A new multi-stage malware campaign is targeting Minecraft users with a Java-based malware that employs a distribution-as-service (DaaS) offering called Stargazers Ghost Network.
“The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically,” Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News.
“The malware was impersonating Oringo and Taunahi, which are ‘Scripts and macros tools’ (aka cheats). Both the first and second stages are developed in Java and can only be executed if the Minecraft runtime is installed on the host machine.”
The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub and deliver a .NET information stealer with comprehensive data theft capabilities. The campaign was first detected by the cybersecurity company in March 2025.
What makes the activity notable is its use of an illicit offering called the Stargazers Ghost Network, which makes use of thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software and game cheats.
These malicious repositories, masquerading as Minecraft mods, serve as a conduit for infecting users of the popular video game with a Java loader (e.g., “Oringo-1.8.9.jar”) that remains undetected by all antivirus engines as of writing.
The Java archive (JAR) files implement simple anti-VM and anti-analysis techniques to sidestep detection efforts. Their main objective is to download and run another JAR file, a second-stage stealer that fetches and executes a .NET stealer as the final payload when the game is started by the victim.
The second-stage component is retrieved from an IP address (“147.45.79.104”) that’s stored in Base64-encoded format Pastebin, essentially turning the paste tool into a dead drop resolver.
“To add mods to a Minecraft game, the user must copy the malicious JAR archive into the Minecraft mods folder. After starting the game, the Minecraft process will load all mods from the folder, including the malicious mod, which will download and execute the second stage,” the researchers said.
Besides downloading the .NET stealer, the second-stage stealer is equipped to steal Discord and Minecraft tokens, as well as Telegram-related data. The .NET stealer, on the other hand, is capable of harvesting credentials from various web browsers and gathering files, and information from cryptocurrency wallets and other apps like Steam, and FileZilla.
It can also take screenshots and amass information related to running processes, the system’s external IP address, and clipboard contents. The captured information is eventually bundled and transmitted back to the attacker via a Discord webhook.
The campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several artifacts written in the Russian language and the timezone of the attacker’s commits (UTC+03:00). It’s estimated that more than 1,500 devices may have fallen prey to the scheme.
“This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content,” the researchers said.
“The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data.”
New Variants of KimJongRAT Stealer Detected
The development comes as Palo Alto Networks Unit 42 detailed two new variants of an information stealer codenamed KimJongRAT that’s likely connected to the same North Korean threat actor behind BabyShark and Stolen Pencil. KimJongRAT has been detected in the wild as far back as May 2013, delivered as a secondary payload in BabyShark attacks.
“One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation,” security researcher Dominik Reichel said. “The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.”
While the PE variant’s dropper deploys a loader, a decoy PDF and a text file, the dropper in the PowerShell variant deploys a decoy PDF file along with a ZIP archive. The loader, in turn, downloads auxiliary payloads, including the stealer component for KimJongRAT.
The ZIP archive delivered by the PowerShell variant’s dropper contains scripts that embed the KimJongRAT PowerShell-based stealer and keylogger components.
Both the new incarnations are capable of gathering and transferring victim information, files matching specific extensions, and browser data, such as credentials and details from cryptocurrency wallet extensions. The PE variant of KimJongRAT is also designed to harvest FTP and email client information.
“The continued development and deployment of KimJongRAT, featuring changing techniques such as using a legitimate CDN server to disguise its distribution, demonstrates a clear and ongoing threat,” Unit 42 said. “This adaptability not only showcases the persistent threat posed by such malware but also underscores its developers’ commitment to updating and expanding its capabilities.”
