Massive Minecraft Malware Campaign Targets Gamers with Fake Mods and Cheats

CyberSecureFox 🦊

Cybersecurity researchers at Check Point have uncovered a sophisticated malware campaign targeting millions of Minecraft players worldwide. The attack leverages fake game modifications and cheat tools to distribute dangerous stealer malware, putting users’ personal data, cryptocurrency wallets, and gaming accounts at significant risk.

Large-Scale Operation Affects Over 1,500 Players

The investigation revealed the extensive reach of this cybercriminal operation. Security analysts discovered thousands of views on malicious Pastebin links, indicating widespread distribution of the harmful content. The attackers created approximately 500 fraudulent GitHub repositories, including forked copies specifically designed for this campaign.

To enhance credibility and deceive potential victims, cybercriminals deployed 70 fake accounts to generate around 700 artificial stars on their malicious repositories. This social engineering tactic exploits users’ trust in popular, well-rated projects. Current estimates suggest that more than 1,500 Minecraft players may have fallen victim to this attack, making it one of the largest targeted campaigns against the gaming community this year.

Connection to Stargazers Ghost Network

This malware campaign is directly linked to the notorious Stargazers Ghost Network, a specialized cybercriminal service focused on malware distribution through legitimate-looking GitHub repositories. The network has been operating extensively throughout 2024, with researchers identifying over 3,000 compromised GitHub accounts used for spreading information-stealing malware.

The same criminal group, previously known as Stargazer Goblin, was responsible for distributing the GodLoader malware that infected more than 17,000 systems within just three months. This demonstrates their capability to execute large-scale, persistent attacks against unsuspecting users.

Technical Analysis of the Attack Vector

The cybercriminals created convincing replicas of popular Minecraft modifications, including Skyblock Extras, Polar Client, FunnyMap, Oringo, and Taunahi. The Java-based malware poses a significant detection challenge, as it is largely missed by conventional antivirus solutions.

The infection process operates through a multi-stage mechanism. When executed within the game environment, the JAR loader utilizes a base64-encoded URL to download the next payload stage from Pastebin. Subsequently, a Java-based stealer is deployed on the victim’s system with specific data theft objectives.
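One practical way for a defender or mod-pack maintainer to triage a suspicious JAR for the loader behaviour described above is to search its entries for base64 runs that decode to URLs and flag any that point at a paste service. The following Python script is an added example, not code from Check Point or from this article; the sample JAR it builds in memory, the placeholder paste URL and the `PASTE_HOSTS` list are all constructed for the demonstration.

```python
import base64
import io
import re
import zipfile
from urllib.parse import urlparse

# Runs of base64-alphabet characters long enough to hold a URL. Java class files
# store string constants as (modified) UTF-8, so an ASCII base64 literal is
# searchable in the raw bytes of any archive entry without parsing the class.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

# Hosting services worth flagging as a likely second-stage download location.
# Only pastebin.com is named in the article; anything you add is your own call.
PASTE_HOSTS = {"pastebin.com"}


def decoded_urls(data: bytes):
    """Yield (encoded_token, url) for each base64 run that decodes to a URL."""
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        # A neighbouring byte (e.g. the constant-pool length prefix) may itself
        # be a base64 character, so retry with up to three leading bytes dropped
        # and the remainder trimmed to a multiple of four.
        for skip in range(4):
            chunk = token[skip:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            try:
                decoded = base64.b64decode(chunk, validate=True)
            except ValueError:
                continue
            if decoded.startswith((b"http://", b"https://")):
                try:
                    yield chunk.decode("ascii"), decoded.decode("utf-8")
                except UnicodeDecodeError:
                    pass
                break


def scan_jar(jar_bytes: bytes):
    """Return one finding per encoded URL found in any entry of the JAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            for token, url in decoded_urls(jar.read(info)):
                host = (urlparse(url).hostname or "").lower()
                findings.append({
                    "entry": info.filename,
                    "encoded": token,
                    "url": url,
                    "paste_host": host in PASTE_HOSTS,
                })
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny JAR with one fake class holding a base64 URL
    and one benign resource, so the scanner can be exercised offline."""
    url = b"https://pastebin.com/raw/EXAMPLE0001"  # placeholder, not a real paste
    encoded = base64.b64encode(url)
    # Mimic a class-file constant: CONSTANT_Utf8 tag (0x01), 2-byte length, text.
    # len(encoded) is 48 = 0x30 = '0', which is exactly why the skip logic exists.
    fake_class = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x05\x01"
                  + len(encoded).to_bytes(2, "big") + encoded + b"\x07\x00\x02")
    benign = base64.b64encode(b"a harmless resource string")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: com.example.Loader\n")
        jar.writestr("com/example/Loader.class", fake_class)
        jar.writestr("assets/strings.txt", b"label=" + benign + b"\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(build_sample_jar()):
        flag = "PASTE HOST" if finding["paste_host"] else ""
        print(f"{finding['entry']}: {finding['url']} {flag}")
```

To check a real download, call `scan_jar(open(path, "rb").read())`. A hit is a reason to sandbox the file rather than proof of malice (legitimate mods do embed update URLs), but a base64-wrapped paste-site URL inside a class file is the kind of indicator that warrants a closer look before the mod ever touches a game client.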

Primary Targets of the Java Stealer

The initial malware component focuses on gaming-related credentials and communication platforms:

• Minecraft account tokens and data from the official launcher
• Information from popular third-party launchers including Feather, Lunar, and Essential
• Authentication tokens from Discord and Telegram applications
• Exfiltration of the stolen data through POST requests to attacker-controlled servers

Advanced Two-Stage Infection Process

The Java stealer serves as a loader for a more sophisticated .NET-based malware called 44 CALIBER. This secondary payload represents a significantly greater threat, targeting a comprehensive range of sensitive information across the victim’s system.

The advanced stealer extracts browser data from Chromium, Edge, and Firefox; user files from desktop and document folders; cryptocurrency wallets including Armory, AtomicWallet, BitcoinCore, Electrum, Ethereum, and Exodus; VPN configuration data from ProtonVPN, OpenVPN, and NordVPN; and credentials from Steam, FileZilla, and various messaging applications.

Additionally, 44 CALIBER performs comprehensive system reconnaissance, collecting clipboard data and capturing screenshots to gather supplementary confidential information that may not be stored in files.

Attribution and Operational Security Indicators

The stolen information is exfiltrated through Discord webhooks accompanied by Russian-language comments, providing clear attribution indicators. Analysis of commit timestamps reveals activity patterns consistent with the UTC+3 timezone, strongly suggesting involvement of Russian-speaking cybercriminals in orchestrating this campaign.
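The timezone inference mentioned above can be reproduced from ordinary `git log` output: author dates carry the committer's local UTC offset, so counting offsets and checking whether local commit hours look like a working day gives a rough activity profile. The Python below is an added example, not Check Point's analysis or tooling; the log lines are constructed (made-up hashes and times, not from the campaign's repositories). Note the caveat built into the code: the offset is whatever the author's machine reports and is trivially changed, so it is one weak signal to be weighed with others, never an attribution on its own.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `git log --format='%H %aI'` output. The hashes and
# timestamps are made up for this example; they are not from the campaign.
SAMPLE_LOG = """\
0a1b2c3d 2024-11-03T14:12:09+03:00
1b2c3d4e 2024-11-03T15:40:51+03:00
2c3d4e5f 2024-11-04T10:05:33+03:00
3d4e5f60 2024-11-05T22:17:48+03:00
4e5f6071 2024-11-06T09:58:02+03:00
5f607182 2024-11-06T11:21:19+00:00
"""


def format_offset(delta: timedelta) -> str:
    """Render a UTC offset timedelta as '+03:00' / '-05:00'."""
    total = int(delta.total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total) // 60, 60)
    return f"{sign}{hours:02d}:{minutes:02d}"


def parse_log(text: str):
    """Parse '<hash> <ISO-8601 date>' lines into (hash, aware datetime) pairs."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, stamp = line.split(maxsplit=1)
        dt = datetime.fromisoformat(stamp)
        if dt.utcoffset() is None:
            raise ValueError(f"commit {sha}: timestamp lacks a UTC offset")
        commits.append((sha, dt))
    return commits


def offset_profile(commits) -> dict:
    """Count commits per author UTC offset, e.g. {'+03:00': 5, '+00:00': 1}.
    The offset is self-reported by the author's git configuration, so treat
    the result as a hint about the operator's clock, not as proof of location."""
    return dict(Counter(format_offset(dt.utcoffset()) for _, dt in commits))


def dominant_offset(commits):
    """Return (offset, count) for the most common author UTC offset."""
    counts = Counter(format_offset(dt.utcoffset()) for _, dt in commits)
    return counts.most_common(1)[0]


def share_in_local_window(commits, start_hour=9, end_hour=18) -> float:
    """Fraction of commits whose author-local hour falls in [start, end).
    A high share inside plausible working hours adds weak support that the
    reported offset reflects a real daily rhythm rather than a random setting."""
    if not commits:
        return 0.0
    inside = sum(1 for _, dt in commits if start_hour <= dt.hour < end_hour)
    return inside / len(commits)


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("offsets:", offset_profile(commits))
    print("dominant:", dominant_offset(commits))
    print(f"share in 09:00-18:00 local: {share_in_local_window(commits):.2f}")
```

Against a real repository, feed it `git log --format='%H %aI'` and compare the result with other signals the article lists, such as the language of comments in the exfiltration code; a consistent picture across independent indicators is what makes an attribution claim defensible.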

This attack exemplifies the growing trend of targeted cybercriminal operations against gaming communities. Minecraft players should exercise extreme caution when downloading modifications and cheats from unofficial sources. Security best practices include using only verified repositories, maintaining updated antivirus software, and avoiding installations from unknown developers. The sophistication of this campaign underscores the critical importance of cybersecurity awareness within gaming communities.
