Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2

By Tushar Subhra Dutta, Cyber Security News, June 26, 2026

A new and highly sophisticated malware loader has been found hiding inside what appears to be a harmless Minecraft mod. Researchers have uncovered a campaign that blends blockchain technology and social engineering to steal player credentials and deliver additional malicious payloads. The damage is already significant, with over 116,000 unique systems compromised since the campaign began in January 2026.

The malware, known as LoaderClient, spreads as a fake Minecraft Fabric mod. Once installed, it immediately harvests the player's session data, including display name, account UUID, and live Microsoft OAuth access token. That stolen token is especially dangerous because it grants access to the account without the password and without triggering two-factor authentication: it is the output of a login the victim has already completed, and it remains usable until it expires or is revoked.

Analysts at DarkAtlas identified and detailed the malware in a report shared with Cyber Security News (CSN). Their findings reveal LoaderClient is the stage-one payload of a broader campaign called WeedHack, a Malware-as-a-Service platform available free or for five dollars a month. By June 2026, the operation had produced over 3,820 unique malicious files and was logging between 2,000 and 3,000 new infections daily.

[Figure: Flexible plans (Source: DarkAtlas)]

What makes this threat alarming is how it spreads. Operators upload polished YouTube videos showcasing popular mods and bury malicious download links in the descriptions. They also run fake portals that impersonate legitimate mod sites and rank highly through SEO poisoning. Because players are conditioned to dismiss antivirus warnings as false positives, many disable their defenses and run the malware unknowingly. The campaign has grown a community of over 850 registered operators on Telegram, many of them teenagers using the tools for peer harassment, webcam access, and social media hijacking.
This shift reflects how low-cost malware is increasingly weaponized for personal disputes rather than purely financial crime.

Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates

What sets LoaderClient apart is its command-and-control architecture. Instead of embedding a server address in the code, the malware queries an Ethereum smart contract to retrieve its active C2 URL, a technique known as EtherHiding. Because the contract state is replicated across every Ethereum node, the infrastructure cannot be disrupted through domain seizures or hosting provider action; when a C2 domain is lost, the operator simply writes a new URL to the contract.

[Figure: Video tutorials and guides (Source: DarkAtlas)]

The smart contract responds with a URL paired with an RSA digital signature. The malware verifies that signature against a 2048-bit RSA public key hardcoded in the loader before trusting the address. Only the holder of the matching private key can produce a valid signature, so a URL placed in the contract by anyone else, for example a defender attempting to sinkhole the C2, fails verification and is discarded. The signature check raises the bar for hijacking the channel, not for detecting it: the contract address is the same in every sample, and every write to the contract is public.

Once the C2 URL is verified, LoaderClient downloads the stage-two payload entirely in memory, never writing the JAR to disk (the JNIC runtime it relies on does drop native DLLs to %TEMP%, as the IoC list below shows). That payload is compiled using JNIC v3.7.0, hiding all logic inside encrypted native Windows DLLs. It independently re-resolves C2 through the same Ethereum contract and uses DNS-over-HTTPS to evade corporate network monitoring. The Ethereum contract address is the most durable indicator of this campaign, living permanently on the blockchain.

Detection Evasion and Defense Recommendations

LoaderClient layers multiple evasion techniques to avoid detection at every stage. All sensitive strings are encrypted using a custom cipher called decS, producing non-standard Unicode characters that defeat signature-based tools. The JAR also contains a 442-megabyte zip bomb compressed to roughly 665 kilobytes, designed to crash automated scanners and bypass upload size limits. The stage-two module escalates privileges through a CMSTP UAC bypass, silently approving elevation prompts without any input from the victim.
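The verify-before-trust step described above is what makes contract tampering useless to a defender. The following Go program is an added illustration, not code from LoaderClient or from the DarkAtlas report: it models the operator signing a URL before writing it to the contract and the loader accepting only entries that verify under its pinned public key. The entry layout, the choice of SHA-256 with PKCS#1 v1.5 padding, and the URLs are assumptions; the report only states that the contract returns a URL plus an RSA signature checked against a hardcoded 2048-bit key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ResolverEntry models what the contract hands back: a C2 URL and an RSA
// signature over it. The field layout is assumed for illustration; the
// real contract's ABI is not described in the report.
type ResolverEntry struct {
	URL       string
	Signature []byte
}

// NewOperatorKey generates the 2048-bit key pair the operator would hold.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Publish is the operator side: sign the URL with the private key before
// writing it to the contract. SHA-256 + PKCS#1 v1.5 is an assumption.
func Publish(priv *rsa.PrivateKey, url string) (ResolverEntry, error) {
	digest := sha256.Sum256([]byte(url))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return ResolverEntry{}, err
	}
	return ResolverEntry{URL: url, Signature: sig}, nil
}

// Resolve is the loader side: accept the URL only if the signature verifies
// under the public key that ships inside the loader.
func Resolve(pinned *rsa.PublicKey, e ResolverEntry) (string, error) {
	digest := sha256.Sum256([]byte(e.URL))
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], e.Signature); err != nil {
		return "", fmt.Errorf("resolver entry rejected: %w", err)
	}
	return e.URL, nil
}

func main() {
	operator, _ := NewOperatorKey()
	pinned := &operator.PublicKey // what the loader would carry hardcoded

	// Genuine entry: the operator's own signature verifies.
	entry, _ := Publish(operator, "https://c2.example/files/jar/module")
	url, err := Resolve(pinned, entry)
	fmt.Println("genuine:", url, err)

	// Sinkhole attempt: the URL is swapped but the old signature is kept.
	sinkhole := ResolverEntry{URL: "https://sinkhole.example/", Signature: entry.Signature}
	_, err = Resolve(pinned, sinkhole)
	fmt.Println("tampered URL:", err)

	// Impostor: a correctly formed signature, but from a different key.
	impostor, _ := NewOperatorKey()
	forged, _ := Publish(impostor, "https://sinkhole.example/")
	_, err = Resolve(pinned, forged)
	fmt.Println("foreign key:", err)
}
```

The practical consequence for defenders follows directly: neither controlling the RPC path the loader talks to nor writing to the contract redirects infected hosts, so the response options are blocking the RPC traffic, blocking the resolved domains, and cleaning the hosts, as the recommendations later in the article say.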
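The zip bomb in the JAR works because a scanner that inflates every member before looking at it runs out of memory or time. A scanner can instead read the central directory first and inflate under a byte budget. The Go program below is an added example written for this article, not a tool from the report or from any vendor; the sample JAR it builds is constructed in memory (a manifest, a small cfg.json, and a META-INF/README.txt of zeros), and the thresholds are illustrative.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

// Finding describes a JAR member flagged by ScanJAR.
type Finding struct {
	Name       string
	Compressed uint64 // stored size, from the central directory
	Declared   uint64 // uncompressed size the central directory claims
	Reason     string // "declared-ratio" or "inflates-past-budget"
}

// ScanJAR walks the central directory of a JAR (a JAR is a ZIP file) and
// flags members that (a) declare an expansion ratio above maxRatio or
// (b) actually inflate past maxBytes. Check (b) reads at most maxBytes+1
// bytes per member, so a bomb cannot exhaust the scanner, and it also
// catches members whose declared sizes have been falsified to look small.
func ScanJAR(jar []byte, maxRatio float64, maxBytes uint64) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range r.File {
		c, u := f.CompressedSize64, f.UncompressedSize64
		if c > 0 && float64(u)/float64(c) > maxRatio {
			out = append(out, Finding{f.Name, c, u, "declared-ratio"})
			continue // do not inflate something that already looks like a bomb
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		n, _ := io.CopyN(io.Discard, rc, int64(maxBytes)+1) // bounded inflate
		rc.Close()
		if uint64(n) > maxBytes {
			out = append(out, Finding{f.Name, c, u, "inflates-past-budget"})
		}
	}
	return out, nil
}

// BuildSampleJAR constructs a JAR in memory whose META-INF/README.txt is
// bombBytes of zeros (highly compressible), alongside two benign members.
// This is a constructed sample, not the malicious JAR from the report.
func BuildSampleJAR(bombBytes int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	members := []struct {
		name string
		data []byte
	}{
		{"META-INF/MANIFEST.MF", []byte("Manifest-Version: 1.0\n")},
		{"cfg.json", []byte(`{"campaign":"constructed-sample"}`)},
		{"META-INF/README.txt", make([]byte, bombBytes)},
	}
	for _, m := range members {
		fw, err := w.Create(m.name) // Deflate is the writer's default method
		if err != nil {
			panic(err)
		}
		fw.Write(m.data)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	jar := BuildSampleJAR(16 << 20) // 16 MiB of zeros, stored in a few KiB
	findings, err := ScanJAR(jar, 100, 1<<20)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d bytes stored, %d declared (%s)\n", f.Name, f.Compressed, f.Declared, f.Reason)
	}
}
```

A ratio of 100:1 is a conservative cut-off for JAR contents; the member described in the article is roughly 680:1 (442 MB from 665 KB). Both checks are needed because the sizes in the central directory are attacker-controlled: the ratio check is cheap and catches honestly declared bombs, and the bounded inflate catches the ones that lie.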
[Figure: WeedHack chat (Source: DarkAtlas)]

A scheduled task called JMonitoringTask runs every two minutes as a watchdog, while another named JavaSecurityUpdater activates at logon with the highest privileges. Windows Defender is manipulated to add exclusion paths that prevent scanning of the dropped files.

Defenders are advised to block Ethereum RPC traffic on gaming and educational networks, since no legitimate Minecraft activity requires blockchain calls. Organizations should monitor the Ethereum contract on Etherscan for URL rotation history, which leaves a permanent public record of operator activity. Deploying the published YARA detection rules and rotating affected credentials immediately after any suspected infection are both essential steps to limit further damage. The Microsoft OAuth token is harvested by stage one before any C2 contact, so revoking active sessions and changing the password matters even where the later stages were blocked.

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
SHA256 | F91714F89616002C6C1411233470F58E74FAD7CB5A7DA6F77AA6082F5D2E8771 | Stage-1 LoaderClient JAR file hash
SHA1 | F7911F5BE3D08DA95DCDA8AFB1BEB8E462376F9D | Stage-1 LoaderClient JAR file hash
MD5 | D991A7C9E2C3B269975404405A79ADBC | Stage-1 LoaderClient JAR file hash
SHA256 | E7D1346153B49CE403687BBD0DDBF1DB63DE6808D64EA2812EA48EF0CFE7CF2A | Stage-2 Module.jar file hash
Ethereum Contract | 0x1280a841Fbc1F883365d3C83122260E0b2995B74 | Ethereum smart contract used for C2 URL resolution (EtherHiding)
Domain | fucktermedfir[.]st | Current active C2 domain resolved from smart contract
Domain | whnewreceive[.]ru | Previous C2 domain (active March 2026)
URL | https://fucktermedfir[.]st/files/jar/module | Stage-2 payload download URL
WebSocket | wss://remotev2.whpayment[.]ru/ws/client | Primary WebSocket C2 endpoint for premium RAT
WebSocket | wss://remotev2.whreceive[.]ru/ws/client | Backup WebSocket C2 endpoint for premium RAT
Domain | telemetrydata[.]to | Data exfiltration endpoint
IPv4 | 45[.]141[.]119[.]34 (port 50169) | Network indicator associated with campaign
File Path | %APPDATA%\Roaming\RuntimeBroker.exe | Dropped backdoor location on infected host
File Path | %APPDATA%\Roaming\Microsoft\Tlmtry\Telemetry.exe | Dropped stealer location on infected host
File Path | %APPDATA%\Roaming\WindowsRunetimeBroker.exe | Backup payload location on infected host
File Path | %TEMP%\lib*.dll | Native DLL dropped by JNIC loader
File Path | %TEMP%\*.acdm | Configuration file dropped on infected host
Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry key used by malware
Scheduled Task | JMonitoringTask | Watchdog task running every 2 minutes
Scheduled Task | JavaSecurityUpdater | Persistence task running at LOGON with HIGHEST privilege
JAR Resource | META-INF/README.txt | Zip bomb entry inside malicious JAR
JAR Resource | cfg.json | Embedded config file containing campaign UUID
File Extension | .acdm | Custom file extension used for dropped config files
Campaign UUID | 6fb0a044-eb0c-4d1f-b497-827b715590a7 | Operator-assigned campaign identifier embedded in stage-1

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
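The advice to block Ethereum RPC on gaming networks is easy to act on at a TLS-inspecting proxy, because Ethereum JSON-RPC has a fixed shape. The Go classifier below is an added example for this article, not a detection from DarkAtlas or from the published YARA rules. It assumes the loader reads the contract through a standard eth_call (the usual way to read contract state over JSON-RPC; the report does not name the method), flags any Ethereum RPC method as policy-violating, and escalates when the eth_call targets the contract address from the IoC table. The request bodies in main are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// KnownContracts maps lowercase EtherHiding resolver contracts to a label.
// The single entry is the contract address from this article's IoC table.
var KnownContracts = map[string]string{
	"0x1280a841fbc1f883365d3c83122260e0b2995b74": "WeedHack/LoaderClient C2 resolver",
}

// Verdict orders outcomes so that a batch can report its worst member.
type Verdict int

const (
	Clean         Verdict = iota
	EthereumRPC           // any Ethereum JSON-RPC call: block per the advisory
	KnownResolver         // eth_call whose "to" is a contract in KnownContracts
)

// rpcRequest is the subset of a JSON-RPC 2.0 request we need.
type rpcRequest struct {
	Method string            `json:"method"`
	Params []json.RawMessage `json:"params"`
}

// callParams is the first positional parameter of eth_call.
type callParams struct {
	To string `json:"to"`
}

// Classify inspects one HTTP request body (a single JSON-RPC object or a
// batch array) and returns the worst verdict it finds.
func Classify(body string) Verdict {
	body = strings.TrimSpace(body)
	if strings.HasPrefix(body, "[") { // JSON-RPC batch: classify each member
		var batch []json.RawMessage
		if json.Unmarshal([]byte(body), &batch) != nil {
			return Clean
		}
		worst := Clean
		for _, item := range batch {
			if v := Classify(string(item)); v > worst {
				worst = v
			}
		}
		return worst
	}
	var req rpcRequest
	if json.Unmarshal([]byte(body), &req) != nil || req.Method == "" {
		return Clean // not JSON-RPC (e.g. Minecraft session-server traffic)
	}
	m := strings.ToLower(req.Method)
	if !(strings.HasPrefix(m, "eth_") || strings.HasPrefix(m, "net_") || strings.HasPrefix(m, "web3_")) {
		return Clean
	}
	if m == "eth_call" && len(req.Params) > 0 {
		var p callParams
		if json.Unmarshal(req.Params[0], &p) == nil {
			if _, hit := KnownContracts[strings.ToLower(p.To)]; hit {
				return KnownResolver
			}
		}
	}
	return EthereumRPC
}

func main() {
	// Constructed sample bodies; "data" is a placeholder, not a real selector.
	samples := []string{
		`{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1280a841Fbc1F883365d3C83122260E0b2995B74","data":"0xdeadbeef"},"latest"]}`,
		`{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}`,
		`[{"jsonrpc":"2.0","id":3,"method":"net_version","params":[]},{"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0x1280a841fbc1f883365d3c83122260e0b2995b74"}]}]`,
		`{"accessToken":"x","selectedProfile":"y","serverId":"z"}`,
		`GET /launcher/version_manifest.json HTTP/1.1`,
	}
	names := map[Verdict]string{Clean: "clean", EthereumRPC: "ethereum-rpc", KnownResolver: "known-c2-resolver"}
	for _, s := range samples {
		fmt.Printf("%-18s %.60s\n", names[Classify(s)], s)
	}
}
```

Two caveats that follow from the article itself: the body inspection only works where the proxy terminates TLS, and because stage two resolves names over DNS-over-HTTPS, blocking RPC provider hostnames at the resolver is not enough on its own; the block has to sit on the HTTP path or on the destination IPs.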