CyberSecurity news
FlagThis - #github
|
info@thehackernews.com (The@The Hacker News
//
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.
The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload. The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign.
Share:
References :
Classification:
@www.trendmicro.com
//
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.
The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems. To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.
Share:
References :
Classification: |