A new multi-stage malware campaign is targeting Minecraft users with malicious Java-based software distributed through a distribution-as-a-service (DaaS) offering called the Stargazers Ghost Network.
“The malware pretended to be Oringo and Taunahi, which are ‘macro scripts’ (aka cheats),” Check Point Research said in a report shared with The Hacker News. “Both the first and second stages are written in Java and can only be executed if Minecraft is installed on the host machine.”
The ultimate goal of the attack is to trick Minecraft players into downloading mods from GitHub and deliver a .NET information stealer with comprehensive data-theft capabilities. The campaign was first discovered by the cybersecurity company in March 2025.
What makes the activity notable is its use of an illicit offering called the Stargazers Ghost Network, which uses thousands of GitHub accounts to create fake repositories masquerading as cracked software and game cheats.
These malicious repositories, masquerading as mods for the popular video game Minecraft, serve a Java loader (for example, “Oringo-11.9.jar”) that went undetected by all antivirus engines as of writing.
The Java Archive (JAR) files implement simple anti-VM and anti-analysis techniques to frustrate detection efforts. Their main goal is to download and launch another JAR file, a second-stage stealer, which in turn retrieves and executes the next stage.
The second-stage component is retrieved from an IP address (“147.45.79.104”) that is stored in base64-encoded form on Pastebin, essentially turning the paste into a dead drop resolver.
“To add mods to the Minecraft game, the user must copy the malicious mod file to the Minecraft mods folder. After starting the game, the Minecraft process loads all mods from the folder, including the malicious mod, which will download and execute the second stage,” the researchers said.
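As an added example (not code from the Check Point report or from this page), a small triage helper in Python that looks inside a mod JAR for the two indicators described above: a Pastebin-style dead-drop URL and a base64 token that decodes to an IPv4 address. The sample JAR, its file names and the paste ID are constructed for the demonstration; only the IP address comes from the page.

```python
import base64
import io
import ipaddress
import re
import zipfile

# Constructed sample (not from the report): a fake mod JAR whose class file
# embeds a Pastebin-style URL (placeholder ID) and the base64 form of the
# second-stage IP reported on the page.
REPORTED_IP = "147.45.79.104"

def build_sample_jar(malicious: bool = True) -> bytes:
    """Return an in-memory JAR; the benign variant carries no indicators."""
    body = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"          # class-file header
    if malicious:
        body += b"\x00 https://pastebin.com/raw/EXAMPLE_ID \x00"
        body += base64.b64encode(REPORTED_IP.encode()) + b"\x00"
    else:
        body += b"\x00 net/minecraft/client/Minecraft \x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("sample/Loader.class", body)
    return buf.getvalue()

_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")             # strings(1)-style runs
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")    # candidate base64 blobs
_DEAD_DROP = re.compile(rb"https?://pastebin\.com/\S+")  # paste-site URLs

def _b64_ipv4(token: bytes):
    """Return the dotted-quad string if token is valid base64 of an IPv4."""
    try:
        return str(ipaddress.IPv4Address(
            base64.b64decode(token, validate=True).decode("ascii")))
    except ValueError:          # bad base64, non-ASCII, or not an address
        return None

def scan_jar(jar_bytes: bytes) -> dict:
    """Report dead-drop URLs and base64-encoded IPv4 literals in .class files."""
    hits = {"dead_drop_urls": [], "b64_ipv4": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            for run in _PRINTABLE.findall(zf.read(name)):
                hits["dead_drop_urls"] += [(name, u.decode()) for u in _DEAD_DROP.findall(run)]
                for tok in _B64_TOKEN.findall(run):
                    ip = _b64_ipv4(tok)
                    if ip:
                        hits["b64_ipv4"].append((name, ip))
    return hits
```

A hit on either indicator is a reason to quarantine the mod for analysis, not proof on its own; legitimate mods rarely embed paste-site URLs or encoded IP literals.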
In addition to downloading the .NET stealer, the second-stage stealer is equipped to steal Discord and Minecraft tokens, as well as Telegram data. The .NET stealer, for its part, is capable of harvesting credentials from various web browsers and collecting files, as well as information from cryptocurrency wallets and other applications such as Steam and FileZilla.
It can also take screenshots and collect information about running processes, the system's external IP address, and clipboard contents. The captured information is ultimately packaged and transmitted to the attacker via a Discord webhook.
The campaign is suspected to be the work of a Russian-speaking threat actor, owing to the presence of several artifacts written in Russian and the attacker's time zone (UTC+03:00). It is estimated that more than 1,500 devices may have fallen victim to this scheme.
“This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content,” the researchers said.
“The Stargazers Ghost Network is actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were in fact Java loaders that deployed two additional stealers.”
New KimJongRAT Stealer Variants Uncovered
The development comes as Palo Alto Networks Unit 42 detailed two new variants of the KimJongRAT information stealer, likely linked to a North Korean threat actor behind BabyShark and Stolen Pencil. KimJongRAT was discovered in the wild in May 2013 and was later deployed as a secondary payload in BabyShark.
“One of the new variants uses a portable executable (PE) file and the other uses a PowerShell implementation,” security researcher Dominik Reichel noted. “Both the PE and PowerShell variants are initiated by clicking a Windows shortcut (LNK) file, which downloads a dropper file from a content delivery network (CDN) account.
While the PE-based dropper launches a loader along with a decoy PDF and text file, the dropper in the PowerShell variant deploys a decoy PDF along with a ZIP archive. The loader, in turn, loads the payloads, including the KimJongRAT stealer.”
The ZIP archive deployed by the PowerShell dropper contains scripts that run the PowerShell-based KimJongRAT stealer and keylogger components.
Both new incarnations are capable of collecting and exfiltrating victim information, files matching certain extensions, and browser data such as credentials and details from cryptocurrency wallet extensions. The PE variant of KimJongRAT is also designed to harvest FTP and email information.
“The development and deployment of KimJongRAT variants, which introduce changes such as the use of a legitimate CDN server for distribution, demonstrates a precise and persistent threat,” Unit 42 said. “This adaptation not only demonstrates the sustained threat posed by such malware, but also highlights the ongoing development by its authors.”