Full Report
Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of taking control of victims' systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, which says the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820
Analysis Summary
# Tool/Technique: Weedhack
## Overview
Weedhack is a sophisticated Minecraft-focused Malware-as-a-Service (MaaS) campaign active since early 2026. It leverages social engineering through YouTube and SEO poisoning to distribute Java-based malware. The campaign primarily targets Minecraft players by impersonating mods and clients to deploy an infostealer and Remote Access Trojan (RAT). It follows a tiered subscription model, offering both free and premium versions with varying levels of surveillance and control capabilities.
## Technical Details
- **Type:** Malware-as-a-Service (MaaS) / Infostealer / RAT
- **Platform:** Windows (primarily), Java Runtime Environment (JRE)
- **Capabilities:** Credential harvesting, cryptocurrency theft, remote surveillance, persistent access, and Minecraft session hijacking.
- **First Seen:** January 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise] (SEO Poisoning)
  - [T1204.002 - User Execution: Malicious File]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File] (JAR)
- **[TA0003 - Persistence]**
  - [T1547.001 - Registry Run Keys / Startup Folder] (via SecurityManager.jar)
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Configures Microsoft Defender exclusions)
  - [T1140 - Deobfuscate/Decode Files or Information] (EtherHiding technique)
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
  - [T1125 - Video Capture]
  - [T1056.001 - Keylogging]
- **[TA0011 - Command and Control]**
  - [T1102.001 - Web Service: Dead Drop Resolver] (Ethereum Blockchain)
  - [T1219 - Remote Access Software]
## Functionality
### Core Capabilities (Free Tier)
- **Minecraft Specific:** Steals Minecraft Session IDs and targets four different Minecraft launchers.
- **Credential Theft:** Harvests passwords and cookies from 36 web browsers.
- **Crypto Theft:** Targets 56 browser-based wallets and 12 desktop cryptocurrency applications.
- **App Data:** Steals credentials for Discord, Steam, and Telegram.
- **System Recon:** Captures screenshots and general system information.
### Advanced Features (Premium Tier)
- **Persistent RAT:** Full remote control via reverse shell.
- **Surveillance:** Live webcam access and screen sharing with mouse/keyboard control.
- **File Management:** Capability to upload and download files to/from the host.
- **Keylogging:** Captures real-time keystrokes.
- **Mod Injection:** Ability to inject malicious code into legitimate Minecraft JAR mods.
## Indicators of Compromise
- **File Hashes:**
  - (Specific SHA256 hashes not provided in text, but 3,820 unique JARs identified)
- **File Names:**
  - `DonutDupe.jar` (Initial stager)
  - `Elevator.jar` (Environment prep/System info)
  - `SecurityManager.jar` (Persistence)
  - `Component.jar` (Final RAT component)
- **Registry Keys:** Modifies Microsoft Defender exclusion lists.
- **Network Indicators:**
  - `weedhack[.]to` (Dashboard/C2)
  - Ethereum Blockchain (Dead Drop Resolver for EtherHiding)
  - Telegram (Channel for updates/support)
- **Behavioral Indicators:** Java-based processes creating outbound connections to known C2 domains; modifications to antivirus exclusion paths.
## Associated Threat Actors
- Unknown; operated as a MaaS where various "customers" (often teenagers or young adults) deploy the tool for financial gain or cyberbullying.
## Detection Methods
- **Signature-based:** Detection of `DonutDupe.jar` and associated multi-stage JAR files.
- **Behavioral:** Monitoring `javaw.exe` or `java.exe` for unexpected modifications to Windows Defender settings or high-volume data exfiltration to non-standard domains.
- **Blockchain Monitoring:** Tracking specific Ethereum smart contracts used for EtherHiding.
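As an added illustration of the behavioral detection above (example code written for this summary, not from the McAfee report): a small Python hunt over Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) events that flags `java.exe`/`javaw.exe` either spawning an `Add-MpPreference` exclusion command or writing under the Defender `Exclusions` registry key. The field names follow Sysmon conventions; the sample events are constructed, not captured telemetry.

```python
"""Hunt for Java processes tampering with Microsoft Defender exclusions,
the behavioural indicator attributed to Weedhack. Events are Sysmon-style
dicts constructed for this example (EventID 1 = process create,
EventID 13 = registry value set)."""
import re
from pathlib import PureWindowsPath

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Substring of the Defender exclusions key, compared case-insensitively
DEFENDER_EXCLUSION_KEY = "\\microsoft\\windows defender\\exclusions\\"
# Add-MpPreference followed by any -Exclusion* parameter, ignoring case
EXCLUSION_CMD = re.compile(r"add-mppreference\s+.*-exclusion\w*", re.IGNORECASE)


def _is_java(image: str) -> bool:
    """True when the image file name is a Java launcher, whatever its path."""
    return PureWindowsPath(image).name.lower() in JAVA_IMAGES


def suspicious_defender_tampering(events):
    """Return one alert dict per event matching either pattern:
    (a) a child of java/javaw whose command line adds a Defender exclusion, or
    (b) a registry write under the Defender Exclusions key by java/javaw."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _is_java(ev.get("ParentImage", "")) \
                and EXCLUSION_CMD.search(ev.get("CommandLine", "")):
            alerts.append({"rule": "java_spawns_add_mppreference",
                           "pid": ev.get("ProcessId"), "cmd": ev["CommandLine"]})
        elif eid == 13 and _is_java(ev.get("Image", "")) \
                and DEFENDER_EXCLUSION_KEY in ev.get("TargetObject", "").lower():
            alerts.append({"rule": "java_writes_defender_exclusion",
                           "pid": ev.get("ProcessId"), "target": ev["TargetObject"]})
    return alerts


# Constructed sample telemetry (hypothetical paths, not real indicators).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming"},
    {"EventID": 13, "ProcessId": 3988, "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming"},
    {"EventID": 1, "ProcessId": 5001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-MpPreference"},  # benign
    {"EventID": 13, "ProcessId": 3988, "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "TargetObject": r"HKCU\Software\Mojang\Minecraft\Profile"},  # benign Java registry write
]

if __name__ == "__main__":
    for alert in suspicious_defender_tampering(SAMPLE_EVENTS):
        print(alert)
```

Only the first two sample events fire; a legitimate Java registry write and an unrelated PowerShell invocation are left alone, which keeps the rule usable on hosts where Minecraft is actually installed.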
## Mitigation Strategies
- **User Training:** Educate users on the risks of downloading "cracked" clients or mods from YouTube descriptions.
- **Execution Control:** Restrict the execution of unsigned JAR files or limit Java execution to known-good applications.
- **Endpoint Security:** Ensure Windows Defender or third-party EDRs are configured to alert on manual exclusion modifications.
- **Network Filtering:** Block known malicious domains and monitor for C2 patterns associated with the Weedhack dashboard.
## Related Tools/Techniques
- **EtherHiding:** A technique also used by North Korean actors to hide C2 instructions in the blockchain.
- **CountLoader:** Frequently distributed via similar cracked software distribution sites.
- **SEO Poisoning:** Standard delivery mechanism for modern MaaS campaigns.