What just happened? Hundreds of GitHub repositories offering Minecraft mods have become the latest battleground in a sophisticated malware campaign, targeting the game’s vast and creative player community. At the heart of this operation is the Stargazers Ghost Network, an elaborate cybercriminal infrastructure uncovered by Check Point Research.
Unlike typical malware campaigns, Stargazers Ghost Network is a distribution-as-a-service operation that leverages thousands of fake GitHub accounts to spread malicious software disguised as legitimate mods and cheat tools. This operation uses GitHub’s trusted platform to distribute malicious Java archives, evading detection while compromising over 1,500 devices since March 2025.
The attack begins when players install counterfeit mods, often in pursuit of gameplay advantages. These JAR files – designed as Minecraft Forge mods – activate only when the game launches, immediately deploying anti-analysis defenses. The loader checks for virtual machines, security tools like Wireshark, and network monitors, terminating itself if detected to bypass automated sandboxes.
Upon passing these checks, it retrieves a Base64-encoded Pastebin URL that points to a second-stage Java stealer hosted on attacker-controlled IP addresses. This intermediate payload specifically targets authentication tokens from Minecraft’s official and third-party launchers, while simultaneously harvesting Discord and Telegram session data. The stolen credentials are transmitted via HTTP POST requests to command-and-control servers.
The infection escalates as this stealer downloads and executes “44 CALIBER” – a .NET-based final payload. Identified in its assembly metadata and featuring Russian-language copyright messages like “F*ckTheSystem Copyright © 2021,” this advanced stealer targets browser credentials, cryptocurrency wallets, VPN configurations, and files stored in the Desktop and Documents folders. It captures screenshots, clipboard contents, and system metadata before exfiltrating everything through Discord webhooks.
Evidence points to Russian-speaking operators behind the Stargazers Ghost Network, with UTC+3 timestamps on malicious commits, Russian comments embedded in the code, and package names that reference Lake Baikal in Siberia all supporting this conclusion.
Fake “stars” from approximately 70 accounts make malicious mods appear legitimate, while Pastebin hit counters suggest at least 1,500 successful infections. Financially motivated, the group has reportedly earned up to $8,000 monthly, with total profits potentially reaching $100,000.
Minecraft’s player base – over 200 million monthly users, with the majority under age 21 or in their early 20s – makes it a high-value target. Young players seeking unofficial enhancements often overlook security risks, while the malware’s Java foundation allows it to evade traditional antivirus scans.
As new repositories emerge daily, experts urge players to source mods exclusively from vetted platforms like CurseForge. Check Point Research continues to monitor the Stargazers Ghost Network, with ongoing investigations revealing new infection vectors.
