With over 300 million copies sold and more than 200 million monthly active users, Minecraft stands as one of the most popular video games in history. A significant part of its success lies in the game’s customizability through user-created mods, which can enhance gameplay, fix bugs, or introduce new features. However, the same freedom that makes Minecraft so beloved also creates vulnerabilities — and cybercriminals are increasingly exploiting this open ecosystem.
A recent investigation by Check Point Research (CPR) has uncovered a malicious campaign that specifically targets the Minecraft community through a network dubbed the Stargazers Ghost Network. First identified in July 2024 and tracked extensively in March 2025, the campaign uses a distribution-as-a-service (DaaS) model to deliver malware disguised as Minecraft mods. These fake tools, mimicking popular cheat mods like Oringo and Taunahi, have already compromised an estimated 1,500 devices.
According to CPR, this sophisticated attack begins when unsuspecting players download a Minecraft mod from what appears to be a legitimate GitHub repository. These mods are intentionally designed to appeal to players looking for cheat tools or automation add-ons. However, behind the scenes, the files contain a Java-based downloader — the first stage in a multi-step malware chain.
Once the compromised mod is launched within a Minecraft environment, it performs a check to detect whether it’s running in a sandbox or virtual machine, a common setup used by cybersecurity researchers. If the coast is clear, the malware proceeds to download its second-stage payload, which is primarily focused on data theft. This is followed by a third, more advanced spyware module capable of stealing login credentials, browser data, cryptocurrency wallet info, and even sensitive application data from Discord, Steam, Telegram, and others. It can also capture screenshots and extract system information.
To avoid detection, the attackers exfiltrate the stolen data via Discord, so the malicious traffic blends in with normal use of the platform. CPR’s analysis notes that UTC+3 time-zone artifacts and Russian-language code comments point to a possible Russian-speaking threat actor, though no definitive attribution has been made as of now.
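Because the chain runs inside Minecraft’s Java process and sends its loot out through Discord, one practical detection is to watch for a JVM, rather than the Discord client, talking to Discord. The script below is an added example and not part of the CPR report or any Minecraft tooling; it runs over constructed web-proxy log lines and assumes a fixed field layout (timestamp, client IP, process name, method, host, path, bytes sent) and that webhook POSTs are the likely exfiltration channel.

```python
import re

# Constructed proxy log lines (illustrative, not from the CPR report).
# Fields: timestamp, client IP, process name, method, host, path, bytes sent.
SAMPLE_LOG = """\
2025-03-02T10:14:01Z 10.0.0.12 javaw.exe GET sessionserver.mojang.com /session/minecraft/join 412
2025-03-02T10:14:09Z 10.0.0.12 javaw.exe POST discord.com /api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 52210
2025-03-02T10:15:30Z 10.0.0.15 Discord.exe POST discord.com /api/v9/channels/1/messages 1300
2025-03-02T10:16:02Z 10.0.0.12 javaw.exe POST discordapp.com /api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 74012
2025-03-02T10:17:45Z 10.0.0.12 javaw.exe GET discord.com /api/v9/gateway 210
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d+)$")

# The Minecraft client runs inside a JVM, so a mod's network traffic shows up under the Java process.
JAVA_PROCESSES = {"java", "java.exe", "javaw.exe"}
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, client, proc, method, host, path, size = m.groups()
    return {"ts": ts, "client": client, "process": proc, "method": method,
            "host": host, "path": path, "bytes": int(size)}

def classify(entry: dict) -> str:
    # Discord.exe talking to Discord is normal; a JVM doing so is not.
    if entry["process"] not in JAVA_PROCESSES or entry["host"] not in DISCORD_HOSTS:
        return "none"
    if entry["method"] != "POST":
        return "medium"        # any JVM-to-Discord contact is worth a look
    if entry["path"].startswith("/api/webhooks/"):
        return "high"          # assumption: webhook POSTs are the likely exfil channel
    return "medium"

def find_exfil_candidates(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        severity = classify(entry)
        if severity != "none":
            hits.append({**entry, "severity": severity})
    return hits

def bytes_per_client(hits: list) -> dict:
    # Sum outbound bytes of high-severity hits per client to spot sustained exfiltration.
    totals = {}
    for h in hits:
        if h["severity"] == "high":
            totals[h["client"]] = totals.get(h["client"], 0) + h["bytes"]
    return totals
```

Legitimate Discord-integration mods exist, so treat the "medium" tier as a triage queue and allowlist known-good hosts and paths for your environment.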
This revelation is especially concerning given that nearly 65% of Minecraft’s player base is under the age of 21 — a demographic that may lack cybersecurity awareness and tends to be more vulnerable to such threats.
Staying Safe: Tips for Gamers and Users
- Only download mods from verified and trusted sources — avoid GitHub links shared through random forums or Discord channels.
- Avoid cheat mods or automation tools, especially those that promise game-breaking features.
- Keep your antivirus software up to date and scan all downloads before installation.
- Use multi-factor authentication for all your online accounts to minimize damage from data breaches.
- Monitor your system for suspicious activity, such as unexpected logins or performance lags.