Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2
A malware loader disguised as a fake Minecraft Fabric mod has compromised over 116,000 systems since January 2026, using Ethereum smart contracts and RSA signatures for resilient command-and-control.

A new and highly sophisticated malware loader has been found hiding inside what appears to be a harmless Minecraft mod. Researchers have uncovered a campaign that blends blockchain technology and social engineering to steal player credentials and deliver additional malicious payloads. The damage is already significant, with over 116,000 unique systems compromised since the campaign began in January 2026.
The malware, known as LoaderClient, spreads as a fake Minecraft Fabric mod. Once installed, it immediately harvests the player's session data, including display name, account UUID, and live Microsoft OAuth access token. That stolen token is especially dangerous because it lets an attacker take over the victim's account without knowing the password and without having to defeat two-factor authentication.
Analysts at DarkAtlas identified and detailed the malware in a report shared with Cyber Security News. Their findings reveal LoaderClient is the stage-one payload of a broader campaign called WeedHack, a Malware-as-a-Service platform available free or for five dollars a month. By June 2026, the operation had produced over 3,820 unique malicious files and was logging between 2,000 and 3,000 new infections daily.
What makes this threat alarming is how it spreads. Operators upload polished YouTube videos showcasing popular mods and bury malicious download links in the descriptions. They also run fake portals that impersonate legitimate mod sites and rank highly through SEO poisoning. Because players are conditioned to dismiss antivirus warnings as false positives, many disable their defenses and run the malware unknowingly.
The campaign has grown a community of over 850 registered operators on Telegram, many of them teenagers using the tools for peer harassment, webcam access, and social media hijacking. This shift reflects how low-cost malware is increasingly weaponized for personal disputes rather than purely financial crime.
What sets LoaderClient apart is its command-and-control architecture. Instead of embedding a server address in the code, the malware queries an Ethereum smart contract to retrieve its active C2 URL, a technique called EtherHiding. This makes the infrastructure nearly impossible to disrupt through domain seizures or hosting provider action. The smart contract responds with a URL paired with an RSA digital signature, and the malware verifies that signature against a hardcoded 2048-bit RSA public key before trusting the address. Only the operator's private key can produce a valid signature, so a URL substituted by tampering with the contract would be rejected, which makes sinkholing the C2 ineffective.
Once the C2 URL is verified, LoaderClient downloads the stage-two payload entirely in memory, never writing a file to disk. That payload is compiled using JNIC v3.7.0, hiding all logic inside encrypted native Windows DLLs. It independently re-resolves C2 through the same Ethereum contract and uses DNS-over-HTTPS to evade corporate network monitoring. The Ethereum contract address is the most durable indicator of this campaign, living permanently on the blockchain.
LoaderClient layers multiple evasion techniques to avoid detection at every stage. All sensitive strings are encrypted using a custom cipher called decS, producing non-standard Unicode characters that defeat signature-based tools. The JAR also contains a 442-megabyte zip bomb compressed to roughly 665 kilobytes, designed to crash automated scanners and bypass upload size limits. The stage-two module escalates privileges through a CMSTP UAC bypass, silently approving elevation prompts without any input from the victim. A scheduled task called JMonitoringTask runs every two minutes as a watchdog, while another named JavaSecurityUpdater activates at login with the highest system privileges. Windows Defender is manipulated to add exclusion paths that prevent scanning of the dropped files.
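Screening for the zip-bomb pattern described above is cheap, because a JAR's central directory records both the stored and the expanded size of every entry, so a scanner can flag an implausible expansion ratio without inflating anything. The Python below is an added example, not code from the report or from DarkAtlas. It builds a constructed sample archive in memory (a manifest, a small class-like entry, and a highly compressible filler standing in for the 442 MB payload) and reports any entry whose ratio exceeds a threshold; the 100:1 threshold and the entry names are assumptions.

```python
import io
import zipfile

# Entries expanding beyond this ratio are reported as decompression bombs.
# 100:1 is an assumed scanner setting (tune for your fleet); the 442 MB payload
# packed into roughly 665 KB described in the report is about 680:1.
MAX_RATIO = 100.0


def inspect_jar(data: bytes, max_ratio: float = MAX_RATIO) -> dict:
    """Return per-entry sizes plus the names flagged as decompression bombs.

    Only the central directory is read; nothing is decompressed, so the check
    stays cheap even when the archive is hostile.
    """
    entries = []
    flagged = []
    total_raw = total_packed = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Guard against a zero compressed size (empty or stored entries).
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            entries.append((info.filename, info.file_size, info.compress_size, ratio))
            total_raw += info.file_size
            total_packed += info.compress_size
            if ratio > max_ratio:
                flagged.append(info.filename)
    overall = total_raw / total_packed if total_packed else 0.0
    return {"entries": entries, "flagged": flagged, "overall_ratio": overall}


def build_sample_jar() -> bytes:
    """Constructed sample archive: benign-looking entries plus a filler that
    deflates to a tiny fraction of its size, as a zip bomb does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Repeating 256-byte pattern: compresses, but nowhere near the threshold.
        zf.writestr("net/example/ModInit.class", bytes(range(256)) * 8)
        # 2 MiB of zeros deflates to roughly 2 KiB, about 1000:1.
        zf.writestr("assets/filler.bin", b"\x00" * (2 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar())
    for name, raw, packed, ratio in report["entries"]:
        print(f"{name:30s} {raw:>10d} -> {packed:>8d}  ({ratio:8.1f}:1)")
    print("flagged:", report["flagged"], "overall ratio:", round(report["overall_ratio"], 1))
```

The per-entry ratio matters more than the overall one: a large legitimate mod full of textures dilutes the archive-wide figure, while the bomb entry itself still stands out.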
Defenders are advised to block Ethereum RPC traffic on gaming and educational networks, since no legitimate Minecraft activity requires blockchain calls. Organizations should monitor the Ethereum contract on Etherscan for URL rotation history, which leaves a permanent public record of operator activity. Deploying the published YARA detection rules and rotating affected credentials immediately after any suspected infection are both essential steps to limit further damage.
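The blocking advice above depends on being able to tell an Ethereum JSON-RPC call, or the DNS-over-HTTPS lookups the stage-two module uses, apart from ordinary launcher and game traffic. The Python below is an added example, not code from the report, of that classification run over a few constructed HTTP request records such as a TLS-inspecting proxy could hand to a policy hook; the request schema, hostnames and the zero-filled contract address are assumptions.

```python
import json
from typing import Optional

# JSON-RPC namespaces an Ethereum node exposes; eth_call is what a contract read uses.
ETH_METHOD_PREFIXES = ("eth_", "net_", "web3_")
# RFC 8484 DNS-over-HTTPS media type.
DOH_CONTENT_TYPE = "application/dns-message"


def classify_request(req: dict) -> Optional[str]:
    """Return 'ethereum-rpc', 'doh', or None for one HTTP request record.

    `req` has 'method', 'host', 'path', 'headers' and 'body' keys; this schema
    is an assumption of the example, not a real proxy API.
    """
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    accept = headers.get("accept", "").strip().lower()
    path = req.get("path", "")

    # DoH: POST with a dns-message body, or GET /dns-query?dns=<base64url>.
    if ctype == DOH_CONTENT_TYPE or accept == DOH_CONTENT_TYPE or (
        req.get("method") == "GET" and path.startswith("/dns-query") and "dns=" in path
    ):
        return "doh"

    # Ethereum JSON-RPC: a JSON object (or batch) with jsonrpc 2.0 and an eth_* method.
    if req.get("method") == "POST" and ctype == "application/json":
        try:
            payload = json.loads(req.get("body", ""))
        except ValueError:
            return None
        calls = payload if isinstance(payload, list) else [payload]
        for call in calls:
            if (isinstance(call, dict) and call.get("jsonrpc") == "2.0"
                    and str(call.get("method", "")).startswith(ETH_METHOD_PREFIXES)):
                return "ethereum-rpc"
    return None


def scan(requests):
    """Return (host, verdict) for every request that should be blocked or alerted on."""
    return [(r["host"], verdict) for r in requests if (verdict := classify_request(r))]


# Constructed sample traffic; hosts and the contract address are placeholders.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "rpc.example.invalid", "path": "/",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x" + "00" * 20, "data": "0x"}, "latest"]})},
    {"method": "POST", "host": "doh.example.invalid", "path": "/dns-query",
     "headers": {"Content-Type": "application/dns-message"}, "body": ""},
    {"method": "GET", "host": "doh.example.invalid",
     "path": "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
     "headers": {"Accept": "application/dns-message"}, "body": ""},
    {"method": "GET", "host": "launcher.example.invalid", "path": "/assets/index.json",
     "headers": {}, "body": ""},
    {"method": "POST", "host": "api.example.invalid", "path": "/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"username": "steve"})},
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:13s} {host}")
```

Matching on the JSON-RPC body rather than on a hostname list is what makes the rule survive infrastructure rotation: the public RPC endpoint the loader talks to can change, but a contract read is always an `eth_call`.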