Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware

Hackers are hiding dangerous malware inside what look like popular Minecraft mods and game clients, using YouTube videos and search engine tricks to pull unsuspecting players into their trap.

The campaign, known as WeedHack, has been quietly running since January 2026 and has already racked up over 116,000 victims worldwide.

What makes this campaign particularly alarming is how it packages itself as a legitimate service. WeedHack operates as a Malware-as-a-Service (MaaS) platform, meaning anyone can sign up, download a ready-made malicious payload, and start infecting others.

The free tier alone is capable of stealing passwords from 36 browsers, grabbing credentials from over 56 browser-based crypto wallets, and swiping Discord, Steam, and Telegram login details.

Analysts at McAfee Labs, who authored a report shared with Cyber Security News (CSN), uncovered the full scope of this campaign.

They found over 3,820 unique malicious JAR files and more than 240 URLs actively distributing the malware at a rate of roughly 2,000 to 3,000 new infections per day. The campaign is most active in the United States, Germany, India, and the United Kingdom.

Perhaps the most unsettling finding is who is actually using this malware. Researchers discovered that many WeedHack customers appear to be teenagers and young adults who are using the tool not just to steal accounts, but to harass and bully their victims.

They have been recording people through hijacked webcams and sharing those videos in Telegram channels as a form of cybercrime bragging.

If someone falls victim to this malware and is threatened by an attacker claiming to have hacked their system, researchers strongly recommend not following the attacker’s instructions.

Instead, victims should reach out to a trusted adult such as a parent or guardian and report the incident immediately, as complying with the attacker could lead to further harm.

Hackers Use YouTube and SEO Poisoning

WeedHack spreads in two primary ways: fake YouTube videos and SEO poisoning. Threat actors upload polished, well-edited videos showcasing Minecraft mods and clients, often including voiceovers to sound more authentic.

One such video had accumulated over 7,500 views and included a link to the malicious download site in its description.

YouTube video promoting malicious Minecraft Mods (Source – McAfee)

The campaign actively targets Minecraft mods that do not have official websites, making it easier to dominate search results for those keywords.

These fake sites are built to look convincing: some even include fake security warnings telling users to download only from that page, and link to official Discord servers and GitHub pages to appear trustworthy.

Malicious website hosting Weedhack, Example 3 (Source – McAfee)

Beyond videos, the campaign instructs its customers to participate in Discord and Reddit discussions to quietly promote their malicious sites without drawing suspicion.

The WeedHack dashboard even provides step-by-step tutorials on how to use both methods effectively, including tips on keyword targeting and avoiding common mistakes.

EtherHiding and Multi-Stage Payload Delivery

What sets WeedHack apart technically is its use of EtherHiding, a technique that hides the malware’s command-and-control server address on the Ethereum blockchain.

This makes it extremely difficult to take down the infrastructure because the C2 address is not stored in the malware itself but fetched live from a blockchain smart contract. Responses are also RSA-signed to prevent anyone from hijacking the campaign.
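As an added example (not code from McAfee's report or from the malware), here is what an analyst does with a captured eth_call reply of the kind described above: decode the ABI-encoded string the contract returns to recover the hostname the malware resolves. The JSON-RPC reply and the placeholder hostname are constructed, and the RSA signature check the article mentions is not reproduced.

```python
"""Decode the ABI-encoded `string` that a read-only eth_call returns.

Added analysis example for tracing an EtherHiding-style C2 lookup. The
JSON-RPC reply and hostname below are constructed placeholders.
"""
import json


def decode_abi_string(result_hex: str) -> str:
    """Decode one ABI-encoded dynamic `string` return value.

    Layout in 32-byte slots: [offset][length][data, right-padded with zeros].
    Malformed input raises ValueError instead of yielding garbage.
    """
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("response shorter than the offset and length slots")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the payload")
    return raw[start:start + length].decode("utf-8")


def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used here only to build the sample reply."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + body.hex()


# Constructed JSON-RPC reply in the shape an RPC node returns for eth_call.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": encode_abi_string("c2-placeholder.invalid"),
})


def c2_domain_from_rpc_reply(reply_json: str) -> str:
    """Pull the hostname out of a captured eth_call reply."""
    return decode_abi_string(json.loads(reply_json)["result"])


if __name__ == "__main__":
    print(c2_domain_from_rpc_reply(SAMPLE_RESPONSE))
```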

Once a victim runs the infected JAR file, the malware launches a four-stage infection chain. The first stage quietly fetches the C2 domain from the blockchain.

The second stage then loads an obfuscated payload directly into memory using a custom class loader. Stages three and four establish persistence on the system and deploy the remote access tools, including webcam access, keylogging, and reverse shell capabilities.

The malware also drops a script that adds dozens of exclusion paths to Windows Defender, effectively blinding the built-in antivirus. A watchdog task then runs every two minutes to restore any deleted components, making manual removal very difficult without specialized tools.
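Detection logic for the two host-side symptoms just described, as an added example that is not code from the McAfee report: it flags a burst of Defender exclusion paths being added and a newly created scheduled task that repeats every couple of minutes. It assumes Windows' own event formats (Event ID 5007 for a Defender configuration change, 4698 for task creation); the event records are constructed.

```python
"""Flag a burst of Windows Defender exclusion additions and short-interval
scheduled tasks. Added example, not McAfee's code. Assumes the standard
Windows event formats (5007: Defender config change, 4698: task created);
the records below are constructed."""
import re
from datetime import datetime, timedelta

EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\Paths\\(?P<path>.+?)\s*=\s*0x", re.I)
TASK_NAME_RE = re.compile(r"Task Name:\s*(?P<name>\S+)")
INTERVAL_RE = re.compile(r"<Interval>PT(?P<mins>\d+)M</Interval>")

def _exclusion_additions(events):
    """(timestamp, path) for every 5007 event that adds an exclusion path."""
    out = []
    for ts, event_id, msg in events:
        m = EXCLUSION_RE.search(msg) if event_id == 5007 else None
        if m:
            out.append((datetime.fromisoformat(ts), m.group("path")))
    return sorted(out)

def max_exclusions_in_window(events, window=timedelta(seconds=60)):
    """Largest number of exclusion additions inside any sliding time window.
    One or two from an installer is normal; dozens within a minute is the
    pattern described above."""
    adds = _exclusion_additions(events)
    best, start = 0, 0
    for end in range(len(adds)):
        while adds[end][0] - adds[start][0] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def short_repeat_tasks(events, max_minutes=5):
    """Names of newly created tasks whose repetition interval is <= max_minutes."""
    found = []
    for _, event_id, msg in events:
        if event_id != 4698:
            continue
        name, interval = TASK_NAME_RE.search(msg), INTERVAL_RE.search(msg)
        if name and interval and int(interval.group("mins")) <= max_minutes:
            found.append(name.group("name"))
    return found

# Constructed sample: eight exclusions in eight seconds, then two new tasks.
SAMPLE_EVENTS = [(f"2026-02-01T12:00:0{i}", 5007,
    rf"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\dir{i} = 0x0")
    for i in range(8)] + [
    ("2026-02-01T12:00:09", 4698, "Task Name:\t\\WatchdogDemo\nTask Content: <Repetition><Interval>PT2M</Interval></Repetition>"),
    ("2026-02-01T13:30:00", 4698, "Task Name:\t\\NightlyBackup\nTask Content: <Repetition><Interval>PT60M</Interval></Repetition>")]
```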

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com
