CyberSecurity news

FlagThis - #github

info@thehackernews.com (The@The Hacker News //

Fake Minecraft Mods Steal Gamers' Data - A multi-stage malware campaign targeting Minecraft players via fake mods on GitHub steals gamers' data, including passwords and crypto wallets.
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.

The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload.

The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign.

Recommended read:
References :
  • blog.checkpoint.com: Minecraft Players Targeted in Sophisticated Malware Campaign
  • Check Point Research: Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data
  • securityaffairs.com: Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers
  • securityonline.info: Stargazers Ghost Network: Minecraft Mods Used to Distribute Multi-Stage Stealers via GitHub
  • The Hacker News: 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
  • Security Risk Advisors: 🚩 Stargazers Ghost Network Distributes Java Malware Through Fake Minecraft Mods Targeting Gaming Community
  • Check Point Blog: Minecraft Players Targeted in Sophisticated Malware Campaign
  • www.scworld.com: Counterfeit Minecraft mods deliver malware
  • www.techradar.com: Minecraft players watch out - these fake mods are hiding password-stealing malware
@www.trendmicro.com //

Water Curse APT Weaponizes GitHub Repositories - The Water Curse APT uses weaponized GitHub repositories to deliver multi-stage malware by injecting malicious code into project files, exfiltrating data, and gaining remote access.
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.

Recommended read:
References :
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • The Hacker News: The Hacker News report about Water Curse employs 76 GitHub accounts to deliver Multi-Stage Malware Campaign.
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.
securebulletin.com@Secure Bulletin //

Sophos Exposes GitHub Malware Targeting Cybercriminals, Gamers - Sophos researchers uncovered a GitHub campaign distributing backdoored malware, targeting hackers, gamers, and cybersecurity researchers with infostealer/RAT infections.
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.

The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness.

Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.

Recommended read:
References :
  • Secure Bulletin: Sophos exposes massive GitHub campaign distributing backdoored malware
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
  • Sophos X-Ops: We’ve previously looked into the niche world of threat actors targeting each other, so we investigated further, and found 133 backdoored repos, most linked to the same threat actor via an email address. Some repos claimed to be malware, others gaming cheats. The threat actor appears to have gone to some lengths to make their backdoored repos seem legitimate – including multiple accounts and contributors, and automated commits.
  • Sophos X-Ops: To avoid falling victim to these kinds of attacks, be wary of downloading/running code from unverified/untrusted repos, and where possible inspect code for anything unusual.
  • Sophos X-Ops: When we analyzed the backdoors, we ended up down a rabbithole of multiple variants, obfuscation, convoluted infection chains, and identifiers. The upshot is that a threat actor seems to be creating backdoored repos at scale, and may have been doing so for some time.
  • The Register - Security: More than a hundred backdoored malware repos traced to single GitHub user. Someone went to great lengths to prey on the next generation of cybercrooks
  • Sophos News: A simple customer query leads to a rabbit hole of backdoored malware and game cheats
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
  • gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
@gbhackers.com //

CrazyHunter Ransomware Exploits GitHub Open Source Tools - CrazyHunter, a new ransomware group, targets organizations in Taiwan's healthcare, education, and industrial sectors, leveraging open-source tools and BYOVD techniques to bypass security measures.
CrazyHunter, a new ransomware group, has emerged as a significant cyber threat, specifically targeting organizations in Taiwan. Their victims predominantly include those in the healthcare, education, and industrial sectors, indicating a focus on organizations with valuable data and sensitive operations. Since January, CrazyHunter's operations have shown a clear pattern of specifically targeting Taiwanese organizations. The group made their introduction with a data leak site posting ten victims, all located in Taiwan, demonstrating a strategic, regionally focused campaign.

CrazyHunter's toolkit heavily relies on open-source tools sourced from GitHub, with approximately 80% of their arsenal being open-source. The group broadens its toolkit by integrating open-source tools from GitHub, such as the Prince Ransomware Builder and ZammoCide, to further enhance their operational capabilities. This approach significantly reduces the technical barrier for creating tailored, potent ransomware attacks, enabling rapid adaptation and enhancement of their operations. They have also been seen to modify existing open source tools as their capabilities grow.

The ransomware deployment process includes the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security measures. A customized process killer derived from the open-source project ZammoCide exploits the zam64.sys driver to neutralize defenses, specifically targeting antivirus and endpoint detection and response (EDR) systems. The ransomware itself, a bespoke variant using the Go programming language, employs advanced ChaCha20 and ECIES encryption to lock files, appending them with a “.Hunter” extension. This demonstrates a sophisticated and targeted approach to ransomware deployment.

Recommended read:
References :
  • gbhackers.com: Analysis of the CrazyHunter group highlights its sophisticated methodology in exploiting accessible open-source tools and targeting various sectors within Taiwan.
  • www.trendmicro.com: Trend Micro details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services.
  • cyberpress.org: CyberPress - CrazyHunter Hackers Leverage GitHub Open-Source Tools to Launch Attacks on Organizations
  • securityonline.info: The group's reliance on readily available GitHub resources underscores a trend of attackers leveraging public repositories for their operations.

Posts

Blogs

Research Tools