Check Point Research uncovered a multi-stage malware campaign targeting Minecraft users via the Stargazers Ghost Network, distributed through malicious GitHub repositories impersonating popular cheats such as Oringo and Taunahi. The malware chain, built by a Russian-speaking threat actor, consists of Java-based loaders followed by a .NET stealer that harvests credentials and other sensitive data from infected machines. #StargazersGhostNetwork #Oringo #Taunahi
Key points
- Check Point Research detected a multi-stage malware campaign targeting Minecraft users through the Stargazers Ghost Network on GitHub.
- The malware masquerades as Minecraft mods, including popular cheat tools Oringo and Taunahi, requiring Minecraft to be installed to execute.
- The attack chain includes a first-stage Java downloader, a second-stage Java stealer, and a third-stage .NET stealer with enhanced stealing capabilities.
- The malware uses anti-VM and anti-analysis techniques to evade detection, and it went undetected by antivirus and sandbox solutions because the Minecraft dependencies it needs in order to run are absent from analysis environments.
- The threat actor is likely Russian-speaking, indicated by UTC+3 time zone commits and Russian language artifacts within the malware.
- The .NET stealer exfiltrates a wide array of data including browser credentials, cryptocurrency wallets, VPN details, gaming platforms, and messaging applications.
- The campaign exploits the popularity of Minecraft mods to distribute malware and steal sensitive user information through sophisticated multi-stage loaders.
MITRE Techniques
- [T1086] PowerShell – The .NET stealer executes commands to collect and exfiltrate data. (“method: runFile”)
- [T1140] Deobfuscate/Decode Files or Information – Use of base64 decoding to obtain secondary stage download URLs from Pastebin. (“base64 encoded content is decoded”)
- [T1059] Command and Scripting Interpreter – The Java loader downloads and executes additional malicious components in sequence. (“the malicious mod downloads the second-stage stealer”)
- [T1560] Archive Collected Data – Stolen data is zipped before exfiltration. (“Stolen data are zipped”)
- [T1027] Obfuscated Files or Information – Use of Skidfuscator to obfuscate some stealer samples. (“Some samples may be obfuscated with Skidfuscator”)
- [T1071] Application Layer Protocol – Exfiltration of data via POST requests to Pastebin and Discord webhooks. (“POST the stolen data in JSON format”)
- [T1566] Phishing – Distribution via fake Minecraft mods masquerading as popular cheats to lure victims. (“The repositories supposedly provided mods for Minecraft and appeared legitimate”)
- [T1083] File and Directory Discovery – The stealer searches for targeted files and folders related to Discord, Telegram, and various clients. (“Lists files in %APPDATA%/discord/Local Storage/leveldb”)
- [T1499] Endpoint Denial of Service – Anti-VM and anti-debugging techniques cause the malware to terminate in virtual environments. (“Loader implements simple anti-VM and anti-analysis techniques”)
Indicators of Compromise
- [SHA256 Hashes] Multiple stages of JAR files – 05b143fd7061bdd317bd42c373c5352bec351a44fa849ded58236013126d2963 (stage 1), 4c8a6ad89c4218507e27ad6ef4ddadb6b507020c74691d02b986a252fb5dc612 (stage 2), 7aefd6442b09e37aa287400825f81b2ff896b9733328814fb7233978b104127f (stage 3), and others.
- [URLs] Stage 2 download and upload URLs – hxxp://147.45.79.104/download, hxxp://негры[.]рф/MixinLoader-v2.4.jar, hxxp://185.95.159.125/upload
- [Domains] Hosting domain – негры[.]рф used for malware hosting and distribution.
- [GitHub Repositories] Malicious repo URLs – hxxps://github[.]com/A1phaD3v/Oringo-Client, hxxps://github[.]com/AlphaPigeonDev/Polar-Client, hxxps://github[.]com/P1geonD3v/Taunahi-V3 among others.
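The network IoCs above are published defanged (hxxp, [.]) and include a Cyrillic hosting domain, which DNS and proxy logs record in punycode. The following added example (not part of the Check Point report) refangs the IoCs, derives both spellings of the IDN host, and matches them against constructed proxy/DNS log lines; github.com is treated as shared infrastructure and matched on the full repository URL rather than by host.

```python
from urllib.parse import urlsplit

# Network IoCs exactly as listed on this page, still defanged (hxxp, [.]).
DEFANGED_IOCS = [
    "hxxp://147.45.79.104/download",
    "hxxp://негры[.]рф/MixinLoader-v2.4.jar",
    "hxxp://185.95.159.125/upload",
    "hxxps://github[.]com/A1phaD3v/Oringo-Client",
    "hxxps://github[.]com/AlphaPigeonDev/Polar-Client",
    "hxxps://github[.]com/P1geonD3v/Taunahi-V3",
]
SHARED_HOSTS = {"github.com"}  # too broad to match by host; use the full repo URL

def refang(ioc):
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def to_punycode(host):
    # Unicode hostname -> IDNA (xn--) form, which is how DNS and proxy logs record it
    return host.encode("idna").decode("ascii")

def build_indicators(defanged=DEFANGED_IOCS):
    hosts, url_prefixes = set(), set()
    for ioc in defanged:
        url = refang(ioc).lower()
        host = urlsplit(url).hostname
        if host in SHARED_HOSTS:
            url_prefixes.add(url)
        else:
            hosts.update({host, to_punycode(host)})  # match either spelling
    return hosts, url_prefixes

def scan_line(line, hosts, url_prefixes):
    # Return the indicator this log line hits, or None.
    for tok in line.lower().split():
        if tok.startswith(("http://", "https://")):
            host = urlsplit(tok).hostname or ""
            if host in hosts:
                return host
            hit = next((p for p in url_prefixes if tok.startswith(p)), None)
            if hit:
                return hit
        elif tok in hosts:
            return tok
    return None

# Constructed sample proxy/DNS events (not from the report).
SAMPLE_LOGS = [
    "2025-06-18T12:00:00Z ws-01 dns query " + to_punycode("негры.рф") + " A",
    "2025-06-18T12:00:01Z ws-01 proxy GET http://147.45.79.104/download 200",
    "2025-06-18T12:00:02Z ws-02 proxy GET https://github.com/P1geonD3v/Taunahi-V3/archive/main.zip 200",
    "2025-06-18T12:00:03Z ws-02 proxy GET https://github.com/torvalds/linux 200",
]
```

Run `build_indicators()` once and apply `scan_line` to each log line; the third sample shows why the GitHub repositories are matched on URL prefix, since the archive download path extends the repository URL.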
Read more: https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/