
Minecraft's 200 million monthly players are the target of a sophisticated malware campaign

  • The Java-based malware evades traditional security solutions and steals players' credentials and personal data.

Chile, June 23, 2025 – Check Point Research, the threat intelligence division of Check Point® Software Technologies Ltd. (Nasdaq: CHKP), has discovered a sophisticated data-theft campaign targeting the global Minecraft player community. The threat is distributed through the Stargazers Ghost Network, a distribution-as-a-service (DaaS) platform that operates on GitHub, and consists of multi-stage malware passed off as game modification tools (scripts, macros and cheats) such as Oringo and Taunahi.

The attack uses a loader and a stealer developed in Java, both of which require Minecraft to be installed on the victim's device, and a third stage in .NET with expanded capabilities. Because the threat is written in Java, a language often overlooked by traditional security solutions, it has managed to evade most antivirus engines and sandbox analysis. Check Point Research has also determined that the malware was developed by a Russian-speaking actor, as shown by multiple artifacts in that language found in the malicious files.

Technical analysis of the Stargazers Ghost Network campaign

Since March 2025, Check Point Research has monitored several malicious GitHub repositories offering supposed Minecraft mods that were in fact designed to spread malware. Among the file names identified are: FUNNYMAP-0.7.5.Jar, Oringo-1.8.9.jar, Polar-1.8.9.jar, Skyblockextras-1.8.9.Jar and Taunahi-v3.jar.

These files were not detected by the antivirus engines on VirusTotal, because sandbox environments lack the components needed to execute them. When run as a mod inside Minecraft, the Java loader downloaded a second malicious stage, which in turn deployed a .NET stealer capable of stealing Discord and Telegram credentials, Minecraft client data, cryptocurrency wallets and browser data.

Image 1. VirusTotal detection

The malware includes anti-analysis and anti-virtualization techniques, checking the execution environment before activating. It also uses Pastebin to retrieve the download URL of the following stages, and sends the stolen information through Discord webhooks.

Modus operandi and infection chain

  1. The player downloads and installs a Minecraft mod from a GitHub repository controlled by the attackers.
  2. When the game starts, the malicious mod downloads a stealer written in Java.
  3. This stealer downloads and executes a more sophisticated .NET component that steals sensitive information from the device.
  4. The data is compressed and exfiltrated to a remote server via Discord.
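The two network artifacts the report attributes to this chain, a Pastebin URL used to fetch the next stage and a Discord webhook used for exfiltration, can be checked for before a mod is ever loaded. The following triage helper is an added example written for this page; it is not Check Point's tooling and contains no indicators from the report. It opens a .jar (a zip archive) and searches every entry's raw bytes for generic Pastebin and Discord-webhook URL shapes. The sample jar it builds in memory, including the `com/example/*.class` entry names and the `EXAMPLE01` / `EXAMPLE_TOKEN_abc` URL fragments, is constructed for the demonstration, and the verdict thresholds are an assumption, not a published detection rule.

```python
"""Triage helper for Minecraft mod jars (added example, not Check Point's code).

Scans every archive entry for the two network artifacts the report describes:
a Pastebin URL (stage-fetch) and a Discord webhook URL (exfiltration). The
regexes are generic URL shapes, not indicators taken from the report.
"""
import io
import re
import zipfile

# Generic URL patterns. Constant-pool strings in real .class files are stored
# as plain bytes, so a raw byte search over each entry is enough for triage.
INDICATORS = {
    "pastebin_url": re.compile(
        rb"https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]{6,}"),
    "discord_webhook": re.compile(
        rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_.-]+"),
}


def scan_jar_bytes(data: bytes) -> dict:
    """Return {indicator: [(entry_name, matched_url), ...]} over all entries.

    Works on bytes so the same function serves an on-disk jar and an
    in-memory sample."""
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            blob = jar.read(info.filename)
            for name, pattern in INDICATORS.items():
                for match in pattern.finditer(blob):
                    hits[name].append(
                        (info.filename, match.group(0).decode("ascii", "replace")))
    return hits


def scan_jar(path: str) -> dict:
    """Convenience wrapper for a jar on disk."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def verdict(hits: dict) -> str:
    """'suspicious' when both the stage-fetch and the exfil channel appear,
    'review' when only one does, 'clean' otherwise (thresholds are an assumption)."""
    present = [name for name, matches in hits.items() if matches]
    if len(present) == len(INDICATORS):
        return "suspicious"
    return "review" if present else "clean"


def build_sample_jar() -> bytes:
    """Construct a small in-memory jar with a mod-like layout.

    The .class entries are fake bytes (magic number plus a string), not real
    bytecode; only the embedded strings matter for this scan. All names and
    URL fragments below are constructed placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("mcmod.info", '[{"modid": "examplemod", "version": "1.8.9"}]')
        jar.writestr("com/example/Loader.class",
                     b"\xca\xfe\xba\xbe" + b"https://pastebin.com/raw/EXAMPLE01" + b"\x00")
        jar.writestr("com/example/Report.class",
                     b"\xca\xfe\xba\xbe"
                     + b"https://discord.com/api/webhooks/123456789012345678/EXAMPLE_TOKEN_abc"
                     + b"\x00")
        jar.writestr("com/example/Render.class", b"\xca\xfe\xba\xbe" + b"no network strings here")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_jar_bytes(build_sample_jar())
    print("verdict:", verdict(result))
    for name, matches in result.items():
        for entry, url in matches:
            print(f"  {name}: {entry} -> {url}")
```

Run it against a downloaded mod with `scan_jar("path/to/mod.jar")`. A hit on either pattern is not proof of malice on its own (legitimate mods do talk to the network), which is why the verdict only escalates to "suspicious" when the stage-fetch and exfiltration channel appear together; a "review" result is a prompt to inspect the jar before loading it.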

Among the stolen data are Discord tokens and credentials for Telegram and other gaming platforms; Minecraft launcher configuration files such as Feather, Lunar and Essential; passwords stored in browsers such as Chrome, Edge and Firefox; cryptocurrency wallets; information about the VPNs in use; as well as screenshots, running system processes and clipboard contents.

This research demonstrates how a Java-based threat, apparently a simple mod for a popular game, can evade security controls and carry out a multi-stage data theft attack. The Minecraft player community, which exceeds 200 million monthly active users, has become an attractive attack vector for cybercriminals. This campaign reinforces the importance of caution when downloading mods from unverified sources.

“We recommend that the player community and companies take extreme precautions: download mods only from official and verified sources, distrust those that request excessive permissions, keep their security solutions updated, and implement application control policies on their corporate devices and environments,” says Cristian Vásquez, Territory Manager of Check Point in Chile.

Check Point Threat Emulation and Harmony Endpoint offer advanced coverage against this type of threat, detecting suspicious behaviors before execution.

About Check Point Research

Check Point Research provides intelligence on cyber threats to Check Point Software customers and the intelligence community. The research team collects and analyzes data from global cyber attacks stored in ThreatCloud to keep cybercriminals at bay, while ensuring that all Check Point products are updated with the latest protections. The research team is made up of more than 100 analysts and researchers who cooperate with other security vendors, law enforcement and several CERTs.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. is a leading provider of AI-based, cloud-delivered cybersecurity solutions that protects more than 100,000 companies worldwide. Check Point Software leverages the power of AI across all areas to improve the efficiency and precision of cybersecurity through its Infinity platform, with industry-leading detection rates that enable more agile and intelligent threat prevention and faster response times. The comprehensive platform includes cloud-delivered solutions comprising Check Point Harmony to protect the workspace, Check Point CloudGuard to secure the cloud, Check Point Quantum to protect the network and Check Point Infinity Core Services for collaborative security operations and services.

© 2025 Check Point Software Technologies Ltd. All rights reserved.

Legal notice about forward-looking statements

This press release contains forward-looking statements. Forward-looking statements generally refer to future events or our future financial or operational performance. The forward-looking statements included in this press release include, but are not limited to, statements related to our expectations regarding future growth, the expansion of Check Point Software's leadership in the industry, the improvement of value for shareholders and the delivery of an industry-leading cybersecurity platform to clients around the world. Our expectations and beliefs on these matters may not materialize, and future results or events are subject to risks and uncertainties that could cause actual results or events to differ significantly from those projected.

The forward-looking statements contained in this press release are also subject to other risks and uncertainties, including those described in more detail in our filings with the Securities and Exchange Commission (SEC), including our annual report on Form 20-F filed with the SEC on April 2, 2024. Forward-looking statements in this press release are based on the information available to Check Point Software as of the date of this document, and Check Point Software disclaims any obligation to update any forward-looking statement, unless required by law.
