While some might see a grim irony in cheaters being targeted, the scale of the attack is alarming. Check Point Research suggests that Minecraft players are at risk, with some 1,500 cheating players having been caught in a complex malware operation.
Minecraft players are very often young kids, with estimates that as many as 65% of the player base are under 21.

The published findings of a three-month investigation show how the Stargazers Ghost Network was used to distribute obfuscated, Java-based malware that posed as the cheat macros Origno and Taunahi.
The episode shows how the beloved world of gaming can be exploited by cybercriminals. It reveals the escalating dangers in the modding community, and it shows how easily malware can be spread through trusted platforms, putting children who play popular games at particular risk.
The technical execution of this attack was a multi-stage process designed to evade detection. The malicious files, disguised as .jar file game mods on GitHub, wouldn’t run on their own. They were written in Java and required the Minecraft game environment to be active, a clever trick that meant they would not trigger alarms in typical sandbox analysis environments that don’t have Minecraft installed. This specificity was key to the malware remaining undetected by all antivirus engines on VirusTotal at the time of the research.
Once a player downloaded and ran the fake cheat mod, the infection chain began. The initial mod acted as a “loader,” first checking whether it was running in a virtual machine (a standard sandbox-evasion check) and terminating itself if it detected one. If it deemed the environment to be a real user’s machine, it would then reach out to Pastebin to retrieve a link. This link downloaded the second stage of the malware, which in turn installed the final payload: a powerful .NET “stealer.”

This final payload was designed to be devastatingly effective, targeting the sensitive information that gamers store on their computers. It systematically searched for and exfiltrated account credentials from web browsers, cryptocurrency wallet data, and session tokens for platforms like Discord, Steam, and Telegram. The stolen data was then bundled into a JSON file and sent back to the attackers via a Discord webhook. Signs of a Russian-speaking threat actor, including Russian-language comments within the code, point to the likely origin of this sophisticated campaign.
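The chain described above (a Java game process fetching a Pastebin link, followed shortly by a POST to a Discord webhook from a non-browser process) leaves a recognisable sequence in egress-proxy or EDR network logs. The following is an added detection example, written for this article and not code from Check Point or from the report; it assumes a simple one-line-per-request log format, a handful of constructed sample lines (the hostnames, process names and URL paths are placeholders, not indicators from the report), and an assumed correlation window of ten minutes between the two stages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log lines (assumed format, not from the report).
# pc-kid-01 shows the described chain; pc-dev-02 shows benign look-alike traffic
# (a browser visiting Pastebin, and a CI script posting to a webhook much later).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=pc-kid-01 proc=javaw.exe GET https://pastebin.com/raw/PLACEHOLDER
2024-01-01T10:00:03Z host=pc-kid-01 proc=javaw.exe GET https://cdn.example.invalid/stage2.bin
2024-01-01T10:02:10Z host=pc-kid-01 proc=stealer.exe POST https://discord.com/api/webhooks/0000/PLACEHOLDER
2024-01-01T10:05:00Z host=pc-dev-02 proc=firefox.exe GET https://pastebin.com/raw/PLACEHOLDER
2024-01-01T11:30:00Z host=pc-dev-02 proc=python.exe POST https://discord.com/api/webhooks/0000/PLACEHOLDER
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"(?P<method>GET|POST) (?P<url>\S+)$"
)
# Process names under which a Minecraft mod's Java code would run (assumption).
JAVA_PROCS = {"java.exe", "javaw.exe", "java"}
PASTEBIN_RE = re.compile(r"^https?://(www\.)?pastebin\.com/", re.I)
WEBHOOK_RE = re.compile(r"^https?://(\w+\.)?discord(app)?\.com/api/webhooks/", re.I)


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_suspicious_chains(events, window=timedelta(minutes=10)):
    """Per host, pair a Java-process Pastebin fetch with a later webhook POST.

    A finding is raised when a Discord webhook POST from any process follows a
    Pastebin fetch by a Java process on the same host within `window`.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        stagers = [e for e in evs
                   if e["proc"].lower() in JAVA_PROCS and PASTEBIN_RE.match(e["url"])]
        exfils = [e for e in evs
                  if e["method"] == "POST" and WEBHOOK_RE.match(e["url"])]
        for s in stagers:
            for x in exfils:
                if s["ts"] < x["ts"] <= s["ts"] + window:
                    findings.append({
                        "host": host,
                        "stager_proc": s["proc"], "stager_ts": s["ts"],
                        "exfil_proc": x["proc"], "exfil_ts": x["ts"],
                    })
                    break  # one alert per stager is enough; avoid duplicates
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {f['host']}: {f['stager_proc']} fetched Pastebin at "
              f"{f['stager_ts']:%H:%M:%S}, {f['exfil_proc']} posted to a Discord "
              f"webhook at {f['exfil_ts']:%H:%M:%S}")
```

The two-stage correlation matters more than either event on its own: developers and gamers legitimately visit Pastebin, and Discord webhooks are used by many benign tools, so alerting on either alone would be noisy. Tuning the window and the process allow-list to the environment, and feeding the rule from an EDR that records the originating process, are the main practical adjustments.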
Via Check Point.