
Minecraft cheaters never win ... but they may get malware

(2025/06/18)


Trojanized Minecraft cheat tools hosted on GitHub have secretly installed stealers that siphon credentials, crypto wallets, and other sensitive data when executed by players.

According to Check Point Research, which [1]spotted the Minecraft mod malware, about 500 GitHub repositories were part of this operation targeting gamers and about 70 accounts gave the malicious repos 700 stars. Upwards of 1,500 devices may have been infected to date.

Considering the video game's popularity — Minecraft has more than [2]200 million monthly active players — the potential for data theft is huge.


This campaign has been active since March, and the researchers attribute it to Russian-speaking malware developers operating as part of the so-called [4]Stargazers Ghost Network — a network of GitHub accounts that distribute malware and malicious links through malicious repositories.


The malware purports to be popular cheat tools like Oringo and Taunahi, and once executed, kicks off a multi-stage attack; the first two stages are written in Java and require Minecraft to be pre-installed on the victim's device.

The first-stage malware loader, a malicious JAR mod, runs at game launch and uses anti-VM and anti-analysis checks to spot and abort in sandbox environments, ensuring it only proceeds on a real victim's machine.


Assuming the loader passes these and other environment checks, it then loads the second stage: stealer malware that swipes users' Minecraft tokens and Microsoft account info, as well as Discord tokens and Telegram data.

This second-stage payload also downloads and executes the final stealer, written in .NET, and exfiltrates the stolen data to a Discord webhook, which allows the malware to post it to a Discord channel.


The final malware harvests credentials from Firefox and Chromium-based web browsers, as well as cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPNs (ProtonVPN, OpenVPN, NordVPN), and applications including Steam, Discord, FileZilla and Telegram.

It also collects information about the infected machine and captures screenshots before sending all of this data to the attackers' Discord server.
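The one network observable common to every stage described above is the outbound POST to a Discord webhook. As an added example (not code from the article or from Check Point Research), the script below parses a constructed egress log and flags webhook POSTs made by anything other than the Discord client. The log format, the process names (`javaw.exe` for the game's JVM, `updater.exe` for an unknown helper) and the `ALLOWED_PROCESSES` list are assumptions; the host and path shape are simply those of Discord's public webhook API, not indicators from this campaign.

```python
"""Spot Discord-webhook exfiltration in egress logs.

Added example, not code from the article or from Check Point Research.
It assumes a constructed one-line-per-request egress log of the form
    <timestamp> <process> <method> <url> <bytes_sent>
and flags POST requests to Discord webhook endpoints made by any process
other than the Discord client itself.  Process names and the log format
are assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Public shape of Discord's webhook API: /api[/vN]/webhooks/<id>/<token>.
# These are Discord's own domains, not indicators taken from the campaign.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[A-Za-z0-9_-]+/?$")

# Processes expected to talk to Discord on a gaming PC (assumption).
ALLOWED_PROCESSES = {"discord.exe"}

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    entry["proc"] = entry["proc"].lower()
    return entry


def is_discord_webhook(url):
    """True if the URL targets a Discord webhook endpoint over HTTPS."""
    parsed = urlparse(url)
    return (
        parsed.scheme == "https"
        and parsed.hostname in DISCORD_HOSTS
        and WEBHOOK_PATH_RE.match(parsed.path) is not None
    )


def classify(entry):
    """Return a reason string if the entry looks like webhook exfiltration, else None."""
    if entry["method"] != "POST" or not is_discord_webhook(entry["url"]):
        return None
    if entry["proc"] in ALLOWED_PROCESSES:
        return None
    return f"{entry['proc']} POSTed {entry['bytes']} bytes to a Discord webhook"


def scan(lines):
    """Return the suspicious entries (with a 'reason' key) from an iterable of log lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than abort the hunt
        reason = classify(entry)
        if reason:
            hits.append({**entry, "reason": reason})
    return hits


# Constructed sample log: the game's JVM and an unknown helper process post
# to webhooks, while the Discord client and the launcher's own traffic are
# benign.  Timestamps, process names and webhook ids/tokens are made up.
SAMPLE_LOG = [
    "2025-06-18T10:01:02Z javaw.exe POST https://discord.com/api/webhooks/1234567890/abcDEF_token-1 48213",
    "2025-06-18T10:01:05Z discord.exe GET https://discord.com/api/v9/gateway 310",
    "2025-06-18T10:01:09Z javaw.exe GET https://launchermeta.mojang.com/mc/game/version_manifest.json 1440",
    "2025-06-18T10:02:11Z updater.exe POST https://discordapp.com/api/webhooks/987654321/xyz_token_2 201455",
    "2025-06-18T10:02:30Z discord.exe POST https://discord.com/api/webhooks/111222333/clienttoken 90",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['reason']}: {hit['url']}")
```

Run against the sample it reports the two non-Discord processes posting to webhooks and ignores the client's own traffic and the launcher's Mojang request. In a real environment the rule is worth pairing with a byte-count threshold and with the parent-process chain, since a JVM launched by the Minecraft launcher has no business posting tens of kilobytes to a webhook.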

While these kinds of attacks are reprehensible, it's also a good reminder for the kids: Cheaters never win. ®




[1] https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/

[2] https://www.demandsage.com/minecraft-statistics/


[4] https://www.theregister.com/2024/07/26/github_stargazers_goblin_malware/


