Fake Minecraft Mods on GitHub Found Stealing Player Data

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular Minecraft cheat mods, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.
The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.
According to CPR’s blog post, the first stage was a Java-based downloader. After confirming that the user was running Minecraft and not a sandboxed or virtual environment, it downloaded a second-stage stealer, which harvested login credentials and other sensitive files.
The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and crypto wallets. It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.
Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was previously seen in July 2024 distributing malware through more than 3,000 fake GitHub accounts.
In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.
Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.
The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.
This is why in October 2021, Minecraft was identified as the most malware-infected game after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.
This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:
- Stick to mods from well-known and verified platforms.
- Make sure your antivirus and security updates are current.
- Avoid any mod claiming to offer hacks, cheats or automation.
- Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.
HackRead