Verticals Targeted: Gaming, Cryptocurrency
Regions Targeted: US, Germany, India, UK, Italy, Vietnam, Canada, Norway, Sweden, Finland, Spain
Related Families: Weedhack
Executive Summary
Researchers have identified Weedhack, a Minecraft-focused Malware-as-a-Service (MaaS) operation active since at least January 2026 that distributes malware through YouTube promotion, SEO poisoning, and counterfeit Minecraft mod websites. The campaign combines credential theft, cryptocurrency wallet theft, Minecraft account hijacking, and premium remote-access capabilities including webcam surveillance, keylogging, screen sharing, and reverse shell access. Operators claim the platform has accumulated more than 116,000 hits and offers subscriptions starting at $5 USD per month, significantly lowering barriers to entry for aspiring cybercriminals and increasing risk to younger users within gaming communities.
Key Takeaways
- Researchers identified more than 3,820 malicious JAR files and over 240 distribution URLs associated with the Weedhack ecosystem.
- The malware uses EtherHiding techniques and Ethereum smart contracts to dynamically retrieve command-and-control (C2) infrastructure while validating responses with RSA signatures.
- Free-tier capabilities include credential theft, browser data theft, cryptocurrency wallet theft, Discord token theft, screenshot capture, and Minecraft session hijacking, while premium tiers add full remote-access functionality.
- The campaign provides extensive tutorials, malware builders, OPSEC guidance, and distribution instructions that may reduce technical barriers for inexperienced operators.
- Researchers observed multiple examples of customers using the malware for harassment, surveillance, and cyberbullying activities against victims.
Background
Weedhack represents a notable example of the continued commercialization of gaming-focused cybercrime. While malware targeting Minecraft players is not new, Weedhack distinguishes itself through a mature service model that includes subscription tiers, malware builders, operational tutorials, customer support functions, infrastructure resilience mechanisms, and victim management dashboards. McAfee reported on this activity.
The campaign's low subscription costs and extensive documentation may lower barriers to entry for inexperienced threat actors. Researchers observed evidence suggesting that many customers are teenagers or young adults primarily interested in stealing Minecraft accounts, obtaining unauthorized access to victims' systems, or conducting harassment activities. The operation's use of Ethereum blockchain infrastructure to distribute current C2 information demonstrates increasing adoption of decentralized technologies to improve malware resilience. By retrieving infrastructure information from smart contracts and validating responses with embedded cryptographic signatures, Weedhack reduces its reliance on static infrastructure and complicates traditional disruption efforts.
Current Activity
Researchers identified more than 3,820 unique malicious JAR files and over 240 URLs associated with Weedhack distribution. The campaign relies heavily on YouTube content, SEO poisoning, counterfeit software websites, and social media promotion to drive victims toward malware-laden Minecraft clients and modifications.
The operation specifically targets users seeking popular Minecraft modifications and clients including Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense. Operators reportedly create professional-looking websites that mimic legitimate software distribution platforms and attempt to dominate search engine rankings for niche Minecraft-related search terms.
Researchers also identified a customer-facing dashboard that provides access to victim information, stolen credentials, malware builders, tutorials, campaign statistics, and premium remote-access functionality. The dashboard reportedly displays more than 116,000 accumulated hits and maintains customer leaderboards based on infection volume.
Historical Context
Gaming ecosystems have long served as effective malware distribution channels due to the widespread use of third-party modifications, custom launchers, and community-developed software. Historically, many gaming-focused malware campaigns have concentrated on credential theft, cryptocurrency theft, cryptomining, or account hijacking.
Weedhack differs from many earlier gaming threats by adopting operational models commonly associated with commercial MaaS offerings. The campaign incorporates subscription pricing, customer support, feature voting systems, malware builders, and extensive operational guidance. Researchers specifically compare its business model to established MaaS offerings such as Lumma Stealer and X-Worm, although Weedhack's pricing is significantly lower than many competing malware services.
Technical Analysis
Initial Access and Stage 1 Execution
Victims are infected after downloading trojanized Minecraft mods or clients distributed as Java Archive (JAR) files. Upon execution, the malware relaunches itself through javaw.exe to conceal console windows and retrieves campaign-specific identifiers embedded within configuration files. The malware then decrypts Ethereum JSON-RPC endpoints, smart contract identifiers, and embedded RSA public keys. These components enable the malware to retrieve active C2 infrastructure from Ethereum-based resources while validating the authenticity of responses before execution. Researchers identified 32 Ethereum JSON-RPC endpoints embedded within samples analyzed during the investigation.
Stage 2 Activity
Subsequent payloads employ JNIC obfuscation, which converts Java bytecode into native code to complicate reverse engineering efforts. During execution, the malware performs system reconnaissance, establishes Windows Defender exclusions, captures screenshots, collects system information, and steals browser credentials, cookies, Discord tokens, and other sensitive data. The malware also downloads additional payloads, installs persistence mechanisms, and gathers hardware and operating system information before transmitting collected data to attacker-controlled infrastructure.
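As an added illustration of how the Stage 1 and Stage 2 behaviors described above could be correlated in endpoint telemetry (example code written for this summary, not taken from the report or from McAfee's analysis), the following Python scans constructed process and network events for the java.exe to javaw.exe relaunch, the Windows Defender exclusion, and the Ethereum JSON-RPC contract lookup used for EtherHiding, flagging a JVM only when at least two indicators co-occur. The event schema, file paths, PIDs, RPC hostname, and contract address are assumptions.

```python
import json
import re

# Constructed sample EDR telemetry (not from the report): one JSON record per line; paths, PIDs, hostname and contract address are placeholders.
SAMPLE_EVENTS = r"""
{"type":"process","pid":410,"ppid":300,"image":"C:\\Program Files\\Java\\bin\\java.exe","cmdline":"java.exe -jar C:\\Users\\v\\Downloads\\MeteorClient.jar"}
{"type":"process","pid":412,"ppid":410,"image":"C:\\Program Files\\Java\\bin\\javaw.exe","cmdline":"javaw.exe -jar C:\\Users\\v\\Downloads\\MeteorClient.jar"}
{"type":"process","pid":415,"ppid":412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\v\\AppData\\Roaming"}
{"type":"network","pid":412,"dest":"eth-rpc.placeholder.invalid","port":443,"body":"{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"0xCONTRACT_PLACEHOLDER\",\"data\":\"0x\"},\"latest\"],\"id\":1}"}
{"type":"process","pid":500,"ppid":300,"image":"C:\\Program Files\\Java\\bin\\javaw.exe","cmdline":"javaw.exe -jar C:\\Games\\legit.jar"}
"""

ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}  # contract reads
JAR_RE = re.compile(r"-jar\s+(\S+)", re.IGNORECASE)

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def _jar(cmdline):
    m = JAR_RE.search(cmdline)
    return m.group(1).lower() if m else None

def detect_weedhack_chain(events):
    """Map javaw.exe PID -> list of reasons, keeping PIDs with two or more indicators."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}
    flag = lambda pid, reason: findings.setdefault(pid, []).append(reason)
    for e in events:
        parent = procs.get(e.get("ppid"))
        if e["type"] == "process":
            img, cmd = e["image"].lower(), e["cmdline"].lower()
            # Stage 1: console java.exe relaunching the same JAR under javaw.exe
            if img.endswith("javaw.exe") and parent and parent["image"].lower().endswith("java.exe") \
                    and _jar(cmd) and _jar(cmd) == _jar(parent["cmdline"]):
                flag(e["pid"], "java.exe -> javaw.exe relaunch of the same JAR")
            # Stage 2: Windows Defender exclusion added by a child of that JVM
            if "add-mppreference" in cmd and "-exclusionpath" in cmd \
                    and parent and parent["image"].lower().endswith("javaw.exe"):
                flag(parent["pid"], "child process added a Windows Defender exclusion")
        elif e["type"] == "network":
            # Stage 1: EtherHiding lookup, i.e. JSON-RPC contract reads issued by the JVM
            try:
                body = json.loads(e.get("body", ""))
            except ValueError:
                continue
            proc = procs.get(e["pid"])
            if isinstance(body, dict) and body.get("method") in ETH_READ_METHODS \
                    and proc and proc["image"].lower().endswith("javaw.exe"):
                flag(e["pid"], "Ethereum JSON-RPC %s to %s" % (body["method"], e["dest"]))
    return {pid: r for pid, r in findings.items() if len(r) >= 2}
```

The legitimate javaw.exe process (PID 500) is not reported because it shows none of the indicators; requiring two or more keeps a lone Ethereum RPC call from a wallet or dapp from being flagged on its own.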
Stage 3 and Stage 4 Activity
Later-stage payloads establish persistence through registry modifications, scheduled tasks, and repeated execution mechanisms designed to restore removed components. Premium functionality includes remote desktop access, webcam monitoring, keylogging, reverse shell execution, file management, and screen-sharing capabilities. Researchers also observed the deployment of dedicated infostealer components focused on cryptocurrency wallet theft, Telegram credential theft, and additional credential harvesting activities.
Credential and Cryptocurrency Theft Capabilities
The free-tier version of Weedhack includes extensive credential theft functionality. According to researchers, the malware can steal passwords and cookies from 36 different browsers, target 56 browser-based cryptocurrency wallets and 12 desktop cryptocurrency wallets, harvest Discord, Steam, and Telegram credentials, capture screenshots, and search victim systems for files matching 24 predefined keywords. The malware also targets Minecraft session identifiers and supports theft from multiple Minecraft launchers, allowing attackers to hijack gaming accounts without necessarily obtaining full account credentials.
Cyberbullying and Abuse Concerns
Researchers observed multiple examples suggesting that Weedhack is being used for harassment and cyberbullying in addition to traditional cybercrime activities. Customers reportedly used remote-access functionality to monitor victims, access webcams, and intimidate targets. Researchers also observed instances where threat actors allegedly shared images and videos obtained from compromised systems within criminal communities. This activity highlights how low-cost remote-access malware can facilitate not only financial crime and credential theft but also privacy violations, intimidation, and psychological harm, particularly when victims and operators are members of the same online communities.
Infrastructure and Operational Support
Researchers identified ten domains associated with current Weedhack operations and eleven domains linked to similar historical MaaS campaigns believed to be operated by the same actor. The platform also provides customers with tutorials covering malware distribution, SEO poisoning, YouTube promotion, VPN usage, residential proxy services, operational security practices, credential exploitation, and campaign management. The malware builder component further enables customers to inject Weedhack functionality into otherwise legitimate Minecraft modifications, increasing the likelihood of successful infection and complicating detection efforts.
Analyst Commentary
Weedhack demonstrates how modern malware campaigns increasingly blend social engineering, gaming ecosystems, and commercialized cybercrime services to maximize victim acquisition. While the campaign's distribution methods rely heavily on YouTube promotion, SEO poisoning, and counterfeit Minecraft websites, its technical architecture is equally notable. The use of Ethereum-based infrastructure discovery, multi-stage Java payloads, JNIC obfuscation, Windows Defender exclusion abuse, and modular remote-access capabilities illustrates a level of operational maturity not typically associated with gaming-focused malware.
For defenders, Weedhack highlights the importance of analyzing seemingly benign gaming software and Java-based applications within controlled detonation environments. The campaign's reliance on staged payload delivery, blockchain-assisted infrastructure updates, and heavily obfuscated components creates challenges for traditional static analysis and signature-based detection approaches. Dynamic analysis, behavioral monitoring, and infrastructure correlation become critical for identifying the full infection chain and uncovering evolving campaign infrastructure.
PolySwarm's crowdsourced malware detection and sandbox analysis capabilities provide visibility into threats like Weedhack by enabling security teams to observe multi-stage execution behavior, identify payload relationships, analyze infrastructure overlap, and detect previously unseen variants distributed through rapidly changing URLs and trojanized Minecraft modifications. As low-cost MaaS platforms continue to lower barriers to entry for aspiring cybercriminals, defenders should expect similar campaigns to leverage popular online communities, trusted software ecosystems, and decentralized infrastructure to accelerate malware distribution and evade traditional defenses.
IOCs
PolySwarm has multiple samples associated with this activity.