Minecraft and Impact Client: Weedhack MaaS Targets Minecraft Players to Steal Credentials and Hijack Accounts

Weedhack MaaS Operation Targets Minecraft Players with Sophisticated Malware

Since at least January 2026, Weedhack, a Malware-as-a-Service (MaaS) operation, has been actively targeting Minecraft players with a low-cost, subscription-based toolkit designed for credential theft, cryptocurrency wallet extraction, and account hijacking. Marketed through SEO poisoning, YouTube promotions, and fake mod websites, the service lowers the barrier for novice threat actors, increasing risks for gaming communities, particularly younger users.

The malware primarily spreads via trojanized Java Archive (JAR) files disguised as popular Minecraft clients and mods, including Meteor Client, Aristois, LiquidBounce, and Impact Client. Upon execution, it hides under javaw.exe, decrypts Ethereum JSON-RPC endpoints, and uses smart contracts to dynamically retrieve command-and-control (C2) servers, complicating takedown efforts. Researchers identified 32 distinct JSON-RPC endpoints, over 3,820 malicious JAR samples, and 240+ distribution URLs linked to the campaign.

Weedhack employs multi-stage attacks, using JNIC obfuscation to evade reverse engineering. Initial reconnaissance gathers system metadata, installed software, and attempts to bypass Windows Defender. Subsequent payloads steal browser credentials, Discord tokens, Steam and Telegram logins, and Minecraft session data, enabling account takeovers without password disclosure.

The service offers tiered subscriptions, with a free version supporting credential theft, wallet targeting, and screenshot capture. Premium tiers (starting at ~$5/month) add remote-access features like keylogging, screen sharing, file management, reverse shells, and webcam monitoring. A customer dashboard provides malware builders, tutorials, and leaderboards, gamifying infections and reportedly amassing over 116,000 hits.

Researchers found evidence of misuse for harassment and cyberbullying, including the sharing of webcam footage in criminal forums. Many customers appear to be teenagers or young adults, exacerbating risks in youth-centered gaming communities. The operation’s professional-looking distribution sites and decentralized infrastructure further amplify its reach.

Defenders are advised to treat Java-based gaming software as high-risk vectors, as Weedhack’s obfuscation and blockchain-driven C2 evade traditional signature-based detection. Mitigation strategies include sandboxing mod files, enforcing least-privilege Java policies, and blocking known malicious domains and JSON-RPC endpoints.
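Because the C2 address is read from a smart contract rather than hard-coded, a behavioural signal is more durable than a blocklist: a Java process issuing Ethereum JSON-RPC contract reads. The sketch below is an added example, not code from the report; the record fields (`host`, `image`, `dest`, `body`), the sample hostnames and the choice of read methods are assumptions, since the page does not name the RPC method Weedhack uses.

```python
import json

JAVA_IMAGES = {"javaw.exe", "java.exe"}  # images a Minecraft client runs under
# Read-only Ethereum JSON-RPC methods that can pull data out of a contract.
# Assumption: the page does not say which method Weedhack uses.
CONTRACT_READS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}


def rpc_methods(body):
    """Return JSON-RPC 2.0 method names in a request body (single or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON at all
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls
            if isinstance(c, dict) and c.get("jsonrpc") == "2.0"
            and isinstance(c.get("method"), str)]


def flag_java_contract_reads(records):
    """Return (host, image, dest, methods) for Java processes reading contracts."""
    hits = []
    for rec in records:
        # Reduce a full Windows path to the lower-cased image name.
        image = (rec.get("image") or "").rsplit("\\", 1)[-1].lower()
        if image not in JAVA_IMAGES:
            continue
        methods = sorted(set(rpc_methods(rec.get("body"))) & CONTRACT_READS)
        if methods:
            hits.append((rec["host"], image, rec["dest"], methods))
    return hits


# Constructed proxy/EDR telemetry: hypothetical fields, placeholder hostnames.
SAMPLE = [
    {"host": "PC-01", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "dest": "rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}'},
    {"host": "PC-02", "image": r"C:\Apps\browser.exe", "dest": "rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}'},
    {"host": "PC-03", "image": r"C:\Java\bin\javaw.exe",
     "dest": "session.example.org", "body": '{"accessToken":"redacted"}'},
    {"host": "PC-04", "image": "javaw.exe", "dest": "rpc.example.com",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_chainId"},'
             '{"jsonrpc":"2.0","id":2,"method":"eth_getStorageAt","params":[]}]'},
]

if __name__ == "__main__":
    for hit in flag_java_contract_reads(SAMPLE):
        print(hit)
```

The rule needs request bodies, so it applies where TLS is inspected or where endpoint telemetry records them; without that, the same process filter can be paired with a list of known public RPC hostnames.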

Source: https://gbhackers.com/weedhack-maas-targets-minecraft-players/

Mojang Studios cybersecurity rating report: https://www.rankiteo.com/company/mojangstudios

ImpactAlpha cybersecurity rating report: https://www.rankiteo.com/company/impactalpha

"id": "MOJIMP1780993515",
"linkid": "mojangstudios, impactalpha",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 116,000 hits reported',
                        'industry': 'Gaming',
                        'location': 'Global',
                        'name': 'Minecraft players',
                        'type': 'Individual users'}],
 'attack_vector': ['SEO poisoning',
                   'YouTube promotions',
                   'Fake mod websites',
                   'Trojanized Java Archive (JAR) files'],
 'data_breach': {'data_encryption': 'Malware uses JNIC obfuscation to evade '
                                    'detection',
                 'data_exfiltration': 'Yes',
                 'file_types_exposed': ['JAR files'],
                 'personally_identifiable_information': 'Yes (Discord tokens, '
                                                        'Telegram logins, '
                                                        'Minecraft session '
                                                        'data)',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, financial data)',
                 'type_of_data_compromised': ['Browser credentials',
                                              'Discord tokens',
                                              'Steam logins',
                                              'Telegram logins',
                                              'Minecraft session data',
                                              'Cryptocurrency wallet data']},
 'date_detected': '2026-01-01',
 'description': 'Since at least January 2026, Weedhack, a Malware-as-a-Service '
                '(MaaS) operation, has been actively targeting Minecraft '
                'players with a low-cost, subscription-based toolkit designed '
                'for credential theft, cryptocurrency wallet extraction, and '
                'account hijacking. Marketed through SEO poisoning, YouTube '
                'promotions, and fake mod websites, the service lowers the '
                'barrier for novice threat actors, increasing risks for gaming '
                'communities, particularly younger users.',
 'impact': {'brand_reputation_impact': 'Increased risk for gaming communities, '
                                       'particularly younger users',
            'data_compromised': ['Browser credentials',
                                 'Discord tokens',
                                 'Steam logins',
                                 'Telegram logins',
                                 'Minecraft session data',
                                 'Cryptocurrency wallet data'],
            'identity_theft_risk': 'High',
            'operational_impact': 'Account takeovers, unauthorized access to '
                                  'sensitive data',
            'payment_information_risk': 'High (cryptocurrency wallets)',
            'systems_affected': ['Windows systems with Java installed']},
 'initial_access_broker': {'entry_point': 'Trojanized JAR files'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Java-based gaming software should be treated as high-risk '
                    'vectors due to Weedhack’s obfuscation and '
                    'blockchain-driven C2 evasion techniques.',
 'motivation': ['Credential theft',
                'Cryptocurrency wallet extraction',
                'Account hijacking',
                'Harassment',
                'Cyberbullying'],
 'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring of '
                                                   'Java applications',
                                                   'User education on risks of '
                                                   'third-party mods',
                                                   'Collaboration with gaming '
                                                   'platforms to detect '
                                                   'malicious mods'],
                            'root_causes': ['Lack of scrutiny on Java-based '
                                            'gaming mods',
                                            'Decentralized C2 infrastructure '
                                            'using blockchain',
                                            'Low-cost subscription model '
                                            'attracting novice threat actors']},
 'recommendations': ['Sandbox mod files',
                     'Enforce least-privilege Java policies',
                     'Block known malicious domains and JSON-RPC endpoints'],
 'references': [{'source': 'Cybersecurity research report'}],
 'response': {'containment_measures': ['Sandboxing mod files',
                                       'Enforcing least-privilege Java '
                                       'policies',
                                       'Blocking known malicious domains and '
                                       'JSON-RPC endpoints']},
 'threat_actor': 'Weedhack',
 'title': 'Weedhack MaaS Operation Targets Minecraft Players with '
          'Sophisticated Malware',
 'type': 'Malware-as-a-Service (MaaS)'}