Particle.news

Fake Minecraft Mods on GitHub Spread Data-Stealing Malware

Check Point Research warns that a Russian-linked network has infected over 1,500 devices by embedding malware in 500 GitHub repositories since March

Overview

  • The Stargazers Ghost Network operates as a distribution-as-a-service outfit: roughly 500 repositories spread across about 70 accounts, which together collected around 700 stars, advertise malicious Minecraft mods and cheats.
  • The multi-stage attack begins with a Java loader that uses anti-analysis checks to evade sandbox environments and installs a .NET stealer dubbed 44 CALIBER.
  • Victims’ Windows systems are compromised to harvest Minecraft tokens, authentication data, cryptocurrency wallets, browser credentials and information from apps like Discord and Steam.
  • File metadata and UTC+3 commit timestamps indicate the operators are likely Russian, and at the time of the analysis none of the antivirus engines on VirusTotal flagged the malware.
  • Security experts advise players to download mods only from verified sources, scrutinize GitHub activity for fake stars and forks, and test new mods on secondary accounts.
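The last recommendation, checking a repository's stars and forks before trusting it, can be scripted. The example below is added here and is not code from Check Point Research or from the report; it applies three heuristics to the record shapes the GitHub REST API returns for a repository's stargazers (requested with the `Accept: application/vnd.github.star+json` header, which adds `starred_at`) and forks, joined with each account's public profile. The thresholds and the sample accounts are assumptions constructed for the demo, not real data.

```python
"""Heuristics for spotting inflated GitHub stars and forks.

Added example for this page; not code from Check Point Research or from the
Stargazers Ghost Network report. Record shapes mirror the GitHub REST API
(/repos/{owner}/{repo}/stargazers with 'Accept: application/vnd.github.star+json',
and /repos/{owner}/{repo}/forks) joined with each user's public profile.
Thresholds are assumptions; the sample records are constructed, not real accounts.
"""
import json
from collections import Counter
from datetime import datetime, timedelta


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_stargazers(stars, max_age_days=30, max_repos=1, max_followers=1):
    """Logins of stargazers that look like throwaway accounts: the account was
    young when it starred the repo and has almost no other GitHub footprint."""
    flagged = []
    for s in stars:
        u = s["user"]
        age = parse_ts(s["starred_at"]) - parse_ts(u["created_at"])
        young = age <= timedelta(days=max_age_days)
        empty = u["public_repos"] <= max_repos and u["followers"] <= max_followers
        if young and empty:
            flagged.append(u["login"])
    return flagged


def star_bursts(stars, min_per_day=5):
    """UTC calendar days on which at least min_per_day stars arrived, with counts.
    Organic stars trickle in over time; bought or bot-driven stars land in clusters."""
    per_day = Counter(s["starred_at"][:10] for s in stars)
    return {day: n for day, n in per_day.items() if n >= min_per_day}


def flag_forks(forks):
    """Logins of fork owners whose fork was never pushed to after it was created.
    A fresh fork inherits the parent's pushed_at, so pushed_at <= created_at means
    the fork carries no commits of its own and only pads the fork count."""
    return [f["owner"]["login"] for f in forks if f["pushed_at"] <= f["created_at"]]


def assess(stars, forks, suspicious_ratio=0.5):
    """Combine the heuristics into one verdict for a repository."""
    flagged = flag_stargazers(stars)
    bursts = star_bursts(stars)
    ratio = len(flagged) / len(stars) if stars else 0.0
    inflated = ratio >= suspicious_ratio or bool(bursts)
    return {
        "stars": len(stars),
        "throwaway_stargazers": flagged,
        "suspicious_ratio": round(ratio, 3),
        "burst_days": bursts,
        "hollow_forks": flag_forks(forks),
        "verdict": "likely inflated" if inflated else "no obvious inflation",
    }


def _user(login, created_at, public_repos, followers):
    return {"login": login, "created_at": created_at,
            "public_repos": public_repos, "followers": followers}


# Constructed sample: three organic-looking accounts that starred on different
# days, plus five day-old, empty accounts that all starred within twenty minutes.
SAMPLE_STARS = [
    {"starred_at": "2025-04-10T09:12:00Z", "user": _user("maintainer_a", "2019-05-02T00:00:00Z", 40, 120)},
    {"starred_at": "2025-04-18T20:01:00Z", "user": _user("modder_b", "2021-11-15T00:00:00Z", 12, 30)},
    {"starred_at": "2025-05-03T13:45:00Z", "user": _user("player_c", "2023-02-01T00:00:00Z", 3, 4)},
] + [
    {"starred_at": f"2025-04-02T10:{i:02d}:00Z",
     "user": _user(f"ghost{i:02d}", f"2025-03-{26 + i:02d}T00:00:00Z", 0, 0)}
    for i in range(1, 6)
]

# Constructed sample: two forks by the throwaway accounts with no commits of
# their own, and one fork that was actually worked on after forking.
SAMPLE_FORKS = [
    {"owner": {"login": "ghost01"}, "created_at": "2025-04-02T10:30:00Z", "pushed_at": "2025-03-20T08:00:00Z"},
    {"owner": {"login": "ghost02"}, "created_at": "2025-04-02T10:31:00Z", "pushed_at": "2025-03-20T08:00:00Z"},
    {"owner": {"login": "modder_b"}, "created_at": "2025-04-18T20:05:00Z", "pushed_at": "2025-04-19T11:20:00Z"},
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_STARS, SAMPLE_FORKS), indent=2))
```

Against live data, replace the constructed lists with paginated API responses for the repository you are vetting; the account profile fields (`created_at`, `public_repos`, `followers`) come from the users endpoint and must be fetched per stargazer. None of these signals is proof on its own, and a real campaign can age its accounts or spread stars over weeks, so treat the verdict as a reason to look closer rather than a final answer.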