EXECUTIVE SUMMARY
The WeedHack operation is run by a loosely organized cybercrime group that sells malware-as-a-service through public Discord channels. It delivers a remote-access trojan disguised as legitimate Minecraft clients and mods, targeting gamers and anyone who downloads unofficial game tools. Activity concentrates on the United States, Germany, India, the United Kingdom and several other European markets. The primary objective is credential theft (game session IDs, browser passwords and cryptocurrency wallet keys), with inexpensive remote-control capability offered as a secondary service for harassment or extortion.
Victims encounter the payload when they follow YouTube tutorials or SEO-poisoned search results that link to malicious JAR files hosted on file-sharing sites. The JAR runs under the legitimate Java runtime (javaw.exe) and drops a staged Java component that queries an Ethereum-based resolver to retrieve the current command-and-control domain, so the operators can rotate infrastructure without touching the dropper. Once connected, the dropper installs an infostealer that harvests session tokens, browser cookies and crypto wallet files, registers a scheduled task for persistence, and adds custom Windows Firewall rules so its outbound traffic is not blocked. A second stage adds a remote-desktop module that lets the attacker view the screen, capture webcam video and run arbitrary commands.
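The chain above leaves a distinctive sequence in process-creation telemetry: javaw.exe launching a JAR from a download folder, the Java runtime spawning a shell, schtasks.exe registering a task that runs javaw.exe -jar, and netsh.exe adding a firewall rule for the Java binary. The following hunt logic is an added example for this advisory, not code from the advisory or from the vendor reports it cites. The Sysmon-style events, the task name "JavaUpdate", and the user-writable path heuristic are constructed assumptions, not published indicators.

```python
"""Hunt for the WeedHack-style execution and persistence chain in
process-creation telemetry (Sysmon Event ID 1 style fields).

Added example, not code from the advisory or any vendor report. The
events below are constructed; path heuristics and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Locations a user-downloaded JAR typically sits in; the official launcher
# runs the game from %APPDATA%\.minecraft instead. Assumption for this example.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|Desktop)\\", re.I)

# "-jar <path>" / "program=<path>" with an optionally quoted path
# (quotes are required when the path contains spaces).
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
FW_PROGRAM = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.I)


def _either(m):
    return m.group(1) or m.group(2)


def jar_from_user_path(ev):
    """javaw.exe launching a JAR from a download/temp location (initial execution)."""
    if not ev.image.lower().endswith("\\javaw.exe"):
        return None
    m = JAR_ARG.search(ev.command_line)
    if m and USER_WRITABLE.search(_either(m)):
        return ("javaw_jar_user_path", _either(m))
    return None


def java_spawns_shell(ev):
    """cmd.exe or powershell.exe whose parent is the Java runtime (T1059.001/.003)."""
    child, parent = ev.image.lower(), ev.parent_image.lower()
    if child.endswith(("\\cmd.exe", "\\powershell.exe")) and \
            parent.endswith(("\\javaw.exe", "\\java.exe")):
        return ("java_spawns_shell", ev.command_line)
    return None


def schtask_running_java(ev):
    """schtasks /create whose action runs javaw.exe -jar (T1053.005)."""
    cl = ev.command_line
    if ev.image.lower().endswith("\\schtasks.exe") and re.search(r"/create\b", cl, re.I) \
            and re.search(r"javaw?\.exe", cl, re.I) and re.search(r"-jar\b", cl, re.I):
        return ("schtask_java", cl)
    return None


def firewall_rule_for_java(ev):
    """netsh advfirewall firewall add rule for the Java runtime or a user path (T1562.004)."""
    cl = ev.command_line
    if not (ev.image.lower().endswith("\\netsh.exe")
            and re.search(r"advfirewall\s+firewall\s+add\s+rule", cl, re.I)):
        return None
    m = FW_PROGRAM.search(cl)
    if m:
        prog = _either(m)
        if prog.lower().endswith("\\javaw.exe") or USER_WRITABLE.search(prog):
            return ("firewall_rule_java", prog)
    return None


CHECKS = (jar_from_user_path, java_spawns_shell, schtask_running_java, firewall_rule_for_java)


def hunt(events):
    """Return (finding_type, detail) for every event that matches a check, in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: four stages of the chain plus one benign launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Java\jre\bin\javaw.exe",
              r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\Downloads\WeedClient.jar"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -enc <base64 omitted>",  # constructed
              r"C:\Program Files\Java\jre\bin\javaw.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn "JavaUpdate" /tr "\"C:\Program Files\Java\jre\bin\javaw.exe\" -jar C:\Users\alice\AppData\Local\Temp\stage.jar"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Java" dir=out action=allow program="C:\Program Files\Java\jre\bin\javaw.exe"',
              r"C:\Windows\System32\cmd.exe"),
    # Benign: the official launcher running the game JAR from .minecraft.
    ProcEvent(r"C:\Program Files\Java\jre\bin\javaw.exe",
              r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\.minecraft\versions\1.20.1\1.20.1.jar"',
              r"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"),
]


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Any single check will fire on benign activity (modders do run JARs from Downloads; admins do add firewall rules), so in production correlate the findings per host within a short window rather than alerting on each one; the benign launcher event in the sample shows why the path heuristic alone is not enough.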
The campaign matters because it turns a popular entertainment platform into a distribution channel for credential theft and espionage, exposing both home users and corporate networks that permit game traffic. Because the payload runs inside a legitimate Java process, resolves its C2 through signed blockchain responses and rotates domains frequently, signature-based antivirus is an unreliable control against it. Organizations should enforce application allow-listing, block downloads of unsigned Minecraft clients and mods, and monitor outbound connections from Java processes to cryptocurrency and file-sharing domains. Keeping Java runtimes patched, filtering suspicious file-hosting services at the network edge, and maintaining offline backups of critical data complete a resilient defensive posture.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1189 | Drive-by Compromise | — |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1562.004 | Impair Defenses | Disable or Modify System Firewall |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Collection | T1113 | Screen Capture | — |
| Collection | T1125 | Video Capture | — |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
REFERENCES:
The following reports contain further technical details:
https://www.helpnetsecurity.com/2026/06/03/weedhack-minecraft-malware-campaign/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/