A malware distribution network hiding in plain sight — on GitHub.
This episode unpacks the Stargazers Ghost Network, a massive Distribution-as-a-Service (DaaS) infrastructure run by a threat actor known as Stargazer Goblin. Using over 3,000 GitHub accounts, this operation pushes dangerous information-stealing malware disguised as legitimate game mods and cracked software, particularly targeting communities like Minecraft players.
At the center of the campaign are well-known infostealers such as Atlantida, Rhadamanthys, RisePro, Lumma, and RedLine. The delivery mechanism? Sophisticated Java-based loaders, GitHub phishing repositories, and links embedded across platforms like Twitch, TikTok, YouTube, and Discord.
Key insights we explore:
🎯 Targeted deception: Modded Minecraft downloads hiding Java loaders that drop multiple stealers
💸 Financial motivation: An estimated $100,000 earned by Stargazer Goblin through stolen data
🧠 Social engineering: Repository stars, forks, and watchers used to appear trustworthy
🧪 Anti-analysis: Malware designed to evade detection with anti-VM and anti-sandbox techniques
🔐 Data exfiltration: Passwords, cookies, crypto wallets, VPN credentials, Discord tokens, and more
🌍 Attribution: Russian-language artifacts and UTC+3 activity suggest a Russian-based operator
We also explore how GitHub’s platform was exploited, the use of password-protected archives to bypass scans, and the tiered account structure that allows malicious repositories to reappear even after bans.
With GitHub being abused at this scale — and over 1,500 Minecraft users already infected — this case is a wake-up call for both platforms and end users. The combination of malware-as-a-service (MaaS) and DaaS delivery is lowering the barrier to entry for cybercriminals and increasing the risk for everyone online.
#StargazersGhost #GitHubMalware #Infostealers #StargazerGoblin #MinecraftMalware #RedLine #Rhadamanthys #LummaStealer #AtlantidaStealer #JavaMalware #MalwareCampaign #CybersecurityPodcast #DaaS #MaaS #InfoSec #GamingCyberThreats #DiscordMalware