Information security specialists at F6 have recorded a targeted campaign against Russian Minecraft users. As F6 told TASS, the attackers are distributing malware disguised as mods and cheats for the game through a network of TikTok accounts aimed at a Russian-speaking audience. The installed software does add game features as promised, but at the same time deploys the WeedHack infostealer, designed to steal sensitive data.
The attack infrastructure was partially based on Russian resources: 14 command-and-control servers were hosted in the .ru domain zone and were promptly blocked after discovery. Additional servers are located in Cyprus, and blocking requests have been sent regarding them. WeedHack is capable of extracting credentials from 40 browsers, Minecraft and Discord tokens, as well as seed phrases of cryptocurrency wallets.
A particular danger for Russian users is posed by the Telegram session hijacking module: the malware gains access to the local folder containing the messenger's encrypted data, making it possible to bypass two-factor authentication and fully take over the account.
Whereas a year ago similar campaigns targeted Android devices through Telegram bots, the target has now shifted to computers running Windows.
The use of TikTok as a delivery channel and of .ru domains indicates that the criminals have adapted to the Russian digital landscape. The target audience, young players who often neglect cyber hygiene, remains vulnerable even after some of the servers have been blocked, since the malware can still download modules from the surviving foreign nodes.