Fake Minecraft mods that steal all your personal data including crypto wallets are being distributed via GitHub accounts
Be very careful of your mods and tools.

Word to the Minecraft massif. Be very careful about the mods and tools (definitely no cheats...) you choose to install. They may come with an unwanted payload of malware that will steal your Minecraft login, all your browser credentials, and even your Steam profile and cryptocurrency wallets. Yikes.
As reported by Bleeping Computer, security outfit Check Point Research has uncovered a large-scale malware campaign by the Stargazers Ghost Network that uses Minecraft's massive modding system to conduct so-called distribution-as-a-service (DaaS) attacks.
The tools and mods are reportedly distributed via legitimate-looking GitHub accounts. "Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader. Those repositories supposedly provided mods for Minecraft and appeared legitimate as multiple accounts starred those repositories," the CPR report says.
Apparently, the GitHub repositories contain malicious Java downloaders with file names that impersonate familiar Minecraft cheat and automation tools.
"This Java downloader is undetected by all antivirus engines across VirusTotal as it is highly targeted for Minecraft users, and the sandbox engines do not contain the required dependencies, which will let the malware run," CPR says.
So, what's the dreaded payload if the downloader is able to run? "After deobfuscation we can observe that it steals various credentials from browsers (Chromium, Edge, Firefox), files (Desktop, Documents, %USERPROFILE%/Source), cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPNs (ProtonVPN, OpenVPN, NordVPN), Steam, Discord, FileZilla, Telegram, as well as collects information about the infected machine, such as running processes, external IP, content of clipboard, and takes a screenshot," CPR has found. Horrors above.
CPR concludes that "the threat actor behind these campaigns is likely of Russian origin," and that "this case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content." Yep!
As for what you can do to avoid falling victim to such attacks, it would be prudent to only download mods from known, trusted publishers. If you're prompted to download a mod from GitHub, be very wary indeed. Avoiding anything that lacks a long and detailed history is surely wise.

Jeremy has been writing about technology and PCs since the 90nm Netburst era (Google it!) and enjoys nothing more than a serious dissertation on the finer points of monitor input lag and overshoot followed by a forensic examination of advanced lithography. Or maybe he just likes machines that go “ping!” He also has a thing for tennis and cars.