Introduction

Minecraft, with its open-ended gameplay and rich modding ecosystem, attracts over 200 million monthly active players globally. However, in June 2025, a malicious campaign orchestrated by the Russian-speaking criminal group “Stargazers Ghost Network” exposed vulnerabilities in the modding community.

Attackers distributed malware disguised as popular cheat tools via GitHub, resulting in over 1,500 players being infected with information-stealing programs.

This article, based on reports from Check Point Research, The Hacker News, and The Register, provides an in-depth analysis of the attack techniques, indicators of compromise (IoC), potential impacts, and protective recommendations for players.

Incident Background

Attack Overview

  • Discovery Date: March 2025, tracked by Check Point researchers Jaromír Hořejší and Antonis Terefos, publicly disclosed on June 18, 2025.
  • Attackers: Russian-speaking criminal group “Stargazers Ghost Network,” characterized by Russian-language code and UTC+3 time zone.
  • Attack Scale: Approximately 500 GitHub repositories (including forked copies), receiving around 700 “Stars” from 70 accounts, infecting over 1,500 devices.
  • Target: Minecraft players, particularly teenagers seeking free cheat tools.

Attack Impact

  • Data Breaches: Theft of Minecraft tokens, Discord tokens, browser credentials, cryptocurrency wallets (e.g., MetaMask, Trust Wallet), Telegram data, Steam and FileZilla credentials, system information, screenshots, etc.
  • Financial Losses: Some victims lost thousands of dollars due to stolen cryptocurrency.
  • Social Propagation: Using stolen Discord tokens, attackers impersonated victims to send phishing links to their contacts, further spreading the infection.
  • Platform Trust: The abuse of GitHub’s open platform raised concerns about its security mechanisms.

Attack Technique Analysis

1. Disguise and Distribution

Attackers distributed malware through the following methods:

  • Malicious Repositories: Created approximately 500 GitHub repositories mimicking popular cheat tool names, such as “Oringo-Client” and “Taunahi-V3.”
  • False Credibility: Used automated tools to add around 700 “Stars” from approximately 70 accounts to create an illusion of popularity.
  • Multi-Channel Promotion: Shared “free cheat” links on X, Discord servers, and Minecraft forums to lure downloads.

Example repositories are listed under “GitHub Repositories” in the Indicators of Compromise table below.

2. Multi-Stage Malware Loading

The malware employs a three-stage infection chain, leveraging Java and .NET technologies:

  • Stage 1: Java Downloader
    • Requirement: A Minecraft runtime environment (e.g., Forge 1.8.9) must be present for the JAR to load.
    • Function: Downloads the second-stage payload from a Pastebin URL that is stored Base64-encoded in the loader (e.g., hxxps://pastebin.com/raw/xCa3vSiP).
    • Anti-Detection: Includes anti-VM and anti-sandbox checks that stop execution when virtual-machine keywords (e.g., “vmware,” “virtualbox”) or processes (e.g., “VBoxTray.exe”) are found.
    • Example Filenames: Oringo-1.8.9.jar, FunnyMap-0.7.5.jar.
  • Stage 2: Java Stealer
    • Function: Steals Minecraft tokens and data from third-party launchers (e.g., Feather, Lunar) and sends them via Discord Webhooks.
    • Communication: Uses IPs (e.g., 147.45.79.104) or Pastebin as a dead drop.
  • Stage 3: .NET Advanced Stealer
    • Function: Steals browser data (Chrome, Edge, Firefox), cryptocurrency wallets, application tokens (Discord, Steam, Telegram), system information, screenshots, etc.
    • Persistence: Modifies the registry (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
    • Data Exfiltration: Transmits data via Discord or other encrypted channels.
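The stage-3 stealer persists through the HKCU Run key named above, and a quick way to review that key is to save the output of `reg query` and triage the entries. The script below is an added example written for this article, not code from any of the cited reports; it parses a constructed `reg query` listing (the value names, paths and the user name “alice” are made up, while MixinLoader-v2.4.jar is the loader filename from the IoC table) and flags entries that launch a loose JAR or run from a user-writable scratch directory. The heuristics are the editor's, not indicators published by the researchers.

```python
# Triage the HKCU Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,
# the persistence location the stage-3 stealer writes) from saved `reg query`
# output, flagging entries that look like a dropped Java payload.
import re

# Heuristics, not IoCs: legitimate Run entries rarely launch a loose JAR
# from a user-writable scratch directory.
JAVA_LAUNCH = re.compile(r"\bjavaw?(\.exe)?\b.*\s-jar\b|\.jar\b", re.IGNORECASE)
SCRATCH_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\temp\\")

def parse_reg_query(text):
    """(name, type, data) tuples from `reg query <key>` output; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue  # key header, blank line or other non-value output
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append(tuple(parts))
    return entries

def suspicion_reasons(data):
    """Why a Run value's command looks like a dropped payload; empty list if it does not."""
    reasons = []
    if JAVA_LAUNCH.search(data):
        reasons.append("launches a JAR")
    if any(d in data.lower() for d in SCRATCH_DIRS):
        reasons.append("runs from a user-writable scratch directory")
    return reasons

def triage(text):
    """Return (name, data, reasons) for each Run value that trips a heuristic."""
    flagged = []
    for name, _type, data in parse_reg_query(text):
        reasons = suspicion_reasons(data)
        if reasons:
            flagged.append((name, data, reasons))
    return flagged

# Constructed sample of `reg query` output for the Run key (not a real capture);
# the third entry models the stealer's persistence using the loader filename
# from the IoC table, the first two model ordinary installed applications.
SAMPLE_REG_QUERY = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Discord    REG_SZ    C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe
    MixinLoader    REG_SZ    javaw.exe -jar C:\\Users\\alice\\AppData\\Local\\Temp\\MixinLoader-v2.4.jar
"""

if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{name}: {data}\n  -> {', '.join(reasons)}")
```

On a real machine, capture the key with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` and pass the file contents to `triage()`; an entry that is flagged deserves a look at the referenced file (hash it against the IoC table) rather than automatic deletion, since the heuristics will also trip on a legitimate Java application a user launches from their profile.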

3. Exploiting Player Psychology

Attackers targeted young players, especially teenagers, exploiting their desire for free cheats. Check Point noted that Minecraft’s modding community, with over a million active users, is an ideal target. Attackers posted “exclusive cheat” advertisements on X, enticing players to take the bait.

Indicators of Compromise (IoC)

The following IoCs, extracted from the three reports, aid security practitioners in identifying the threat:

GitHub Repositories
  • https://github.com/A1phaD3v/Oringo-Client
  • https://github.com/AlphaPigeonDev/Polar-Client
  • https://github.com/AlphaPigeonDev/Skyblock-Extras
  • https://github.com/P1geonD3v/Funny-Map-Extras
  • https://github.com/P1geonD3v/Taunahi-V3

Malicious JAR Filenames
  • FunnyMap-0.7.5.jar
  • Oringo-1.8.9.jar
  • Oringo-Client.1.8.9.jar
  • Polar-1.8.9.jar
  • PolarClient-v2.6.jar
  • SkyblockExtras-1.8.9.jar
  • Taunahi-V3.jar
  • TaunahiPlus-V3.jar

Pastebin URLs
  • hxxps://pastebin.com/raw/xCa3vSiP
  • hxxps://pastebin.com/raw/C9QvUqi3

Malicious Domains/IPs
  • hxxp://147.45.79.104/download
  • hxxp://147.45.79.104/cookies
  • hxxp://147.45.79.104
  • hxxp://147.45.79.104:80
  • hxxp://негры.рф/MixinLoader-v2.4.jar
  • hxxp://185.95.159.125/upload
  • негры.рф

SHA256 (Stage 1)
  • 05b143fd7061bdd317bd42c373c5352bec351a44fa849ded58236013126d2963
  • 9ca41431df9445535b96a45529fce9f9a8b7f26c08ac8989a57787462da3342f
  • c5936514e05e8b1327f0df393f4d311afd080e5467062151951e94bbd7519703
  • 9a678140ce41bdd8c02065908ee85935e8d01e2530069df42856a1d6c902bae1

SHA256 (Stage 2)
  • 4c8a6ad89c4218507e27ad6ef4ddadb6b507020c74691d02b986a252fb5dc612
  • 51e423e8ab1eb49691d8500983f601989286f0552f444f342245197b74bc6fcf
  • 5d80105913e42efe58f4c325ac9b7c89857cc67e1dcab9d99f865a28ef084b37
  • 97df45c790994bbe7ac1a2cf83d42791c9d832fa21b99c867f5b329e0cc63f64
  • 4c944b07832d5c29e7b499d9dd17a3d71f0fd918ab68694d110cbb8523b8af49
  • 5590eaa4f11a6ed4351bc983e47d9dfd91245b89f3108bfd8b7f86e40d00b9fa

SHA256 (Stage 3)
  • 7aefd6442b09e37aa287400825f81b2ff896b9733328814fb7233978b104127f
  • 886a694ee4be77242f501b20d37395e1a8a7a8f734f460cae269eb1309c5b196
  • a1dc479898f0798e40f63b9c1a7ee4649357abdc757c53d4a81448a5eea9169f
  • a427eeb8eed4585f2d51b62528b8b4920e72002ab62eb6fc19289ebc2fba5660
  • f08086257c74b1de394bf150ad8aacc99ca5de57b4baa0974bc1b59bb973d355
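The IoCs above are most useful when turned into a scan of the mods directory that the protection recommendations tell players to inspect. The script below is an added example written for this article, not a tool from Check Point or any other cited source. It hashes every JAR and compares it with the published SHA256 values and filenames, then opens each JAR and searches its members for the campaign's network indicators (with the hxxp defanging removed) both as plain text and inside any Base64-decodable run, since the stage-1 loader stores its Pastebin URL Base64-encoded, and for the anti-VM keywords the loader checks. The demo fixtures (Oringo-1.8.9.jar and HarmlessMap-1.0.jar, written to a temporary directory) are constructed here to exercise the checks; they are not the real samples, so only the filename and string checks fire on them, not the hash match.

```python
# Hunt for the campaign's IoCs in a Minecraft mods directory: match each JAR
# against the published SHA256 hashes and filenames, then look inside it for
# the stage-1 tells (Pastebin dead-drop URLs, plain or Base64-encoded, the
# attacker hosts, and the anti-VM keywords the loader checks before running).
import base64
import binascii
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# SHA256 hashes from the report's IoC table (stages 1, 2 and 3 together).
KNOWN_SHA256 = {
    "05b143fd7061bdd317bd42c373c5352bec351a44fa849ded58236013126d2963",
    "9ca41431df9445535b96a45529fce9f9a8b7f26c08ac8989a57787462da3342f",
    "c5936514e05e8b1327f0df393f4d311afd080e5467062151951e94bbd7519703",
    "9a678140ce41bdd8c02065908ee85935e8d01e2530069df42856a1d6c902bae1",
    "4c8a6ad89c4218507e27ad6ef4ddadb6b507020c74691d02b986a252fb5dc612",
    "51e423e8ab1eb49691d8500983f601989286f0552f444f342245197b74bc6fcf",
    "5d80105913e42efe58f4c325ac9b7c89857cc67e1dcab9d99f865a28ef084b37",
    "97df45c790994bbe7ac1a2cf83d42791c9d832fa21b99c867f5b329e0cc63f64",
    "4c944b07832d5c29e7b499d9dd17a3d71f0fd918ab68694d110cbb8523b8af49",
    "5590eaa4f11a6ed4351bc983e47d9dfd91245b89f3108bfd8b7f86e40d00b9fa",
    "7aefd6442b09e37aa287400825f81b2ff896b9733328814fb7233978b104127f",
    "886a694ee4be77242f501b20d37395e1a8a7a8f734f460cae269eb1309c5b196",
    "a1dc479898f0798e40f63b9c1a7ee4649357abdc757c53d4a81448a5eea9169f",
    "a427eeb8eed4585f2d51b62528b8b4920e72002ab62eb6fc19289ebc2fba5660",
    "f08086257c74b1de394bf150ad8aacc99ca5de57b4baa0974bc1b59bb973d355",
}
# Filenames from the table; a name match alone is a weak signal, a hash match is strong.
KNOWN_FILENAMES = {
    "FunnyMap-0.7.5.jar", "Oringo-1.8.9.jar", "Oringo-Client.1.8.9.jar", "Polar-1.8.9.jar",
    "PolarClient-v2.6.jar", "SkyblockExtras-1.8.9.jar", "Taunahi-V3.jar", "TaunahiPlus-V3.jar",
}
# Network indicators from the table with the hxxp defanging removed so they match raw bytes.
NETWORK_INDICATORS = ("pastebin.com/raw/xCa3vSiP", "pastebin.com/raw/C9QvUqi3",
                      "147.45.79.104", "185.95.159.125", "негры.рф")
# Keywords the stage-1 loader looks for to detect analysis VMs; a game mod has no reason to.
ANTI_VM_KEYWORDS = ("vmware", "virtualbox", "vboxtray.exe")
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def indicators_in(data):
    """Indicators found in a blob, checked in plain text and in every Base64-decodable run."""
    views = [("plain", data.lower())]
    for m in BASE64_RUN.finditer(data):
        try:
            views.append(("base64", base64.b64decode(m.group(0), validate=True).lower()))
        except (binascii.Error, ValueError):
            pass  # an alphanumeric run that is not valid Base64
    found = []
    for where, blob in views:
        found += [f"network indicator {i} ({where})" for i in NETWORK_INDICATORS if i.lower().encode() in blob]
        found += [f"anti-VM keyword {k} ({where})" for k in ANTI_VM_KEYWORDS if k.encode() in blob]
    return found

def scan_jar(path):
    digest = sha256_file(path)
    findings = []
    if digest in KNOWN_SHA256:
        findings.append("sha256 matches a known sample")
    if path.name in KNOWN_FILENAMES:
        findings.append(f"filename {path.name} matches a known malicious JAR")
    try:
        with zipfile.ZipFile(path) as jar:  # a JAR is a ZIP archive
            for member in jar.namelist():
                findings += [f"{member}: {hit}" for hit in indicators_in(jar.read(member))]
    except zipfile.BadZipFile:
        findings.append("not a valid JAR archive")
    return {"path": str(path), "sha256": digest, "findings": findings}

def scan_mods_dir(mods_dir):
    """Scan every .jar under mods_dir and return only the entries with findings."""
    return [r for r in map(scan_jar, sorted(Path(mods_dir).rglob("*.jar"))) if r["findings"]]

def build_sample_mods_dir(root):
    """Constructed fixtures (not real samples): a JAR mimicking the stage-1 loader and a benign mod."""
    encoded_url = base64.b64encode(b"https://pastebin.com/raw/xCa3vSiP")
    with zipfile.ZipFile(root / "Oringo-1.8.9.jar", "w") as jar:
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe " + encoded_url + b" vmware VBoxTray.exe 147.45.79.104 ")
    with zipfile.ZipFile(root / "HarmlessMap-1.0.jar", "w") as jar:
        jar.writestr("Map.class", b"\xca\xfe\xba\xbe render minimap tiles")
    return root

def demo_scan():
    """Build the fixtures in a temporary directory and scan them."""
    return scan_mods_dir(build_sample_mods_dir(Path(tempfile.mkdtemp(prefix="mods-"))))

if __name__ == "__main__":
    for r in demo_scan():
        print(r["path"], r["sha256"], *r["findings"], sep="\n  ")
```

To use it on a real system, call `scan_mods_dir()` with the mods directory named in the protection recommendations (and the %TEMP% directory, which the same recommendation tells players to check). Treat a hash match as confirmed; a filename or string hit is a reason to quarantine the file and verify it against the publisher's release, since a legitimate mod could in principle carry one of the shorter strings.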

Protection Recommendations

  1. Choose Trusted Sources
    Download mods from the Minecraft Official Marketplace or CurseForge, avoiding GitHub or unverified forums.
  2. Review Repositories
    Check GitHub repositories for creation dates, commit histories, and developer information. Be cautious of new accounts or repositories with single commits.
  3. Deploy Security Software
    Use antivirus software like Huorong, 360 Security Guard, or international solutions such as Malwarebytes or Check Point Harmony Endpoint to monitor Java and .NET files.
  4. Enable MFA
    Activate multi-factor authentication for Minecraft, Discord, cryptocurrency wallets, etc., to reduce the risk of account compromise.
  5. Beware of Phishing Links
    Avoid clicking “free cheat” links on X, QQ Zone, or Discord.
  6. System Checks
    Regularly inspect %APPDATA%\Minecraft\mods and %TEMP% directories, delete suspicious JAR or DLL files, and monitor unusual processes using Task Manager.

Industry Insights

  • GitHub Improvements: GitHub should enhance new account vetting, detect abnormal “Star/Fork” behavior, and swiftly ban malicious repositories.
  • Community Education: Mojang could issue security warnings in the game launcher to raise awareness about mod safety.
  • Security Collaboration: Security firms should optimize detection of Java and .NET hybrid threats and share IoCs for faster response.
  • Player Awareness: Parents and schools should educate teenagers on recognizing phishing links and malware.

Conclusion

The “Stargazers Ghost Network” exploited Minecraft players’ enthusiasm and GitHub’s openness to execute a targeted malware campaign. The infection of over 1,500 players underscores the need for both technical defenses and heightened awareness in cybersecurity.

Players should opt for trusted sources, deploy protective tools, and stay vigilant. Platforms and the security industry must collaborate to build a safer digital ecosystem.


Keywords: Minecraft, Malware, GitHub, Stargazers Ghost Network, Information Stealer, Mod Security