Fake Minecraft mods that steal all your personal data including crypto wallets are being distributed via GitHub accounts
Word to the Minecraft massif. Be very careful about the mods and tools (definitely no cheats...) you choose to install. They may come with an unwanted payload of malware that will steal your Minecraft login, all your browser credentials, and even your Steam profile and cryptocurrency wallets. Yikes.
As reported by Bleeping Computer, security outfit Check Point Research has uncovered a large-scale malware campaign by the Stargazers Ghost Network that uses the Minecraft massive modding system to conduct so-called distribution-as-a-service (DaaS) attacks.
The tools and mods are reportedly distributed via legitimate-looking GitHub accounts. "Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader. Those repositories supposedly provided mods for Minecraft and appeared legitimate as multiple accounts starred those repositories," the CPR report says.
Apparently, the GitHub repositories contain malicious Java downloaders with file names that impersonate familiar Minecraft cheat and automation tools.
"This Java downloader is undetected by all antivirus engines across VirusTotal as it is highly targeted for Minecraft users, and the sandbox engines do not contain the required dependencies, which will let the malware run," CPR says.
So, what's the dreaded payload if the downloader is able to run? "After deobfuscation we can observe that it steals various credentials from browsers (Chromium, Edge, Firefox), files (Desktop, Documents, %USERPROFILE%/Source), cryptocurrency wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx), VPNs (ProtonVPN, OpenVPN, NordVPN), Steam, Discord, FileZilla, Telegram, as well as collects information about the infected machine, such as running processes, external IP, content of clipboard, and takes a screenshot," CPR has found. Horrors above.
CPR concludes that "the threat actor behind these campaigns is likely of Russian origin," and that "this case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content." Yep!
As for what you can do to avoid falling victim to such attacks, it would be prudent to only download mods from known, trusted publishers. If you're prompted to download a mod from GitHub, be very wary indeed. Avoiding anything that lacks a long and detailed history is surely wise.