Minecraft's New Villains: This Hostile Mob Steals Everything
Minecraft players are under attack — but not in the usual way. A new report warns that players face real-world consequences if they’re caught out. This is one of the most popular games in the world — the threat is serious.
“With approximately 65% of Minecraft’s player base under the age of 21,” Check Point says, “the platform presents an attractive target for cyber criminals looking to exploit a large, engaged, and often less-protected audience.”
That last point is critical. Minecraft is hugely popular amongst kids, who are one of the least cyber-aware groups around. Casual downloads from a wide array of websites haunt parents the world over. And attackers know this all too well.
BBC News says “the game seems able to absorb the attention of children for up to hours at a time – no mean feat in our distraction-filled age. Some parents fear their children’s interest in Minecraft can border on obsession, or even addiction, as they struggle to tear them away from the computer screen.”
Set against the backdrop of the game, the movie and even the Happy Meal, Check Point now warns it has “uncovered a multistage malware campaign in which the malware itself was embedded within fake Minecraft mods, shared on GitHub to specifically target active players.” And that includes all those young players.
The attack is built around “a Java downloader, a second-stage stealer, and a final advanced stealer that harvests passwords, crypto wallets, and other sensitive data.” And while many of the players may not have much in the way of crypto and high-value passwords themselves, often the shared devices they’re using will do.
Check Point says more than a million Minecraft players “actively mod Minecraft.” It has become part of the landscape, opening the door to random installs and downloads. “Part of its appeal comes from the ability to customize and enhance the game through mods, user-created tools that improve gameplay, fix bugs, and add new content.”
Check Point says this is “likely” Russian villainy at work. “Russian-language comments and behavior aligned with the UTC+3 time zone suggest the malware was developed by a Russian-speaking attacker.”
Check Point detected a campaign against players using the Stargazers Ghost Network, which it says “operates under a distribution-as-a-service (DaaS) model, leveraging multiple GitHub accounts to spread malicious links and malware at scale.”
Masquerading as cheat tools like Oringo and Taunahi, the files “look legitimate, targeting players seeking new tools and enhancements. In reality, they contain a Java-based downloader, a small piece of malware designed to quietly install additional malicious software on the victim’s device.”
The mod is coded to check whether it’s operating in a virtual environment — which might mean a security analyst’s machine — to avoid detection. “If no virtual environment or analysis tools are detected, it proceeds to the next phase.”
This second stage is the download of a malware payload “designed to steal sensitive information. This is followed by a third and final component: a more advanced spyware tool capable of harvesting credentials from web browsers, cryptocurrency wallets, and applications such as Discord, Steam, and Telegram.”
The malware can even capture screenshots from a user’s device and transmit them to its handlers. “Stolen data is discreetly bundled and exfiltrated via Discord, a tactic that allows the activity to blend in with legitimate traffic.”
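
As an added example (not from Check Point's report or this article), the Python below shows one defensive check that the Discord exfiltration detail suggests: totalling data sent to Discord domains by processes other than the Discord client or a browser, such as a game's Java runtime. The log format, domain list and process allowlist are assumptions, and the events are constructed.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: Discord-owned domains to watch; this list is not from the article.
DISCORD_SUFFIXES = ("discord.com", "discordapp.com", "discord.gg")
# Assumption: processes that are expected to talk to Discord on this machine.
EXPECTED = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample of simplified process-network events (not real telemetry).
SAMPLE = r"""time,device,image,dest_host,bytes_out
2025-01-01T18:02:11Z,family-pc,C:\Users\kid\AppData\Local\Discord\Discord.exe,gateway.discord.gg,1840
2025-01-01T18:05:40Z,family-pc,C:\Program Files\Java\bin\javaw.exe,sessionserver.mojang.com,912
2025-01-01T18:06:02Z,family-pc,C:\Program Files\Java\bin\javaw.exe,discord.com,48211
2025-01-01T18:06:09Z,family-pc,C:\Program Files\Java\bin\javaw.exe,DISCORD.COM.,2310944
2025-01-01T18:09:30Z,family-pc,C:\Program Files\Google\Chrome\chrome.exe,cdn.discordapp.com,655
2025-01-01T18:10:00Z,family-pc,C:\Program Files\Java\bin\javaw.exe,discord.com.example.net,100
"""


def is_discord(host):
    """True if host is a watched domain or a subdomain of one (case and trailing dot ignored)."""
    host = host.strip().rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in DISCORD_SUFFIXES)


def flag_discord_egress(log_text):
    """Return {(device, process): total bytes_out} for unexpected processes sending to Discord."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = PureWindowsPath(row["image"]).name.lower()
        if is_discord(row["dest_host"]) and proc not in EXPECTED:
            totals[(row["device"], proc)] += int(row["bytes_out"])
    return dict(totals)


if __name__ == "__main__":
    for (device, proc), sent in flag_discord_egress(SAMPLE).items():
        print(f"{device}: {proc} sent {sent} bytes to Discord domains")
```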
Minecraft is the perfect “playground for cyber criminals,” given its install base, the ease of pushing out downloads, and the cyber naivety of many users. “Because files often appear harmless and can slip past traditional defenses, any Minecraft player is at risk.”
The researchers warn users to do the following: