Minecraft Mod Malware Uses Blockchain for Stealthy Control

A sophisticated malware campaign has been uncovered targeting Minecraft players through a deceptive mod named LoaderClient. The malware publishes its command-and-control (C2) address through an Ethereum smart contract rather than a fixed domain, giving its operators infrastructure that is particularly hard to take down.

Disguised as a legitimate Minecraft Fabric mod, LoaderClient harvests sensitive player data from the infected system, including display names, account UUIDs, and Microsoft OAuth access tokens. The stolen tokens are the most serious loss: an access token is a post-authentication credential, so whoever holds it can act as the player without knowing the password and without ever being challenged by two-factor authentication, which only gates the initial sign-in, until the token expires or is revoked.

Security researchers have identified LoaderClient as the initial payload in a broader operation known as WeedHack, a Malware-as-a-Service platform. Since its inception in January 2026, WeedHack has generated over 3,820 unique malicious files, leading to more than 116,000 system compromises. The campaign continues to expand, with daily infections ranging between 2,000 and 3,000.

The distribution methods for this malware are notably deceptive. Operators publish polished YouTube videos showcasing popular mods and place malicious download links in the descriptions. They also set up counterfeit websites that mimic legitimate mod portals and use search engine optimization (SEO) to rank them highly in search results. This strategy exploits the trust of players, many of whom override antivirus warnings, dismissing them as the false positives that mods and cheat clients routinely trigger, and install the malware themselves.

LoaderClient's command-and-control lookup is its most innovative part. Instead of hardcoding server addresses, the malware reads the active C2 URL from an Ethereum smart contract, a technique referred to as EtherHiding. Reading contract state is a read-only query (typically an `eth_call` against any public RPC endpoint) that costs the operator nothing; only updating the stored URL costs gas. Seizing the current C2 domain therefore buys little: the operator writes a new URL into the contract, every implant picks it up on its next lookup, and the contract itself cannot be taken down by a registrar or hosting provider.

The smart contract returns the URL together with an RSA digital signature over it. LoaderClient verifies that signature against a 2048-bit RSA public key hardcoded in the mod before it will use the address. Because only the operator's private key can produce a valid signature, a defender who intercepts or spoofs the RPC response cannot substitute a sinkhole URL; the implant simply rejects it. What remains for defenders is blocking the RPC endpoints or the downstream C2 hosts, and treating the embedded public key and contract address as indicators: both can be extracted from the mod, and the contract can then be watched for new URLs as the operator rotates infrastructure.
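The following is an added example, not code from LoaderClient or from the researchers who analysed it. It reproduces the resolution step described above end to end: the operator signs a C2 URL, the contract's view function returns `(string url, bytes sig)` in standard Ethereum ABI encoding (simulated here with a local encoder, no RPC involved), and the implant decodes the return data and accepts the URL only if the signature verifies against its hardcoded public key. It then shows why a sinkhole fails: swapping in a different URL while reusing the operator's signature is rejected. The URLs, the `(string, bytes)` return layout and the use of PKCS#1 v1.5 over SHA-256 are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// abiEncodeStringBytes simulates a contract view function returning (string, bytes):
// two 32-byte head words holding the offset of each dynamic item, followed by
// each item's 32-byte length word and its data padded to a 32-byte boundary.
func abiEncodeStringBytes(s string, b []byte) []byte {
	pad := func(d []byte) []byte {
		out := make([]byte, (len(d)+31)/32*32)
		copy(out, d)
		return out
	}
	word := func(v int) []byte {
		w := make([]byte, 32)
		binary.BigEndian.PutUint64(w[24:], uint64(v))
		return w
	}
	sTail := append(word(len(s)), pad([]byte(s))...)
	bTail := append(word(len(b)), pad(b)...)
	out := append(word(64), word(64+len(sTail))...) // head: offsets of s and b
	out = append(out, sTail...)
	return append(out, bTail...)
}

// abiDecodeStringBytes is the implant-side decoder. Every offset and length is
// bounds-checked so malformed return data yields an error rather than a panic.
func abiDecodeStringBytes(data []byte) (string, []byte, error) {
	readWord := func(off int) (int, error) {
		if off+32 > len(data) {
			return 0, errors.New("abi: short data")
		}
		v := new(big.Int).SetBytes(data[off : off+32])
		if !v.IsInt64() || v.Int64() > int64(len(data)) {
			return 0, errors.New("abi: offset or length out of range")
		}
		return int(v.Int64()), nil
	}
	readDyn := func(headOff int) ([]byte, error) {
		off, err := readWord(headOff)
		if err != nil {
			return nil, err
		}
		n, err := readWord(off)
		if err != nil {
			return nil, err
		}
		if off+32+n > len(data) {
			return nil, errors.New("abi: item runs past end of data")
		}
		return data[off+32 : off+32+n], nil
	}
	s, err := readDyn(0)
	if err != nil {
		return "", nil, err
	}
	b, err := readDyn(32)
	if err != nil {
		return "", nil, err
	}
	return string(s), b, nil
}

// signC2URL is the operator side: sign the URL before writing (url, sig) to the contract.
func signC2URL(priv *rsa.PrivateKey, url string) ([]byte, error) {
	h := sha256.Sum256([]byte(url))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// resolveC2 is the implant side: decode the contract's return data and use the
// URL only if the signature verifies against the hardcoded public key.
func resolveC2(pub *rsa.PublicKey, ret []byte) (string, error) {
	url, sig, err := abiDecodeStringBytes(ret)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(url))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", fmt.Errorf("rejecting %q: %w", url, err)
	}
	return url, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the operator's key
	sig, _ := signC2URL(priv, "https://c2.example/gate")
	url, err := resolveC2(&priv.PublicKey, abiEncodeStringBytes("https://c2.example/gate", sig))
	fmt.Println("genuine:", url, err)
	// Sinkhole attempt: the URL is swapped but the signature cannot be regenerated.
	_, err = resolveC2(&priv.PublicKey, abiEncodeStringBytes("https://sinkhole.example/", sig))
	fmt.Println("sinkhole:", err)
}
```

The check that defeats the sinkhole is the `VerifyPKCS1v15` call: the substituted URL hashes to a different digest, so the operator's signature no longer matches. The same code also shows what a defender can do instead, since `abiDecodeStringBytes` applied to the real contract's return data yields the current C2 URL the moment the operator rotates it.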

Once the URL verifies, LoaderClient downloads the second-stage payload straight into memory, never writing it to disk and so sidestepping file-based detection. This payload, compiled with JNIC v3.7.0, hides its logic inside encrypted native Windows DLLs rather than plain Java bytecode. It resolves the C2 address independently through the same Ethereum contract and performs its name lookups over DNS-over-HTTPS, so conventional DNS logging and DNS-based blocking never see them.
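Both stages leave the same two network traces that a game client has no legitimate reason to produce: JSON-RPC `eth_call` requests to an Ethereum RPC endpoint, and DNS-over-HTTPS traffic, each originating from the Minecraft JVM. The following hunting routine is an added example, not from the original report or any vendor product. It runs over a constructed set of per-request network telemetry records (the JSON field layout, the process names and all hosts and request bodies are assumptions for the demonstration) and flags those two behaviours only when the originating process is a Java runtime, which keeps ordinary browser traffic to DoH resolvers or blockchain sites out of the results.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NetEvent is a hypothetical per-request telemetry record as a TLS-inspecting
// proxy or EDR sensor might emit it. Adapt the field names to your own source.
type NetEvent struct {
	Process     string `json:"process"`
	Host        string `json:"host"`
	Path        string `json:"path"`
	ContentType string `json:"content_type"`
	Body        string `json:"body"`
}

type Finding struct {
	Process string
	Reason  string
}

// Constructed sample events: one benign Minecraft session-server call, one
// EtherHiding lookup, one DoH query, and one unrelated browser DoH query.
var SampleEvents = []string{
	`{"process":"javaw.exe","host":"sessionserver.mojang.com","path":"/session/minecraft/join","content_type":"application/json","body":"{\"accessToken\":\"redacted\"}"}`,
	`{"process":"javaw.exe","host":"rpc.example","path":"/","content_type":"application/json","body":"{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"0x0000000000000000000000000000000000000000\",\"data\":\"0xdeadbeef\"},\"latest\"],\"id\":1}"}`,
	`{"process":"javaw.exe","host":"dns.example","path":"/dns-query","content_type":"application/dns-message","body":""}`,
	`{"process":"firefox.exe","host":"dns.example","path":"/dns-query","content_type":"application/dns-message","body":""}`,
}

// isJavaProcess: Minecraft runs under a JVM, and the second stage described
// above is still loaded into that JVM, so both stages originate from java/javaw.
func isJavaProcess(p string) bool {
	p = strings.ToLower(p)
	return strings.HasSuffix(p, "java.exe") || strings.HasSuffix(p, "javaw.exe") ||
		strings.HasSuffix(p, "/java") || p == "java"
}

// isDoH matches the RFC 8484 media type, the common JSON variant, and the
// conventional /dns-query path.
func isDoH(e NetEvent) bool {
	ct := strings.ToLower(e.ContentType)
	return strings.Contains(ct, "application/dns-message") ||
		strings.Contains(ct, "application/dns-json") ||
		strings.HasSuffix(e.Path, "/dns-query")
}

// isEthCall parses the request body as JSON-RPC and checks for a read-only
// contract call, which is how EtherHiding implants fetch their C2 URL.
func isEthCall(e NetEvent) bool {
	if !strings.Contains(strings.ToLower(e.ContentType), "application/json") {
		return false
	}
	var rpc struct {
		Method string `json:"method"`
	}
	if err := json.Unmarshal([]byte(e.Body), &rpc); err != nil {
		return false
	}
	return rpc.Method == "eth_call"
}

// Hunt returns one finding per suspicious event; malformed lines are skipped.
func Hunt(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		var e NetEvent
		if err := json.Unmarshal([]byte(l), &e); err != nil || !isJavaProcess(e.Process) {
			continue
		}
		switch {
		case isEthCall(e):
			out = append(out, Finding{e.Process, "JSON-RPC eth_call to " + e.Host})
		case isDoH(e):
			out = append(out, Finding{e.Process, "DNS-over-HTTPS to " + e.Host})
		}
	}
	return out
}

func main() {
	for _, f := range Hunt(SampleEvents) {
		fmt.Printf("%s: %s\n", f.Process, f.Reason)
	}
}
```

The body-level checks only work where TLS is terminated and inspected; without that, the host and SNI are all you have, and the rule degrades to "JVM talking to a known Ethereum RPC provider or DoH resolver", which is still a useful signal on a gaming endpoint.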

The WeedHack platform has attracted a community of over 850 registered operators on Telegram, many of whom are teenagers using the tools for personal vendettas, such as harassment, unauthorized webcam access, and social media account takeovers. This trend highlights the increasing accessibility of sophisticated malware for non-financially motivated attacks.

The use of a public blockchain for C2 resolution marks a notable evolution in commodity malware. By anchoring the C2 lookup in a smart contract on Ethereum, the operators gain a rendezvous point that no registrar or hosting provider can take down and that costs them nothing to read and little to update, while the signature check closes off the sinkhole route defenders would normally use. Disruption has to shift accordingly: toward the RPC endpoints the implants query, the hosts the contract currently points at, and the distribution channels that bring the mod to players in the first place.