PLAY PODCASTS
Over 1,500 Minecraft Users Infected in Stargazers Ghost Malware Campaign
Episode 136

Over 1,500 Minecraft Users Infected in Stargazers Ghost Malware Campaign

Daily Security Review

June 20, 202555m 17s

Audio is streamed directly from the publisher (media.transistor.fm) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

A malware distribution network hiding in plain sight — on GitHub.

This episode unpacks the Stargazers Ghost Network, a massive Distribution-as-a-Service (DaaS) infrastructure run by a threat actor known as Stargazer Goblin. Using over 3,000 GitHub accounts, this operation pushes dangerous information-stealing malware disguised as legitimate game mods and cracked software, particularly targeting communities like Minecraft players.

At the center of the campaign are well-known infostealers such as Atlantida, Rhadamanthys, RisePro, Lumma, and RedLine. The delivery mechanism? Sophisticated Java-based loaders, GitHub phishing repositories, and links embedded across platforms like Twitch, TikTok, YouTube, and Discord.

Key insights we explore:

🎯 Targeted deception: Modded Minecraft downloads hiding Java loaders that drop multiple stealers
 💸 Financial motivation: An estimated $100,000 earned by Stargazer Goblin through stolen data
🧠 Social engineering: Repository stars, forks, and watchers used to appear trustworthy
🧪 Anti-analysis: Malware designed to evade detection with anti-VM and anti-sandbox techniques
🔐 Data exfiltration: Passwords, cookies, crypto wallets, VPN credentials, Discord tokens, and more
🌍 Attribution: Russian-language artifacts and UTC+3 activity suggest a Russian-based operator


We also explore how GitHub’s platform was exploited, the use of password-protected archives to bypass scans, and the tiered account structure that allows malicious repositories to reappear even after bans.

With GitHub being abused at this scale — and over 1,500 Minecraft users already infected — this case is a wake-up call for both platforms and end users. The combination of malware-as-a-service (MaaS) and DaaS delivery is lowering the bar for cybercriminals and increasing the risk for everyone online.

#StargazersGhost #GitHubMalware #Infostealers #StargazerGoblin #MinecraftMalware #RedLine #Rhadamanthys #LummaStealer #AtlantidaStealer #JavaMalware #MalwareCampaign #CybersecurityPodcast #DaaS #MaaS #InfoSec #GamingCyberThreats #DiscordMalware

Topics

Stargazers Ghost NetworkStargazer GoblinGitHub malwareMinecraft malwareLumma StealerRedLine StealerRhadamanthysAtlantida StealerRisePro malwareinfostealer campaignDistribution as a ServiceDaaSmalware-as-a-serviceMaaSgame mod malwareJava loader malwareDiscord token theftcracked software malwarephishing repositoriesGitHub cyberattackRussian threat actorcybersecurity podcastmalware distribution networkTwitch malware linksTikTok malware linkscredential theftinformation stealergamer-targeted malwaresocial engineeringendpoint securityJava-based malwareC2 infrastructuremalware delivery pipelineonline gaming threatsGitHub abusecybersecurity threats to gamers
← All episodes of Daily Security Review