Cybercriminals use fake GitHub Minecraft mods to target young players

What just happened? Hundreds of GitHub repositories offering Minecraft mods have become the latest battleground in a sophisticated malware campaign, targeting the game's vast and creative player community. At the heart of this operation is the Stargazers Ghost Network, an elaborate cybercriminal infrastructure uncovered by Check Point Research.

Unlike typical malware campaigns, Stargazers Ghost Network is a distribution-as-a-service operation that leverages thousands of fake GitHub accounts to spread malicious software disguised as legitimate mods and cheat tools. This operation uses GitHub's trusted platform to distribute malicious Java archives, evading detection while compromising over 1,500 devices since March 2025.

The attack begins when players install counterfeit mods, often in pursuit of gameplay advantages. These JAR files – designed as Minecraft Forge mods – activate only when the game launches, immediately deploying anti-analysis defenses. The loader checks for virtual machines, security tools like Wireshark, and network monitors, terminating itself if detected ...