WeedHack Malware Infects 116K Minecraft Players via Fake Mods
Malware-as-a-service infostealer spreads through malicious Minecraft mods promoted on YouTube. Steals browser credentials, crypto wallets, and Discord tokens.
A malware-as-a-service operation called WeedHack has infected more than 116,000 Minecraft players since January 2026, averaging 2,000 to 3,000 new victims daily. The campaign distributes malicious JAR files disguised as game mods, cheats, and utilities through YouTube videos and SEO-poisoned websites.
McAfee researchers tracking the operation found attackers operating over 240 distribution URLs and 3,820 unique malicious files. The malware targets credentials across browsers, cryptocurrency wallets, and gaming platforms—then offers premium subscribers remote access to compromised machines.
Distribution Tactics
WeedHack spreads primarily through two channels:
YouTube Promotion: Attackers upload videos showcasing popular Minecraft mods with professional narration and high production value. Some videos have accumulated over 7,500 views. Download links in video descriptions point to malicious JAR files instead of legitimate mods.
SEO Poisoning: The campaign targets search terms for legitimate Minecraft clients like Meteor, Radium, Wurst, Future, and LiquidBounce. Fake websites rank for these terms, then redirect visitors to malware downloads. To appear legitimate, these sites often link to the real projects' GitHub repositories and Discord servers.
The gaming community's trust in community-created mods makes this attack surface particularly effective. Players searching for game modifications expect to download executable files—exactly what attackers exploit.
What Gets Stolen
The WeedHack infostealer operates on a tiered pricing model, with even the free version harvesting substantial data:
Free Tier Targets:
- Minecraft session IDs
- Saved passwords and cookies from 36 browsers
- Credentials from 56 cryptocurrency browser extensions
- 12 desktop cryptocurrency wallet applications
- Discord, Steam, and Telegram tokens
- Screenshots of active windows
Premium Tier ($5/month or $24.99 lifetime) adds capabilities that cross from theft into full remote access:
- Remote keyboard and mouse control
- Webcam access
- Keylogging
- Remote shell execution
- File management and exfiltration
The low pricing and clear-web accessibility—unusual for infostealers—suggest the operators prioritize volume over sophistication. The associated Telegram channel has over 800 members, with researchers noting that many appear to be teenagers using the tools for harassment rather than financial crime.
Geographic Impact
McAfee telemetry shows the highest infection rates in:
- United States
- Germany
- India
- United Kingdom
The geographic spread aligns with Minecraft's player base, indicating the campaign isn't targeting specific regions but rather exploiting the game's global popularity.
Connection to Broader Threats
WeedHack represents a growing trend of malware-as-a-service platforms targeting gaming communities. We covered a similar npm supply chain attack last week where attackers compromised developer tools—both campaigns demonstrate how trusted software distribution channels become attack vectors.
The overlap between gaming credentials and cryptocurrency theft is intentional. Many Minecraft players also participate in cryptocurrency communities, making stolen Discord and Telegram tokens valuable for social engineering in crypto schemes.
Detection and Removal
Signs of Infection:
- Unexpected Java processes running in the background
- Browser sessions logged out unexpectedly (attackers clearing cookies)
- Cryptocurrency wallet balance discrepancies
- Discord account sending messages without user action
Immediate Steps:
- Run a full malware scan with updated definitions
- Reset passwords for all gaming platforms and cryptocurrency services
- Revoke Discord, Steam, and Telegram sessions from security settings
- Enable two-factor authentication everywhere possible
- Monitor cryptocurrency wallets for unauthorized transactions
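The steps above are account hygiene after the fact; a defender also wants a check to run on a downloaded "mod" before it is ever executed. The script below is an added example, not code from McAfee or from the article, and it uses heuristics that are assumptions rather than published WeedHack indicators: a genuine Fabric/Forge/NeoForge/Quilt mod is loaded by the mod loader and ships a descriptor (fabric.mod.json, META-INF/mods.toml, META-INF/neoforge.mods.toml, quilt.mod.json), whereas a standalone payload meant to be double-clicked carries a Main-Class entry in META-INF/MANIFEST.MF and sometimes bundles non-Java executables. The two sample JARs are constructed in memory so the example runs offline; the function and file names are hypothetical.

```python
"""Triage Minecraft "mod" JARs before running them (added example, heuristic only)."""
import hashlib
import io
import sys
import zipfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Descriptors the real mod loaders read; a JAR with none of these is not a mod
# as far as Fabric/Forge/NeoForge/Quilt are concerned (assumed heuristic).
MOD_DESCRIPTORS = (
    "fabric.mod.json",
    "META-INF/mods.toml",
    "META-INF/neoforge.mods.toml",
    "quilt.mod.json",
)
# Non-Java payloads that have no business inside a game mod (assumed heuristic).
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")


@dataclass
class JarReport:
    sha256: str
    has_mod_descriptor: bool
    main_class: Optional[str]
    suspicious_entries: List[str] = field(default_factory=list)
    nested_jars: List[str] = field(default_factory=list)  # informational: Fabric allows jar-in-jar

    @property
    def verdict(self) -> str:
        # A double-click-runnable JAR with no mod descriptor, or one that bundles
        # native executables/scripts, is worth quarantining and hashing for lookup.
        if self.suspicious_entries or (self.main_class and not self.has_mod_descriptor):
            return "suspicious"
        if not self.has_mod_descriptor:
            return "unknown"
        return "looks-like-mod"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF (continuation lines start with a space)."""
    attrs: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # first blank line ends the main section
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def triage_jar(data: bytes) -> JarReport:
    """Inspect one JAR (as bytes) and return the heuristic report."""
    sha = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest: Dict[str, str] = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    return JarReport(
        sha256=sha,
        has_mod_descriptor=any(d in names for d in MOD_DESCRIPTORS),
        main_class=manifest.get("Main-Class"),
        suspicious_entries=[n for n in names if n.lower().endswith(SUSPICIOUS_SUFFIXES)],
        nested_jars=[n for n in names if n.lower().endswith(".jar")],
    )


def scan_mods_dir(path: Path) -> List[tuple]:
    """Triage every .jar in a directory (e.g. .minecraft/mods) and return (name, report) pairs."""
    return [(p.name, triage_jar(p.read_bytes())) for p in sorted(path.glob("*.jar"))]


def _build_jar(entries: Dict[str, object]) -> bytes:
    """Constructed sample JAR for the example; not a real mod or real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample 1: what a minimal Fabric mod looks like structurally.
SAMPLE_FABRIC_MOD = _build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n",
    "fabric.mod.json": '{"schemaVersion": 1, "id": "examplemod", "version": "1.0.0"}',
    "com/example/ExampleMod.class": b"\xca\xfe\xba\xbe",
})
# Constructed sample 2: a standalone runnable JAR posing as a mod, with a bundled .exe.
SAMPLE_FAKE_MOD = _build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nMain-Class: dl.Loader\r\n\r\n",
    "dl/Loader.class": b"\xca\xfe\xba\xbe",
    "res/helper.exe": b"MZ",
})

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_mods_dir(target) if target else [
        ("example-fabric-mod.jar", triage_jar(SAMPLE_FABRIC_MOD)),
        ("free-cheat-client.jar", triage_jar(SAMPLE_FAKE_MOD)),
    ]
    for name, rep in results:
        print(f"{rep.verdict:14} {name}  sha256={rep.sha256[:16]}...  main={rep.main_class}  "
              f"descriptor={rep.has_mod_descriptor}  odd={rep.suspicious_entries}")
```

Run it with a directory argument to triage a real mods folder; without one it scores the two constructed samples. A "suspicious" verdict is a reason to quarantine the file and look up its SHA-256, not proof of infection, and "unknown" covers plain libraries and older mod formats the heuristic does not recognise.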
Why This Matters
Gaming malware often gets dismissed as a niche threat, but infected gaming PCs frequently contain far more than game credentials. Many players use the same machine for banking, work, and cryptocurrency—creating opportunities for attackers to pivot from game mods to financial fraud.
The 116,000 infections in five months demonstrate how quickly gaming-focused campaigns scale. Parents should be particularly aware: the Minecraft community skews young, and teenagers downloading mods may not recognize malware indicators that experienced users would catch.
For broader guidance on recognizing malicious software, see our malware identification guide.