Overview
- The Stargazers Ghost Network operates as a distribution-as-a-service outfit, using roughly 500 repositories across about 70 accounts that together collected around 700 stars for malicious Minecraft mods and cheats.
- The multi-stage attack begins with a Java loader that runs anti-analysis checks to evade sandbox environments, then installs a .NET stealer dubbed 44 CALIBER.
- On compromised Windows systems the stealer harvests Minecraft tokens, authentication data, cryptocurrency wallets, browser credentials and data from apps such as Discord and Steam.
- File metadata and UTC+3 commit timestamps indicate the operators are likely Russian, and at the time of analysis the malware was not detected by any antivirus engine on VirusTotal.
- Security experts advise players to download mods only from verified sources, to check a repository's GitHub activity for signs of fake stars and forks, and to test new mods on secondary accounts.
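The advice to check GitHub activity for fake stars can be made concrete. The script below is an added example and is not code from the original article or from the researchers it summarizes. It scores stargazer records shaped like the GitHub API output (`starred_at` from the stargazers endpoint when requested with the `application/vnd.github.star+json` media type, plus `created_at`, `public_repos` and `followers` from the per-user endpoint); the fetching step is left out so it runs offline on a constructed sample. The thresholds (90-day account age, 24-hour burst window, 50% fraction) are assumptions chosen for illustration, not figures from the article.

```python
"""Heuristic check for star-farming on a GitHub repository.

Added example, not code from the article or from the research it cites.
Record shape mirrors the GitHub API: `starred_at` from the stargazers
endpoint (star+json media type) and `created_at`, `public_repos`,
`followers` from the per-user endpoint. Thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse a GitHub ISO-8601 UTC timestamp such as 2024-06-10T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_stargazer(user, starred_at, max_age_days=90):
    """Return the reasons (possibly none) a single stargazer looks like a throwaway account."""
    reasons = []
    age = parse_ts(starred_at) - parse_ts(user["created_at"])
    if age < timedelta(days=max_age_days):
        reasons.append(f"account was {age.days} days old when it starred")
    if user.get("public_repos", 0) <= 1 and user.get("followers", 0) == 0:
        reasons.append("no followers and at most one public repo")
    return reasons


def analyze_stars(stargazers, window_hours=24, fraction=0.5):
    """Combine per-account signals with burst and creation-cluster signals.

    The repo is marked suspicious when at least two of three signals fire:
    - more than `fraction` of stargazers look like throwaway accounts,
    - more than `fraction` of stars landed within one `window_hours` window,
    - more than `fraction` of stargazer accounts were created in the same ISO week.
    """
    n = len(stargazers)
    result = {"total": n, "flagged": {}, "max_in_window": 0,
              "largest_creation_cluster": 0, "signals": [], "suspicious": False}
    if n == 0:
        return result

    for entry in stargazers:
        reasons = score_stargazer(entry["user"], entry["starred_at"])
        if reasons:
            result["flagged"][entry["user"]["login"]] = reasons

    # Sliding window over sorted star times: longest run inside window_hours.
    times = sorted(parse_ts(e["starred_at"]) for e in stargazers)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(hours=window_hours):
            start += 1
        result["max_in_window"] = max(result["max_in_window"], end - start + 1)

    # Accounts registered in bulk tend to share a creation week.
    weeks = Counter()
    for e in stargazers:
        iso = parse_ts(e["user"]["created_at"]).isocalendar()
        weeks[(iso[0], iso[1])] += 1
    result["largest_creation_cluster"] = max(weeks.values())

    if len(result["flagged"]) / n > fraction:
        result["signals"].append("throwaway_accounts")
    if result["max_in_window"] / n > fraction:
        result["signals"].append("star_burst")
    if result["largest_creation_cluster"] / n > fraction:
        result["signals"].append("creation_cluster")
    result["suspicious"] = len(result["signals"]) >= 2
    return result


# Constructed sample (not real GitHub data): six accounts registered in the
# same week that all star within one hour, plus two established accounts.
SAMPLE_STARGAZERS = [
    {"starred_at": f"2024-06-10T12:{i * 9:02d}:00Z",
     "user": {"login": f"ghost{i}", "created_at": f"2024-05-2{i % 5}T08:00:00Z",
              "public_repos": i % 2, "followers": 0}}
    for i in range(6)
] + [
    {"starred_at": "2024-06-12T09:00:00Z",
     "user": {"login": "dev_alice", "created_at": "2019-03-01T10:00:00Z",
              "public_repos": 40, "followers": 120}},
    {"starred_at": "2024-06-15T18:30:00Z",
     "user": {"login": "bob_mods", "created_at": "2021-07-15T14:00:00Z",
              "public_repos": 12, "followers": 8}},
]

if __name__ == "__main__":
    report = analyze_stars(SAMPLE_STARGAZERS)
    print(f"{report['total']} stars, {len(report['flagged'])} throwaway-looking, "
          f"signals={report['signals']}, suspicious={report['suspicious']}")
    for login, reasons in report["flagged"].items():
        print(f"  {login}: {'; '.join(reasons)}")
```

Requiring two independent signals keeps a single young-but-genuine contributor, or one organic burst after a popular post, from tripping the check on its own; a real campaign of the kind described above tends to fire all three at once.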