Minecraft Mods Used to Spread Malware | Stargazers Hackers Steal Passwords, Discord Tokens, and Crypto Wallets Through Fake Mods on GitHub
A newly uncovered cyber campaign by the Stargazers Ghost Network has targeted thousands of Minecraft players worldwide by distributing malicious mods through GitHub. Disguised as legitimate cheats and tools like Skyblock Extras and Polar Client, these mods deploy a multi-stage malware infection chain designed to steal sensitive data. Once installed, they execute a Java-based infostealer that captures Minecraft session tokens, Discord and Telegram credentials, and even loads a .NET-based stealer named "44 CALIBER" to exfiltrate browser passwords, VPN logins, cryptocurrency wallets, and more. With over 500 malicious GitHub repositories and thousands of views, this attack showcases how popular gaming ecosystems like Minecraft are being exploited for data theft. Security experts urge players to stick to trusted mod platforms, validate GitHub repositories carefully, and use burner accounts to minimize exposure.

Table of Contents
- Introduction: When Your Favorite Game Becomes a Threat
- What Is This Attack About?
- The Multi-Stage Infection Chain: How It Works
- Indicators of Russian Origin
- Why Is This So Effective?
- Real Danger to Gamers
- How to Protect Yourself
- Conclusion
- Frequently Asked Questions (FAQs)
Introduction: When Your Favorite Game Becomes a Threat
Minecraft is not just a game—it's a universe of creativity, collaboration, and customization. But this freedom comes with risks. In a recent revelation by Check Point Research, a cybercrime group known as the Stargazers Ghost Network has launched a massive malware campaign using fake Minecraft mods. These malicious downloads aren't just crashing games—they're stealing passwords, authentication tokens, crypto wallets, and more.
What Is This Attack About?
The Stargazers campaign targets Minecraft players by disguising malware as mods and cheats. These mods look legitimate: they are hosted on a trusted platform such as GitHub and named after real, well-known tools like:
- Skyblock Extras
- Polar Client
- FunnyMap
- Oringo
- Taunahi
But once installed, they execute malicious Java code that begins stealing sensitive data from the user’s system.
Key Findings from Check Point Research
- Over 17,000 systems were infected in a previous wave using a Godot-based malware in 2024.
- In the latest attack, Check Point identified over 500 GitHub repositories used to spread Java-based malware.
- These repos were boosted using fake stars and forks to seem trustworthy to unsuspecting gamers.
- The malware evades antivirus detection and downloads its payload from base64-encoded URLs hosted on Pastebin.
The Multi-Stage Infection Chain: How It Works
Stage 1: JAR Loader
Once a user installs the mod:
- A Java Archive (JAR) loader runs.
- It fetches the next payload from a Pastebin link.
- This payload is a Java-based infostealer.
Stage 2: Java Stealer
This stealer:
- Extracts Minecraft tokens and session data from official and third-party launchers like:
  - Lunar
  - Feather
  - Essential
- It also targets Discord and Telegram tokens.
- Sends stolen data to attacker servers using HTTP POST.
Stage 3: 44 CALIBER – .NET Infostealer
This .NET-based stealer is a more conventional and more dangerous piece of malware:
- Steals saved credentials from browsers: Chrome, Edge, Firefox
- Extracts VPN credentials (NordVPN, OpenVPN, ProtonVPN)
- Grabs cryptocurrency wallets:
  - BitcoinCore
  - Ethereum
  - Exodus
  - Jaxx
  - Monero
- Snatches Discord, Telegram, Steam, FileZilla, and other sensitive app data.
- Takes screenshots, collects clipboard content, and harvests system info.
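The chain above gives a defender two static indicators to look for inside a downloaded mod before it is ever run: a Pastebin link hidden in base64 (the loader's next-stage fetch) and a Discord webhook URL (the exfiltration channel). The following scanner is an added example, not code from the article or from Check Point: it walks every entry of a JAR, pulls printable strings and base64-decodes any long base64 run, and reports entries that contain either indicator. The sample JAR it builds is constructed for the demo; the paste id and webhook id in it are placeholders.

```python
import base64, binascii, io, re, zipfile
# Indicators named in the write-up: a Pastebin link (often hidden in base64) for the
# next stage and Discord webhooks for exfiltration. The trailing \S* keeps the path.
SUSPECT_PATTERNS = [
    re.compile(r"https?://(?:www\.)?pastebin\.com/\S*", re.I),
    re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\S*", re.I),
]
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")          # plain strings in any entry
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")  # long enough to hold a URL

def decoded_candidates(blob: bytes):
    """Yield printable strings plus the decoded form of every long base64 run."""
    for m in PRINTABLE.finditer(blob):
        yield m.group().decode("ascii")
    for m in B64_RUN.finditer(blob):
        run = m.group()[: len(m.group()) // 4 * 4]   # drop a partial trailing quartet
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            continue

def suspicious_strings(blob: bytes) -> list:
    """Every URL in blob, plain or base64-hidden, that matches a suspect pattern."""
    found = set()
    for text in decoded_candidates(blob):
        for pattern in SUSPECT_PATTERNS:
            found.update(m.group() for m in pattern.finditer(text))
    return sorted(found)

def scan_jar(jar_bytes: bytes) -> dict:
    """Map each JAR entry that contains a suspect URL to the URLs found in it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                found = suspicious_strings(zf.read(info.filename))
                if found:
                    hits[info.filename] = found
    return hits

def build_sample_jar() -> bytes:
    """Constructed test input (not a real sample); paste id and webhook id are placeholders."""
    hidden = base64.b64encode(b"https://pastebin.com/raw/EXAMPLE0")
    loader = (b"\xca\xfe\xba\xbe" + b"SkyblockExtrasLoader java/net/URL " + hidden
              + b" https://discord.com/api/webhooks/000/PLACEHOLDER decodeAndRun")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Loader.class", loader)
        zf.writestr("assets/lang/en_us.json", '{"key.mod.open": "Open GUI"}')
    return buf.getvalue()
```

Running `scan_jar(open("mod.jar", "rb").read())` on a real download returns an empty dict for a clean mod; a non-empty result is reason to discard the file rather than launch it.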
Indicators of Russian Origin
- Comments in Russian were found in the code.
- Timestamps in UTC+3, which aligns with Moscow time.
- All data is exfiltrated using Discord webhooks, a common tactic in Eastern European malware circles.
Why Is This So Effective?
- Minecraft's modding ecosystem is huge and decentralized.
- GitHub is a trusted platform and often used by legitimate developers.
- The use of fake stars, forks, and commits made these repositories appear genuine.
- Anti-virus engines didn’t detect the early payloads.
Real Danger to Gamers
Anyone using third-party Minecraft mods without verification is at risk. The attackers aren’t just stealing game data—they’re after:
- Banking details
- Crypto wallets
- Social media tokens
- System credentials
How to Protect Yourself
✅ Stick to Trusted Sources
Only download Minecraft mods from verified community portals like:
- CurseForge
- PlanetMinecraft
- The official Minecraft Forum
✅ Double-Check GitHub Repositories
Before downloading mods from GitHub:
- Verify stars and forks
- Look at the contributor list
- Check recent commits for bot-like behavior
✅ Use a Burner Account
When testing new mods:
- Avoid using your primary Minecraft or Microsoft account
- Create a separate login with no sensitive data linked
✅ Use Endpoint Protection
Install security tools that scan for infostealers, not just viruses. Solutions like:
- Malwarebytes
- Kaspersky Threat Detection
- SentinelOne or CrowdStrike for advanced users
✅ Monitor Pastebin Links
If a mod tries to connect to Pastebin or other unexpected URLs, exit immediately and remove its files.
Conclusion: When Mods Turn Malicious
The Stargazers campaign is a wake-up call for the Minecraft and gaming communities. It shows how even something as innocent as a mod can be used to launch advanced cyberattacks. Whether you're a casual builder or a PvP warrior, always think twice before downloading that new cheat or mod.
FAQ
What is the Stargazers malware campaign in Minecraft?
The Stargazers malware campaign is a large-scale cyberattack targeting Minecraft players through fake mods and cheats. It uses GitHub repositories to distribute Java-based malware that steals account credentials, cryptocurrency wallets, and personal data.
How does the Stargazers malware infect devices?
The infection begins when users install fake Minecraft mods from GitHub. A malicious JAR file is executed, downloading a stealer payload via a hidden Pastebin URL. This leads to multiple stages of data theft using Java and .NET-based malware.
What data is targeted by the malware?
Stargazers malware targets Minecraft account tokens, Discord and Telegram credentials, web browser passwords, VPN configurations, cryptocurrency wallets, and even screenshots and clipboard data.
What is 44 CALIBER malware?
44 CALIBER is a .NET-based infostealer used in the final stage of the Stargazers attack. It collects login credentials, financial data, and sensitive app information from the infected system.
Which Minecraft mods are used in this attack?
Fake mods reported in the campaign include:
- Skyblock Extras
- Polar Client
- Oringo
- Taunahi
- FunnyMap
These are designed to look like legitimate mods but contain malicious payloads.
How can I check if a GitHub mod is fake?
- Look for suspicious usernames or bot-like contributor profiles
- Check stars and forks for abnormal growth
- Review commit history for copy-paste or generic changes
- Avoid repos with no README or documentation
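The repository checks listed here and under "Double-Check GitHub Repositories" above can be turned into simple heuristics. The code below is an added example, not part of the article: it scores a repo on records shaped like the GitHub stargazers API (`starred_at` plus the starring user's `created_at`, as returned with the `application/vnd.github.star+json` media type), a list of commit messages, and whether a README exists. The sample records are constructed, and the thresholds (80% of stars inside one 24-hour window, half the starrers under 30 days old, half the commits with generic messages) are assumptions to tune, not figures from the report.

```python
from datetime import datetime, timedelta, timezone

GENERIC_MESSAGES = {"update", "add files via upload", "initial commit", "upload", "fix"}

def parse_ts(stamp: str) -> datetime:
    """Parse GitHub's ISO-8601 timestamps, including the trailing 'Z' form."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def repo_red_flags(stargazers, commits, has_readme, burst_hours=24, young_days=30):
    """Heuristics for a repo that exists only to push a fake mod (thresholds assumed).
    stargazers: [{"starred_at": iso, "user": {"login": str, "created_at": iso}}]
    commits: commit message strings. Returns human-readable flags, empty if clean."""
    flags = []
    times = sorted(parse_ts(s["starred_at"]) for s in stargazers)
    if len(times) >= 10:
        window, best, lo = timedelta(hours=burst_hours), 0, 0
        for hi in range(len(times)):        # widest run of stars inside one window
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best / len(times) >= 0.8:
            flags.append(f"{best}/{len(times)} stars arrived within {burst_hours}h")
    young = sum(parse_ts(s["starred_at"]) - parse_ts(s["user"]["created_at"])
                < timedelta(days=young_days) for s in stargazers)
    if stargazers and young / len(stargazers) >= 0.5:
        flags.append(f"{young}/{len(stargazers)} stars from accounts under {young_days} days old")
    generic = sum(m.strip().lower() in GENERIC_MESSAGES for m in commits)
    if commits and generic / len(commits) >= 0.5:
        flags.append(f"{generic}/{len(commits)} commits carry generic messages")
    if not has_readme:
        flags.append("no README")
    return flags

def constructed_sample(suspicious: bool):
    """Constructed data shaped like the GitHub stargazers API; no real accounts."""
    base = datetime(2025, 6, 1, tzinfo=timezone.utc)
    stars = []
    for i in range(20):   # 20 stars in 3 hours from 2-day-old accounts, or spread over months
        starred = base + (timedelta(minutes=9 * i) if suspicious else timedelta(days=7 * i))
        created = starred - timedelta(days=2 if suspicious else 400 + i)
        stars.append({"starred_at": starred.isoformat(),
                      "user": {"login": f"user{i}", "created_at": created.isoformat()}})
    commits = (["Update", "Add files via upload", "Update"] if suspicious else
               ["Fix map crash on 1.8.9", "Add config screen", "Bump version to 1.2.0"])
    return stars, commits, not suspicious
```

A star burst alone is not proof (a mod featured on a popular video gets one too), so treat the flags as a reason to look closer, not as a verdict.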
What platforms are affected?
The attack primarily targets Windows OS, but any Minecraft player using Java mods from unverified sources can be vulnerable.
How many systems have been affected?
According to Check Point Research, previous Stargazers malware has affected over 17,000 systems, with the current Minecraft-targeted campaign spreading through 500+ repositories and thousands of Pastebin views.
Is this malware detectable by antivirus?
The initial Java-based stage evades most antivirus engines. Advanced endpoint protection is recommended for detection and remediation.
Why is Discord used for exfiltration?
Discord webhooks are a common way for attackers to send stolen data discreetly. They allow instant transfer that traditional security systems do not detect.
Are Russian hackers involved?
The campaign shows signs of Russian origin:
- Russian comments in the source code
- UTC+3 timestamps
- Infrastructure common in Eastern European attacks
Can this malware steal crypto wallets?
Yes. 44 CALIBER targets popular cryptocurrency wallets like:
- BitcoinCore
- Monero
- Exodus
- Ethereum
- Zcash
- AtomicWallet
- Jaxx
What are the GitHub IOCs (Indicators of Compromise)?
Check Point has shared a full list of:
- Malicious GitHub repos
- IP addresses
- Domains
- Payload links (Pastebin URLs)
These help in detecting infection and blocking known sources.
How do I stay safe when using Minecraft mods?
- Only use mods from trusted platforms (like CurseForge)
- Don’t trust GitHub mods without background checks
- Use a burner Minecraft account for testing
- Avoid installing anything that asks for admin access
Are Minecraft launchers like Feather or Lunar at risk?
Yes. The malware specifically targets:
- Minecraft Launcher
- Feather
- Lunar
- Essential
It steals tokens and login sessions from these platforms.
What are infostealers?
Infostealers are malware designed to collect:
- Login credentials
- Session tokens
- Payment information
- Wallets and system data
What is Distribution-as-a-Service (DaaS)?
In this context, DaaS refers to malicious actors offering malware distribution infrastructure—such as GitHub repositories and delivery scripts—to other cybercriminals.
Is there a fix for infected players?
Steps to mitigate infection include:
- Run full antivirus/malware scans
- Clear browser and app tokens
- Reset all account passwords
- Format the system if necessary
- Avoid reusing passwords
Can antivirus detect 44 CALIBER?
Some modern antivirus engines may detect it now, but earlier versions evaded signature-based detection. Behavioral analysis tools work better.
What is the role of base64 encoding?
The attackers encode URLs in base64 to hide the payload download links from simple scans and static analysis tools.
Why are mods a common attack vector?
Mods are often open-source and come from many unknown developers, creating opportunities for malicious code to be introduced without scrutiny.
Does Microsoft have any protection mechanisms?
Minecraft does not currently vet all mods from GitHub or third-party launchers. Microsoft recommends sticking to verified modding platforms.
Can this malware spread to mobile devices?
No, this malware is specific to Windows desktop systems, especially those running Java-based Minecraft mods.
What is a JAR loader?
It is a Java-based executable used to launch the first stage of the malware infection in this campaign.
How can schools and organizations protect student gamers?
- Educate students on safe modding practices
- Deploy network-level security tools to block malicious Pastebin or GitHub links
- Use antivirus with real-time behavior detection
How fast does the infection spread?
Once installed, the JAR loader executes instantly, and data exfiltration to Discord begins within seconds.
Is GitHub doing anything about this?
GitHub has started removing malicious repositories once reported, but due to the volume and replication (forks), many still remain active.
Are Discord and Telegram doing anything?
Both platforms actively shut down malicious webhook channels, but detection can be delayed unless flagged.
Can the malware be removed manually?
Yes, but it requires:
- Identifying all stages (Java JAR + .NET)
- Terminating malicious processes
- Deleting stolen config files
- Reinstalling affected applications
- Changing all credentials
What is Pastebin's involvement?
The malware uses Pastebin to host encoded payload URLs. Pastebin is not inherently malicious but is misused for covert communication.
What are some signs of infection?
- Minecraft logouts
- Browser autofill errors
- Discord/Telegram session hijacks
- Unexpected lag or system errors
- Antivirus alerts on GitHub files