A new and dangerous threat has emerged in the gaming world, one that turns a beloved pastime into a gateway for cybercrime.
Weedhack, a Minecraft-focused Malware-as-a-Service (MaaS) operation, has been actively targeting players since at least January 2026, exploiting their interest in game modifications to steal credentials, drain cryptocurrency wallets, and hijack accounts.
The campaign spreads through YouTube videos, search engine manipulation, and fake Minecraft mod websites designed to look completely legitimate.
Unsuspecting players searching for popular game modifications are lured into downloading infected files, setting off a chain of events that can result in severe data loss and account compromise.
The operation reportedly claims to have crossed 116,000 hits, with subscriptions starting as low as $5 per month.
Researchers at PolySwarm identified Weedhack as a fully structured MaaS platform with a business model that mirrors legitimate software services.
The platform comes equipped with subscription tiers, operational tutorials, a malware builder, customer support, and victim management dashboards, making it accessible even to those with little technical experience.
The low cost and detailed documentation provided by the platform have made it especially attractive to teenagers and young adults.
Researchers noted that many observed customers were primarily interested in stealing Minecraft accounts or gaining unauthorized access to other players’ systems.
According to a PolySwarm report shared with Cyber Security News (CSN), this combination of easy access and a ready pool of young, trusting users within gaming communities creates a troubling environment for abuse.
What makes Weedhack stand out beyond its price tag is its technical maturity. The operation uses Ethereum blockchain infrastructure to deliver command-and-control instructions, making it far harder for defenders to disrupt.
By decentralizing its own backbone, Weedhack reduces exposure to traditional takedown methods and complicates efforts to track its operators.
New Weedhack Malware-as-a-Service Targets Minecraft Players
Victims are infected after downloading trojanized Minecraft mods or clients distributed as Java Archive (JAR) files.
Once executed, the malware relaunches itself through javaw.exe to hide console activity, then decrypts embedded Ethereum endpoints and RSA public keys to retrieve active infrastructure details from smart contracts.
In the next stage, the malware uses JNIC obfuscation, which converts Java bytecode into native code to make analysis much harder for researchers.
It then performs system reconnaissance, disables Windows Defender, captures screenshots, and begins harvesting browser credentials, cookies, and Discord tokens.
Additional payloads are downloaded, persistence mechanisms are installed, and collected data is transmitted to attacker-controlled servers.
The free tier alone is alarmingly capable, giving attackers access to passwords and cookies from 36 browsers, 56 browser-based and 12 desktop cryptocurrency wallets, and credentials from Discord, Steam, and Telegram.
Premium tiers go even further, adding webcam access, keylogging, reverse shell execution, remote desktop control, and screen-sharing capabilities that turn a victim’s device into a full surveillance tool.
Researchers identified more than 3,820 malicious JAR files and over 240 distribution URLs tied to the Weedhack ecosystem.
The operation specifically targets users looking for well-known Minecraft clients including Meteor Client, Radium Client, Wurst Client, and LiquidBounce, among others.
Cyberbullying, Abuse, and the Broader Threat
Beyond financial theft, researchers found disturbing evidence that Weedhack is being actively used for harassment and cyberbullying.
Customers reportedly used the remote-access features to monitor victims through their webcams, intimidate them, and in some cases share compromising images and videos within criminal communities online.
This highlights a dimension of harm that goes beyond stolen data or drained wallets.
When the attacker and victim are members of the same gaming community, the psychological damage from surveillance and intimidation can be severe. The malware effectively turns a shared social space into a hunting ground for abuse.
Defenders are advised to treat any downloaded Minecraft mod or Java-based client as a potential threat until verified through trusted sources.
Security teams should rely on dynamic behavioral analysis and infrastructure correlation rather than static signatures alone, as the campaign’s use of blockchain infrastructure and staged payloads makes traditional detection significantly less effective.
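The behavioral correlation recommended above can be sketched as follows. This is an added example, not code from PolySwarm or CSN: it links the javaw.exe self-relaunch described earlier to later Defender tampering in the same process tree. The event fields, file paths and tamper patterns are assumptions, and the sample events are constructed.

```python
import re

EVENTS = [  # constructed sample process-creation events, not real telemetry
    {"pid": 200, "ppid": 100, "image": r"C:\jre\bin\java.exe",
     "cmd": r'java.exe -jar "C:\Users\u\Downloads\client.jar"'},
    {"pid": 210, "ppid": 200, "image": r"C:\jre\bin\javaw.exe",
     "cmd": r'javaw.exe -jar "C:\Users\u\Downloads\client.jar"'},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 300, "ppid": 100, "image": r"C:\jre\bin\javaw.exe",
     "cmd": r'javaw.exe -jar "C:\Games\launcher.jar"'},
]
JAR_RE = re.compile(r'-jar\s+"?([^"]+?\.jar)', re.I)
# Generic Defender-tampering markers (assumption: the page does not say how
# the malware disables Defender).
TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|DisableAntiSpyware", re.I)

def jar_of(event):
    """Return the lower-cased JAR path of a java/javaw process, else None."""
    if not re.search(r"\\javaw?\.exe$", event["image"], re.I):
        return None
    m = JAR_RE.search(event["cmd"])
    return m.group(1).lower() if m else None

def correlate(events):
    """Map each JAR that relaunches itself under javaw.exe to the behaviours seen."""
    by_pid = {e["pid"]: e for e in events}
    relaunched, findings = {}, {}      # javaw pid -> jar; jar -> behaviours
    for e in events:                   # assumed to be in time order, no PID reuse
        parent, jar = by_pid.get(e["ppid"]), jar_of(e)
        if (jar and parent and jar == jar_of(parent)
                and e["image"].lower().endswith("javaw.exe")):
            relaunched[e["pid"]] = jar
            findings.setdefault(jar, []).append("self-relaunch via javaw.exe")
            continue
        # Walk ancestors: is this a tampering command under a relaunched JAR?
        anc, seen = parent, set()
        while anc and anc["pid"] not in seen:
            seen.add(anc["pid"])
            if anc["pid"] in relaunched and TAMPER_RE.search(e["cmd"]):
                findings[relaunched[anc["pid"]]].append("Defender tampering by descendant")
                break
            anc = by_pid.get(anc["ppid"])
    return findings

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A self-relaunch alone is a weak signal, since some legitimate launchers do the same; the two behaviours together on one JAR are what merit triage.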
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

