
Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2

Jun 26, 2026 · 5 min read

A new and highly sophisticated malware loader has been found hiding inside what appears to be a harmless Minecraft mod.

Researchers have uncovered a campaign that blends blockchain technology and social engineering to steal player credentials and deliver additional malicious payloads.

The damage is already significant, with over 116,000 unique systems compromised since the campaign began in January 2026.

The malware, known as LoaderClient, spreads as a fake Minecraft Fabric mod. Once installed, it immediately harvests the player’s session data, including display name, account UUID, and live Microsoft OAuth access token.

That stolen token is especially dangerous: it is a bearer credential issued after a completed login, so whoever holds it can act as the victim's account without knowing the password and without ever triggering a two-factor prompt.

Analysts at DarkAtlas identified and detailed the malware in a report shared with Cyber Security News (CSN).

Their findings reveal LoaderClient is the stage-one payload of a broader campaign called WeedHack, a Malware-as-a-Service platform available free or for five dollars a month.

By June 2026, the operation had produced over 3,820 unique malicious files and was logging between 2,000 and 3,000 new infections daily.

Flexible plans (Source – DarkAtlas)

What makes this threat alarming is how it spreads. Operators upload polished YouTube videos showcasing popular mods and bury malicious download links in the descriptions.

They also run fake portals that impersonate legitimate mod sites and rank highly through SEO poisoning. Because players are conditioned to dismiss antivirus warnings as false positives, many disable their defenses and run the malware unknowingly.

The campaign has grown a community of over 850 registered operators on Telegram, many of them teenagers using the tools for peer harassment, webcam access, and social media hijacking.

This shift reflects how low-cost malware is increasingly weaponized for personal disputes rather than purely financial crime.

Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates

What sets LoaderClient apart is its command-and-control architecture. Instead of embedding a server address in the code, the malware queries an Ethereum smart contract to retrieve its active C2 URL using a technique called EtherHiding.

This makes the infrastructure resilient to takedowns: seizing a domain or leaning on a hosting provider removes only the current drop point, and the operator can publish a new, signed URL through the contract.

Video tutorials and guides (Source – DarkAtlas)

The smart contract responds with a URL paired with an RSA digital signature. The malware then verifies that signature against a hardcoded 2048-bit RSA public key before trusting the address.

Only the operator's private key can produce a valid signature, so a URL planted through a tampered or copied contract, or swapped into the RPC response in transit, fails verification; a defender cannot sinkhole the loader by handing it a replacement address.

Once the C2 URL is verified, LoaderClient downloads the stage-two payload entirely in memory, never writing a file to disk. That payload is compiled using JNIC v3.7.0, hiding all logic inside encrypted native Windows DLLs.

It independently re-resolves its C2 through the same Ethereum contract and performs its name lookups over DNS-over-HTTPS, which hides them from conventional DNS monitoring. The contract address is the campaign's most durable indicator: it lives permanently on the blockchain and cannot be taken down.
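To make the verification step concrete, here is an added illustration of the resolver logic described above; it is not code from the LoaderClient sample or from the DarkAtlas report. It uses textbook RSA over a SHA-256 digest at a toy 512-bit key size so that it runs in pure Python, whereas the real loader pins a 2048-bit key and presumably uses a padded signature scheme. The contract response layout (a JSON record with url and sig fields) and every URL below are assumptions.

```python
import hashlib
import json
import random

# Added illustration of "signed C2 URL from a smart contract" resolution.
# Textbook RSA (no padding) at a toy 512-bit size, seeded for reproducibility;
# the real loader pins a 2048-bit key. Response field names are assumed.
_rng = random.Random(20260626)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return (private, public) as ((d, n), (e, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)


def _digest(url):
    # SHA-256 of the URL as an integer; always below n for a 512-bit modulus
    return int.from_bytes(hashlib.sha256(url.encode()).digest(), "big")


def sign_url(priv, url):
    d, n = priv
    return pow(_digest(url), d, n)


def verify_url(pub, url, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(url)


def resolve_c2(contract_payload, pinned_pub):
    """The loader-side check: trust the URL only if the pinned key verifies it."""
    rec = json.loads(contract_payload)
    if verify_url(pinned_pub, rec["url"], int(rec["sig"], 16)):
        return rec["url"]
    return None


def demo():
    priv, pub = gen_keypair()  # pub is what would be hardcoded in the loader
    url = "https://c2.example.invalid/files/jar/module"  # constructed, not a real IoC
    sig = format(sign_url(priv, url), "x")
    genuine = json.dumps({"url": url, "sig": sig})
    # A sinkhole attempt: the URL in the response is swapped but cannot be re-signed
    sinkhole = json.dumps({"url": "https://sinkhole.example.invalid/", "sig": sig})
    return resolve_c2(genuine, pub), resolve_c2(sinkhole, pub)


if __name__ == "__main__":
    print(demo())
```

The genuine record resolves to the operator's URL; the swapped record resolves to nothing, which is the property that defeats sinkholing. Note what the check does not cover: it binds the URL to the key, not to the contract, so anyone who obtains the operator's private key (or the operator on a new contract) can still redirect every infected host.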

Detection Evasion and Defense Recommendations

LoaderClient layers multiple evasion techniques to avoid detection at every stage. All sensitive strings are encrypted using a custom cipher called decS, producing non-standard Unicode characters that defeat signature-based tools.

The JAR also carries a zip bomb, an entry that declares 442 megabytes but occupies roughly 665 kilobytes compressed. It exhausts automated scanners that inflate archive contents while keeping the file itself small enough to pass upload size limits.
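A scanner that inflates every archive entry is exactly what such an entry targets. The following added example, which is not code from the report or from the malware, shows the check a practitioner would want in front of any JAR analysis: read only the central directory and flag entries whose declared size is implausibly large relative to their stored size, without decompressing anything. The sample JAR is constructed in memory, with an 8 MB all-zero META-INF/README.txt standing in for the 442 MB entry; the ratio and total-size thresholds are assumed values.

```python
import io
import zipfile

# Added example: central-directory-only triage for zip-bomb style JAR entries.
# The sample archive below is constructed here; it is not the real sample.


def build_sample_jar(bomb_bytes=8 * 1024 * 1024):
    """Constructed JAR: a tiny config beside a highly compressible README entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("cfg.json", '{"campaign": "constructed-example"}')
        jar.writestr("META-INF/README.txt", b"\x00" * bomb_bytes)
    return buf.getvalue()


def inspect_jar(data, max_ratio=200, max_declared_total=256 * 1024 * 1024):
    """Flag suspicious entries using only central-directory metadata.

    Returns a list of (entry, declared_size, stored_size, ratio). Nothing is
    inflated: infolist() reads the central directory, and file_size /
    compress_size are the sizes the archive declares, which is exactly what a
    bomb relies on. Thresholds are assumed values, not from the report.
    """
    findings = []
    declared_total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            declared_total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                findings.append((info.filename, info.file_size,
                                 info.compress_size, round(ratio)))
    if declared_total > max_declared_total:
        findings.append(("<archive total>", declared_total, len(data),
                         round(declared_total / len(data))))
    return findings


def safe_to_extract(data, **limits):
    """Gate to run before any full extraction or content scan of a JAR."""
    return not inspect_jar(data, **limits)


if __name__ == "__main__":
    for finding in inspect_jar(build_sample_jar()):
        print(finding)
```

Deflate tops out near 1000:1 on runs of identical bytes, so an honest archive of source, classes and textures never approaches the ratio the README.txt entry shows. When an entry does pass the gate, still read it through a bounded stream (a fixed cap on bytes taken from jar.open()) rather than trusting the declared size, since the central directory is attacker-controlled.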

The stage-two module escalates privileges with a CMSTP UAC bypass, abusing the auto-elevating Connection Manager Profile Installer (cmstp.exe) to run its commands at high integrity; no elevation prompt is ever shown, so the victim has nothing to approve.

Weedhack Chat (Source – DarkAtlas)

A scheduled task called JMonitoringTask runs every two minutes as a watchdog, while another named JavaSecurityUpdater activates at login with the highest system privileges.

Windows Defender is tampered with to add exclusion paths, so the dropped files are never scanned. Defenders are advised to block Ethereum JSON-RPC traffic on gaming and educational networks, since no legitimate Minecraft activity requires blockchain calls.

Organizations should also watch the contract on Etherscan: every C2 URL rotation is a transaction, so the operator's history of changes is a permanent public record.

Deploying the published YARA rules and rotating affected credentials immediately after any suspected infection, the stolen Microsoft OAuth token in particular, are both essential steps to limit further damage.
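The host and network indicators above translate directly into detection logic. The following added example, which is not from DarkAtlas or the report, runs a handful of rules over constructed event records of the kind an EDR or proxy would emit: scheduled-task creation, Defender exclusion writes, drops under %TEMP% and %APPDATA%, and Ethereum JSON-RPC calls, including an eth_call aimed at the contract listed in the IoC table. The event schema, the rule names and the sample events are assumptions; only the task names, file paths and contract address come from the article.

```python
import fnmatch
import json
import re

# Added detection example. Event schema and rule names are assumed; the task
# names, file paths and contract address are the ones reported in the article.
ETHERHIDING_CONTRACT = "0x1280a841fbc1f883365d3c83122260e0b2995b74"
TASK_NAMES = {"jmonitoringtask", "javasecurityupdater"}
DROP_GLOBS = (
    "*\\temp\\lib*.dll",
    "*\\temp\\*.acdm",
    "*\\roaming\\runtimebroker.exe",
    "*\\roaming\\windowsrunetimebroker.exe",
    "*\\roaming\\microsoft\\tlmtry\\telemetry.exe",
)
DEFENDER_EXCLUSIONS = re.compile(r"\\windows defender\\exclusions\\", re.I)


def check_event(ev):
    """Return the list of rule names the event triggers (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "task_created" and ev.get("task", "").lstrip("\\").lower() in TASK_NAMES:
        hits.append("persistence.scheduled_task")
    if kind == "registry_set" and DEFENDER_EXCLUSIONS.search(ev.get("key", "")):
        hits.append("defense_evasion.defender_exclusion")
    if kind == "file_created":
        path = ev.get("path", "").lower()
        if any(fnmatch.fnmatchcase(path, g) for g in DROP_GLOBS):
            hits.append("dropper.known_path")
    if kind == "http_request" and ev.get("content_type", "").startswith("application/json"):
        try:
            body = json.loads(ev.get("body", ""))
        except ValueError:
            body = None
        if isinstance(body, dict) and str(body.get("method", "")).startswith("eth_"):
            # Any Ethereum JSON-RPC from a gaming or school endpoint deserves a look
            hits.append("c2.ethereum_jsonrpc")
            params = body.get("params") or []
            target = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
            if str(target).lower() == ETHERHIDING_CONTRACT:
                hits.append("c2.etherhiding_contract")
    return hits


def scan(events):
    return [(ev["id"], rule) for ev in events for rule in check_event(ev)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "task": "\\JMonitoringTask",
     "command": "javaw.exe", "trigger": "PT2M"},
    {"id": 2, "type": "task_created", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"id": 3, "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\player\AppData\Roaming"},
    {"id": 4, "type": "file_created",
     "path": r"C:\Users\player\AppData\Local\Temp\lib8213.dll"},
    {"id": 5, "type": "file_created",
     "path": r"C:\Users\player\AppData\Roaming\.minecraft\mods\fabric-api.jar"},
    {"id": 6, "type": "http_request", "content_type": "application/json",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x1280a841Fbc1F883365d3C83122260E0b2995B74",
                                     "data": "0x"}, "latest"]})},
    {"id": 7, "type": "http_request", "content_type": "application/json",
     "body": json.dumps({"action": "login", "user": "player"})},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The generic c2.ethereum_jsonrpc rule is the one worth keeping even after the operator rotates contracts, because it encodes the article's point that a gaming or school network has no reason to speak Ethereum JSON-RPC at all; the contract-specific rule only confirms which campaign is responsible.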

Indicators of Compromise (IoCs):

Type | Indicator | Description
SHA256 | F91714F89616002C6C1411233470F58E74FAD7CB5A7DA6F77AA6082F5D2E8771 | Stage-1 LoaderClient JAR file hash
SHA1 | F7911F5BE3D08DA95DCDA8AFB1BEB8E462376F9D | Stage-1 LoaderClient JAR file hash
MD5 | D991A7C9E2C3B269975404405A79ADBC | Stage-1 LoaderClient JAR file hash
SHA256 | E7D1346153B49CE403687BBD0DDBF1DB63DE6808D64EA2812EA48EF0CFE7CF2A | Stage-2 Module.jar file hash
Ethereum Contract | 0x1280a841Fbc1F883365d3C83122260E0b2995B74 | Ethereum smart contract used for C2 URL resolution (EtherHiding)
Domain | fucktermedfir[.]st | Current active C2 domain resolved from smart contract
Domain | whnewreceive[.]ru | Previous C2 domain (active March 2026)
URL | https://fucktermedfir[.]st/files/jar/module | Stage-2 payload download URL
WebSocket | wss://remotev2.whpayment[.]ru/ws/client | Primary WebSocket C2 endpoint for premium RAT
WebSocket | wss://remotev2.whreceive[.]ru/ws/client | Backup WebSocket C2 endpoint for premium RAT
Domain | telemetrydata[.]to | Data exfiltration endpoint
IPv4 | 45.141.119.34 (Port 50169) | Network indicator associated with campaign
File Path | %APPDATA%\Roaming\RuntimeBroker.exe | Dropped backdoor location on infected host
File Path | %APPDATA%\Roaming\Microsoft\Tlmtry\Telemetry.exe | Dropped stealer location on infected host
File Path | %APPDATA%\Roaming\WindowsRunetimeBroker.exe | Backup payload location on infected host
File Path | %TEMP%\lib*.dll | Native DLL dropped by JNIC loader
File Path | %TEMP%\*.acdm | Configuration file dropped on infected host
Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry key used by malware
Scheduled Task | JMonitoringTask | Watchdog task running every 2 minutes
Scheduled Task | JavaSecurityUpdater | Persistence task running at LOGON with HIGHEST privilege
JAR Resource | META-INF/README.txt | Zip bomb entry inside malicious JAR
JAR Resource | cfg.json | Embedded config file containing campaign UUID
File Extension | .acdm | Custom file extension used for dropped config files
Campaign UUID | 6fb0a044-eb0c-4d1f-b497-827b715590a7 | Operator-assigned campaign identifier embedded in stage-1

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
