A new multi-stage malware campaign is currently targeting many different Minecraft users with a sophisticated Java-based malware. The campaign uses a distribution-as-a-service (DaaS) offering which is known by the name Stargazers Ghost Network. Check Point researchers said this campaign specifically targets Minecraft users with malware that impersonates popular tools like Oringo and Taunahi. The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub to deliver a .NET information stealer. This malware has comprehensive data theft capabilities, and the campaign was first detected by the cybersecurity company in March of 2025.
What makes this particular activity notable is its use of the illicit offering called the Stargazers Ghost Network by the attackers.
This network makes use of thousands of different GitHub accounts to set up many tainted repositories that masquerade as cracked software. These malicious repositories, which are disguised as Minecraft mods, serve as a conduit for infecting users of the popular video game. They deliver a Java loader, for example “Oringo-1.8.9.jar,” that currently remains undetected by all antivirus engines as of this writing. The Java archive files also implement simple anti-VM and anti-analysis techniques to sidestep any possible detection efforts by security researchers.
The main objective of the initial Java loader is to download and run another JAR file, a second-stage stealer payload.
This second-stage component is retrieved from an IP address that’s stored in Base64-encoded format on the website Pastebin. This effectively turns the legitimate paste tool into what is known as a dead drop resolver for the malicious malware. Besides downloading the final .NET stealer, the second-stage stealer is also equipped to steal Discord and Minecraft tokens. It can also steal Telegram-related data from the compromised computer, which gives the attackers significant access to user accounts. This multi-stage approach complicates detection.
The .NET stealer, which is the final payload, is capable of harvesting credentials from various different web browsers and gathering files. It also steals information from cryptocurrency wallets and other popular apps like Steam, and also the FTP client FileZilla. It can also take screenshots of the user’s screen and amass information related to all of the currently running processes. The captured information is eventually bundled up and then transmitted back to the attacker via a Discord webhook for their use. This campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several Russian artifacts.
