Introduction

Putting aside the edgy name, WeedHack has been a prevalent multi-staged .jar Malware-as-Service (MaaS) campaign in the last few months, and it has no signs of slowing - quite the opposite. This campaign is especially interesting due to the combination of modern techniques that we are seeing actors implement. From SEO Poisoning to YouTube channel hijacking, to the use of Discord as C2 as well as the use of EtherHiding - using the Ethereum network to store configuration and C2 details through smart contracts.

These techniques, alongside the affordability element in the fact that they offer a free tier - infostealer, all up to a very low cost entry subscription based service for the full suite - RAT, make this campaign particularly of interest.

This post will be a mixture of a thought-piece as to how we are seeing actors’ tactics shift, as well as covering some of the technical details at a high level. A full technical writeup of a sample is WIP.

History

Now WeedHack itself isn’t something that has spawned out of thin air. It formed its roots under the name of Majanito, an invite-only, similarly made multi-stage payload credential stealer back in 2025.

It’s only of 2026 where it was rebranded into what it is today. A MaaS that is cheaper than your Netflix subscription, from info-stealing to a full Remote Access Trojan (RAT) suite.

It is interesting, from the samples, it is obvious that this is still being developed and improved. We can see changes and yet similarities between the multiple stages over time. I refer to this WeedHack V1 & V2, and it’s interesting how different “mods” or “clients” have a combination of elements of both versions. As previously mentioned, a full reverse engineering of a set of samples is a WIP.

Delivery Mechanism

For context, WeedHack masquerades itself as Minecraft cheats, mods, launchers, etc. As we know, Minecraft, the best selling video game in the world, still has an incredibly large playerbase despite its launch in 2011 - one of those being myself.

For those that have played Minecraft throughout the years, we know the extensive “modding” community, not to mention the expansive multiplayer element. These factors, with a what can be considered “young” target audience, leads naturally for the want of ways to cheat or modify the game in some form, especially in multiplayer settings. This sets the background for why WeedHack is so prevalent.

Now, it’s no surprise to anyone the natural market that exists for the want of gaming cheats. Name any game - this is a natural ecosystem, and a story that has been told many times before - someone looking for cheats gets hacked…No surprise there.

YouTube/Social Media (TikTok) Hijacking

A rather unique - but effective - vessel for this campaign is using social media, particularly, YouTube and TikTok to spread this campaign. The usual method is hijacking these accounts, either via phishing (i.e. pretending to be a brand/sponsor) or credential re-use.

You can find examples of this where accounts with completely unrelated content suddenly start posting AI-generated videos and slick thumbnails advertising BEST FREE HACKS for $gamehere. Safe to say, it’s been taken over. yt1

Of which, there are copious links within the description and pinned comments advertising random AI-generated bullshit.

c1 Funnily enough, the “online count” is entirely fabricated, and the detection text is hardcoded. Hahaha.

const e=(t,l)=>t+Math.floor(Math.random()*(l-t+1)),a=Array.from(document.querySelectorAll(".srow-online")),o=a.map(()=>e(60,1500)),c=document.getElementById("st-online"),r=document.getElementById("st-builds");let s=e(800,1600);function d(){let t=0;a.forEach((l,n)=>{o[n]=Math.max(8,o[n]+e(-7,7))

SEO Poisoning

It is no wonder, when we look at Google Trends, the amount of searches relating to Minecraft:

  • “hacks”
  • “client”
  • “mods”
  • “launcher”

gtrends

Why SEO poisoning is such an effective vehicle to deliver malware of this kind. SEO poisoning usually involves faking official websites and using SEO keywords, or even advertising, to rank higher than the official website. Now this is not groundbreaking news in the world of Malware, but it’s how effective it is for WeedHack that is worthy of note.

One such example is faking LunarClient, a popular launcher for Minecraft. You can just look at the player count to judge the scale. A typo-squatted domain, or a domain with the same name but a different TLD, with a 1:1 copy, just pointing to their stage1, has been an effective mechanism for this campaign.

lclient

We have even seen these actors using AI to create functional “Launchers”. As the victim, you’re none the wiser. It all looks and functions legitimate. Now, you don’t need me to be condescending in telling you how people are using AI to generate websites and applications like never before. Unsurprisingly, malware actors are doing the exact same.

No longer is it just a random CMD/terminal that pops up, but we are seeing actual functional applications executing their tricks in the background - with almost 0 effort required.

Now, we talk about Minecraft here specifically, but it’s prevalent across $insertgame. The same slop, the same tricks.

mc1 (Credit to Eric Parker)

A Very Brief Analysis

Please note, a full technical writeup for both v1 & v2 of a set of WeedHack samples is a WIP. This section is just a “highlight” cursory look at the samples.

The examples below are for V1 of the sample, which is a lot less protected than “fresh off the press” samples, which include JNIC obfuscation + XOR’ing for function name obfuscation.

Stage 1

So, what’s important to note is that in this specific example, for all intents and purposes, it appears as a legitimate Minecraft Mod. fabric.mod.json with both a LoaderClient.java & Memory Classloader.

MC Session Steal

Immediately after the mod is initialised, the authentication token for the Minecraft client to Microsoft’s servers is immediately stolen.

MinecraftClient mc = MinecraftClient.getInstance();
Session session = mc.getSession();
String token = session.getAccessToken()
String username = session.getUsername();
String uuid = session.getUuid();

A background thread is spawned to download stage2.

new Thread(() -> {
 StagingHelper.stageWithContext(contextJson);
}).start();

Stage 2 (Info Stealer)

Stage 2 is the information stealer. The classes for this stage are stored in memory via HashMap, where the classloader will then initialise:

Method init = main.getMethod("initializeWeedhack", JsonObject.class);
init.invoke(null, context);

And will search the system for all sorts of juicy credentials via the extracted DLL within .dat of the stage2 JAR:

  • Browser Cookies, Password vaults: Chrome, Firefox, Edge, (you name it)
  • Crypto Wallet extensions: MetaMask, Coinbase, Exodus, etc
  • Crypto Wallet apps: Exodus, Atomic, Electrum, Jaxx, etc
  • Discord: tokens, browser tokens, and authenticated API sessions
  • System information, “backup” key terms, Telegram data folder

Stage 3 (RAT)

WIP.

EtherHiding

EtherHiding is a technique where actors store malicious payloads or C2 instructions on a public blockchain (originally Ethereum, now mostly BNB Smart Chain) instead of on servers they rent.

The key differentiator from previous techniques is that rather than having a list of domains or IPs to reach, the malware instead reaches out to the contract on the blockchain to list the contents. Actors benefit from the decentralisation of these technologies, where, rather than submitting a take-down request to a domain provider and killing the malware, the blockchain is immutable and distributed, so it would require takedowns to 100s if not 1000s of nodes.

Moreover, reading from the blockchain is free - it’s only writing that requires a fee (gas). Attackers use the contents of smart contracts, or even fields within cryptocurrency wallets to point their malware to.

We have seen this abuse from skids to nation state actors (UNC5142 & DPRK).

AI Slop

I could chew your ear off about the implications of generative AI and the enormous uptick we see in more sophisticated malware campaigns. Sophisticated is doing a lot of heavy lifting…what I mean is, it’s lowered the barrier to entry significantly.

However, the artefacts are there, and for us, it’s always funny to see OPSEC fails because they don’t know what’s happening, how it works, or what to check. A lovely highlight in this example is the full symbols table and build cfg packaged in a zip.

	</dllmap>
	<dllmap dll="gdiplus" target="/Users/bokken/build/output/Unity-Technologies/mono/external/buildscripts/add_to_build_results/monodistribution/lib/libgdiplus.dylib" os="!windows"/>
	<dllmap dll="gdiplus.dll" target="/Users/bokken/build/output/Unity-Technologies/mono/external/buildscripts/add_to_build_results/monodistribution/lib/libgdiplus.dylib"  os="!windows"/>
	<dllmap dll="gdi32" target="/Users/bokken/build/output/Unity-Technologies/mono/external/buildscripts/add_to_build_results/monodistribution/lib/libgdiplus.dylib" os="!windows"/>
	<dllmap dll="gdi32.dll" target="/Users/bokken/build/output/Unity-Technologies/mono/external/buildscripts/add_to_build_results/monodistribution/lib/libgdiplus.dylib" os="!windows"/

Bokken, if you’re reading this, hello :)

The uptick of the use of Unity to build clients/apps like this deserves its own separate post.

Final Remarks

If you go looking for hacks or cheats, and you get burned? Boo hoo. Git Gud.

Now on a serious note, WeedHack is just an example of an entire family of similar MaaS that has had an incredible uptick with the availability of generative AI. The barrier to entry, to make much more functional apps/launchers/websites, is lower than it ever has been before. These campaigns stick out like a sore thumb, but it’s a sign of the times that it’s no longer just “I downloaded something and a weird terminal popped up for 2 seconds”.

We are actively seeing generative-AI built launchers, that, if one is none the wiser, function as it has been advertised. The reason why WeedHack stands out to me - in the sense of - making time to write a post about it, is the combination of modern techniques that we are seeing threat actors shift towards. Untraditional (for now) means of preventing sinkholing or takedowns by techniques such as EtherHiding.

The fact that now a rather substantial RAT is a cheaper subscription than Netflix or Amazon Prime is absolutely bonkers.