
Minecraft's player base of over 200 million monthly active users is a lucrative target for hackers, who have now developed even more dangerous fake mods that infect computers with advanced spyware and steal cryptocurrency, accounts, and other data.
Check Point Research (CPR) discovered 1,500 devices compromised with suspected Russian-origin malware.
Since March 2025, it has been disseminated through malicious GitHub repositories, disguised as Minecraft mods, cheats, or popular automation tools used within the Minecraft community. This makes it hard for players to distinguish malicious add-ons to their games from legitimate mods.
Hackers rely on illicit services provided by other criminals to distribute malware. The threat actor in this campaign has been observed using Stargazers Ghost Network, a distribution-as-a-service operating multiple fraudulent GitHub accounts.
“The network delivered a multistage attack designed to quietly infect users’ machines, masquerading as popular mods like Oringo and Taunahi, both commonly known as cheat tools within the community,” Check Point said in a report.
The malware unfolds in three stages. The first is a Java loader that requires Minecraft to be present on the device in order to run, which means it does nothing on an analysis machine that lacks the game. According to VirusTotal data, no antivirus engine detected this Java downloader at the time of analysis, and the attackers frequently adjust their codebase to keep it that way.
Once the game is launched, the malicious mod first checks whether it is running in a test environment, such as the virtual machines security researchers use for analysis. If it is not, it downloads the second-stage payload. That second stage can already steal Discord tokens and the Telegram data folder, but its main job is to download and run a much more capable .NET stealer, the third stage.
The researchers call it an advanced spyware tool capable of harvesting credentials from web browsers, cryptocurrency wallets, and applications such as Discord, Steam, and Telegram.
“It can also capture screenshots and collect detailed information about the infected system. The stolen data is discreetly bundled and exfiltrated via Discord, a tactic that allows the activity to blend in with legitimate traffic.”
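Because the loader only executes inside a running Minecraft client, a detonation sandbox without the game installed sees nothing, and the VirusTotal results above show signature engines missed it. A practical check for a player or a help desk is therefore offline static triage of the JARs in the mods folder. The script below is an added example written for this article, not tooling from Check Point or the Minecraft project; it scans every entry of each JAR for generic indicators of the behaviours described above (HTTP download of a next stage, virtual-machine checks, Discord webhook exfiltration, Discord and Telegram data paths). The indicator strings, the `example.invalid` URLs and the two sample JARs are constructed for the demonstration and are not IoCs from the report.

```python
"""Static triage of Minecraft mod JARs for loader, anti-VM and exfil indicators."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Heuristic patterns (an assumption for this example, not IoCs from the report).
# They are matched against the raw bytes of each JAR entry, so class-file
# constant-pool strings and bundled resources are both covered.
INDICATORS = {
    "network_download": [
        rb"java/net/URL",
        rb"java/net/HttpURLConnection",
        rb"java/net/http/HttpClient",
        rb"https?://[\w./:%-]{8,}",
    ],
    "process_exec": [rb"java/lang/ProcessBuilder"],
    "anti_analysis": [rb"VirtualBox", rb"VMware", rb"vbox", rb"QEMU", rb"[Ss]andbox"],
    "credential_theft": [
        rb"discord(?:app)?\.com/api/webhooks",   # webhook exfil channel
        rb"Local Storage[/\\]leveldb",           # where Discord keeps tokens
        rb"tdata",                               # Telegram Desktop data folder
    ],
}


def scan_jar_bytes(data: bytes) -> dict[str, list[str]]:
    """Return, per category, the de-duplicated '<entry>: <match>' hits in a JAR."""
    hits: dict[str, list[str]] = {cat: [] for cat in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            blob = jar.read(info.filename)
            for cat, patterns in INDICATORS.items():
                for pat in patterns:
                    for m in re.finditer(pat, blob):
                        hit = f"{info.filename}: {m.group(0)[:60].decode('latin-1')}"
                        if hit not in hits[cat]:
                            hits[cat].append(hit)
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """Combine categories: exfil strings alone, or download plus evasion/exec, is suspicious."""
    cats = {cat for cat, found in hits.items() if found}
    if "credential_theft" in cats:
        return "suspicious"
    if "network_download" in cats and cats & {"anti_analysis", "process_exec"}:
        return "suspicious"
    return "review" if cats else "clean"


def scan_mods_dir(mods_dir) -> dict[str, tuple[str, dict[str, list[str]]]]:
    """Scan every *.jar in a mods folder; unreadable archives are reported, not skipped."""
    results = {}
    for jar_path in sorted(Path(mods_dir).glob("*.jar")):
        try:
            hits = scan_jar_bytes(jar_path.read_bytes())
        except zipfile.BadZipFile:
            results[jar_path.name] = ("unreadable", {})
            continue
        results[jar_path.name] = (verdict(hits), hits)
    return results


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory JAR from {entry name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, blob in entries.items():
            jar.writestr(name, blob)
    return buf.getvalue()


# Constructed samples: the byte strings stand in for class-file constant-pool entries.
BENIGN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/lightmod/LightMod.class":
        b"\xca\xfe\xba\xbe net/minecraft/client/Minecraft com/example/lightmod/LightMod onTick",
})
LOADER_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/cheat/Loader.class":
        b"\xca\xfe\xba\xbe java/net/URL https://stage2.example.invalid/payload.jar "
        b"java/lang/ProcessBuilder VirtualBox VMware",
    "com/example/cheat/Grab.class":
        b"\xca\xfe\xba\xbe https://discord.com/api/webhooks/0/constructed Local Storage/leveldb tdata",
})


def report(results: dict[str, tuple[str, dict[str, list[str]]]]) -> None:
    for name, (label, hits) in results.items():
        print(f"{label:10s} {name}")
        for cat, found in hits.items():
            for hit in found:
                print(f"    [{cat}] {hit}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. %APPDATA%\.minecraft\mods
        report(scan_mods_dir(sys.argv[1]))
    else:                                       # demo on the constructed samples
        with tempfile.TemporaryDirectory() as tmp:
            Path(tmp, "lightmod.jar").write_bytes(BENIGN_JAR)
            Path(tmp, "cheat-client.jar").write_bytes(LOADER_JAR)
            report(scan_mods_dir(tmp))
```

Run it against the game's mods directory (on Windows usually `%APPDATA%\.minecraft\mods`) and review anything marked `suspicious` or `review` before launching the game. The caveat is the same one the VirusTotal result illustrates: string heuristics are trivially defeated by obfuscation or by fetching indicators at runtime, so a `clean` verdict is not a guarantee, only the absence of obvious tells. A mod that downloads code over HTTP while also probing for VirtualBox or VMware has no legitimate reason to do either, which is why that combination, and any Discord webhook URL, is enough for a `suspicious` verdict here.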
The malware code is littered with Russian-language comments, and the threat actor's activity aligns with the UTC+3 time zone, which suggests the malware was developed by a Russian-speaking attacker.
Over one million players actively use Minecraft mods. The researchers warn them to be skeptical of tools that promise automation, hacks, or cheats, and to download mods only from trusted, verified sources.