{"id":13888,"date":"2026-06-26T10:03:58","date_gmt":"2026-06-26T10:03:58","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/26\/minecraft-malware-loader-uses-rsa-signed-smart-contract-updates-for-persistent-c2\/"},"modified":"2026-06-26T10:03:58","modified_gmt":"2026-06-26T10:03:58","slug":"minecraft-malware-loader-uses-rsa-signed-smart-contract-updates-for-persistent-c2","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/26\/minecraft-malware-loader-uses-rsa-signed-smart-contract-updates-for-persistent-c2\/","title":{"rendered":"Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A new and highly sophisticated malware loader has been found hiding inside what appears to be a harmless Minecraft mod. <\/p>\n<p class=\"wp-block-paragraph\">Researchers have uncovered a campaign that blends blockchain technology and social engineering to steal player credentials and deliver additional malicious payloads. 
<\/p>\n<p class=\"wp-block-paragraph\">The damage is already significant, with over 116,000 unique systems compromised since the campaign began in January 2026.<\/p>\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/cybersecuritynews.com\/fake-minecraft-mods-allow-attackers-to-control-your-system\/\" id=\"111715\" target=\"_blank\" rel=\"noreferrer noopener\">The malware, known as LoaderClient, spreads as a fake Minecraft Fabric mod<\/a>. Once installed, it immediately harvests the player\u2019s session data, including display name, account UUID, and live Microsoft OAuth access token. <\/p>\n<p class=\"wp-block-paragraph\">That stolen token is especially dangerous because it lets an attacker take over a victim\u2019s account without needing the password or having to bypass two-factor authentication.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/darkatlas.io\/blog\/loaderclient-malware-analysis-how-weedhack-uses-ethereum-smart-contracts-for-resilient-c2-infrastructure\" id=\"https:\/\/darkatlas.io\/blog\/loaderclient-malware-analysis-how-weedhack-uses-ethereum-smart-contracts-for-resilient-c2-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts at\u00a0DarkAtlas\u00a0identified and detailed the malware in a report<\/a> shared with Cyber Security News (CSN). <\/p>\n<p class=\"wp-block-paragraph\">Their findings reveal LoaderClient is the stage-one payload of a broader campaign called WeedHack, a Malware-as-a-Service platform available free or for five dollars a month. <\/p>\n<p class=\"wp-block-paragraph\">By June 2026, the operation had produced over 3,820 unique malicious files and was logging between 2,000 and 3,000 new infections daily.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgKKnSf_1TPZ_3c4-xT2985rFz2z80eMd-v0DxAWuLqCh-ALVTicsMeEh8_Tl8C9ROpuCRYmwgEOTanMA04x1kktydVFJPBLqh_SqlidPgvGZ_p1YeX7-p5w3pyoHIXBoFLPQrsAI3bRHMzMNx8kbE0buPlMnraqBQnkHVanwHeCnwxR5TR1RfwZlQk_zM\/s16000\/Flixible%2520plans%2520%28Source%2520-%2520DarkAtlas%29.webp?ssl=1\" alt=\"Flexible plans (Source - DarkAtlas)\"><figcaption class=\"wp-element-caption\">Flexible plans (Source \u2013 DarkAtlas)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">What makes this threat alarming is how it spreads. 
Operators upload polished YouTube videos showcasing popular mods and bury malicious download links in the descriptions. <\/p>\n<p class=\"wp-block-paragraph\">They also run <a href=\"https:\/\/cybersecuritynews.com\/sidewinder-hacker-group-hosting-fake-outlook-portals\/\" id=\"128807\" target=\"_blank\" rel=\"noreferrer noopener\">fake portals that impersonate legitimate mod sites<\/a> and rank highly through SEO poisoning. Because players are conditioned to dismiss antivirus warnings as false positives, many disable their defenses and run the malware unknowingly.<\/p>\n<p class=\"wp-block-paragraph\">The campaign has grown a community of over 850 registered operators on Telegram, many of them teenagers using the tools for peer harassment, webcam access, and social media hijacking. <\/p>\n<p class=\"wp-block-paragraph\">This shift reflects how low-cost malware is increasingly weaponized for personal disputes rather than purely financial crime.<\/p>\n<h2 id=\"h-minecraft-malware-loader-uses-rsa-signed-smart-contract-updates\" class=\"wp-block-heading\"><strong>Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">What sets LoaderClient apart is its command-and-control architecture. Instead of embedding a server address in the code, the malware queries an Ethereum smart contract to retrieve its active C2 URL using a technique called EtherHiding. <\/p>\n<p class=\"wp-block-paragraph\">This makes the infrastructure nearly impossible to disrupt through domain seizures or hosting provider action.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgsKTvc6rU8SNFAo8f952_YKYTk69-2u5iM8ZW4k4ge7Qm5FO9qucKE_ut6-Jef1EboFJJ3C0z6VjK4oLhPrE6TyLHLx_UGJZTKQpUtsqUembislUaPCBZOkKyITP4ZgWFLoTitZDtsAk_jyrCL0pSdGNx3NppNW_35HQsPxJNTszxRCGyqiTZG7-sdpj0\/s16000\/Video%2520tutorials%2520and%2520guides%2520%28Source%2520-%2520DarkAtlas%29.webp?ssl=1\" alt=\"Video tutorials and guides (Source - DarkAtlas)\"><figcaption class=\"wp-element-caption\">Video tutorials and guides (Source \u2013 DarkAtlas)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The smart contract responds with a URL paired with an RSA digital signature. The malware then verifies that signature against a hardcoded 2048-bit RSA public key before trusting the address. 
<\/p>\n<p class=\"wp-block-paragraph\">Only the operator\u2019s private key can produce a valid signature, so even a URL planted by tampering with the contract would fail verification and be rejected, making sinkholing attacks useless.<\/p>\n<p class=\"wp-block-paragraph\">Once the C2 URL is verified, LoaderClient downloads the 
stage-two payload entirely in memory, never writing a file to disk. That payload is compiled using JNIC v3.7.0, hiding all logic inside encrypted native Windows DLLs. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/malicious-npm-packages-attacking-ethereum-wallets\/\" id=\"109567\" target=\"_blank\" rel=\"noreferrer noopener\">It independently re-resolves C2 through the same Ethereum contract<\/a> and uses DNS-over-HTTPS to evade corporate network monitoring. The Ethereum contract address is the most durable indicator of this campaign, living permanently on the blockchain.<\/p>\n<h2 id=\"h-detection-evasion-and-defense-recommendations\" class=\"wp-block-heading\"><strong>Detection Evasion and Defense Recommendations<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">LoaderClient layers multiple evasion techniques to avoid detection at every stage. All sensitive strings are encrypted using a custom cipher called decS, producing non-standard Unicode characters that defeat signature-based tools. <\/p>\n<p class=\"wp-block-paragraph\">The JAR also contains a 442-megabyte zip bomb compressed to roughly 665 kilobytes, designed to crash automated scanners and bypass upload size limits.<\/p>\n<p class=\"wp-block-paragraph\">The stage-two module escalates privileges through a CMSTP UAC bypass, silently approving elevation prompts without any input from the victim. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgnkSZv98Uy7CfHxzDny4N9niyfwtEA7_MwPA_TeK_iLZc8ovXdeBE-KTMprFyr2T6WhD1TnEFQRGW_HZugZSVKXdRjGujkAhPhx4EbMymdYd3iBoyJsU5YoF4cqT7i5B20Td0m2U0iN1jovmf_sjeL_u6PYE4OFdD730q9cTCg5fCsisUTqtWOHNZ5h1E\/s16000\/Weedhack%2520Chat%2520%28Source%2520-%2520DarkAtlas%29.webp?ssl=1\" alt=\"Weedhack Chat (Source - DarkAtlas)\"><figcaption class=\"wp-element-caption\">Weedhack Chat (Source \u2013 DarkAtlas)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">A scheduled task called JMonitoringTask runs every two minutes as a watchdog, while another named JavaSecurityUpdater activates at login with the highest system privileges. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/windows-defender\/\" id=\"104429\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Defender is manipulated to add exclusion paths<\/a> that prevent scanning of the dropped files. 
Defenders are advised to block Ethereum RPC traffic on gaming and educational networks, since no legitimate Minecraft activity requires blockchain calls. 
<\/p>\n<p class=\"wp-block-paragraph\">Organizations should monitor the Ethereum contract on Etherscan for URL rotation history, which leaves a permanent public record of operator activity. <\/p>\n<p class=\"wp-block-paragraph\">Deploying the published YARA detection rules and rotating affected credentials immediately after any suspected infection are both essential steps to limit further damage.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA256<\/td>\n<td>F91714F89616002C6C1411233470F58E74FAD7CB5A7DA6F77AA6082F5D2E8771<\/td>\n<td>Stage-1 LoaderClient JAR file hash<\/td>\n<\/tr>\n<tr>\n<td>SHA1<\/td>\n<td>F7911F5BE3D08DA95DCDA8AFB1BEB8E462376F9D<\/td>\n<td>Stage-1 LoaderClient JAR file hash<\/td>\n<\/tr>\n<tr>\n<td>MD5<\/td>\n<td>D991A7C9E2C3B269975404405A79ADBC<\/td>\n<td>Stage-1 LoaderClient JAR file hash<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td>E7D1346153B49CE403687BBD0DDBF1DB63DE6808D64EA2812EA48EF0CFE7CF2A<\/td>\n<td>Stage-2 Module.jar file hash<\/td>\n<\/tr>\n<tr>\n<td>Ethereum Contract<\/td>\n<td>0x1280a841Fbc1F883365d3C83122260E0b2995B74<\/td>\n<td>Ethereum smart contract used for C2 URL resolution (EtherHiding)<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>fucktermedfir[.]st<\/td>\n<td>Current active C2 domain resolved from smart contract<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>whnewreceive[.]ru<\/td>\n<td>Previous C2 domain (active March 2026)<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/fucktermedfir[.]st\/files\/jar\/module<\/td>\n<td>Stage-2 payload download URL<\/td>\n<\/tr>\n<tr>\n<td>WebSocket<\/td>\n<td>wss:\/\/remotev2.whpayment[.]ru\/ws\/client<\/td>\n<td>Primary WebSocket C2 endpoint for premium RAT<\/td>\n<\/tr>\n<tr>\n<td>WebSocket<\/td>\n<td>wss:\/\/remotev2.whreceive[.]ru\/ws\/client<\/td>\n<td>Backup WebSocket C2 endpoint for premium RAT<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>telemetrydata[.]to<\/td>\n<td>Data exfiltration 
endpoint<\/td>\n<\/tr>\n<tr>\n<td>IPv4<\/td>\n<td>45.141.119.34 (Port 50169)<\/td>\n<td>Network indicator associated with campaign<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td>%APPDATA%RoamingRuntimeBroker.exe<\/td>\n<td>Dropped backdoor location on infected host<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td>%APPDATA%RoamingMicrosoftTlmtryTelemetry.exe<\/td>\n<td>Dropped stealer location on infected host<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td>%APPDATA%RoamingWindowsRunetimeBroker.exe<\/td>\n<td>Backup payload location on infected host<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td>%TEMP%\\lib*.dll<\/td>\n<td>Native DLL dropped by JNIC loader<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td>%TEMP%\\*.acdm<\/td>\n<td>Configuration file dropped on infected host<\/td>\n<\/tr>\n<tr>\n<td>Registry Key<\/td>\n<td>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/td>\n<td>Persistence registry key used by malware<\/td>\n<\/tr>\n<tr>\n<td>Scheduled Task<\/td>\n<td>JMonitoringTask<\/td>\n<td>Watchdog task running every 2 minutes<\/td>\n<\/tr>\n<tr>\n<td>Scheduled Task<\/td>\n<td>JavaSecurityUpdater<\/td>\n<td>Persistence task running at LOGON with HIGHEST privilege<\/td>\n<\/tr>\n<tr>\n<td>JAR Resource<\/td>\n<td>META-INF\/README.txt<\/td>\n<td>Zip bomb entry inside malicious JAR<\/td>\n<\/tr>\n<tr>\n<td>JAR Resource<\/td>\n<td>cfg.json<\/td>\n<td>Embedded config file containing campaign UUID<\/td>\n<\/tr>\n<tr>\n<td>File Extension<\/td>\n<td>.acdm<\/td>\n<td>Custom file extension used for dropped config files<\/td>\n<\/tr>\n<tr>\n<td>Campaign UUID<\/td>\n<td>6fb0a044-eb0c-4d1f-b497-827b715590a7<\/td>\n<td>Operator-assigned campaign identifier embedded in stage-1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/minecraft-malware-loader-uses-rsa-signed\/\">Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Minecraft Malware Loader Uses RSA-Signed Smart Contract Updates for Persistent C2 A new and highly sophisticated malware loader has been found hiding inside what appears to be a harmless Minecraft mod. Researchers have uncovered a campaign that blends blockchain technology and social engineering to steal player credentials and deliver additional malicious payloads. The damage is 
The damage is [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13888","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13888"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13888"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13888\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}