are increasingly vulnerable to malware attacks, researchers warn. The team advises gamers to exercise extreme caution when downloading third-party mods.
Check Point recommends using endpoint protection and avoiding mods from untrusted sources—especially those offering cheats or enhancements that seem too good to be true.
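As an added example (not from the article or from Check Point's research), the Python script below statically triages a mod JAR for the first-stage behaviour described above, a Java mod that acts as a downloader. It lists the networking classes and URLs named in each class's constant pool without running the file. The function names and the choice of JDK classes treated as signals are assumptions made for this example.

```python
import io
import re
import struct
import zipfile

# Bytes following the tag for each fixed-size constant-pool entry (JVM class format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed triage signals: JDK classes a downloader needs to fetch and load code.
LOADER_APIS = {"java/net/URL", "java/net/URLClassLoader",
               "java/net/URLConnection", "java/net/HttpURLConnection"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def utf8_constants(data):
    """Return the CONSTANT_Utf8 strings from one .class file's constant pool."""
    out = []
    try:
        if data[:4] != b"\xca\xfe\xba\xbe":
            return out
        count, pos, index = struct.unpack_from(">H", data, 8)[0], 10, 1
        while index < count:
            tag, pos = data[pos], pos + 1
            if tag == 1:  # Utf8: u2 length, then that many bytes
                length = struct.unpack_from(">H", data, pos)[0]
                out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
                pos += 2 + length
            elif tag in CP_SIZES:
                pos += CP_SIZES[tag]
                index += tag in (5, 6)  # Long/Double occupy two pool slots
            else:
                break  # unknown tag: stop rather than misparse
            index += 1
    except (IndexError, struct.error):
        pass  # truncated class file: keep what was parsed
    return out

def triage_jar(jar_bytes):
    """Map each class in a JAR to the loader APIs and URLs it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            strings = utf8_constants(jar.read(name))
            apis = sorted(LOADER_APIS.intersection(strings))
            urls = sorted({u for s in strings for u in URL_RE.findall(s)})
            if apis or urls:  # a lead for manual review, not a verdict
                findings[name] = {"apis": apis, "urls": urls}
    return findings
```

Legitimate mods also make network requests, and a loader can hide its strings, so a hit is a reason to review the mod by hand and an empty result does not clear it.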