Cybercriminals are embedding malware within seemingly legitimate Minecraft mods and game clients, leveraging YouTube videos and search engine optimization (SEO) techniques to lure unsuspecting players. This campaign, identified as WeedHack, has been active since January 2026 and has reportedly infected over 116,000 users globally.
WeedHack operates as a Malware-as-a-Service (MaaS) platform, allowing individuals to download pre-configured malicious payloads and distribute them. The free tier of this service can extract passwords from 36 browsers, access credentials from over 56 browser-based cryptocurrency wallets, and obtain login details for Discord, Steam, and Telegram accounts.
According to McAfee Labs, which shared its findings with Cyber Security News, the campaign has generated over 3,820 unique malicious JAR files and more than 240 URLs distributing the malware, resulting in approximately 2,000 to 3,000 new infections daily. The United States, Germany, India, and the United Kingdom are among the most affected regions.
Alarmingly, many of the people operating WeedHack (the service's customers, as opposed to its victims) appear to be teenagers and young adults who use the tool not only to steal accounts but also to harass victims. They have been known to record individuals through compromised webcams and share these videos in Telegram channels as a form of cyberbullying.
Victims are advised not to comply with attackers’ demands. Instead, they should contact a trusted adult, such as a parent or guardian, and report the incident immediately to prevent further harm.
Distribution Methods: YouTube and SEO Poisoning
WeedHack spreads primarily through fake YouTube videos and SEO poisoning. Threat actors upload professionally edited videos showcasing Minecraft mods and clients, often with voiceovers to enhance authenticity. One such video amassed over 7,500 views and included a link to a malicious download site in its description.
The campaign targets Minecraft mods lacking official websites, enabling attackers to dominate search results for related keywords. These fraudulent sites are designed to appear credible, some even displaying fake security warnings advising users to download only from their page and linking to official Discord servers and GitHub pages to build trust.
Beyond videos, the campaign instructs its operators to join Discord and Reddit discussions and subtly promote their malicious sites without arousing suspicion. The WeedHack dashboard provides tutorials on effective keyword targeting and strategies to avoid detection.
This campaign underscores the evolving tactics of cybercriminals who exploit popular platforms and trusted online communities to distribute malware. Users should exercise caution when downloading software from unofficial sources and remain vigilant against deceptive online content.
Source: Cyber Security News