Fake Minecraft Mods On GitHub Spread Malware

June 19, 2025

A new multi-stage malware campaign is targeting Minecraft users with sophisticated Java-based malware. The campaign uses a distribution-as-a-service (DaaS) offering known as the Stargazers Ghost Network. Check Point researchers said the campaign specifically targets Minecraft users with malware that impersonates popular tools such as Oringo and Taunahi. The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub that delivers a .NET information stealer with comprehensive data theft capabilities. The cybersecurity company first detected the campaign in March 2025.

What makes this activity notable is the attackers' use of the illicit offering called the Stargazers Ghost Network.

This network uses thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software. These malicious repositories, disguised as Minecraft mods, serve as a conduit for infecting users of the popular video game. They deliver a Java loader, for example “Oringo-1.8.9.jar,” that remains undetected by all antivirus engines as of this writing. The Java archive files also implement simple anti-VM and anti-analysis techniques to sidestep detection efforts.

The main objective of the initial Java loader is to download and run another JAR file, a second-stage stealer payload.

This second-stage component is retrieved from an IP address that is stored in Base64-encoded form on Pastebin, which effectively turns the legitimate paste tool into a dead drop resolver for the malware. Besides downloading the final .NET stealer, the second-stage stealer is also equipped to steal Discord and Minecraft tokens. It can also steal Telegram-related data from the compromised computer, which gives the attackers significant access to user accounts. This multi-stage approach complicates detection.

The .NET stealer, which is the final payload, is capable of harvesting credentials from various web browsers and gathering files. It also steals information from cryptocurrency wallets and other popular apps such as Steam and the FTP client FileZilla. It can take screenshots of the user’s screen and collect information about all currently running processes. The captured information is eventually bundled up and transmitted back to the attacker via a Discord webhook. The campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several Russian artifacts.
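For defenders, the chain described above (a Java process reading a paste, then fetching from a bare IP address, then a Discord webhook POST) can be hunted in proxy or EDR network logs. The following Python sketch is an added example, not code from Check Point or from the campaign; the log tuple layout, process names, time window, host names and sample values are assumptions constructed for illustration.

```python
import base64
import ipaddress
from urllib.parse import urlparse

JAVA_PROCS = {"java", "java.exe", "javaw.exe"}  # assumed process names

def decode_dead_drop(paste_body):
    """Triage a paste: return the IP it hides in Base64, or None."""
    try:
        text = base64.b64decode(paste_body.strip(), validate=True).decode("ascii")
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:  # not Base64, not ASCII, or not an IP address
        return None

def is_bare_ip(url):
    """True when the URL's host is an IP literal rather than a domain."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def find_chains(events, window=300):
    """Map host -> ordered stages seen; keep hosts showing two or more stages."""
    stages, paste_seen = {}, {}
    for ts, host, proc, method, url in sorted(events):
        u, java = urlparse(url), proc.lower() in JAVA_PROCS
        seen = stages.setdefault(host, [])
        if java and u.hostname == "pastebin.com":
            paste_seen[host] = ts
            seen.append("paste_lookup")
        elif (java and is_bare_ip(url) and host in paste_seen
              and ts - paste_seen[host] <= window):
            seen.append("ip_download")
        elif (method == "POST" and u.hostname == "discord.com"
              and u.path.startswith("/api/webhooks/")):
            seen.append("webhook_post")
    return {h: s for h, s in stages.items() if len(set(s)) >= 2}

# Constructed sample data: (epoch seconds, host, process, method, url)
SAMPLE_EVENTS = [
    (1000, "pc-01", "javaw.exe", "GET", "https://pastebin.com/raw/EXAMPLE1"),
    (1004, "pc-01", "javaw.exe", "GET", "http://203.0.113.7/stage2.jar"),
    (1090, "pc-01", "client.exe", "POST", "https://discord.com/api/webhooks/0/EXAMPLE"),
    (2000, "pc-02", "chrome.exe", "GET", "https://pastebin.com/raw/EXAMPLE2"),
    (2500, "pc-03", "javaw.exe", "GET", "https://example.org/mod.jar"),
]
SAMPLE_PASTE = base64.b64encode(b"203.0.113.7").decode()  # constructed paste body

if __name__ == "__main__":
    print(decode_dead_drop(SAMPLE_PASTE))
    print(find_chains(SAMPLE_EVENTS))
```

A single stage on its own (a browser opening Pastebin, a game client posting to a webhook) is common and is deliberately not reported; only hosts showing at least two distinct stages are returned.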

  • Minecraft Players Targeted By Malware Hidden In Fake Mods On GitHub