Introduction
Active since January 2026, the "Weedhack" campaign is a Malware-as-a-Service (MaaS) operation that targets Minecraft players through fraudulent YouTube videos distributing weaponized game clients and mods. McAfee Labs has tracked the campaign delivering remote access capabilities to threat actors; the broader ecosystem includes the CountLoader payload, which has affected approximately 86,000 victims. Security teams should act immediately to identify infections: the attack vector leverages the trust players place in community content, which makes traditional filtering less effective. This is not a theoretical threat; it is actively harvesting credentials and establishing persistence on endpoints globally.
Technical Analysis
Affected Products and Platforms:
- Minecraft Java Edition (all versions)
- Third-party Minecraft mod loaders and "hack clients"
- Windows endpoints (primary infection target)
Attack Chain Breakdown:
- Initial Access Vector: YouTube videos advertising "free premium," "hacked," or modded Minecraft clients with download links in descriptions or pinned comments. These videos impersonate legitimate modding community content.
- Delivery Mechanism: Victims download executable installers (.exe) or weaponized .jar files that appear to be legitimate Minecraft modifications. The files are often hosted on file-sharing domains masquerading as legitimate mod repositories.
- Execution: Upon execution, the malicious payload spawns a Java process that loads additional components, including CountLoader or similar remote access trojans (RATs).
- Persistence: Malware establishes persistence through scheduled tasks, registry run keys, or by masquerading as legitimate Java update processes.
- Command and Control: The beaconing activity connects to attacker-controlled infrastructure, enabling remote system control, credential theft, and potential lateral movement.
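Because the delivery artifact is a .jar that masquerades as a mod, analysts need a way to look inside one without running it. The following static triage helper is an added example, not code from the advisory or from McAfee: it hashes the archive, parses META-INF/MANIFEST.MF (including continuation lines), and flags Java agent attributes, a Main-Class, and bundled native or script files that a plain mod has no reason to carry. The sample jar, its package name and file names are constructed in memory so the script runs offline.

```python
import hashlib, io, zipfile
from typing import Dict, List

# File types a plain Minecraft mod has no reason to carry inside the archive.
NATIVE_OR_SCRIPT_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF; a leading space marks a continuation line."""
    headers: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break                              # blank line ends the main section
        if line.startswith(" ") and last:
            headers[last] += line[1:]          # continuation of the previous header value
        elif ":" in line:
            last, value = line.split(":", 1)
            last = last.strip()
            headers[last] = value.strip()
    return headers

def triage_jar(data: bytes) -> Dict[str, object]:
    """Static checks only: the archive is read with zipfile and never executed."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest: Dict[str, str] = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        for key in ("Launcher-Agent-Class", "Premain-Class", "Agent-Class"):
            if key in manifest:                # jar can attach itself as a Java agent
                findings.append(f"declares a Java agent ({key}={manifest[key]})")
        if "Main-Class" in manifest:           # mods are normally loaded by the mod loader, not run directly
            findings.append(f"runnable jar (Main-Class={manifest['Main-Class']})")
        findings += [f"bundled native/script payload: {n}"
                     for n in names if n.lower().endswith(NATIVE_OR_SCRIPT_EXTS)]
    return {"sha256": hashlib.sha256(data).hexdigest(), "entries": len(names),
            "manifest": manifest, "findings": findings}

def build_sample_jar() -> bytes:
    """Constructed sample (not a real artifact): a 'mod' that is a runnable jar carrying an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",   # Main-Class value is split over a continuation line
                    "Manifest-Version: 1.0\r\nMain-Class: net.example.mod.Ins\r\n taller\r\n\r\n")
        zf.writestr("net/example/mod/Installer.class", b"\xca\xfe\xba\xbe")    # class-file magic only
        zf.writestr("resources/bin/helper.exe", b"MZ constructed, not a real PE")
    return buf.getvalue()
```

Hashes from `triage_jar` can be fed straight into the SHA256 pivots in the KQL hunts later on this page.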
Exploitation Status:
- Confirmed Active Exploitation: January 2026 to present
- Attack Vector: Social engineering via YouTube (no CVE required—relies on user-initiated execution)
- Scope: 86,000+ confirmed CountLoader infections; additional Weedhack infections ongoing
Detection & Response
SIGMA Rules
---
title: Suspicious Java Process Execution from Non-Standard Paths
id: 8d4f2a1c-7e3b-4c9d-9f1a-2b3c4d5e6f7a
status: experimental
description: Detects Java processes executing from directories outside standard Minecraft/AppData paths, indicative of Weedhack or similar malware delivery.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\javaw.exe'
      - '\java.exe'
  filter_standard:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\AppData\Roaming\.minecraft\'
  filter_legitimate:
    ParentImage|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not 1 of filter*
falsepositives:
  - Legitimate Java applications installed in non-standard directories
  - Development environments
level: high
---
title: Minecraft Client Download from Suspicious TLDs
id: 3b7c1d9e-4f5a-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects browser connections to hosts outside the known Minecraft and modding distribution domains; pair with proxy or file-creation telemetry to confirm that an executable or JAR was downloaded, as seen in Weedhack distribution.
references:
  - https://attack.mitre.org/techniques/T1102/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.command_and_control
  - attack.t1102.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 80
      - 443
    Initiated: true
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
  filter_legitimate:
    DestinationHostname|contains:
      - 'minecraft.net'
      - 'curseforge.com'
      - 'modrinth.com'
      - 'github.com'
      - 'microsoft.com'
  filter_internal:
    DestinationHostname|endswith:
      - '.local'
      - '.internal'
  condition: selection and not 1 of filter*
falsepositives:
  - Downloads from legitimate file-hosting services
  - Development downloads
level: medium
---
title: CountLoader Persistence via Scheduled Task
id: 5e8f2a3b-1c4d-5e6f-7a8b-9c0d1e2f3a4b
status: experimental
description: Detects creation of scheduled tasks with names or commands associated with CountLoader malware delivery from the Weedhack campaign.
references:
  - https://attack.mitre.org/techniques/T1053/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.persistence
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    # both flags must be present; a plain |contains list would be OR-ed
    CommandLine|contains|all:
      - '/create'
      - '/sc'
  selection_countloader:
    CommandLine|contains:
      - 'JavaUpdate'
      - 'MinecraftLoader'
      - 'McUpdate'
      - '.jar'
  condition: selection and selection_countloader
falsepositives:
  - Legitimate software update tasks
  - Authorized Java applications
level: high
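Before deploying the rules above it is worth checking how their conditions actually evaluate, since Sigma matching is case-insensitive, values in a list are OR-ed, and `selection and not 1 of filter*` suppresses a hit when any filter matches. The following Python is an added example (not from the advisory): it re-implements the first and third rules and runs them over constructed Sysmon-style process-creation events; the user names, paths and task name are fictional.

```python
from typing import Dict, Iterable, List, Tuple

def _contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()                      # Sigma string modifiers match case-insensitively
    return any(n.lower() in v for n in needles)

def _endswith_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def java_nonstandard_path(ev: Dict[str, str]) -> bool:
    """Rule 1: java/javaw outside standard install paths and not spawned from Program Files."""
    selection = _endswith_any(ev.get("Image", ""), ["\\javaw.exe", "\\java.exe"])
    filter_standard = _contains_any(ev.get("Image", ""), ["\\Program Files\\", "\\Program Files (x86)\\",
                                                         "\\AppData\\Roaming\\.minecraft\\"])
    filter_legitimate = _contains_any(ev.get("ParentImage", ""), ["\\Program Files\\", "\\Program Files (x86)\\"])
    return selection and not (filter_standard or filter_legitimate)   # "selection and not 1 of filter*"

def schtasks_java_persistence(ev: Dict[str, str]) -> bool:
    """Rule 3: schtasks with BOTH /create and /sc (contains|all) AND a themed name or .jar payload."""
    cmd = ev.get("CommandLine", "")
    selection = (_endswith_any(ev.get("Image", ""), ["\\schtasks.exe"])
                 and all(_contains_any(cmd, [flag]) for flag in ["/create", "/sc"]))
    themed = _contains_any(cmd, ["JavaUpdate", "MinecraftLoader", "McUpdate", ".jar"])
    return selection and themed

RULES = {"java_nonstandard_path": java_nonstandard_path, "schtasks_java_persistence": schtasks_java_persistence}

def run_rules(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every hit, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

# Constructed sample events (not real telemetry); one line per field group, expected outcome in the comment.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\alice\Downloads\client\javaw.exe", "ParentImage": r"C:\Users\alice\Downloads\client\setup.exe",
     "CommandLine": "javaw.exe -jar client.jar"},                                        # rule 1 hit
    {"Image": r"C:\Program Files\Java\jdk-21\bin\java.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "java.exe -version"},                                                # filter_standard
    {"Image": r"C:\Users\bob\AppData\Roaming\.minecraft\runtime\bin\javaw.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Minecraft\Launcher.exe", "CommandLine": "javaw.exe"},  # filter_standard
    {"Image": r"C:\Tools\jre\bin\java.exe", "ParentImage": r"C:\Program Files\Acme IDE\ide.exe",
     "CommandLine": "java.exe -jar build.jar"},                                          # filter_legitimate (parent)
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Users\alice\Downloads\client\setup.exe",
     "CommandLine": "schtasks.exe /create /sc onlogon /tn JavaUpdate /tr javaw.exe"},    # rule 3 hit
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks.exe /query /tn Backup"},                                   # no /create: no hit
]
```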
KQL (Microsoft Sentinel / Defender)
// Run each of the three queries below separately (the Defender/Sentinel editor executes one tabular expression at a time).

// Hunt for suspicious Java execution patterns associated with Weedhack:
// Java launched from user-writable folders, or from anywhere outside the JDK/JRE and
// Minecraft launcher runtime locations (regex is used because has_any matches whole terms only)
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("java.exe", "javaw.exe")
| where FolderPath matches regex @"(?i)\\(Downloads|Desktop|Temp|Public)\\"
    or not(FolderPath matches regex @"(?i)\\(Program Files( \(x86\))?\\Java\\|AppData\\Roaming\\\.minecraft\\)")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256
| order by Timestamp desc

// Network connections from Java processes to public hosts outside the known Minecraft/modding domains.
// DeviceNetworkEvents carries no domain-age or reputation column; enrich RemoteUrl from a
// threat-intel table (recently registered domains, CountLoader C2) if one is available.
let MinecraftLegitimateDomains = dynamic(["minecraft.net", "mojang.com", "curseforge.com", "modrinth.com", "github.com"]);
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080)
| where isempty(RemoteUrl) or not(RemoteUrl has_any (MinecraftLegitimateDomains))
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// JAR and EXE files written by browsers into Downloads/Desktop; FileOriginUrl (from the mark-of-the-web)
// ties the file back to the hosting domain linked from the YouTube video
DeviceFileEvents
| where Timestamp >= ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".jar" or FileName endswith ".exe"
| where FolderPath has "Downloads" or FolderPath has "Desktop"
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "brave.exe")
| where isnotempty(SHA256)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, SHA256, FileOriginUrl, FileOriginReferrerUrl
| order by Timestamp desc
Velociraptor VQL
-- Each block below is a stand-alone VQL query; run them from a notebook or wrap them in a hunt artifact.
-- Regexes use [.] rather than \. so they are valid whatever the string-escaping rules of the VQL version in use.

-- Hunt for suspicious Java processes running from non-standard locations
SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ '(?i)^javaw?[.]exe$'
  AND NOT Exe =~ '(?i)Program Files'
  AND NOT Exe =~ '(?i)AppData.Roaming.[.]minecraft'
  AND NOT Exe =~ '(?i)Windows'

-- Find recently written or unusually large JAR files in user Downloads and Desktop folders
-- (glob() takes a list of patterns; VQL has no UNION)
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs=('C:/Users/*/Downloads/*.jar', 'C:/Users/*/Desktop/*.jar'))
WHERE Mtime > timestamp(epoch=now() - 30*24*3600)
   OR Size > 10485760

-- Detect scheduled tasks with suspicious Java-related commands.
-- Uses the built-in Windows.System.TaskScheduler artifact, which parses the task XML under
-- C:\Windows\System32\Tasks; OSPath, Command, Arguments and UserId are its output columns
-- (older releases name the path column FullPath), so the task name is matched on the path.
SELECT OSPath, Command, Arguments, UserId
FROM Artifact.Windows.System.TaskScheduler()
WHERE Arguments =~ '(?i)[.]jar'
   OR Command =~ '(?i)java'
   OR OSPath =~ '(?i)(update|loader|mc|minecraft)'

-- Network connections from Java processes to non-standard ports on non-private addresses.
-- netstat() exposes the remote endpoint as Raddr.IP / Raddr.Port; the Java PIDs are
-- materialised once with <= and then used as a set in the WHERE clause.
LET java_pids <= SELECT Pid FROM pslist() WHERE Name =~ '(?i)^javaw?[.]exe$'

SELECT Pid, FamilyString, Status, Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort
FROM netstat()
WHERE Pid IN java_pids.Pid
  AND NOT Raddr.Port IN (80, 443, 25565)
  AND NOT Raddr.IP =~ '^(127[.]|10[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|192[.]168[.])'
Remediation Script (PowerShell)
# Weedhack and CountLoader Detection and Remediation Script
# Run as Administrator. Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).

# Define suspicious paths and patterns
$suspiciousPaths = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Downloads",
    "$env:PUBLIC\Desktop"
)
$suspiciousFilePatterns = @(
    "*hack*.jar",
    "*crack*.jar",
    "*cheat*.jar",
    "*inject*.jar",
    "*wurst*.jar",
    "*horion*.jar",
    "*meteor*.jar",
    "*liquid*.jar",
    "*aristois*.jar",
    "*weave*.jar"
)

# Check for suspicious JAR files
Write-Host "[+] Scanning for suspicious Minecraft-related JAR files..." -ForegroundColor Yellow
$foundSuspicious = @()
foreach ($path in $suspiciousPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($pattern in $suspiciousFilePatterns) {
        $files = Get-ChildItem -Path $path -Filter $pattern -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $fileHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $foundSuspicious += [PSCustomObject]@{
                Path     = $file.FullName
                Size     = $file.Length
                Created  = $file.CreationTime
                Modified = $file.LastWriteTime
                SHA256   = $fileHash
            }
            Write-Host "    FOUND: $($file.FullName)" -ForegroundColor Red
        }
    }
}

# Check for suspicious scheduled tasks: an action that hands a .jar to a Java launcher,
# or a Java/update/loader-themed task name whose action arguments reference a .jar
Write-Host "`n[+] Scanning for suspicious scheduled tasks..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Arguments -match "\.jar") -and (
        ($_.Actions.Execute -match "java") -or
        ($_.TaskName -match "(?i)(java|update|loader|mc|minecraft)")
    )
}
if ($suspiciousTasks) {
    foreach ($task in $suspiciousTasks) {
        Write-Host "    SUSPICIOUS TASK: $($task.TaskName)" -ForegroundColor Red
        Write-Host "    Command: $($task.Actions.Execute) $($task.Actions.Arguments)" -ForegroundColor Gray
    }
} else {
    Write-Host "    No suspicious tasks found." -ForegroundColor Green
}

# Check for suspicious running Java processes (Get-CimInstance replaces the deprecated Get-WmiObject;
# Win32_Process exposes the PID as ProcessId)
Write-Host "`n[+] Scanning for suspicious Java processes..." -ForegroundColor Yellow
$javaProcesses = Get-CimInstance Win32_Process | Where-Object {
    $_.Name -match "^javaw?\.exe$" -and
    $_.ExecutablePath -notmatch "Program Files" -and
    $_.ExecutablePath -notmatch "AppData.*Roaming.*\.minecraft"
}
if ($javaProcesses) {
    foreach ($proc in $javaProcesses) {
        Write-Host "    SUSPICIOUS PROCESS: PID $($proc.ProcessId)" -ForegroundColor Red
        Write-Host "    Path: $($proc.ExecutablePath)" -ForegroundColor Gray
        Write-Host "    Command: $($proc.CommandLine)" -ForegroundColor Gray
    }
} else {
    Write-Host "    No suspicious Java processes found." -ForegroundColor Green
}

# Generate Report
$indicatorsFound = ($foundSuspicious.Count -gt 0) -or [bool]$suspiciousTasks -or [bool]$javaProcesses
if ($indicatorsFound) {
    $reportPath = "$env:USERPROFILE\Desktop\WeedhackScanReport_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"
    $foundSuspicious | Format-List | Out-File -FilePath $reportPath -Append
    $suspiciousTasks |
        Select-Object TaskName, @{n='Execute'; e={$_.Actions.Execute}}, @{n='Arguments'; e={$_.Actions.Arguments}} |
        Format-List | Out-File -FilePath $reportPath -Append
    $javaProcesses | Select-Object ProcessId, ExecutablePath, CommandLine | Format-List | Out-File -FilePath $reportPath -Append
    Write-Host "`n[!] THREAT INDICATORS FOUND. Report saved to: $reportPath" -ForegroundColor Red
    Write-Host "[!] Manual investigation and remediation required." -ForegroundColor Red
    Write-Host "[!] Consider isolating affected endpoints and escalating to IR team." -ForegroundColor Red
} else {
    Write-Host "`n[+] No immediate Weedhack indicators detected." -ForegroundColor Green
}
Write-Host "`n[+] Scan complete." -ForegroundColor Cyan
# Non-zero exit code lets fleet-management tooling flag hosts with indicators
exit [int]$indicatorsFound
Remediation
Immediate Actions for Security Teams:
- Block Known Malicious Domains: Implement DNS sinkholing or web proxy blocks for domains identified as part of the Weedhack distribution network. Cross-reference with threat intelligence feeds for CountLoader C2 infrastructure.
- User Education Campaign: Immediately alert all users, especially those with known gaming interests, about the risks of downloading Minecraft modifications from unverified sources, particularly via YouTube links.
- Scan and Quarantine: Deploy the PowerShell script above across the fleet to identify potentially infected endpoints. Isolate machines with confirmed indicators pending forensic analysis.
- Remove Suspicious Artifacts:
  - Delete any JAR files matching the suspicious patterns identified in the script
  - Remove scheduled tasks created with suspicious Java execution parameters
  - Terminate Java processes running from non-standard paths
- Restrict Java Execution: Consider implementing application whitelisting (AppLocker or WDAC) to restrict Java execution to approved directories and signed applications only.
- Network Monitoring: Enable enhanced logging for DNS requests and outbound connections from Java processes. Set up alerts for connections to recently registered domains or high-risk TLDs.
Long-Term Defenses:
- Implement allowlists for approved Minecraft mod repositories (CurseForge, Modrinth)
- Deploy endpoint detection rules for CountLoader and related RAT families
- Establish a security awareness program specifically addressing gaming-related social engineering
- Regular audits of software installed on endpoints, particularly in consumer-owned device environments
Vendor Advisory References:
- McAfee Labs Advisory: Weedhack Campaign (January 2026)
- Microsoft Security Guidance: Managing Java Application Restrictions