Cybersecurity Consulting
June 26, 2025
7 minute read
The DOT Report is a monthly news series from DOT Security that covers the latest headlines and biggest stories in the cybersecurity field. These stories give us a chance to discuss technical inner workings as well as the very real-world impact of cybersecurity.
This month, we start with an update on the ongoing North Korean employment scam. Then we discuss the 1,500+ Minecraft players who unwittingly downloaded malware, look at the details of a new ransomware feature added by Anubis, and finally cover the 269,000 websites infected by JSFireTruck.
Subscribe to The DOT Report for monthly coverage on all the largest headlines in the cybersecurity space.
The U.S. Department of Justice has seized over $7.74 million in cryptocurrency, NFTs, and ENS domains linked to covert IT operatives working for the North Korean government.
These state-backed developers infiltrated legitimate global tech firms by using deepfake resumes, AI-generated credentials, and stolen IDs in order to funnel earnings into North Korea's sanctioned financial systems.
This takedown is part of a broader DOJ effort dubbed "DPRK RevGen," aimed at dismantling the regime's use of the freelance tech economy to fund its weapons programs. Investigators traced the illicit funds through blockchain forensics, revealing how operatives obscured transactions.
One U.S. influencer, Christian Chapman, was even caught running a laptop-farming scheme to help these operatives pass as U.S. contractors.
This case pulls back the curtain on how North Korea exploits crypto's anonymity for state revenue—and how law enforcement is catching up.
By embedding operatives within U.S. companies and obscuring funding routes via crypto and DeFi tools, North Korea is weaponizing tech decentralization itself. These operations aren’t just financial—they blur into cyber espionage.
As offensive cyber capabilities become state revenue streams, we may be facing a new chapter of economic warfare.
Minecraft’s modding scene just got hit with a reality check. Over 1,500 players downloaded seemingly harmless cheat mods—like "Oringo" and "Taunahi"—only to discover they were infected with a stealthy, Java-based malware loader.
Researchers at Check Point found that the loader drops a .NET-based infostealer capable of exfiltrating credentials, system information, crypto wallets, and more. What made the attack so effective was its delivery:
The malware was distributed via GitHub through a network called Stargazers Ghost, which mass-produced fake repositories boosted with fake stars to appear trustworthy.
Security experts warn that this isn’t just a Minecraft issue—it’s a wider threat to developer trust and open-source hygiene. In the world of modding, popularity is no substitute for security.
The attack also exposes how easily user trust can be gamed through social validation signals—stars, forks, and download counts. In modding communities where enthusiasm often trumps caution, these kinds of malware campaigns can spread fast. Developers and platforms alike need stronger verification tools to safeguard the community ecosystem.
Anubis Ransomware-as-a-Service (RaaS) has entered a new, more destructive phase. Researchers at Trend Micro revealed that affiliates of Anubis now have the option to completely wipe a victim’s files in addition to—or instead of—encrypting them.
This new capability, which is toggled through a setting called "/WIPEMODE," signals a dangerous evolution. It transforms ransomware from a tool of extortion into a weapon of sabotage. File names remain intact, but the contents are irreversibly destroyed, making recovery impossible even from backups in some cases.
The shift underscores a growing trend among threat actors: if victims won’t pay, they’ll burn the evidence. For defenders, this raises the stakes. It’s no longer about data being held hostage—it’s about data being obliterated.
The move suggests that some ransomware groups are willing to forgo payment altogether in favor of inflicting lasting damage. This is a brutal escalation: one that transforms the calculus of incident response.
Backups, segmentation, and offline storage are now more important than ever, but even they won’t save you if attackers choose to execute a full wipe.
More than a quarter million websites have been quietly infected with a new strain of JavaScript malware called JSFireTruck, according to Unit 42 researchers at Palo Alto Networks.
This malware uses a bizarre obfuscation technique known as JSFuck, in which the entire script is rewritten using only a handful of punctuation characters (brackets, parentheses, plus signs and exclamation marks), to evade detection.
Once embedded, the script checks your browser’s referrer header and, if you’re coming from a search engine, redirects you to scam pages, fake update prompts, or malware download sites. The result? A massive silent infection campaign that exploits legitimate sites as unwitting delivery vehicles.
With nearly 270,000 compromised domains, this isn’t a small-scale operation—it’s a systemic threat to the trust model of the web. Developers are urged to audit third-party scripts and monitor for strange, symbol-heavy code. For end-users, caution is key: if something feels off after a Google click, it probably is.
The malware's modular structure also allows for payload swapping, enabling bad actors to rotate scams or deploy new malware without altering the core script. This kind of persistence makes detection harder and cleanup more complex.
For site owners, it's not just about finding the bad code—it's about tracking how and when it got there in the first place.
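The audit advice above (look for strange, symbol-heavy code) can be turned into a simple heuristic. The following is an added example, not code from the DOT Security post or from Unit 42: it extracts inline scripts from a page and flags any that are almost entirely JSFuck alphabet characters. The sample HTML, the alphabet set and the density threshold are my own constructed assumptions.

```javascript
// Added example (not from the original post or Unit 42): a heuristic auditor
// for JSFuck-style "symbol-only" scripts embedded in an HTML page.
// JSFuck proper encodes JavaScript using just the six characters []()!+ ;
// variants may widen the alphabet, so the set is a parameter (assumed here).
const JSFUCK_ALPHABET = new Set(['[', ']', '(', ')', '!', '+']);

// Fraction of non-whitespace characters that belong to the alphabet.
function symbolDensity(code, alphabet = JSFUCK_ALPHABET) {
  const chars = code.replace(/\s+/g, '');
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const ch of chars) if (alphabet.has(ch)) hits++;
  return hits / chars.length;
}

// Pull the bodies of inline <script> tags out of an HTML document.
// A regex is fine for an audit pass; use a real HTML parser in production tooling.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1].trim();
    if (body.length > 0) bodies.push(body);
  }
  return bodies;
}

// Flag scripts that are long enough to matter and almost entirely symbols.
// Ordinary (even minified) JS stays far below 90% alphabet characters;
// JSFuck output is essentially 100%. Threshold and length are assumed values.
function findSuspiciousScripts(html, { minLength = 64, threshold = 0.9 } = {}) {
  return extractInlineScripts(html)
    .map((body, index) => ({ index, length: body.length, density: symbolDensity(body) }))
    .filter(s => s.length >= minLength && s.density >= threshold);
}

// Constructed sample page: one ordinary analytics snippet and one JSFuck-style
// blob hand-built from the alphabet purely as test data (it is never executed).
const SAMPLE_HTML = `
<html><head>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}</script>
</head><body>
<script>${'[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]'.repeat(3)}</script>
</body></html>`;

const REPORT = findSuspiciousScripts(SAMPLE_HTML);
console.log(REPORT); // one entry: the second script, density 1.0
```

Run it against a saved copy of a page (for example `fs.readFileSync(path, 'utf8')`) and review anything it flags by hand; the density check is a triage signal, not proof of compromise.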
Each of these stories is a reminder that cyber threats are no longer isolated incidents—they’re part of a rapidly evolving ecosystem where attackers iterate, adapt, and scale faster than ever before.
Whether it’s a state-backed operation, a corrupted mod file, or a silent script injection, the lines between everyday technology and covert compromise continue to blur. Staying secure today means staying informed, alert, and prepared to act before threats escalate.
Stay in the loop with cybersecurity news every month by subscribing to The DOT Report.