Researchers Uncover Sophisticated Attack Chain with Far-Reaching Consequences

A recent malware campaign has infected over 1,500 Minecraft players by masquerading as game mods on GitHub. The attack, which was first detected by cybersecurity company Check Point in March 2025, employs a multi-stage malware distribution strategy that leverages a distribution-as-service (DaaS) offering called Stargazers Ghost Network.
According to researchers Jaromír Hořejší and Antonis Terefos, the campaign specifically targets Minecraft users, tricking them into downloading a Minecraft mod from GitHub that ultimately delivers a .NET information stealer with comprehensive data theft capabilities. The initial loader, developed in Java, uses simple anti-VM and anti-analysis techniques to evade detection by antivirus engines.
The malicious repositories, masquerading as Minecraft mods, serve as a conduit for infecting users with a Java loader that remains undetected by all antivirus engines. The loader's main objective is to download and run another JAR file, a second-stage stealer that, once the victim starts the game, fetches and executes a .NET stealer as the final payload.
The second-stage component is retrieved from an IP address stored in Base64-encoded form on Pastebin, essentially turning the paste tool into a dead drop resolver. The captured information is eventually bundled and transmitted back to the attacker via a Discord webhook.
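As an added defender-side illustration (not code from Check Point or from the article), the snippet below shows how the dead-drop pattern just described could be surfaced from telemetry: it decodes Base64 tokens in fetched paste content that resolve to an IPv4 address, flags a Java process fetching from a paste site or any Discord webhook URL, and correlates the decoded address with later outbound connections. All sample data is constructed, and the Discord webhook URL shape is an assumption.

```python
"""Spot the dead-drop resolver and Discord webhook stages in constructed
telemetry: paste content carrying a Base64-encoded IPv4 address, a follow-on
fetch from that address, and an outbound Discord webhook URL."""
import base64
import binascii
import ipaddress
import re

# Base64 runs long enough to hold a dotted-quad ("1.1.1.1" is 8 chars encoded,
# "255.255.255.255" is 20); the decoder rejects anything that is not an address.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,24}={0,2}")
PASTE_HOST = re.compile(r"pastebin\.com", re.I)
# Assumed webhook URL shape: discord.com/api/webhooks/<numeric id>/<token>
DISCORD_WEBHOOK = re.compile(r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)

def decode_b64_ipv4(token: str):
    """Return the dotted-quad an exact Base64 token decodes to, else None."""
    try:
        return str(ipaddress.IPv4Address(base64.b64decode(token, validate=True).decode("ascii")))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def scan_paste_content(text: str) -> list[str]:
    """All IPv4 addresses hidden as Base64 tokens in fetched paste content."""
    return [ip for ip in map(decode_b64_ipv4, B64_TOKEN.findall(text)) if ip]

def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Flag a Java process talking to a paste site, and any Discord webhook URL."""
    findings = []
    for n, line in enumerate(lines, 1):
        if PASTE_HOST.search(line) and "java" in line.lower():
            findings.append((n, "java process fetching from paste site (dead-drop resolver?)"))
        if DISCORD_WEBHOOK.search(line):
            findings.append((n, "outbound Discord webhook (exfiltration channel?)"))
    return findings

def correlate(paste_text: str, lines: list[str]) -> list[int]:
    """Line numbers whose destination is an address resolved from the paste."""
    ips = set(scan_paste_content(paste_text))
    return [n for n, line in enumerate(lines, 1) if any(ip in line for ip in ips)]

# Constructed sample data (not real indicators): the first token encodes 203.0.113.45,
# a documentation-range address; "aGVsbG8gd29ybGQ=" is a non-address decoy.
SAMPLE_PASTE = "cfg MjAzLjAuMTEzLjQ1 aGVsbG8gd29ybGQ="
SAMPLE_LOGS = [
    "2025-03-12T10:01:07Z proc=javaw.exe dst=pastebin.com:443 GET /raw/EXAMPLE_ID",
    "2025-03-12T10:01:09Z proc=javaw.exe dst=203.0.113.45:80 GET /stage2.jar",
    "2025-03-12T10:05:33Z proc=stealer.exe POST https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN",
    "2025-03-12T10:06:00Z proc=chrome.exe dst=example.com:443 GET /",
]
```

Running `scan_log_lines(SAMPLE_LOGS)` flags lines 1 and 3, and `correlate(SAMPLE_PASTE, SAMPLE_LOGS)` ties the decoded address to line 2, the second-stage download.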
What makes this campaign notable is its use of the Stargazers Ghost Network, which relies on thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software and game cheats. The researchers flagged approximately 500 GitHub repositories, including forks and copies, and observed 700 stars generated by approximately 70 accounts.
The campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several artifacts written in the Russian language and the timezone of the attacker’s commits (UTC+03:00). The researchers emphasized the importance of caution when downloading third-party content, highlighting how popular gaming communities can be exploited as effective vectors for malware distribution.
Meanwhile, Palo Alto Networks Unit 42 has detailed two new variants of an information stealer codenamed KimJongRAT, which is likely connected to the same North Korean threat actor behind BabyShark and Stolen Pencil. The new variants use a Portable Executable (PE) file and a PowerShell implementation, respectively, and are capable of gathering and transferring victim information, files matching specific extensions, and browser data.
The continued development and deployment of KimJongRAT demonstrate an ongoing threat and underscore its developers' commitment to updating and expanding its capabilities.