
A new multi-stage malware campaign is targeting Minecraft users with Java-based malware, leveraging a distribution-as-a-service (DaaS) offering called the Stargazers Ghost Network.
“The campaign has created a multi-stage attack chain that specifically targets Minecraft users,” Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News.
“The malware was spoofing Oringo and Taunahi, ‘Scripts and Macro Tools’ (also known as cheats). The first and second stages are developed in Java and can only be run if the Minecraft runtime is installed on the host machine.”
The ultimate goal of the attack is to trick players into downloading Minecraft mods from GitHub and to deliver a .NET information stealer capable of comprehensive data theft. The campaign was first detected by the cybersecurity company in March 2025.
What makes the activity stand out is its use of an illicit offering called the Stargazers Ghost Network, which uses thousands of GitHub accounts to set up malicious repositories posing as cracked software and gaming cheats.

These malicious repositories, masquerading as Minecraft mods, act as conduits that infect players of the popular video game with Java loaders (for example, “Oringo-1.8.9.jar”).
The Java Archive (JAR) files implement simple anti-VM and anti-analysis checks to evade detection. Their main purpose is to download and run another JAR file, a second-stage stealer that in turn retrieves and runs a .NET stealer as the final payload when the victim starts the game.
The second-stage component is fetched from an IP address (“147.45.79.104”) stored in a Pastebin paste in Base64-encoded form, effectively turning the paste tool into a dead-drop resolver.
“To add mods to a Minecraft game, users need to copy the malicious JAR archive to the Minecraft mods folder. When the game is started, the Minecraft process loads all the mods from the folder, including the malicious mod, which downloads and runs the second stage,” the researchers said.

In addition to downloading the .NET stealer, the second-stage stealer is equipped to steal Discord and Minecraft tokens as well as Telegram-related data. The .NET stealer, meanwhile, can collect data from various web browsers and files, as well as information from cryptocurrency wallets and other apps such as Steam and FileZilla.
It can also take screenshots and gather information about running processes, the system's external IP address, and the contents of the clipboard. The captured information is ultimately bundled and sent to the attacker via a Discord webhook.
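The chain described above leaves a few indicators inside the mod JAR itself: a Pastebin URL used as a dead-drop resolver, a Base64 blob that decodes to an IP address, and a Discord webhook URL used for exfiltration. The following scanner is an added, defender-side example written for this article; it is not code from Check Point's report or from the malware. It unpacks every JAR in a Minecraft mods folder and flags those indicators. The only page-derived value is the IP address quoted in the report; the sample JAR it builds, including the class names, paste ID and webhook path, is constructed for the demonstration and has no relation to the real campaign.

```python
import base64
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# IoC from the report: the IP the second stage is fetched from.
KNOWN_C2_IPS = {"147.45.79.104"}

# Dead-drop resolver and exfiltration channels named in the article.
URL_PATTERNS = {
    "pastebin_url": re.compile(rb"https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]+"),
    "discord_webhook": re.compile(rb"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
}
# Runs of Base64 alphabet characters; short IPs like 1.1.1.1 encode to 10 chars.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

Hits = Dict[str, List[Tuple[str, str]]]


def is_ipv4(text: str) -> bool:
    """True if text is a dotted-quad IPv4 address with in-range octets."""
    return bool(IPV4.match(text)) and all(int(o) <= 255 for o in text.split("."))


def base64_ips(data: bytes) -> List[str]:
    """Return IPv4 addresses hidden inside Base64 blobs (dead-drop style)."""
    found = []
    for blob in B64_BLOB.findall(data):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii").strip()
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or decodes to binary: skip
        if is_ipv4(decoded):
            found.append(decoded)
    return found


def scan_jar_bytes(jar: bytes) -> Hits:
    """Scan every member of a JAR (classes and resources) for the indicators."""
    hits: Hits = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for label, pattern in URL_PATTERNS.items():
                for match in pattern.findall(data):
                    hits.setdefault(label, []).append((member, match.decode("ascii", "replace")))
            for ip in base64_ips(data):
                hits.setdefault("base64_ip", []).append((member, ip))
            for ip in KNOWN_C2_IPS:
                if ip.encode() in data:
                    hits.setdefault("known_c2_ip", []).append((member, ip))
    return hits


def scan_mods_folder(mods_dir: str) -> Dict[str, Hits]:
    """Scan all *.jar files in a mods folder; returns only JARs with findings."""
    report: Dict[str, Hits] = {}
    for jar_path in Path(mods_dir).glob("*.jar"):
        try:
            hits = scan_jar_bytes(jar_path.read_bytes())
        except zipfile.BadZipFile:
            hits = {"not_a_valid_jar": [(jar_path.name, "")]}
        if hits:
            report[jar_path.name] = hits
    return report


def build_sample_jar(malicious: bool = True) -> bytes:
    """Constructed sample JAR for offline testing; all contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Clean.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"java/lang/Object")
        if malicious:
            zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"https://pastebin.com/raw/aBcDeF12")
            zf.writestr("resolver.txt", b"host=" + base64.b64encode(b"147.45.79.104") + b"\n")
            zf.writestr("Exfil.class", b"\xca\xfe\xba\xbe" + b"https://discord.com/api/webhooks/1234567890/AbC-dEf_123")
    return buf.getvalue()


if __name__ == "__main__":
    for label, entries in scan_jar_bytes(build_sample_jar()).items():
        print(label, entries)
```

Point `scan_mods_folder` at the game's mods directory (for example `%APPDATA%\.minecraft\mods` on Windows) to get a per-JAR report. String matching on compiled classes is deliberately crude: a loader that builds its URL at runtime or stores the paste ID rather than a full URL will slip past it, so treat a hit as a reason to pull the JAR for analysis, not as the only signal, and pair it with egress monitoring for pastebin.com and discord.com webhook traffic from the Java process.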
The campaign is suspected to be the work of a Russian-speaking threat actor, owing to the presence of several artifacts written in Russian and the time zone of the attacker's commits (UTC+03:00). It is estimated that more than 1,500 devices may have fallen prey to this scheme.
“This case highlights how popular gaming communities can be used as effective vectors for the distribution of malware, and highlights the importance of care when downloading third-party content,” the researchers said.
“The Stargazers Ghost Network is actively distributing this malware, targeting Minecraft players looking for mods to enhance gameplay. In fact, what appeared to be a harmless download was actually a Java-based loader that deployed two additional stealers that exfiltrated credentials and other sensitive data.”
New variants of KimJongRAT stealer detected
The development comes as Palo Alto Networks Unit 42 detailed two new variants of an information stealer codenamed KimJongRAT, which is likely linked to the same North Korean threat actor behind BabyShark and Stolen Pencil. KimJongRAT was detected in the wild by May 2013 and has been delivered as a secondary payload in BabyShark attacks.

“One new variant uses portable executable (PE) files, while the other uses a PowerShell implementation,” said security researcher Dominik Reichel. “The PE and PowerShell variants are both started by clicking on a Windows shortcut (LNK) file that downloads the dropper file from an attacker-controlled content delivery network (CDN) account.”

The PE variant's dropper extracts a loader, a decoy PDF, and a text file, while the PowerShell variant's dropper extracts a decoy PDF along with a ZIP archive. The loader downloads an auxiliary payload containing KimJongRAT's stealer component.
The ZIP archive delivered by the PowerShell variant's dropper includes scripts that embed KimJongRAT's PowerShell-based stealer and keylogger components.
Both new incarnations can collect and exfiltrate victim information, browser data, files matching particular extensions, and credentials and details from cryptocurrency wallet extensions. KimJongRAT's PE variant is also designed to harvest FTP and email client information.
“KimJongRAT's continued development and deployment feature changing techniques, such as using legitimate CDN servers to hide its distribution, indicating a clear and continuous threat,” Unit 42 said. “This adaptability not only shows the persistent threat posed by such malware, it also highlights the developer's commitment to updating and expanding its functionality.”