- The WeedHack malware campaign has infected over 116,000 systems since January 2026, and researchers say that between 2,000 and 3,000 new infections occur each day.
- The malware reaches systems through fake Minecraft mods, clients, cheats, and utilities that developers promote through YouTube videos and websites that use malicious SEO tactics to pose as the real projects.
- WeedHack uses a Malware-as-a-Service (MaaS) model with free and paid tiers, which helps attackers steal visitors’ credentials, cryptocurrency wallet data, and Discord tokens, and even control computers remotely after infecting them.
A massive malware campaign targeting players of the popular game Minecraft has compromised over 116,000 systems worldwide since January 2026, according to research carried out by McAfee Labs.
The operation, which the threat actors call WeedHack, disguises malicious software as popular Minecraft mods, hacked clients, cheats, and utilities that players often use.
The actors behind WeedHack distribute these malicious files through YouTube videos and fraudulent websites that they control.
According to the McAfee Labs researchers, the campaign has turned into a full-fledged Malware-as-a-Service platform that makes committing cybercrime easier for everyone.
The platform offers interested hackers free access to tools for stealing credentials, along with very cheap premium subscriptions that add remote control capabilities.
The scale of the campaign and the ease with which hackers can access these tools have made it one of the largest cybercrime operations in the gaming sector this year.
YouTube Videos and Fake Mod Websites Are Driving Thousands of New Infections Daily
Researchers found that WeedHack relies on social engineering tactics designed to catch Minecraft players who are looking for popular mods and client software.
The campaign pushes players toward malicious downloads through YouTube videos that usually appear legitimate. These videos sometimes use professional voice-over narration and real demonstrations of Minecraft tools to make the trick convincing.
In some cases, videos asking players to download malware-laced files accumulated over 7,500 views before experts identified them as malicious.
The second major channel the campaign uses to catch players is “SEO poisoning”: attackers design and host websites that rank highly in search results for popular Minecraft clients and modifications.
These include Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense.
According to the researchers, many of these projects operate primarily through GitHub repositories rather than dedicated websites, which makes it easier for threat actors to create their own pages that convincingly impersonate the real ones.
McAfee found 240 malicious distribution URLs and 3,820 unique malicious JAR files linked to the campaign. Some malicious websites even try to appear genuine by linking to legitimate GitHub repositories and Discord servers while serving malware-laced downloads at the same time.
One site even added a security warning advising users to download a project only from its “official” source while serving malicious files from the same page.
WeedHack’s Free Malware Platform Is Lowering the Barrier to Cybercrime
Unlike other commercial infostealers that users can buy on underground forums, WeedHack operates openly on the clear web and even offers a free entry-level service.
According to McAfee, anyone with a Discord account can enter the platform and use its dashboard to view infected devices, browse stolen information, and create malicious payloads suitable for Minecraft versions 1.21.0 through 1.21.10.
The free version allows users to carry out information theft. It can steal Minecraft session IDs, browser cookies, saved passwords, and Discord credentials.
It can also steal Steam accounts, Telegram login credentials, and data from 56 cryptocurrency browser extensions and 12 desktop cryptocurrency wallet apps.
Account theft is a common goal across scams. Fake YouTube copyright notices are designed to steal Google accounts, highlighting the diverse methods attackers use to capture credentials. The malware also has the power to take screenshots of systems that are already.
The operation’s premium business model is even more dangerous: for just $5 per month or a one-time payment of $24.99, customers get advanced remote administration features.
These include control of a system’s keyboard and mouse, webcam access, keylogging, full remote shell access, and remote file management.
Researchers revealed that the campaign’s Telegram channel has over 800 members, showing that many people are already joining the malware platform’s ecosystem.
Researchers Warn Teenagers Are Using WeedHack for Harassment and Cyberbullying
One of the more unusual findings McAfee reported was the demographic of WeedHack customers.
Researchers believe that many of the platform’s users are teenagers or young adults who are not interested in making money from victims but instead use the malware’s remote access feature to harass, monitor, or cyberbully other Minecraft players.
This finding sets WeedHack apart from traditional infostealer operations, which always aim to steal credentials, commit banking fraud, or steal cryptocurrency from victims.
Because the remote access feature costs so little, the malware has moved beyond financial crime into personal harassment. Threat actors can now hijack victims’ accounts, read their personal messages, activate their webcams, and control their systems remotely.
Researchers urge Minecraft players to download mods only from official project sites and to verify download links before executing JAR files. Players should also not rely on YouTube descriptions or search engine results when looking for client software.
Cybersecurity experts also advise players to always review their Microsoft account sessions and to change their passwords if they download something that seems suspicious.
Players should also run full system scans to find out whether the malware has gotten in without their knowledge.
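The advice to verify download links can be made mechanical. The following is an added example, not code from McAfee or from any of the projects named above: it accepts a JAR link only when it is a GitHub release asset of an allowlisted repository, which rejects the lookalike hosts that impersonation pages depend on. The repository names in the allowlist and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist (not from the article): project -> GitHub "owner/repo".
# Confirm each entry against the project's own documentation before use.
OFFICIAL_REPOS = {
    "meteor-client": "MeteorDevelopment/meteor-client",
    "wurst": "Wurst-Imperium/Wurst7",
    "liquidbounce": "CCBlueX/LiquidBounce",
}

def check_download_url(project, url):
    """Return (ok, reason) for a JAR link claimed to belong to `project`."""
    repo = OFFICIAL_REPOS.get(project.lower())
    if repo is None:
        return False, "project not in allowlist"
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # https://github.com@other.host/... really points at other.host
        return False, "userinfo in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    # Exact host match: rejects lookalikes such as github.com.<something>
    if parts.hostname != "github.com" or port not in (None, 443):
        return False, "host is not github.com"
    segs = [s for s in parts.path.split("/") if s]
    if "/".join(segs[:2]).lower() != repo.lower():
        return False, "not the allowlisted repository"
    # Release assets live at /owner/repo/releases/download/<tag>/<file>
    if len(segs) != 6 or segs[2:4] != ["releases", "download"]:
        return False, "not a release asset path"
    if not segs[5].lower().endswith(".jar"):
        return False, "asset is not a JAR"
    return True, "release asset from allowlisted repository"

# Constructed sample links; the .example hosts are placeholders.
ASSET = "/MeteorDevelopment/meteor-client/releases/download/v1/meteor.jar"
SAMPLES = [
    "https://github.com" + ASSET,
    "https://github.com.meteor-client.example" + ASSET,
    "https://github.com@mods.example" + ASSET,
    "https://github.com/SomeoneElse/meteor-client/releases/download/v1/meteor.jar",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_download_url("meteor-client", link), link)
```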