
More than 1,500 users affected by infected Minecraft mods

If you have ever looked for a mod to get better swords, change the interface or make Creepers explode in rainbow colors, you have probably explored beyond CurseForge. And if you ended up on GitHub … watch out: you could be in the crosshairs of a network of cybercriminals that is using fake Minecraft mods as bait to sneak into your PC.

This is the Stargazers Ghost Network, an operation discovered by Check Point Research that uses malicious files disguised as Forge mods to steal game credentials, Discord accounts, personal data and even cryptocurrencies. More than 1,500 players have already been infected since March 2025.

The mod that opens the door to the Nether … of your privacy

Cybercriminals are taking advantage of Minecraft’s huge mod ecosystem to slip in their malware. They use GitHub – a legitimate platform widely used by modders – to publish files that seem harmless. But when these files are executed together with the Minecraft launcher, they trigger a multi-stage infection process.

The first thing the fake mod does is check whether it can operate without being detected: it looks at whether it is running in a virtual machine, whether analysis tools (such as Wireshark) are active, or whether it is in a controlled environment. If it detects anything unusual, it exits. If not, it proceeds.

The mod then connects to a secret Pastebin page, where the code of the second stage is hidden: a “stealer” specialized in stealing your Minecraft access credentials (official and unofficial), your Discord and Telegram sessions, and other sensitive data. It sends all of this to servers controlled by the attackers.

From Creeper to the crypto-dr: what the malware hides

But the infection does not end there. The stealer then downloads a third program called “44 Caliber”, written in .NET, with a fairly explicit signature in Russian: “Fckthesystem”.

This payload goes after everything: it takes your browser passwords and looks for your cryptocurrency wallets, your VPN configurations, and important desktop files and documents. It even takes screenshots, copies what you have on the clipboard and sends all the information through a Discord channel created by the attackers.

The investigation is still open. Check Point says that new fake repositories appear every day and that the attackers are testing different vectors. They could even expand to other games with mod support such as Terraria, Valheim or even Roblox.

The problem is not that fake mods exist – that has always happened – but that they are now designed with surgical precision to steal everything they can while you play. And they do it from an environment (GitHub) that many consider safe by default.

To prevent your PC from ending up with stolen data, download mods only from reliable platforms such as CurseForge or the official Fabric and Forge sites. Do not execute files. Always activate two-step verification in Minecraft and Discord, and if a mod does not sound right, investigate or ask in forums before installing it.
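
One way to act on the "investigate before installing" advice, as an added example that is not from the article or from Check Point: a Python triage script that lists references to Pastebin or Discord hosts inside a mod's JAR, the two services the article says the malware relies on. The host patterns and the sample JAR are assumptions constructed for illustration; a clean result does not prove a mod is safe, since strings can be encoded.

```python
import io
import re
import zipfile

# Hosts tied to the behaviour described in the article: a second stage pulled
# from Pastebin and data sent out through Discord. Assumed patterns, not IoCs.
SUSPECT_HOSTS = re.compile(rb"(?i)\b(pastebin\.com|discord(?:app)?\.com)\b[^\s\"'\x00]*")


def scan_jar(jar_file):
    """Return sorted (entry name, matched string) pairs found inside a JAR.

    jar_file is a path or a binary file object. String constants in .class
    files are stored as plain bytes, so a byte regex is enough for triage.
    """
    hits = set()
    with zipfile.ZipFile(jar_file) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.file_size > 20 * 1024 * 1024:
                continue  # skip directories and oversized entries
            data = jar.read(info)
            for match in SUSPECT_HOSTS.finditer(data):
                hits.add((info.filename, match.group(0).decode("ascii", "replace")))
    return sorted(hits)


def build_sample_jar():
    """Constructed sample: a fake mod JAR with one benign and one suspect class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/RainbowCreeper.class", b"\xca\xfe\xba\xbe\x00render\x00")
        jar.writestr("com/example/Loader.class",
                     b"\xca\xfe\xba\xbe\x00\x1fhttps://pastebin.com/raw/EXAMPLE\x00run")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, indicator in scan_jar(build_sample_jar()):
        print(f"{entry}: {indicator}")
```

A hit is a reason to look closer or ask in the mod's community, not a verdict on its own.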

Why Minecraft?

Because it is the most popular sandbox game in the world, with more than 200 million active players every month. And because its community loves to modify, improve and customize the experience. Mods are an essential part of the game, but they also carry risk, especially depending on the site they are downloaded from.

Many players – especially the youngest – are not well aware of the dangers of downloading files from unsecured sites. GitHub seems like a reliable place, but the reality is that the attackers have created hundreds of fake accounts, uploading fake projects with attractive names, convincing descriptions and “stars” (likes) bought to look popular.

According to Check Point, as many as 70 fake GitHub accounts are involved, and the network has generated up to $8,000 per month for the cybercriminals. The malicious files have already accumulated more than 1,500 confirmed downloads.
