Jaromir Horejsi


Session

04-15
14:00
30min
From Mods to Malware: Dissecting Minecraft Stealer Campaigns
Jaromir Horejsi

Minecraft is a popular video game with a massive global player base: with over 200 million monthly active players, it is one of the best-selling video games ever. Minecraft supports mods (user-created modifications), which enrich the user experience by improving gameplay, fixing bugs, enhancing graphics, and adding new content.

This popularity has been noticed by cybercriminals, who create stealers in the form of game mods and disguise them as game cheats, cracks, or macros. These stealers are uploaded to file-sharing platforms, and links to them are spread through various distribution channels (instant messengers, social media, video-sharing sites). When installed and executed by unsuspecting victims, these stealers collect a wide range of data from the infected device, causing the loss of game accounts and their associated assets, and of much more besides.

In this presentation, we examine the current landscape of Minecraft stealers and analyze the most common techniques cybercriminals use to deceive users. We focus on a few prolific stealer families, dissecting their entire infection chains from initial engagement to final payload delivery. We will present examples of YouTube videos advertising game cheats with misleading descriptions, repositories controlled by the Stargazers Github Network, mod-sharing websites, and similar lures. We will demonstrate our approach to analyzing (both statically and dynamically) these often multi-layered, obfuscated packages and to extracting critical artifacts, such as campaign IDs and command-and-control (C&C) servers, from the samples.

Additionally, we will analyze several notable malware families observed in the wild, including:
a) Baikal Stealer - a multi-stage stealer with anti-analysis capabilities.
b) Maks RAT - a multi-stage stealer with a builder, a loader, a Discord spamming module, and the main stealing module. It is very popular among ratters (cybercriminals distributing malware), is often rebranded, and new building servers appear regularly.

Main conference
Amphitheater