Last updated: July 5, 2026 at 9:01 AM UTC
Tag: maas (3 articles)

WeedHack malware-as-a-service infostealer infects 116,000+ Minecraft systems via YouTube and SEO-poisoned fake mods and cheat clients

McAfee has detailed WeedHack, a malware-as-a-service infostealer campaign that has infected more than 116,000 systems since January by targeting Minecraft players. The malware spreads through malicious Minecraft mods, clients, cheats, and utilities promoted via YouTube videos (some with voice-over narration and thousands of views) and SEO poisoning of keywords matching popular clients like Meteor, Wurst, LiquidBounce, and Impact. WeedHack averages 2,000-3,000 infections daily, mostly in the US, Germany, India, and the UK, across 240+ distribution URLs and 3,820 unique malicious JAR files. It offers customers a dashboard to view stolen credentials and victim data. Some fake sites even link to legitimate GitHub repos to fabricate credibility.

Check
Brief staff and family-device users that Minecraft mods, cheats, and clients from YouTube links or search results frequently carry infostealers. Hunt endpoints for the 3,820 known WeedHack JAR hashes.
Affected
Minecraft players (often younger users on shared/home devices) installing third-party mods, cheats, and clients. 116,000+ infected since January, mostly US, Germany, India, UK. MaaS dashboard tracks victims.
Fix
Source Minecraft tools only from official project pages. Apply McAfee WeedHack IoCs and block known distribution URLs. Rotate credentials on any system that ran an untrusted JAR.

REMUS infostealer profiled - 64-bit Lumma successor with EtherHiding C2 and Chromium ABE bypass

Flare published a deep profile of REMUS, the 64-bit infostealer that emerged in early 2026 after Lumma Stealer's core operators were doxxed in late 2025. Gen Threat Labs links REMUS directly to Lumma's codebase through 'Tenzor' transitional builds from September 2025, identical string obfuscation, anti-VM checks via cpuid leaf 0x40000000, and a refined Application-Bound Encryption bypass for Chromium browsers. The malware harvests browser passwords, cookies, autofill, crypto wallets, and clipboard data, and uses EtherHiding (blockchain-based C2 resolution) for resilience. Flare's 128-post analysis of REMUS forum activity from Feb 12 to May 8 shows the operation has moved from rapid feature expansion into platform stabilization, with active customer-facing MaaS development.

Check
Hunt for processes reading Chromium browser process memory to extract master keys, look for outbound traffic resolving C2 through Ethereum or other blockchain RPC endpoints (EtherHiding), and review browser cookie store access patterns.
Affected
Enterprises with users running Chromium-based browsers (Chrome, Edge, Brave) and saved passwords or session cookies. Crypto-holding individuals and finance, accounting, and developer roles with broad SaaS account access face elevated session-theft risk.
Fix
Roll out Application-Bound Encryption hardening on managed Chromium browsers, enforce conditional access with continuous access evaluation to invalidate stolen sessions, block known REMUS C2 indicators, and replace browser-stored passwords with an enterprise password manager.

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.