Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


Hackers are hiding dangerous malware inside what look like popular Minecraft mods and game clients, using YouTube videos and search engine tricks to pull unsuspecting players into their trap.

The campaign, known as WeedHack, has been quietly running since January 2026 and has already racked up over 116,000 victims worldwide.

What makes this campaign particularly alarming is how it packages itself as a legitimate service. WeedHack operates as a Malware-as-a-Service (MaaS) platform, meaning anyone can sign up, download a ready-made malicious payload, and start infecting others.

The free tier alone is capable of stealing passwords from 36 browsers, grabbing credentials from over 56 browser-based crypto wallets, and swiping Discord, Steam, and Telegram login details.

Analysts at McAfee Labs, who authored a report shared with Cyber Security News (CSN), uncovered the full scope of this campaign.

They found over 3,820 unique malicious JAR files and more than 240 URLs actively distributing the malware, at a rate of roughly 2,000 to 3,000 new infections per day. The campaign is most active in the United States, Germany, India, and the United Kingdom.

Perhaps the most unsettling finding is who is actually using this malware. Researchers discovered that many WeedHack customers appear to be teenagers and young adults who are using the tool not just to steal accounts, but to harass and bully their victims.

They have been recording victims through hijacked webcams and sharing the footage in Telegram channels to brag about it.

If someone falls victim to this malware and is threatened by an attacker claiming to have hacked their system, researchers strongly recommend not following the attacker’s instructions.

Instead, victims should reach out to a trusted adult such as a parent or guardian and report the incident immediately, as complying with the attacker could lead to further harm.

Hackers Use YouTube and SEO Poisoning

WeedHack spreads in two primary ways: fake YouTube videos and SEO poisoning. Threat actors upload polished, well-edited videos showcasing Minecraft mods and clients, often including voiceovers to sound more authentic.

One such video had accumulated over 7,500 views and included a link to the malicious download site in its description.

YouTube video promoting malicious Minecraft Mods (Source – McAfee)

The campaign deliberately impersonates Minecraft mods that have no official website: with no legitimate page competing for those search terms, an attacker-controlled site can take the top results for the mod's name with modest effort.

These fake sites are built to look convincing, and some even include fake security warnings telling users to only download from their page and link to official Discord servers and GitHub pages to appear trustworthy.

Malicious website hosting Weedhack, Example 3 (Source – McAfee)

Beyond videos, the campaign instructs its customers to participate in Discord and Reddit discussions to quietly promote their malicious sites without drawing suspicion.

The WeedHack dashboard even provides step-by-step tutorials on how to use both methods effectively, including tips on keyword targeting and avoiding common mistakes.

What sets WeedHack apart technically is its use of EtherHiding, a technique that stores the malware's command-and-control (C2) server address in a smart contract on the Ethereum blockchain rather than in the malware itself.

Because the address is read live from the contract (a read-only call that any public Ethereum node will answer), the operator can rotate C2 domains at will, and there is no hosting provider or registrar a defender can ask to take the lookup down. The response is also RSA-signed and checked against a public key embedded in the loader, so a third party that cloned the contract or tampered with the stored value could not redirect the installed base to a server of their own.

Once a victim runs the infected JAR file, the malware launches a four-stage infection chain. The first stage quietly fetches the current C2 domain from the blockchain contract and hands it to the next stage.

The second stage pulls an obfuscated payload and loads it straight into memory through a custom class loader, which avoids writing the decoded code to disk where a file scanner could inspect it. Stages three and four establish persistence on the system and deploy the remote access tooling: webcam capture, keylogging, and a reverse shell.
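The Stage 1 lookup and the signature check are easiest to understand in code. The Python below is an added example, not WeedHack's loader or anything from the McAfee report: it builds the eth_call request for the contract address and function selector listed in the IoCs, decodes an ABI-encoded string reply, and enforces an RSA PKCS#1 v1.5 signature over the domain before accepting it. The on-chain payload layout ("<domain>|<hex signature>"), the string return type, and the throwaway key generated at runtime are all assumptions; the real loader embeds a fixed public key and its exact encoding is not public.

```python
"""Added example, not WeedHack's code: emulate the Stage 1 EtherHiding lookup the way an
analyst tracking C2 rotation would, and show what the RSA check buys the operator.
Assumed (not published): the getter returns an ABI `string` shaped "<domain>|<hex sig>"."""
import hashlib
import secrets

CONTRACT = "0x1280a841Fbc1F883365d3C83122260E0b2995B74"  # from the IoC list
SELECTOR = "0xce6d41de"                                    # from the IoC list
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def build_eth_call(contract: str, selector: str) -> dict:
    """JSON-RPC body any public Ethereum node answers; the getter takes no arguments."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` (only used here to build sample responses)."""
    data = s.encode("utf-8")
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * (-len(data) % 32)).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the eth_call result: 32-byte offset, 32-byte length, UTF-8 bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a throwaway demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def make_keypair(bits: int = 1024):
    """Toy RSA keygen (no hardening) returning public (n, e) and private (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), k bytes long."""
    t = DIGEST_INFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, msg: bytes) -> bytes:
    """Operator side: sign the C2 domain before publishing it on-chain."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(pub, msg: bytes, sig: bytes) -> bool:
    """Loader side: RSASSA-PKCS1-v1_5 verification with the embedded public key."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))


def resolve_c2(result_hex: str, pub) -> str:
    """Decode the on-chain value and refuse any domain the embedded key did not sign;
    this is what stops a cloned or tampered contract from redirecting the botnet."""
    domain, sig_hex = abi_decode_string(result_hex).rsplit("|", 1)
    if not rsa_verify(pub, domain.encode("utf-8"), bytes.fromhex(sig_hex)):
        raise ValueError("C2 response failed RSA verification")
    return domain


def demo() -> str:
    pub, priv = make_keypair()
    domain = "c2.example.invalid"  # constructed placeholder, not a real C2
    stored = domain + "|" + rsa_sign(priv, domain.encode("utf-8")).hex()
    assert resolve_c2(abi_encode_string(stored), pub) == domain
    forged = abi_encode_string("hijack.example.invalid|" + stored.split("|")[1])
    try:
        resolve_c2(forged, pub)
    except ValueError:
        return "forged C2 rejected"
    return "forged C2 accepted"
```

Pointing build_eth_call at any public JSON-RPC endpoint lets an analyst poll the contract and watch the C2 domain rotate without running the malware. The signature check is what prevents a defender from poisoning the botnet by publishing a sinkhole address from a cloned contract, so takedown effort has to go at the domains themselves.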

The malware also drops a script (WinDefConfig.cmd in the IoC list) that adds dozens of exclusion paths to Windows Defender, effectively blinding the built-in antivirus to everything it writes afterwards. A watchdog task then runs every two minutes to restore any component that has been deleted, so manual removal tends to fail unless the task and the exclusions are dealt with first.
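Both of those behaviours leave loud traces in process-creation telemetry (Sysmon Event ID 1 or any EDR). The Python below is an added example, not something from the report, that runs detection rules over constructed sample events; the command-line shapes it parses (Add-MpPreference, schtasks /sc minute /mo 2) are assumptions about how a dropped script and watchdog would look, not the actual contents of WinDefConfig.cmd or Updater.vbs.

```python
"""Added example, not from the McAfee report: detection logic for bulk Defender
exclusions and a short-interval watchdog task, run over constructed process-creation
events. Command-line shapes are assumptions, not the real WinDefConfig.cmd/Updater.vbs."""
import re
from collections import defaultdict

# Constructed sample events: host, parent image, command line. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "PC01", "parent": "java.exe",
     "cmd": 'cmd.exe /c "C:\\Users\\alice\\AppData\\Local\\Temp\\WinDefConfig.cmd"'},
    {"host": "PC01", "parent": "cmd.exe",
     "cmd": 'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming, '
            'C:\\Users\\alice\\AppData\\Local\\Temp, C:\\ProgramData, C:\\Windows\\Temp '
            '-ExclusionExtension .jar, .vbs, .exe -ExclusionProcess java.exe"'},
    {"host": "PC01", "parent": "cmd.exe",
     "cmd": 'schtasks /create /tn "Updater" /tr "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\Updater.vbs" '
            '/sc minute /mo 2 /f'},
    {"host": "DEV02", "parent": "explorer.exe",
     "cmd": 'powershell -c "Add-MpPreference -ExclusionPath D:\\build\\out"'},
    {"host": "DEV02", "parent": "explorer.exe",
     "cmd": 'schtasks /create /tn "Nightly" /tr "D:\\build\\run.cmd" /sc daily /st 02:00'},
]

MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension)\s+(.*?)(?=\s+-[A-Za-z]|$)", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
TASK_ARG_RE = re.compile(r'/(tn|tr|sc|mo)\s+("[^"]*"|\S+)', re.I)
# Dropped-file names from the IoC table; a hit in a command line is a cheap exact match.
IOC_FILENAMES = ("WinDefConfig.cmd", "Updater.vbs", "elv.vbs", "RuntimeBroker.exe", "Telemetry.exe")


def defender_exclusions(cmd: str) -> dict:
    """Return {kind: [values]} for every exclusion a command line adds, else {}."""
    if not MPPREF_RE.search(cmd):
        return {}
    found = defaultdict(list)
    for kind, raw in EXCLUSION_RE.findall(cmd):
        for value in raw.split(","):
            value = value.strip().strip("'\"")
            if value:
                found[kind.lower()].append(value)
    return dict(found)


def short_interval_task(cmd: str, max_minutes: int = 5) -> dict:
    """Return name/action/interval when schtasks creates a task repeating every
    max_minutes or less (how a watchdog re-drops deleted components), else {}."""
    if not SCHTASKS_RE.search(cmd):
        return {}
    args = {k.lower(): v.strip('"') for k, v in TASK_ARG_RE.findall(cmd)}
    if args.get("sc", "").lower() != "minute":
        return {}
    every = int(args.get("mo", "1"))  # schtasks defaults /mo to 1 for /sc minute
    if every > max_minutes:
        return {}
    return {"name": args.get("tn"), "action": args.get("tr"), "every_minutes": every}


def analyze(events, bulk_threshold: int = 5) -> list:
    """Per-event rules plus a per-host roll-up: one exclusion added by an admin is
    normal, dozens added in one go is the script behaviour described above."""
    findings, per_host = [], defaultdict(int)
    for ev in events:
        names = [n for n in IOC_FILENAMES if n.lower() in ev["cmd"].lower()]
        if names:
            findings.append({"host": ev["host"], "rule": "ioc_filename_in_cmdline", "detail": names})
        exclusions = defender_exclusions(ev["cmd"])
        if exclusions:
            count = sum(len(v) for v in exclusions.values())
            per_host[ev["host"]] += count
            findings.append({"host": ev["host"], "rule": "defender_exclusion_added",
                             "parent": ev["parent"], "count": count, "detail": exclusions})
        task = short_interval_task(ev["cmd"])
        if task:
            findings.append({"host": ev["host"], "rule": "short_interval_task",
                             "parent": ev["parent"], "detail": task})
    for host, count in per_host.items():
        if count >= bulk_threshold:
            findings.append({"host": host, "rule": "bulk_defender_exclusions", "count": count})
    return findings
```

The per-host roll-up is the part worth keeping: a single Add-MpPreference from an interactive admin (DEV02 in the sample) is routine and would drown a single-event rule in noise, while eight exclusions in one command spawned under java.exe on PC01 is not. Incident responders should also pull the exclusion list and the task before cleanup, since deleting the JARs alone hands the watchdog two minutes to put them back.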

Indicators of Compromise (IoCs)

SHA256 hashes (hash, then file name and infection stage)
f2100e1f73477bc565f8909e069942dac1f884654ed4ba213ca9a84b1e761ab8  Glazed_Addon-1.0.0.jar (Stage 1)
d3f2464ae0e48218e1d48bdfab8301ee5236f7624adcdba1720dc27058461076  paper-rig-mod-new.jar (Stage 1)
b982fbafa954a8dcf7cfcffe31bcf75a86b052b1f01cf535ffcafd2c48a56b60  RadiumClient.jar (Stage 1)
29546a03e07bfeb3025313b12671c758ced1c4921a4bc859a7ab40ec52584cdb  Radium-1.0.0 (1).jar (Stage 1)
d81b98a69363d8d994ef553beeb5e15384ed32f0e343708b73c7e6b313b9aace  Bedrockfinder-1.0.0.jar (Stage 1)
f790346bece8e448313f701586cc7fd18291dfda721aae8d86ebfacf14055645  4e client 1.21.11.jar (Stage 1)
5f7680feccc15814299df3c3c11e9b1c4f33069aac5a19c03b87e15f30c2312b  AutoRynek-1.21.4.jar (Stage 1)
256b5b5d0524c442261028767b94f7188b0b81663b50c63300fca7733a04ea7d  donutsmp-duper-1.0.0.jar (Stage 1)
e123d1f7cbea562237f7a5f50638d148fb58048c9ad095e0b0ad52e43bfedad0  GodMode-2.8.1.jar (Stage 1)
d468983f98ff100ad8fd613315af4c88d67bec76782b66b260c413c587987bf0  krypton-cracked-1.0.0.jar (Stage 1)
ef31bb219b84744e02f90947f31a25958b2b34524ed3795799ed6eff876e4bcd  krypton-cracked-1.0.01.jar (Stage 1)
5d537a058ec19e6ceea593738f122b777d866042ea0bad194539757de13c46f4  Example-1.0.0.jar (Stage 1)
697ee941abee202d8e84e5e3fed8b9f34eea8772ee56dc867fce017507a5eeaf  Krypton-1.0.0.jar (Stage 1)
f9a6911e8d9130c779db2e79f901d75d90f9e3ad08c36e7fb927959b7d988bae  Vapev4-1.21.11.jar (Stage 1)
86f8c0a92eb9aba3c3416667361652a9e11b6ddc1119bb5b3564bc107b950ddb  Example-1.0.0.jar (Stage 1)
790ff5cda1668e7aa390fbb1682a4d578195aa40542f64b7b6d56a6eccde12c9  Donutdupeworking-1.21.11.jar (Stage 1)
db533717da686f3b76b9de85ecd80d326a14572056a33d31f794bffbffd96c26  opticam-1.0.0.jar (Stage 1)
8b53f53f72b8fef755666b6f239c06a69a9940e1b9f5d19e022150750035fa80  Nightsoulv2-1.21.11.jar (Stage 1)
6b2218999ac27f6085cb02f693a3c99bd6abedfc20e00e22709e526015c89f4e  asdasd-1.21.111.jar (Stage 1)
9682adf40a3621ffe5e1b426c5b90d0ed70e663738857bb4d18d37d93bbd4e6c  dupe_bypass_1.21.11-1.21.11.jar (Stage 1)
3951533d56803cd5d708014b4eed7e30349b4c4ba43f7d843133b3a5e2992ce6  elevator.jar (Stage 2)
37bcec9ba357a2cb13a4f0f910e40f01e33973a5d637a3487c298105ae1ff22b  Module.jar (Stage 2)
08a64523d7a05defb6cc5c87df340d76f9ef7ccc9623a0d338981be4cd9cd6c7  module.jar (Stage 2)
cf9bc0a3e01a7b466bc35dbf88563adf61c884ad5fb2b28afd1298a5f723f370  SecurityManager.jar (Stage 3)
d28bc760f0b80905ea199809ad7ebfc73ab12aeab0ad3ee2dd11990657d2d9eb  SecurityManager.jar (Stage 3)
7f69a67316872186fd440b4126a77c419f14b459542181c5e12feb49a223fd39  SecurityManager.jar (Stage 3)
902cb8bfa3863df299ac804dc77e3e9366658b2b3c2ec5d3a1bdaf2e52520ce5  SecurityManager.jar (Stage 3)
2a5baf86a3e982eb557dffffabb619c9e80581d41cdc4b85b06367b588647a7d  SecurityManager.jar (Stage 3)
ea595940815a11901bd99214b26d9528034f7182bd6c3bf2fe3179ac92e00afc  component.jar (Stage 4)
dba9908f63f5f32405f7a728f37979e743814532378cabc4f0e9f24c34197c60  component.jar (Stage 4)
77dd1dd9b12699c64ab31c0140b28c70339014a0969f3bb7a79068f5b8f3f34a  component.jar (Stage 4)
32e743d1e3957f35651a9d15a83bc128b82108c17b0fa64d63fa98b1d326fc9d  component.jar (Stage 4)
a81ba29e550beae21fff69bfe0478249eb7078b173f9cf2040d74df299fc9d5b  component.jar (Stage 4)
14118a6070f89baafd5f2aeaf2df7535a8053f99944453584f0d1efeb6501ac3  Telemetry.exe (infostealer)
b9f71ed4b08c93a7fc5468bee2…3660e3129e1cf9c84100d4d40ad70fb7c851fa  RuntimeBroker.exe (remote access backdoor; hash as published)
88d8ac22ea323842cd760d645daea54043739d45a0fa61fd72fe5a5c9acb5e69  elv.vbs (UAC bypass script)
fdceafe4dcf9cf6d23b2033824275c08ec73d6b01adc644416e43ecca94c89c9  INF config
226889380ca1695158cd42ba4b7d89352c4fa74010583669ac89ad69fdefd566  Updater.vbs (persistence script)
1b5ca4d2b5eb23041da0f6effdc408d50768701d4140a21c9fbd244f9458d720  WinDefConfig.cmd (Defender exclusion script)
c7691712d794d4ef582c591566bf5fda76a364b0bcdad315adbaaec8607ad0f3  chromedriver.dll (browser credential stealer)

Ethereum and cryptographic indicators
0x1280a841Fbc1F883365d3C83122260E0b2995B74  Ethereum smart contract address (EtherHiding C2 lookup)
0xce6d41de  Ethereum contract function selector called by Stage 1
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmNzDf4737…  Embedded RSA public key used to verify C2 responses (prefix only, as published)

URLs (defanged)
hxxps://whpayment.ru  WeedHack dashboard URL
hxxp://whack.cy/  WeedHack dashboard URL
hxxps://weedhack.to/dashboard/auth/login  WeedHack dashboard (current)
hxxps://whtempdomain.com  WeedHack dashboard URL
hxxps://whreceiverrrrrrrrr.ru/dashboard/overview  WeedHack dashboard URL
hxxp://friendlydomain.ru/  WeedHack dashboard URL
hxxp://whrc.ru/  WeedHack dashboard URL
hxxps://whnewreceive.ru/  WeedHack dashboard URL
hxxp://weedhack.xyz  WeedHack dashboard URL
hxxp://92[.]119[.]164[.]235/  Related threat actor campaign
hxxps://acabstealer[.]ru/  Related threat actor campaign
hxxp://stealer[.]to/  Related threat actor campaign
hxxp://1312services[.]ru/  Related threat actor campaign
hxxps://1312stealer[.]ru/  Related threat actor campaign
hxxp://dieserbenni[.]ru/  Related threat actor campaign
hxxps://marsalek[.]cy/  Related threat actor campaign
hxxp://stealer[.]cy/  Related threat actor campaign
hxxps://newlumm[.]fun/  Related threat actor campaign
hxxp://limbo100x[.]ru/  Related threat actor campaign
hxxp://pentagon[.]cy/  Related threat actor campaign
hxxps://aetherminecraft.lovable.app/game-mods  Malware distribution URL
hxxps://donutdupe.xyz/DonutDupe-1.21.1.jar  Malware distribution URL
hxxps://www.skytils.net/skytils-1.21.11.jar  Malware distribution URL
hxxps://kryptonclient.gg/downloads/KryptonClient.jar  Malware distribution URL
hxxps://xenonclient.com/downloads/XenonClient-1.21.jar  Malware distribution URL
hxxps://odinclient.com/Odin-1.21.10-latest.jar  Malware distribution URL
hxxps://nova-client.com/Nova-Client-1.21.11-latest.jar  Malware distribution URL
hxxps://pixeldrain.com/api/file/o4jKp4Tx?download  Malware distribution URL
hxxps://simplevoicechatmod.com/downloads/voicechat-fabric-1.21.11-2.6.11.jar  Malware distribution URL
hxxps://gitlab.com/shlostval52/meteorclient-1.21.11/-/raw/main/AutoHarpTSM-1.21.11.jar  Malware distribution URL
hxxp://chromium-Client.github.io/main/ChromiumClient-.jar  Malware distribution URL
hxxps://t[.]me/+pw_g24ajDcQwMmYy  WeedHack Telegram channel
hxxps://t[.]me/MetaMaskenMann  WeedHack owner's Telegram account

YouTube channels (defanged)
hxxps://www.youtube.com/@TheRix-u2t  YouTube channel advertising WeedHack
hxxps://www.youtube.com/@HopzyPacks  YouTube channel advertising WeedHack

File names
DonutDupe.jar  Stage 1 payload
elevator.jar  Stage 2 payload
SecurityManager.jar  Stage 3 payload
component.jar  Stage 4 payload
RuntimeBroker.exe  Remote access backdoor
Telemetry.exe  Infostealer payload
chromedriver.dll  Browser credential stealer
WinDefConfig.cmd  Windows Defender exclusion script
Updater.vbs  Persistence VBS script
elv.vbs  UAC bypass VBS script

McAfee detection signatures
Trojan:Win/Weedhack.AA
Trojan:Win/Weedhack.AB
Trojan:Win/Weedhack.AC
Trojan:Win/Weedhack.AD
Trojan:Win/Weedhack.AE
Trojan:Script/Weedhack.AF

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
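Matching a downloaded file's hash against the list above is a one-line lookup, but only a handful of the 3,820 Stage 1 JARs have published hashes. The Python below is an added triage helper, not McAfee tooling: it hashes a JAR against the Stage 1 hashes, then searches every archive entry for the string-form indicators from the table (contract address, function selector, eth_call, RSA key prefix) plus a custom-class-loader hint. The two JARs it inspects are constructed in memory; a clean result only means the indicators were not stored as plain string constants, which an obfuscated build may well avoid.

```python
"""Added example (not McAfee tooling): static triage of a downloaded Minecraft mod or
client JAR against the indicators in the table above. Sample JARs are constructed in
memory; only indicators stored as plain string constants are found."""
import hashlib
import io
import zipfile

# Two of the published Stage 1 hashes, lowercased for comparison.
KNOWN_STAGE1_SHA256 = {
    "f2100e1f73477bc565f8909e069942dac1f884654ed4ba213ca9a84b1e761ab8",  # Glazed_Addon-1.0.0.jar
    "d3f2464ae0e48218e1d48bdfab8301ee5236f7624adcdba1720dc27058461076",  # paper-rig-mod-new.jar
}

# (name, byte pattern, case-insensitive). Hex indicators are matched without "0x".
STRING_INDICATORS = [
    ("ethereum_contract", b"1280a841fbc1f883365d3c83122260e0b2995b74", True),
    ("function_selector", b"ce6d41de", True),
    ("json_rpc_eth_call", b"eth_call", False),
    ("embedded_rsa_key_prefix", b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmNzDf4737", False),
    ("custom_classloader", b"defineClass", False),  # hint only; legitimate code uses it too
]


def scan_entry(data: bytes) -> list:
    """Names of every indicator whose bytes occur in one JAR entry."""
    lowered = data.lower()
    return [name for name, pat, ci in STRING_INDICATORS if pat in (lowered if ci else data)]


def triage_jar(jar_bytes: bytes) -> dict:
    """Hash check first, then a per-entry string scan; verdicts are deliberately coarse."""
    sha = hashlib.sha256(jar_bytes).hexdigest()
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                found = scan_entry(zf.read(info))
                if found:
                    hits[info.filename] = found
    if sha in KNOWN_STAGE1_SHA256:
        verdict = "known_weedhack_stage1"
    elif any({"ethereum_contract", "function_selector"} & set(v) for v in hits.values()):
        verdict = "likely_weedhack_stage1"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no_string_indicators"
    return {"sha256": sha, "verdict": verdict, "hits": hits}


def build_sample_jar(entries: dict) -> bytes:
    """Constructed fixture: a minimal JAR holding the given {name: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# A fake Stage 1 JAR that keeps the lookup parameters as string constants, and a benign mod.
MALICIOUS_SAMPLE = build_sample_jar({
    "fabric.mod.json": b'{"id": "donutdupe", "version": "1.0.0"}',
    "dupe/Loader.class": b"\xca\xfe\xba\xbe" + b"0x1280a841Fbc1F883365d3C83122260E0b2995B74"
                         + b"eth_call" + b"0xce6d41de" + b"defineClass",
})
BENIGN_SAMPLE = build_sample_jar({
    "fabric.mod.json": b'{"id": "examplemod", "version": "1.0.0"}',
    "example/Main.class": b"\xca\xfe\xba\xbe" + b"Hello from an ordinary mod",
})
```

Run triage_jar over the bytes of any mod or client before launching it; a "likely_weedhack_stage1" verdict on a file that never matched a published hash is exactly the case a hash-only check misses. Nested JARs and strings split or encrypted by an obfuscator are out of scope here and need dynamic analysis.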
