Weedhack Malware Exploits YouTube and SEO to Target Minecraft Players with Malicious Software

Weedhack Malware Targets Minecraft Players via YouTube and SEO Poisoning

Cybersecurity researchers have identified a new malware campaign, dubbed Weedhack, that specifically targets Minecraft players through YouTube videos and search engine optimization (SEO) poisoning techniques. This campaign, active since January 2026, impersonates Minecraft clients and mods to distribute malicious software capable of compromising users’ systems.

McAfee Labs has reported that the Weedhack campaign utilizes SEO poisoning and YouTube to drive traffic to malicious URLs. Researchers have discovered 3,820 unique malicious JAR files and over 240 URLs associated with this campaign. Notably, two YouTube channels have been identified that showcase Minecraft mods and clients, directing viewers to these harmful links.

At the core of this operation is an enterprise-grade dashboard hosted on weedhack[.]to. This platform allows cybercriminals to monitor stolen credentials and system information, as well as manage compromised systems remotely. Additionally, it enables the creation of custom payloads targeting Minecraft versions 1.21.0 to 1.21.11 and facilitates the injection of malware into legitimate Minecraft mods.

Attack Methodology:

1. Initial Infection: The attack begins when a user downloads a malicious JAR file, such as DonutDupe.jar, from a compromised website.

2. Command-and-Control Communication: The malware retrieves the command-and-control (C2) server domain using a technique known as EtherHiding, which leverages the Ethereum blockchain as a dead drop resolver.

3. Payload Deployment: The malware contacts the C2 server to download an additional Java-based JAR payload named Elevator.jar. This component collects system information, configures Microsoft Defender exclusions, and serves as a conduit for deploying two more JAR payloads.

4. Persistence and Remote Access: The third payload, SecurityManager.jar, establishes persistence on the infected system and acts as a stager for the final component, Component.jar, which provides remote access capabilities.
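Because the Elevator.jar stage is described as adding Microsoft Defender exclusions, one practical check on a Windows gaming PC is to audit the current exclusions and recent exclusion changes. The following PowerShell audit is an added example, not code from the McAfee report; the "suspicious" path patterns it flags are illustrative assumptions, not indicators published for this campaign.

```powershell
# Added example (not from the report): audit Defender exclusions and recent
# exclusion changes. Run in an elevated PowerShell session on Windows 10/11.

$prefs = Get-MpPreference

Write-Host "Current Defender exclusions:"
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($v in @($prefs.$kind)) {
        if ($v) { Write-Host ("  {0,-18} {1}" -f $kind, $v) }
    }
}

# Exclusions pointing at user-writable locations, the Minecraft directory or
# Java are unusual on a normal install. These patterns are assumptions for
# illustration, not indicators from the report.
$suspect = @('\\AppData\\', '\\Temp\\', '\\\.minecraft\\', 'java', '\.jar$')
$flagged = @()
foreach ($kind in 'ExclusionPath', 'ExclusionProcess') {
    foreach ($v in @($prefs.$kind)) {
        if ($v -and ($suspect | Where-Object { $v -imatch $_ })) { $flagged += $v }
    }
}

# Event ID 5007 in the Defender operational log records configuration changes,
# including exclusions being added; keep only exclusion-related entries from
# the last 30 days.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions' }

Write-Host "`nExclusion changes since $($since.ToShortDateString()): $(@($events).Count)"
foreach ($e in $events) {
    # The 5007 message carries "Old value:" / "New value:" lines; show the new one.
    $line = (($e.Message -split "`n") | Where-Object { $_ -match 'New value' }) -join ' '
    Write-Host ("  {0}  {1}" -f $e.TimeCreated, $line.Trim())
}

if ($flagged) {
    Write-Warning "Exclusions worth reviewing:`n  $($flagged -join "`n  ")"
}
```

Any exclusion the user did not add deliberately, or a 5007 event that lines up with the time a new mod or client was installed, is worth treating as a sign of the behaviour described in step 3 above.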

The operators behind Weedhack promote their tools through a Telegram channel with over 850 members, offering both free and premium tiers:

– Free Version: Includes an information stealer that targets Minecraft session IDs and four Minecraft launchers, plus the ability to capture screenshots. It also harvests files, system information, cookies, and passwords from 36 web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet applications, and credentials for Discord, Steam, and Telegram.

– Premium Version: Priced at $4.99 per month or $24.99 for a lifetime license, this tier offers additional remote access features, including webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse control, and file uploads and downloads.

The Weedhack campaign primarily targets users in the United States, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

Implications and Recommendations:

The Weedhack campaign underscores the evolving tactics of cybercriminals who exploit popular platforms like YouTube and manipulate search engine results to distribute malware. By offering sophisticated malware tools on the clear net, often for free or at low cost, these actors lower the barrier to entry for potential cybercriminals and attract a younger audience, particularly within the gaming community.

To protect against such threats, users are advised to:

– Download Software from Trusted Sources: Only obtain Minecraft mods and clients from official or reputable sources.

– Be Cautious of Unverified Links: Avoid clicking on links from unverified YouTube channels or unfamiliar websites.

– Maintain Updated Security Software: Ensure that antivirus and anti-malware programs are up to date to detect and prevent infections.

– Regularly Monitor System Activity: Keep an eye on system performance and network activity for any unusual behavior that may indicate a compromise.

By staying vigilant and adhering to these best practices, users can significantly reduce the risk of falling victim to campaigns like Weedhack.