“Game Over”: Minecraft malware campaign aimed at children and families

(Global) Minecraft is a popular video game with a huge global player base of more than 200 million monthly active players. The game has also sold more than 300 million copies, making it one of the best-selling video games in history. Minecraft supports mods (user-created modifications), which enrich the experience by improving playability, fixing bugs, optimizing graphics and adding new content. It is estimated that more than one million players actively take part in creating Minecraft mods.
Check Point Research discovered malicious repositories that distributed malware through the Stargazers Ghost Network, which operates as a distribution-as-a-service (DaaS).
The campaigns resulted in a multi-stage attack chain aimed specifically at Minecraft users. The malware impersonated Oringo and Taunahi, which are “script and macro tools” (also known as cheats). Both the first and the second stage are written in Java and can only run if the Minecraft runtime environment is installed on the host machine.
Stargazers Ghost Network campaigns
Since March 2025, Check Point Research has been tracking malicious GitHub repositories that target Minecraft users with an undetected Java downloader. These repositories claimed to provide Minecraft mods and appeared legitimate, since several accounts had starred them.
The repositories contained several malicious files whose names impersonated various cheat and automation tools. The detected file names are listed below:
FUNNYMAP-0.7.5.Jar
Oringo-1.8.9.jar
Oringo-Client.1.8.9.jar
Polar-1.8.9.jar
Polarclient-V2.6.jar
Skyblockextras-1.8.9.jar
Taunahi-v3.jar
This Java downloader is not detected by any of VirusTotal’s antivirus engines: it is aimed specifically at Minecraft users, and sandbox engines lack the dependencies the malware needs in order to execute.
While we have little information about the attacker, one thing is consistent about their commits: all were made in the UTC+3 time zone, and the Russian-language comments found in some of the malicious files also point to the likely country of origin.
General malware description
The infection chain begins with a hosted JAR file, which the victim must download and install manually as a Minecraft mod (“mod” is short for “modification”: a user-created addition to or alteration of the original game. Mods can add new features, improve gameplay and customize the player’s experience). When the victim starts the game, the malicious mod downloads the second-stage stealer, which in turn downloads another, .NET-based stealer. The malware is developed by a Russian company.
Part I – Static Analysis – First-Stage Loader
The initial JAR file is built as a Minecraft Forge mod. It does not include the Main-Class attribute in its manifest, so running “java -jar
To develop custom mods, the developer must follow a specific structure and include specific dependencies. The main @Mod class contains a reference to IFMLLoadingPlugin. FML stands for Forge Mod Loader.
The loader implements simple anti-VM and anti-analysis techniques. First, the loader reads the following three system properties (the results are equivalent to running “java -XshowSettings:properties -version”).
- os.name
- java.vm.name
- java.vm.vendor
If any of these values contains a blocked keyword (associated with various virtual machines), the malware (the Minecraft mod) deletes itself. This is the list of blocked keywords:
VMware
Virtualbox
KVM
Qemu
Hyperv
Xen
Parallels
Vbox
VPC
Vboxguest
SSHD
Headd
Next, the tasklist utility is invoked to enumerate all running processes. If any blocked process is detected, execution of the mod is terminated. These processes are associated with virtual machines (VirtualBox, Parallels, VMware), protocol analyzers (Wireshark, HTTP Debugger) and network-connection viewers (TCPView).
This is the list of blocked processes:
Vboxtray.exe
Vboxservice.exe
PRL_CC.EXE
PRL_Tools.exe
Sharedintapp.exe
vmusrvc.exe
VMSRVC.Exe
vmtoolsd.exe
Wireshark.exe
Httpdebuggerui.exe
Httpdebuggersvc.exe
tcpView.exe
After passing the previous checks, the first stage downloads the content of a Pastebin paste (hxxps://pastebin.com/raw/xca3vsip). The base64-encoded content is decoded, and the malware recovers a link (hxxp://147.45.79.104/download) to the second stage. The downloader loads the Java stealer, named Mixinloader-V2.4.jar, into memory.
Interestingly, the paste was created by the user Jaebidenmama, who created three more pastes:
- Google Statistics 3 (plaintext), hxxp://147.45.79(.)104/cookies
- Google Statistics 2 (base64 encoded), hxxp://147.45.79(.)104/download
- Google Statistics (plaintext), hxxp://147.45.79(.)104
- Google Statistics (plaintext), hxxp://147.45.79(.)104:80
Pastebin’s “Hits” column shows how many times a paste has been viewed or downloaded. This gives an approximate upper bound on the number of victims who could have been attacked or infected, since the paste is fetched every time the infected plugin runs. Check Point Research continued to monitor this account and found that more campaigns and paste URLs were added, with a total number of hits above 1500.
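The traits described in Part I (a Forge mod with no Main-Class, anti-VM keywords, a tasklist call, a Pastebin raw URL and base64 decoding all packed into one JAR) can be checked statically before a mod ever reaches a game client. The script below is an added example written for this page, not Check Point Research’s tooling: it opens a JAR, inspects the manifest and scans the class files for those indicator strings. The two JARs it builds are constructed in memory to stand in for a suspicious and a benign mod; the Pastebin path PLACEHOLDER and the class names are assumptions, not the campaign’s real values.

```python
import io
import re
import zipfile

# Indicator strings derived from the loader behaviour described in Part I
# (anti-VM keywords, tasklist enumeration, Pastebin staging, base64 decoding,
# process spawning, Forge coremod entry point). Lower-case for case-insensitive search.
INDICATORS = {
    "anti_vm_keyword": [b"vmware", b"virtualbox", b"kvm", b"qemu", b"hyperv",
                        b"xen", b"parallels", b"vbox", b"vpc", b"vboxguest"],
    "process_enumeration": [b"tasklist"],
    "paste_staging": [b"pastebin.com/raw"],
    "base64_decoding": [b"java/util/base64"],
    "process_spawn": [b"java/lang/processbuilder", b"java/lang/runtime"],
    "fml_coremod_entry": [b"ifmlloadingplugin"],
}


def triage_jar(jar_bytes: bytes) -> dict:
    """Inspect a mod JAR: does the manifest carry Main-Class, and which
    indicator categories appear in its class files?"""
    findings = {"has_main_class": False, "class_count": 0, "indicators": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            # A Forge mod is loaded by the game, so Main-Class is normally absent.
            findings["has_main_class"] = re.search(r"^Main-Class:", manifest, re.M) is not None
        for name in names:
            if not name.endswith(".class"):
                continue
            findings["class_count"] += 1
            data = jar.read(name).lower()  # constant pool strings are searchable as raw bytes
            for label, needles in INDICATORS.items():
                hits = {n.decode() for n in needles if n in data}
                if hits:
                    findings["indicators"].setdefault(label, set()).update(hits)
    return findings


def risk_score(findings: dict) -> int:
    """Number of distinct indicator categories present. A real mod may hit one
    (e.g. Runtime for a launcher helper); the pattern in Part I hits all of them."""
    return len(findings["indicators"])


def _make_jar(class_name: str, class_payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # no Main-Class
        jar.writestr(class_name, b"\xca\xfe\xba\xbe" + class_payload)     # fake class file
        jar.writestr("mcmod.info", "[]")
    return buf.getvalue()


def build_suspicious_jar() -> bytes:
    """Constructed sample mimicking the described loader (not real malware)."""
    payload = (b"net/minecraftforge/fml/relauncher/IFMLLoadingPlugin\x00"
               b"VMware\x00VirtualBox\x00tasklist\x00"
               b"https://pastebin.com/raw/PLACEHOLDER\x00"
               b"java/util/Base64\x00java/lang/ProcessBuilder")
    return _make_jar("com/example/Loader.class", payload)


def build_benign_jar() -> bytes:
    """Constructed sample of an ordinary client-side mod."""
    return _make_jar("com/example/MiniMap.class",
                     b"net/minecraft/client/Minecraft\x00net/minecraft/client/gui/Gui")


if __name__ == "__main__":
    for label, jar in (("suspicious", build_suspicious_jar()), ("benign", build_benign_jar())):
        f = triage_jar(jar)
        print(label, "score", risk_score(f), sorted(f["indicators"]))
```

The absence of Main-Class is reported but deliberately not scored, because it is the normal shape of a Forge mod; the score counts behaviour categories, so one stray Runtime reference in a legitimate mod stays well below the six-category profile of the loader. Obfuscated samples (the page mentions Skidfuscator for the second stage) can hide these strings, so treat a low score as “nothing found”, not “clean”.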
Part II – Dynamic Analysis – First-Stage Loader
To add mods to a Minecraft game, the user must copy the malicious JAR file into the Minecraft mods folder. After the game starts, the Minecraft process loads every mod in the folder, including the malicious one, which downloads and executes the second stage.
Therefore, all we need to do is run the Minecraft client and install the appropriate type and version of the mod loader.
Once the installation is complete, we can copy our malicious JAR file into the mods directory (
When running the malicious JAR mod in a virtual machine, we observe the execution of tasklist just before the malicious mod terminates because it detected the virtual environment. For demonstration purposes, we edited the original mod JAR to run Notepad instead of tasklist. When this modified mod runs, Notepad is launched, as shown in the animation below.
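The observation above, tasklist.exe appearing as a child of the game’s Java process, is a process-lineage artefact that endpoint telemetry can alert on. The following detection logic is an added example for this page (not Check Point Research’s code): it parses constructed process-creation records modelled on Sysmon Event ID 1 fields and flags a recon utility spawned by java.exe/javaw.exe whose command line looks like a Minecraft or Forge launch. The sample lines, paths and command lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """One process-creation record (field names follow Sysmon Event ID 1)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Utilities the loader is described as running from inside the game process.
# Extend this set (e.g. with notepad.exe) to reproduce the modified-mod demo above.
RECON_IMAGES = {"tasklist.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# A Minecraft/Forge launch normally carries these markers on its command line.
MINECRAFT_MARKERS = re.compile(r"minecraft|forge|fml|--gameDir|--assetIndex", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse a constructed 'Key=value|Key=value' telemetry line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["Image"], fields["CommandLine"],
                        fields["ParentImage"], fields["ParentCommandLine"])


def is_mod_recon(evt: ProcessEvent) -> bool:
    """True when a recon utility is spawned by a Java process that looks like a game client."""
    return (_basename(evt.image) in RECON_IMAGES
            and _basename(evt.parent_image) in JAVA_IMAGES
            and MINECRAFT_MARKERS.search(evt.parent_command_line) is not None)


def find_mod_recon(lines: List[str]) -> List[ProcessEvent]:
    """Return the records that match the game-process-runs-recon pattern."""
    return [evt for evt in map(parse_event, lines) if is_mod_recon(evt)]


# Constructed sample telemetry: one hit (game process runs tasklist), two benign records.
SAMPLE_LINES = [
    "Image=C:\\Windows\\System32\\tasklist.exe|CommandLine=tasklist"
    "|ParentImage=C:\\Program Files\\Java\\bin\\javaw.exe"
    "|ParentCommandLine=javaw.exe -Xmx2G net.minecraft.launchwrapper.Launch"
    " --tweakClass net.minecraftforge.fml.common.launcher.FMLTweaker",
    "Image=C:\\Windows\\System32\\tasklist.exe|CommandLine=tasklist /svc"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|ParentCommandLine=cmd.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|ParentCommandLine=explorer.exe",
]

if __name__ == "__main__":
    for evt in find_mod_recon(SAMPLE_LINES):
        print(f"ALERT: {evt.parent_image} spawned {evt.image}")
```

The parent command-line check is what keeps the rule quiet on developer machines, where javaw.exe hosting an IDE may legitimately run shell utilities; the interesting lineage is specifically the game client enumerating processes right after a mod is loaded.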
Part III – Second-Stage Stealer
When the loader passes all the environment checks, it loads the main component, the stealer. Some samples may be obfuscated with Skidfuscator. The interesting classes and methods of the stealer are listed below.
Class Baikal: implements the actions carried out in the pre-initialization stage.
- Method init: not implemented.
- Method preInit: calls the start() method of the Start class.
Class Start
- Method start:
  - Downloads and runs the .NET stealer
  - Obtains the external IP from checkip.amazonaws.com
  - Steals:
    - Minecraft token
    - accounts.json file of the Feather client/launcher
    - accounts.json file of the Essential client/launcher
    - accounts.json file of the Lunar client/launcher
    - Discord token
    - Telegram data
    - PizzaClient token
    - Username
    - Player ID
  - The hard-coded “type” value is set to B0.5, which is probably the stealer version.
  - Obtains the Pastebin exfiltration URL (hxxps://pastebin(.)com/raw/c9qvuqi3).
  - Posts the stolen data in JSON format.
Class SSHACCESS: responsible for downloading and executing another file (the .NET stealer), which is analyzed in more detail in Part IV.
- Method downloadArchive
- Method executeArchive
Class Discord: responsible for stealing Discord tokens. Lists the files in %AppData%/Discord/Local Storage/leveldb, reads the content of the files with the .ldb extension and searches them for tokens.
- Method stealDiscord
Class HTTP: helper class implementing GET and POST requests.
- Method fetchUrl: GET request.
- Method post: POST request.
Class Telegram: responsible for stealing Telegram data. Finds the Telegram tdata folder, compresses it and exfiltrates it.
- Method execute.
Part IV – Third-Stage .NET Stealer
The SSHACCESS class downloads an additional stealer written in .NET, which exfiltrates to a Discord webhook. A webhook is a mechanism that lets external services or applications post messages, notifications or data to a specific Discord channel without logging in with a bot or a user account.
[assembly: AssemblyTitle("44 Caliber")]
[assembly: AssemblyCopyright("Fuckthesystem Copyright © 2021")]
After deobfuscation we can see that it steals browser credentials (Chromium, Edge, Firefox), files (Desktop, Documents, %USERPROFILE%/Source), cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPN clients (ProtonVPN, OpenVPN, NordVPN), Steam, Discord, FileZilla and Telegram data, and also collects information about the infected machine, such as running processes, external IP and clipboard content, and takes a screenshot.
The stolen data are compressed and uploaded to the Discord webhook together with the following statistics, written in Russian:
"\n<@&945424667102031903> FIXED File Size\n",
Environment.
"",
SystemInfo.Country(),
"\n----------------------\nПассворд:",
Counting.passwords.ToString(),
"\n----------------------\nСздил:",
(Counting.discord > 0) ? "\n– Дискорд" : "",
(Counting.wallets > 0) ? "\n– холоди" : "",
(Counting.telegram > 0) ? "\n– т" : "",
(Counting.steam > 0) ? "\n– стеме" : "",
(Counting.nordvpn > 0) ? "\n– нордвпн" : "",
(Counting.openvpn > 0) ? "\n– орытьвпн" : "",
(Counting.protonvpn
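Across all three stages the network behaviour is distinctive: a game process fetching a Pastebin raw paste, a download from a bare IP address over HTTP, an external-IP lookup, and finally an upload to a Discord webhook from something that is not a browser. The script below is an added example for this page (not Check Point Research’s code): it refangs the indicators listed in Parts I and III so they can be matched literally, then applies those behavioural checks to constructed proxy-log lines. The log format, the process names and the webhook path PLACEHOLDER_ID/PLACEHOLDER_TOKEN are assumptions for the example; the IOC URLs are the ones on this page.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Defanged indicators exactly as this article lists them.
DEFANGED_IOCS = [
    "hxxps://pastebin.com/raw/xca3vsip",
    "hxxp://147.45.79(.)104/download",
    "hxxps://pastebin(.)com/raw/c9qvuqi3",
]


def refang(ioc: str) -> str:
    """Turn a defanged IOC (hxxp, (.), [.]) back into a literally matchable URL."""
    return re.sub(r"\(\.\)|\[\.\]", ".", ioc.replace("hxxp", "http", 1))


KNOWN_IOCS = {refang(i) for i in DEFANGED_IOCS}
JAVA_PROCESSES = {"java.exe", "javaw.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(process: str, url: str) -> List[str]:
    """Return the reasons a request is suspicious; an empty list means nothing noted."""
    reasons = []
    if url in KNOWN_IOCS:
        reasons.append("known_ioc")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    proc = process.lower()
    # Stage 1: the game's Java process pulls its next-stage URL from a raw paste.
    if proc in JAVA_PROCESSES and host == "pastebin.com" and parts.path.startswith("/raw/"):
        reasons.append("game_process_fetches_raw_paste")
    # Stage 1/2: payload hosted on a bare IP rather than a domain.
    try:
        ipaddress.ip_address(host)
        if proc not in BROWSERS:
            reasons.append("raw_ip_download")
    except ValueError:
        pass
    # Stage 2: external IP lookup as part of victim profiling.
    if host == "checkip.amazonaws.com" and proc not in BROWSERS:
        reasons.append("external_ip_lookup")
    # Stage 3: exfiltration to a Discord webhook from a non-browser process.
    if host in {"discord.com", "discordapp.com"} and "/api/webhooks/" in parts.path \
            and proc not in BROWSERS:
        reasons.append("discord_webhook_from_non_browser")
    return reasons


def scan_proxy_log(lines: List[str]) -> Dict[str, List[str]]:
    """Lines are constructed '<timestamp> <process> <method> <url>' records."""
    flagged = {}
    for line in lines:
        _timestamp, process, _method, url = line.split()
        reasons = classify(process, url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample log covering each stage plus benign browser traffic.
SAMPLE_LOG = [
    "2025-05-01T10:00:00Z javaw.exe GET https://pastebin.com/raw/xca3vsip",
    "2025-05-01T10:00:01Z javaw.exe GET http://147.45.79.104/download",
    "2025-05-01T10:00:05Z javaw.exe GET https://checkip.amazonaws.com/",
    "2025-05-01T10:00:09Z dropped.exe POST https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN",
    "2025-05-01T10:01:00Z chrome.exe GET https://www.minecraft.net/",
    "2025-05-01T10:02:00Z chrome.exe GET https://pastebin.com/raw/c9qvuqi3",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
```

Two of the checks are worth keeping even after the listed pastes are taken down: Pastebin raw fetches by the game client and webhook posts from unsigned binaries describe the technique rather than this one campaign, and the page notes that new paste URLs were being added while the account was monitored.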
Conclusion
A new Java-based malware downloader has remained practically unnoticed for a long period. Camouflaged as Minecraft mods, these malicious Java files typically evade sandbox analysis because the sandboxes lack the dependencies they need. The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players looking for mods to improve their gaming experience. What appeared to be harmless downloads were in fact Java-based loaders that deployed two additional stealers capable of exfiltrating credentials and other sensitive data.
The threat actor behind these campaigns is probably of Russian origin. This case shows how popular gaming communities can be exploited as effective vectors for malware distribution, underscoring the importance of caution when downloading third-party content.