A new and dangerous threat has emerged in the gaming world, one that turns a beloved pastime into a gateway for cybercrime.
Weedhack, a Minecraft-focused Malware-as-a-Service (MaaS) operation, has been actively targeting players since at least January 2026, exploiting their interest in game modifications to steal credentials, drain cryptocurrency wallets, and hijack accounts.
The campaign spreads through YouTube videos, search engine manipulation, and fake Minecraft mod websites designed to look completely legitimate.
Unsuspecting players searching for popular game modifications are lured into downloading infected files, setting off a chain of events that can result in severe data loss and account compromise.
The operation reportedly claims to have crossed 116,000 hits, with subscriptions starting as low as $5 per month.
Researchers at PolySwarm identified Weedhack as a fully structured MaaS platform with a business model that mirrors legitimate software services.
The platform comes equipped with subscription tiers, operational tutorials, a malware builder, customer support, and victim management dashboards, making it accessible even to those with little technical experience.
The low cost and detailed documentation provided by the platform have made it especially attractive to teenagers and young adults.
Researchers noted that many observed customers were primarily interested in stealing Minecraft accounts or gaining unauthorized access to other players’ systems.
According to the PolySwarm report shared with Cyber Security News (CSN), this combination of easy access and a ready pool of young, trusting users within gaming communities creates a troubling environment for abuse.
What makes Weedhack stand out beyond its price tag is its technical maturity. The operation uses Ethereum blockchain infrastructure to deliver command-and-control instructions, making it far harder for defenders to disrupt.
By decentralizing its own backbone, Weedhack reduces exposure to traditional takedown methods and complicates efforts to track its operators.
Victims are infected after downloading trojanized Minecraft mods or clients distributed as Java Archive (JAR) files.
Once executed, the malware relaunches itself through javaw.exe to hide console activity, then decrypts embedded Ethereum endpoints and RSA public keys to retrieve active infrastructure details from smart contracts.
In the next stage, the malware uses JNIC obfuscation, which converts Java bytecode into native code to make analysis much harder for researchers.
It then performs system reconnaissance, disables Windows Defender, captures screenshots, and begins harvesting browser credentials, cookies, and Discord tokens.
Additional payloads are downloaded, persistence mechanisms are installed, and collected data is transmitted to attacker-controlled servers.
The free tier alone is alarmingly capable, giving attackers access to passwords and cookies from 36 browsers, 56 browser-based and 12 desktop cryptocurrency wallets, and credentials from Discord, Steam, and Telegram.
Premium tiers go even further, adding webcam access, keylogging, reverse shell execution, remote desktop control, and screen-sharing capabilities that turn a victim’s device into a full surveillance tool.
Researchers identified more than 3,820 malicious JAR files and over 240 distribution URLs tied to the Weedhack ecosystem.
The operation specifically targets users looking for well-known Minecraft clients including Meteor Client, Radium Client, Wurst Client, and LiquidBounce, among others.
Cyberbullying, Abuse, and the Broader Threat
Beyond financial theft, researchers found disturbing evidence that Weedhack is being actively used for harassment and cyberbullying.
Customers reportedly used the remote-access features to monitor victims through their webcams, intimidate them, and in some cases share compromising images and videos within criminal communities online.
This highlights a dimension of harm that goes beyond stolen data or drained wallets.
When the attacker and victim are members of the same gaming community, the psychological damage from surveillance and intimidation can be severe. The malware effectively turns a shared social space into a hunting ground for abuse.
Defenders are advised to treat any downloaded Minecraft mod or Java-based client as a potential threat until verified through trusted sources.
Security teams should rely on dynamic behavioral analysis and infrastructure correlation rather than static signatures alone, as the campaign’s use of blockchain infrastructure and staged payloads makes traditional detection significantly less effective.
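As an added illustration of the behavioral approach (not code from the PolySwarm report or this article), the sketch below correlates two behaviors described above in process-creation telemetry: a Java process relaunching the same JAR through javaw.exe, followed by a descendant process touching Windows Defender settings. The event shape, the function names, and the assumption that Defender tampering appears as a `Set-MpPreference`/`Add-MpPreference` command line are illustrative; the article does not say how the malware disables Defender.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
JAR = r'"C:\Users\kid\Downloads\mod-client.jar"'
EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Java\bin\java.exe", "cmd": "java.exe -jar " + JAR},
    {"pid": 300, "ppid": 200, "image": r"C:\Java\bin\javaw.exe", "cmd": "javaw.exe -jar " + JAR},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ver"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign: a launcher starting the game with javaw and a classpath, no self-relaunch.
    {"pid": 600, "ppid": 500, "image": r"C:\Games\javaw.exe", "cmd": "javaw.exe -cp game.jar Main"},
]

JAR_RE = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.I)
# Assumption: Defender tampering is visible as an MpPreference cmdlet on a command line.
TAMPER_RE = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.I)

def exe(ev):
    return PureWindowsPath(ev["image"]).name.lower()

def jar_of(ev):
    m = JAR_RE.search(ev["cmd"])
    return m.group(1).lower() if m else None

def descendants(pid, events):  # all processes below pid in the tree; cycle-safe
    seen, frontier, out = {pid}, [pid], []
    while frontier:
        cur = frontier.pop()
        for e in events:
            if e["ppid"] == cur and e["pid"] not in seen:
                seen.add(e["pid"])
                out.append(e)
                frontier.append(e["pid"])
    return out

def find_chains(events):
    by_pid, findings = {e["pid"]: e for e in events}, []
    for ev in events:
        parent, jar = by_pid.get(ev["ppid"]), jar_of(ev)
        # Stage 1: javaw.exe re-running the same JAR as its java/javaw parent.
        if (not parent or jar is None or exe(ev) != "javaw.exe"
                or exe(parent) not in ("java.exe", "javaw.exe") or jar != jar_of(parent)):
            continue
        # Stage 2: anything under the relaunched process that touches Defender settings.
        tamper = [d["pid"] for d in descendants(ev["pid"], events) if TAMPER_RE.search(d["cmd"])]
        findings.append({"jar": jar, "pid": ev["pid"], "tamper_pids": tamper})
    return findings
```

A self-relaunch on its own is a weak signal; the correlation with a Defender change under the same process tree is what makes the finding worth triaging.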
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post New Weedhack Malware-as-a-Service Targets Minecraft Players to Steal Credentials, and Hijack Accounts appeared first on Cyber Security News.



