Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2


A Minecraft malware loader known as LoaderClient is using Ethereum smart contracts and RSA-signed updates to keep its command-and-control infrastructure alive. The loader spreads through fake Minecraft Fabric mods and works as an entry point for the broader WeedHack malware-as-a-service campaign.

The campaign targets players who download unofficial mods, clients, and game utilities from YouTube links, fake mod portals, and search results. According to McAfee Labs, WeedHack has already affected more than 116,000 users and continues to generate thousands of new hits each day.

Newer LoaderClient variants raise the risk because they do not rely only on hardcoded web domains. Researchers at PolySwarm said the malware uses EtherHiding techniques and Ethereum smart contracts to retrieve active C2 infrastructure, while validating responses with RSA signatures.

What LoaderClient does after infection

LoaderClient first appears as a normal Minecraft Fabric mod. Once the player launches Minecraft with the infected mod installed, the loader can collect Minecraft session details, including the display name, account UUID, and access token.

That token theft matters because it can give attackers access to a player’s account session without needing the victim’s password. If the same device stores browser credentials, Discord tokens, cryptocurrency wallets, or other session data, the impact can spread beyond Minecraft.

The broader WeedHack ecosystem includes free and paid tiers. The premium version adds stronger remote-access features, including webcam access, keylogging, screen sharing, and file control, according to McAfee’s WeedHack report.

How RSA-signed smart contract C2 works

The most unusual part of LoaderClient is its command-and-control design. Instead of storing one fixed server address inside the malware, the loader can query an Ethereum smart contract to obtain the current C2 URL.

A technical analysis of WeedHack LoaderClient describes a newer version that adds an Ethereum RPC fallback, RSA-signed updates, and JNIC native obfuscation. Together these make it much harder to disrupt the loader by taking down any single domain.

The smart contract can act like a public dead drop. The attacker updates the C2 location through the blockchain, and the malware checks whether the returned data carries a valid RSA signature before trusting it.

| Technique | Purpose | Impact on defenders |
|---|---|---|
| Ethereum smart contract lookup | Stores or retrieves the active C2 location | Domain takedowns become less effective |
| RSA signature validation | Checks that the C2 update came from the operator | Sinkholing becomes harder |
| JNIC native obfuscation | Moves key logic into native code | Java decompilation gives less visibility |
| In-memory payload loading | Runs later-stage code without a normal file drop | File-based detection becomes weaker |

Why the malware is difficult to disrupt

Traditional malware takedowns often target domains, hosting accounts, or servers. LoaderClient’s blockchain fallback changes that model because the contract can remain visible even if several domains disappear.

The Cyber Security News report said LoaderClient retrieves a URL from an Ethereum smart contract and verifies it against a hardcoded 2048-bit RSA public key. Only the attacker’s private key can produce a valid update for the loader to accept.

This does not make the malware impossible to detect. It does mean defenders need to watch more than domains. Network teams should also monitor suspicious Ethereum RPC traffic, unusual DNS-over-HTTPS activity, and unexpected Java behavior on gaming or student devices.
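The RPC monitoring suggested above can be turned into a simple detection rule. The following is an added example, not code from the article or from any of the cited researchers: it classifies constructed proxy records (the record layout is assumed) as Ethereum JSON-RPC traffic and raises the severity when an `eth_call` targets the contract address reported on this page.

```python
import json

# Contract address reported on this page; checksum casing varies, so compare lowercased.
KNOWN_C2_CONTRACTS = {"0x1280a841fbc1f883365d3c83122260e0b2995b74"}

# Constructed sample proxy records (assumed layout: one dict per HTTPS POST body).
SAMPLE_RECORDS = [
    {"host": "lab-pc-01", "url": "https://rpc.example-node.invalid/",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
             '"params":[{"to":"0x1280a841Fbc1F883365d3C83122260E0b2995B74","data":"0x"},"latest"]}'},
    {"host": "lab-pc-02", "url": "https://rpc.example-node.invalid/",
     "body": '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}'},
    {"host": "lab-pc-03", "url": "https://api.example.invalid/v1",
     "body": '{"status":"ok"}'},
]


def classify_record(record):
    """Return a finding for an Ethereum JSON-RPC request, or None if the body is not one."""
    try:
        msg = json.loads(record["body"])
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method = str(msg.get("method", ""))
    if not method.startswith("eth_"):
        return None
    # Any eth_* call from a device with no blockchain business purpose is worth a look.
    finding = {"host": record["host"], "method": method, "severity": "medium", "contract": None}
    # eth_call carries the target contract in params[0]["to"].
    params = msg.get("params") or []
    if method == "eth_call" and params and isinstance(params[0], dict):
        to_addr = str(params[0].get("to", "")).lower()
        finding["contract"] = to_addr
        if to_addr in KNOWN_C2_CONTRACTS:
            finding["severity"] = "high"
    return finding


def scan_records(records):
    """Run classify_record over every record and keep only the JSON-RPC findings."""
    return [f for f in (classify_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Because the loader can rotate contracts, the lookup set is a starting point; the medium-severity catch-all for any `eth_*` call on gaming or student devices is the more durable signal.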

How WeedHack spreads through Minecraft communities

The campaign relies heavily on social engineering. Attackers publish videos that appear to show useful Minecraft mods, cheats, or utilities, then place download links in descriptions or comments.

Researchers also observed fake portals that imitate trusted mod sites and use search engine poisoning to appear credible. This works because many players already expect mods to trigger warnings, so some ignore antivirus alerts and run the files anyway.

[Image: Flexible plans (Source – DarkAtlas)]

PolySwarm’s WeedHack analysis said researchers identified more than 3,820 malicious JAR files and more than 240 distribution URLs linked to the ecosystem. It also said operators claim subscriptions start at $5 per month.

What data can be stolen?

LoaderClient and the WeedHack payload chain focus on credentials, sessions, and remote access. The exact capabilities can vary by version and operator tier, but the campaign goes well beyond a simple game account stealer.

  • Minecraft session data and account identifiers
  • Microsoft OAuth access tokens used by the Minecraft session
  • Browser credentials and cookies
  • Discord tokens and gaming account data
  • Cryptocurrency wallet data
  • Screenshots and system information
  • Remote access features in paid builds

For affected players, the fastest response is to remove the malicious mod, scan the device, reset passwords from a clean device, and review Microsoft account security. Minecraft’s official support page for compromised Microsoft accounts directs users to Microsoft’s account recovery process when they believe someone else gained access.

Defensive steps for players, parents, and schools

Players should avoid downloading mods from YouTube descriptions, Discord messages, random file hosts, or newly created clone sites. The safest path is to use well-known mod platforms and check project history, publisher reputation, comments, and update timing before installing anything.

Parents and schools should treat Minecraft mod malware as more than a gaming problem. A compromised home or classroom computer can expose passwords, browser sessions, camera access, and personal files.

  1. Remove suspicious Minecraft mods and launchers immediately.
  2. Run a full security scan from a trusted protection tool.
  3. Change Microsoft, Discord, email, and gaming passwords from a clean device.
  4. Review account recovery email addresses, phone numbers, and recent sign-in activity.
  5. Revoke active sessions where possible, especially for work or school accounts.
  6. Block suspicious Ethereum RPC and DNS-over-HTTPS traffic on managed networks.
  7. Watch for unknown scheduled tasks, startup entries, and Defender exclusions.

Indicators defenders should monitor

Security teams should avoid relying on one indicator because LoaderClient can rotate infrastructure. The Ethereum contract address, suspicious Java package names, JNIC artifacts, unusual scheduled tasks, and unexpected RPC traffic may provide more durable signals.

[Image: Video tutorials and guides (Source – DarkAtlas)]

The public WeedHack technical analysis lists package names, JNIC resource paths, YARA rules, and blockchain C2 behavior that defenders can use for hunting. These indicators can help identify infected Minecraft mod folders and later-stage payload activity.

| Indicator type | Example to review | Why it matters |
|---|---|---|
| Ethereum contract | 0x1280a841Fbc1F883365d3C83122260E0b2995B74 | Used as a C2 resolution point in reported activity |
| Scheduled task | JMonitoringTask | Reported watchdog persistence task |
| Scheduled task | JavaSecurityUpdater | Reported login persistence task |
| JAR package | me/mclauncher/ | Observed in LoaderClient stage-one samples |
| JNIC package | dev/jnic/lXpXv | Linked to newer JNIC-obfuscated loader variants |
| File extension | .acdm | Reported custom configuration file extension |
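The JAR-level indicators in the table can be hunted with a short scan of a Minecraft mods folder. This is an added example, not code from the article or the cited analyses: it builds a constructed JAR (not a real sample) containing the reported package paths and the `.acdm` extension, then reports which entries match. A hit is a lead for analysis, not proof of infection on its own.

```python
import io
import zipfile
from pathlib import Path

# Package paths and file extension listed in the indicator table above.
SUSPICIOUS_PREFIXES = ("me/mclauncher/", "dev/jnic/lXpXv")
SUSPICIOUS_EXTENSIONS = (".acdm",)


def build_sample_jar(include_indicators=True):
    """Constructed test JAR; with include_indicators=False it looks like a clean mod."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("fabric.mod.json", '{"id": "examplemod", "version": "1.0"}')
        zf.writestr("com/example/mod/Main.class", b"\xca\xfe\xba\xbe")
        if include_indicators:
            zf.writestr("me/mclauncher/Main.class", b"\xca\xfe\xba\xbe")
            zf.writestr("dev/jnic/lXpXv/native.bin", b"\x00")
            zf.writestr("assets/config.acdm", b"")
    return buf.getvalue()


def scan_jar_bytes(data):
    """Return the entry names inside one JAR that match the indicators, in archive order."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(SUSPICIOUS_PREFIXES) or name.lower().endswith(SUSPICIOUS_EXTENSIONS):
                hits.append(name)
    return hits


def scan_mods_folder(folder):
    """Scan every .jar below a folder; returns {file name: [matching entries]} for flagged JARs."""
    results = {}
    for jar in Path(folder).rglob("*.jar"):
        try:
            hits = scan_jar_bytes(jar.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a valid archive; nothing to inspect
        if hits:
            results[jar.name] = hits
    return results


if __name__ == "__main__":
    print(scan_jar_bytes(build_sample_jar()))
```

Point `scan_mods_folder` at the `.minecraft/mods` directory of the affected profile; also check unpacked directories, because extracted class files keep the same package paths.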

Why businesses should care about Minecraft malware

At first glance, a fake Minecraft mod may look like a consumer issue. In practice, the same infected laptop can hold browser sessions for work email, cloud dashboards, VPN portals, developer tools, or cryptocurrency accounts.

Organizations that allow unmanaged devices, student laptops, or bring-your-own-device access should include gaming malware in their endpoint risk planning. Blocking suspicious blockchain RPC activity on networks where Minecraft has no business purpose can reduce one path used by this campaign.

The latest LoaderClient findings show how gaming-focused malware now borrows techniques from more advanced threat operations. For users, the rule is simple: treat mod downloads like software installs, not like harmless game files.

[Image: WeedHack chat (Source – DarkAtlas)]

Enterprise incident responders can also use Microsoft’s guidance to revoke user access in an emergency when a work or school account may have been exposed. For personal players, the Minecraft account recovery guidance remains the right starting point.

If a corporate Microsoft Entra account could be involved, administrators should disable the affected account, revoke sessions, reset credentials, and review recent sign-ins. Microsoft’s emergency access revocation guidance explains how Entra ID admins can cut off active sessions during an incident.

FAQ

What is LoaderClient malware?

LoaderClient is a malicious Minecraft Fabric mod loader linked to the WeedHack malware-as-a-service campaign. It can steal Minecraft session data and help deliver additional payloads.

How does LoaderClient use Ethereum smart contracts?

Newer LoaderClient variants can query an Ethereum smart contract to retrieve the current command-and-control address. The malware checks the returned data with an RSA signature before trusting it.

Why are RSA-signed C2 updates dangerous?

RSA-signed updates make it harder for defenders to hijack or sinkhole the malware’s command channel. The loader accepts updates only when they carry a signature that matches the embedded public key.

How does WeedHack spread to Minecraft players?

WeedHack spreads through fake Minecraft mods, unofficial clients, YouTube download links, counterfeit mod portals, and search engine poisoning. Players often run the malware because they think warnings are false positives.

What should users do after installing a suspicious Minecraft mod?

Users should remove the mod, scan the system, change passwords from a clean device, review Microsoft account activity, sign out active sessions where possible, and check for suspicious startup tasks or Defender exclusions.
