More than 1,500 Minecraft players infected with Java malware masquerading as game mods on GitHub.

A recent malware campaign has infected over 1,500 Minecraft players by disguising Java-based malware as legitimate game mods on GitHub. This operation, identified by Check Point researchers, leverages a distribution-as-a-service (DaaS) platform called the Stargazers Ghost Network to spread its malicious payloads.

How the Attack Works

• The malware is distributed through fake Minecraft mods and cheats, uploaded to hundreds of GitHub repositories that appear to offer cracked software or game enhancements.
• Victims are tricked into downloading a malicious JAR file (e.g., “Oringo-1.8.9.jar”) and placing it in their Minecraft mods folder.
• When Minecraft is launched, the mod is loaded and the first-stage Java loader executes, downloading a second-stage stealer from a Pastebin link, which is encoded in Base64 to avoid detection.
• The second-stage Java stealer then downloads and executes a .NET-based information stealer as the final payload.

Capabilities and Impact

• The malware campaign is highly stealthy, using anti-VM and anti-analysis techniques to evade antivirus detection.
• The .NET stealer can:
  • Harvest credentials from web browsers
  • Steal Discord, Minecraft, and Telegram tokens
  • Exfiltrate data from cryptocurrency wallets, Steam, FileZilla, and more
  • Take screenshots, gather system information, and capture clipboard contents
  • Send all stolen data to the attacker via a Discord webhook
• The attack specifically targets users running Minecraft, as the malicious mods only execute if the Minecraft runtime is present.
• Researchers estimate that over 1,500 devices have been compromised in this campaign.
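The loader chain in "How the Attack Works" (a JAR in the mods folder that fetches a Base64-encoded second stage from Pastebin) and the webhook exfiltration in "Capabilities and Impact" both leave string constants inside the compiled classes. The triage script below is an added example, not code from Check Point or from the campaign write-up: it treats each JAR in a Minecraft mods folder as the ZIP archive it is, searches the .class entries for the indicator strings those behaviours imply, and combines them into a rough verdict. The indicator patterns, the risk combinations and the sample JAR are my own assumptions constructed for illustration; the sample's class bodies are not real bytecode, only the string constants matter for the scan.

```python
import io
import re
import zipfile
from pathlib import Path

# Indicators drawn from the behaviour the write-up describes: a Java loader
# that pulls a Base64-encoded second stage from Pastebin and a stealer that
# reports to a Discord webhook. These patterns are triage assumptions,
# not a signature for the campaign itself.
INDICATORS = {
    "pastebin_url": re.compile(rb"pastebin\.com/"),
    "discord_webhook": re.compile(rb"discord(?:app)?\.com/api/webhooks/"),
    "base64_decoder": re.compile(rb"java/util/Base64"),
    "http_client": re.compile(rb"java/net/(?:URL|HttpURLConnection)"),
    "process_spawn": re.compile(rb"java/lang/(?:Runtime|ProcessBuilder)"),
}

# Combinations that together resemble the described loader: a remote
# fetch plus decoding of a paste-site payload, or a fetch plus a webhook.
HIGH_RISK_COMBOS = [
    {"http_client", "base64_decoder", "pastebin_url"},
    {"http_client", "discord_webhook"},
    {"http_client", "process_spawn"},
]


def scan_jar_bytes(data: bytes) -> dict:
    """Map each indicator to the .class entries in the JAR that contain it.

    JAR files are ZIP archives; compiled classes keep string constants and
    referenced class names in the constant pool as UTF-8, so a byte-level
    search finds them without a bytecode parser.
    """
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            blob = jar.read(entry)
            for name, pattern in INDICATORS.items():
                if pattern.search(blob):
                    hits[name].append(entry)
    return {name: entries for name, entries in hits.items() if entries}


def verdict(hits: dict) -> str:
    """'high' if a risk combination is present, 'review' if any single
    indicator fired, 'clean' otherwise."""
    found = set(hits)
    if any(combo <= found for combo in HIGH_RISK_COMBOS):
        return "high"
    return "review" if found else "clean"


def scan_mods_folder(folder: str) -> dict:
    """Scan every *.jar in a mods folder; returns {filename: (verdict, hits)}."""
    report = {}
    for path in sorted(Path(folder).glob("*.jar")):
        try:
            hits = scan_jar_bytes(path.read_bytes())
        except zipfile.BadZipFile:
            report[path.name] = ("corrupt", {})
            continue
        report[path.name] = (verdict(hits), hits)
    return report


def build_sample_jar() -> bytes:
    """Constructed fixture: one benign-looking class and one class whose
    constant pool resembles the loader described in the write-up.
    The URL is a placeholder, not an indicator from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/mod/BlockRenderer.class",
                     b"\xca\xfe\xba\xbe"
                     + b"net/minecraft/client/renderer/BlockRenderer")
        jar.writestr("com/example/mod/Loader.class",
                     b"\xca\xfe\xba\xbe"
                     + b"java/net/HttpURLConnection"
                     + b"https://pastebin.com/raw/EXAMPLE-PLACEHOLDER"
                     + b"java/util/Base64$Decoder")
    return buf.getvalue()


if __name__ == "__main__":
    sample_hits = scan_jar_bytes(build_sample_jar())
    print(verdict(sample_hits), sample_hits)
```

Point `scan_mods_folder` at a real `.minecraft/mods` directory to get a per-file verdict. A "review" result only means a single indicator appeared (plenty of legitimate mods open HTTP connections or decode Base64); the "high" verdict is reserved for the combination that matches the staged download described above, which is the part worth pulling the JAR for a closer look.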

Attribution and Context

• Evidence suggests the campaign is operated by a Russian-speaking threat actor, based on Russian-language artifacts and time zones associated with the attacker’s activity.
• The Stargazers Ghost Network has a history of using thousands of GitHub accounts to distribute malware, previously infecting tens of thousands of systems with other strains.