Hackers Spread WeedHack Minecraft Malware via YouTube
Threat actors are actively distributing WeedHack Minecraft malware, embedding it within seemingly legitimate game mods and clients. They leverage YouTube videos and search engine optimization (SEO) poisoning to ensnare unsuspecting players.
The campaign, known as WeedHack, has been quietly running since January 2026 and has already racked up over 116,000 victims worldwide.
What makes this campaign particularly alarming is how it packages itself as a legitimate service. WeedHack operates as a Malware-as-a-Service (MaaS) platform, meaning anyone can sign up, download a ready-made malicious payload, and start infecting others.
The free tier alone is capable of stealing passwords from 36 browsers, grabbing credentials from over 56 browser-based crypto wallets, and swiping Discord, Steam, and Telegram login details.
Analysts at McAfee Labs, who authored a report shared with Cyber Security News (CSN), uncovered the full scope of this campaign.
They found over 3,820 unique malicious JAR files and more than 240 URLs actively distributing the malware at a rate of roughly 2,000 to 3,000 new infections per day. The campaign is most active in the United States, Germany, India, and the United Kingdom.
Perhaps the most unsettling finding is who is actually using this malware. Researchers discovered that many WeedHack customers appear to be teenagers and young adults who are using the tool not just to steal accounts, but to harass and bully their victims.
They have been recording people through hijacked webcams and sharing those videos in Telegram channels as a form of cybercrime bragging.
If someone falls victim to this malware and is threatened by an attacker claiming to have hacked their system, researchers strongly recommend not following the attacker’s instructions.
Instead, victims should reach out to a trusted adult such as a parent or guardian and report the incident immediately, as complying with the attacker could lead to further harm.
Hackers Use YouTube and SEO Poisoning
WeedHack spreads in two primary ways: fake YouTube videos and SEO poisoning. Threat actors upload polished, well-edited videos showcasing Minecraft mods and clients, often including voiceovers to sound more authentic.
One such video had accumulated over 7,500 views and included a link to the malicious download site in its description.

The campaign actively targets Minecraft mods that do not have official websites, making it easier to dominate search results for those keywords.
These fake sites are built to look convincing: some even display bogus security warnings telling users to download only from that page, and link to Discord servers and GitHub pages so the site appears to have a legitimate community behind it.

Beyond videos, the campaign instructs its customers to participate in Discord and Reddit discussions to quietly promote their malicious sites without drawing suspicion.
The WeedHack dashboard even provides step-by-step tutorials on how to use both methods effectively, including tips on keyword targeting and avoiding common mistakes.
EtherHiding and Multi-Stage Payload Delivery
What sets WeedHack apart technically is its use of EtherHiding, a technique that stores the malware's command-and-control (C2) server address in a smart contract on the Ethereum blockchain rather than in the malware itself.
Because the address is read live from the contract at run time, the operators can rotate C2 domains without shipping a new payload, and there is no hosting provider or registrar to serve a takedown notice against for the lookup itself. The value returned is also RSA-signed and checked against a public key embedded in the malware, so an infected host will not follow a C2 address that was not signed with the operator's private key. The same property cuts both ways for defenders: the contract is world-readable, so any Ethereum node can be queried for the current C2 value and the domain monitored and blocked as it changes.
Once a victim runs the infected JAR file, the malware launches a four-stage infection chain. The first stage quietly fetches the C2 domain from the blockchain.
The second stage then loads an obfuscated payload directly into memory using a custom class loader. Stages three and four establish persistence on the system and deploy the remote access tools, including webcam access, keylogging, and reverse shell capabilities.
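The stage-one lookup is an ordinary public read of the contract, which a defender can repeat without running the malware. The example below is added here and is not McAfee's tooling or the malware's own code: it builds the `eth_call` request for the contract address and function selector listed in the IoC table, then ABI-decodes a Solidity `string` return value with bounds checks so a short or malformed reply raises instead of yielding garbage. The response bytes and the hostname inside them are constructed for the demonstration; the RSA signature check and the contract's actual ABI are not reproduced.

```python
"""Reproduce the EtherHiding lookup offline: build the eth_call that reads the
contract, then ABI-decode the string it returns.  Network access, the RSA
signature check and the operator's actual contract ABI are out of scope;
the response below is constructed, not captured from the real contract."""
import json
import re

CONTRACT = "0x1280a841Fbc1F883365d3C83122260E0b2995B74"  # from the IoC table
SELECTOR = "0xce6d41de"                                    # from the IoC table


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body to POST to any Ethereum node.  A getter that takes no
    arguments is called with just the 4-byte selector as calldata."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{40}", contract):
        raise ValueError("bad contract address")
    if not re.fullmatch(r"0x[0-9a-fA-F]{8}", selector):
        raise ValueError("bad function selector")
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, block]}


def abi_decode_string(result_hex: str) -> str:
    """Decode a Solidity `string` return value.  Layout: a 32-byte offset to
    the data, then at that offset a 32-byte length, then the bytes padded to
    a 32-byte boundary.  Every bound is checked before slicing."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("response is not a whole number of 32-byte words")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the response")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the response")
    return raw[start:start + length].decode("utf-8")


def defang(host: str) -> str:
    """Defang before logging or sharing so nothing auto-links or resolves it."""
    return host.replace(".", "[.]")


# Constructed sample response: the contract returning the string
# "c2.example.invalid" (18 bytes).  Word 1 = offset 0x20, word 2 = length
# 0x12, then the UTF-8 bytes zero-padded to a full 32-byte word.
SAMPLE_RESULT = ("0x"
    + "0000000000000000000000000000000000000000000000000000000000000020"
    + "0000000000000000000000000000000000000000000000000000000000000012"
    + "63322e6578616d706c652e696e76616c6964" + "00" * 14)


def lookup_c2(result_hex: str = SAMPLE_RESULT) -> str:
    """What a monitoring job does with the `result` field of the node's reply."""
    return defang(abi_decode_string(result_hex))


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("current C2 (defanged):", lookup_c2())
```

On a live node the same request can be replayed against historical blocks by changing the `block` parameter, which gives a timeline of every C2 domain the operators have published.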
The malware also drops a script that adds dozens of exclusion paths to Windows Defender, effectively blinding the built-in antivirus. A watchdog task then runs every two minutes to restore any deleted components, so deleting files by hand achieves little unless the scheduled task and the Defender exclusions are removed first.
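Both of those artefacts leave a footprint an analyst can check for. The following is an added triage example, not part of the McAfee report: it parses a scheduled-task XML export and flags a repetition interval of five minutes or less, an action that runs through a script host, or an action path in a user-writable location, and it scores a Defender exclusion list for size and for user-writable paths. The task XML and the exclusion list are constructed stand-ins for what `Export-ScheduledTask` and `Get-MpPreference` return on a real host; the five-minute and five-path thresholds are assumptions to tune per environment.

```python
"""Host-side triage for the two artefacts described above: a Windows Defender
exclusion list padded with many paths, and a scheduled task that re-launches a
script every couple of minutes.  Added example; inputs are constructed."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Locations a standard user can write to; an exclusion or task action there is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)(\\|$)", re.I)
WATCHDOG_MAX_MINUTES = 5  # assumption: anything this frequent is watchdog-like


def iso8601_minutes(interval: str) -> float:
    """Task Scheduler repetition intervals are ISO 8601 durations (PT2M, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval)
    if not m or not any(m.groups()):
        raise ValueError(f"unparseable interval {interval!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task_xml(xml_text: str) -> list[str]:
    """Flag a task that repeats at watchdog speed, runs through a script host,
    or points at a user-writable path.  Returns one finding per condition."""
    root = ET.fromstring(xml_text)
    findings = []
    for iv in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        minutes = iso8601_minutes((iv.text or "").strip())
        if minutes <= WATCHDOG_MAX_MINUTES:
            findings.append(f"repeats every {minutes:g} min")
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host {exe} runs {args}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("action path is user-writable")
    return findings


def triage_exclusions(paths: list[str], max_expected: int = 5) -> list[str]:
    """Flag an oversized exclusion list and every user-writable path in it."""
    findings = []
    if len(paths) > max_expected:
        findings.append(f"{len(paths)} exclusion paths (expected at most {max_expected})")
    findings += [f"user-writable path excluded: {p}" for p in paths if USER_WRITABLE.search(p)]
    return findings


# Constructed sample: the shape Export-ScheduledTask emits for a two-minute
# watchdog that re-runs a VBS from the user's profile (XML declaration omitted).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-01-05T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\Updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample ExclusionPath values.
SAMPLE_EXCLUSIONS = [
    r"C:\Users\victim\AppData\Roaming",
    r"C:\Users\victim\AppData\Local\Temp",
    r"C:\Users\Public",
    r"C:\ProgramData\Microsoft",
    r"C:\Windows\System32",
    r"C:\Program Files\Java",
]

if __name__ == "__main__":
    for finding in triage_task_xml(SAMPLE_TASK) + triage_exclusions(SAMPLE_EXCLUSIONS):
        print("FINDING:", finding)
```

Run it against every task under `%SystemRoot%\System32\Tasks` and the full `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` lists; a clean host normally has zero or a handful of exclusions, all of them pointing at vendor install directories.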
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA256 | f2100e1f73477bc565f8909e069942dac1f884654ed4ba213ca9a84b1e761ab8 | Glazed_Addon-1.0.0.jar (Stage 1) |
| SHA256 | d3f2464ae0e48218e1d48bdfab8301ee5236f7624adcdba1720dc27058461076 | paper-rig-mod-new.jar (Stage 1) |
| SHA256 | b982fbafa954a8dcf7cfcffe31bcf75a86b052b1f01cf535ffcafd2c48a56b60 | RadiumClient.jar (Stage 1) |
| SHA256 | 29546a03e07bfeb3025313b12671c758ced1c4921a4bc859a7ab40ec52584cdb | Radium-1.0.0 (1).jar (Stage 1) |
| SHA256 | d81b98a69363d8d994ef553beeb5e15384ed32f0e343708b73c7e6b313b9aace | Bedrockfinder-1.0.0.jar (Stage 1) |
| SHA256 | f790346bece8e448313f701586cc7fd18291dfda721aae8d86ebfacf14055645 | 4e client 1.21.11.jar (Stage 1) |
| SHA256 | 5f7680feccc15814299df3c3c11e9b1c4f33069aac5a19c03b87e15f30c2312b | AutoRynek-1.21.4.jar (Stage 1) |
| SHA256 | 256b5b5d0524c442261028767b94f7188b0b81663b50c63300fca7733a04ea7d | donutsmp-duper-1.0.0.jar (Stage 1) |
| SHA256 | e123d1f7cbea562237f7a5f50638d148fb58048c9ad095e0b0ad52e43bfedad0 | GodMode-2.8.1.jar (Stage 1) |
| SHA256 | d468983f98ff100ad8fd613315af4c88d67bec76782b66b260c413c587987bf0 | krypton-cracked-1.0.0.jar (Stage 1) |
| SHA256 | ef31bb219b84744e02f90947f31a25958b2b34524ed3795799ed6eff876e4bcd | krypton-cracked-1.0.01.jar (Stage 1) |
| SHA256 | 5d537a058ec19e6ceea593738f122b777d866042ea0bad194539757de13c46f4 | Example-1.0.0.jar (Stage 1) |
| SHA256 | 697ee941abee202d8e84e5e3fed8b9f34eea8772ee56dc867fce017507a5eeaf | Krypton-1.0.0.jar (Stage 1) |
| SHA256 | f9a6911e8d9130c779db2e79f901d75d90f9e3ad08c36e7fb927959b7d988bae | Vapev4-1.21.11.jar (Stage 1) |
| SHA256 | 86f8c0a92eb9aba3c3416667361652a9e11b6ddc1119bb5b3564bc107b950ddb | Example-1.0.0.jar (Stage 1) |
| SHA256 | 790ff5cda1668e7aa390fbb1682a4d578195aa40542f64b7b6d56a6eccde12c9 | Donutdupeworking-1.21.11.jar (Stage 1) |
| SHA256 | db533717da686f3b76b9de85ecd80d326a14572056a33d31f794bffbffd96c26 | opticam-1.0.0.jar (Stage 1) |
| SHA256 | 8b53f53f72b8fef755666b6f239c06a69a9940e1b9f5d19e022150750035fa80 | Nightsoulv2-1.21.11.jar (Stage 1) |
| SHA256 | 6b2218999ac27f6085cb02f693a3c99bd6abedfc20e00e22709e526015c89f4e | asdasd-1.21.111.jar (Stage 1) |
| SHA256 | 9682adf40a3621ffe5e1b426c5b90d0ed70e663738857bb4d18d37d93bbd4e6c | dupe_bypass_1.21.11-1.21.11.jar (Stage 1) |
| SHA256 | 3951533d56803cd5d708014b4eed7e30349b4c4ba43f7d843133b3a5e2992ce6 | elevator.jar (Stage 2) |
| SHA256 | 37bcec9ba357a2cb13a4f0f910e40f01e33973a5d637a3487c298105ae1ff22b | Module.jar (Stage 2) |
| SHA256 | 08a64523d7a05defb6cc5c87df340d76f9ef7ccc9623a0d338981be4cd9cd6c7 | module.jar (Stage 2) |
| SHA256 | cf9bc0a3e01a7b466bc35dbf88563adf61c884ad5fb2b28afd1298a5f723f370 | SecurityManager.jar (Stage 3) |
| SHA256 | d28bc760f0b80905ea199809ad7ebfc73ab12aeab0ad3ee2dd11990657d2d9eb | SecurityManager.jar (Stage 3) |
| SHA256 | 7f69a67316872186fd440b4126a77c419f14b459542181c5e12feb49a223fd39 | SecurityManager.jar (Stage 3) |
| SHA256 | 902cb8bfa3863df299ac804dc77e3e9366658b2b3c2ec5d3a1bdaf2e52520ce5 | SecurityManager.jar (Stage 3) |
| SHA256 | 2a5baf86a3e982eb557dffffabb619c9e80581d41cdc4b85b06367b588647a7d | SecurityManager.jar (Stage 3) |
| SHA256 | ea595940815a11901bd99214b26d9528034f7182bd6c3bf2fe3179ac92e00afc | component.jar (Stage 4) |
| SHA256 | dba9908f63f5f32405f7a728f37979e743814532378cabc4f0e9f24c34197c60 | component.jar (Stage 4) |
| SHA256 | 77dd1dd9b12699c64ab31c0140b28c70339014a0969f3bb7a79068f5b8f3f34a | component.jar (Stage 4) |
| SHA256 | 32e743d1e3957f35651a9d15a83bc128b82108c17b0fa64d63fa98b1d326fc9d | component.jar (Stage 4) |
| SHA256 | a81ba29e550beae21fff69bfe0478249eb7078b173f9cf2040d74df299fc9d5b | component.jar (Stage 4) |
| SHA256 | 14118a6070f89baafd5f2aeaf2df7535a8053f99944453584f0d1efeb6501ac3 | Telemetry.exe |
| SHA256 | b9f71ed4b08c93a7fc5468bee2…3660e3129e1cf9c84100d4d40ad70fb7c851fa | RuntimeBroker.exe (hash printed with an ellipsis in the source; verify against the McAfee report before use) |
| SHA256 | 88d8ac22ea323842cd760d645daea54043739d45a0fa61fd72fe5a5c9acb5e69 | elv.vbs |
| SHA256 | fdceafe4dcf9cf6d23b2033824275c08ec73d6b01adc644416e43ecca94c89c9 | INF config |
| SHA256 | 226889380ca1695158cd42ba4b7d89352c4fa74010583669ac89ad69fdefd566 | Updater.vbs |
| SHA256 | 1b5ca4d2b5eb23041da0f6effdc408d50768701d4140a21c9fbd244f9458d720 | WinDefConfig.cmd |
| SHA256 | c7691712d794d4ef582c591566bf5fda76a364b0bcdad315adbaaec8607ad0f3 | chromedriver.dll |
| Ethereum Address | 0x1280a841Fbc1F883365d3C83122260E0b2995B74 | Ethereum smart contract address |
| Function Selector | 0xce6d41de | Ethereum contract function selector |
| RSA Public Key | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmNzDf4737… | Embedded RSA public key for C2 verification |
| URL | hxxps://whpayment.ru | Weedhack Dashboard URL |
| URL | hxxp://whack.cy/ | Weedhack Dashboard URL |
| URL | hxxps://weedhack.to/dashboard/auth/login | Weedhack Dashboard (current) |
| URL | hxxps://whtempdomain.com | Weedhack Dashboard URL |
| URL | hxxps://whreceiverrrrrrrrr.ru/dashboard/overview | Weedhack Dashboard URL |
| URL | hxxp://friendlydomain.ru/ | Weedhack Dashboard URL |
| URL | hxxp://whrc.ru/ | Weedhack Dashboard URL |
| URL | hxxps://whnewreceive.ru/ | Weedhack Dashboard URL |
| URL | hxxp://weedhack.xyz | Weedhack Dashboard URL |
| URL | hxxp://92[.]119[.]164[.]235/ | Related threat actor campaign |
| URL | hxxps://acabstealer[.]ru/ | Related threat actor campaign |
| URL | hxxp://stealer[.]to/ | Related threat actor campaign |
| URL | hxxp://1312services[.]ru/ | Related threat actor campaign |
| URL | hxxps://1312stealer[.]ru/ | Related threat actor campaign |
| URL | hxxp://dieserbenni[.]ru/ | Related threat actor campaign |
| URL | hxxps://marsalek[.]cy/ | Related threat actor campaign |
| URL | hxxp://stealer[.]cy/ | Related threat actor campaign |
| URL | hxxps://newlumm[.]fun/ | Related threat actor campaign |
| URL | hxxp://limbo100x[.]ru/ | Related threat actor campaign |
| URL | hxxp://pentagon[.]cy/ | Related threat actor campaign |
| URL | hxxps://aetherminecraft.lovable.app/game-mods | Malware distribution URL |
| URL | hxxps://donutdupe.xyz/DonutDupe-1.21.1.jar | Malware distribution URL |
| URL | hxxps://www.skytils.net/skytils-1.21.11.jar | Malware distribution URL |
| URL | hxxps://kryptonclient.gg/downloads/KryptonClient.jar | Malware distribution URL |
| URL | hxxps://xenonclient.com/downloads/XenonClient-1.21.jar | Malware distribution URL |
| URL | hxxps://odinclient.com/Odin-1.21.10-latest.jar | Malware distribution URL |
| URL | hxxps://nova-client.com/Nova-Client-1.21.11-latest.jar | Malware distribution URL |
| URL | hxxps://pixeldrain.com/api/file/o4jKp4Tx?download | Malware distribution URL |
| URL | hxxps://simplevoicechatmod.com/downloads/voicechat-fabric-1.21.11-2.6.11.jar | Malware distribution URL |
| URL | hxxps://gitlab.com/shlostval52/meteorclient-1.21.11/-/raw/main/AutoHarpTSM-1.21.11.jar | Malware distribution URL |
| URL | hxxps://t[.]me/+pw_g24ajDcQwMmYy | Weedhack Telegram channel |
| URL | hxxps://t[.]me/MetaMaskenMann | Weedhack owner’s Telegram account |
| URL | hxxp://chromium-Client.github.io/main/ChromiumClient-.jar | Malware distribution URL |
| YouTube Channel | hxxps://www[.]youtube[.]com/@TheRix-u2t | YouTube channel advertising WeedHack |
| YouTube Channel | hxxps://www[.]youtube[.]com/@HopzyPacks | YouTube channel advertising WeedHack |
| File Name | DonutDupe.jar | Stage 1 payload file name |
| File Name | elevator.jar | Stage 2 payload file name |
| File Name | SecurityManager.jar | Stage 3 payload file name |
| File Name | component.jar | Stage 4 payload file name |
| File Name | RuntimeBroker.exe | Remote access backdoor |
| File Name | Telemetry.exe | Infostealer payload |
| File Name | chromedriver.dll | Browser credential stealer |
| File Name | WinDefConfig.cmd | Windows Defender exclusion script |
| File Name | Updater.vbs | Persistence VBS script |
| File Name | elv.vbs | UAC bypass VBS script |
| Malware Signature | Trojan:Win/Weedhack.AA | McAfee detection signature |
| Malware Signature | Trojan:Win/Weedhack.AB | McAfee detection signature |
| Malware Signature | Trojan:Win/Weedhack.AC | McAfee detection signature |
| Malware Signature | Trojan:Win/Weedhack.AD | McAfee detection signature |
| Malware Signature | Trojan:Win/Weedhack.AE | McAfee detection signature |
| Malware Signature | Trojan:Script/Weedhack.AF | McAfee detection signature |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.