A new malware campaign named WeedHack is targeting Minecraft players by disguising itself as free game mods and clients, infecting thousands of systems daily. Since January 2026, over 116,000 users have been affected, with an average of 2,000 to 3,000 new infections each day, according to McAfee Labs.
WeedHack operates as a malware-as-a-service (MaaS) offering with both free and premium tiers. The free tier includes an infostealer capable of extracting Minecraft session IDs, browser cookies, passwords, and credentials for platforms like Discord, Steam, and Telegram. The premium version, starting at $4.99 per month, adds remote access features such as webcam control, keylogging, and file manipulation.
The malware is distributed through malicious JAR files masquerading as legitimate Minecraft mods. These files are promoted via YouTube videos and search engine optimization (SEO) poisoning, leading unsuspecting users to download the infected software. McAfee identified over 3,820 unique malicious JAR files and more than 240 distribution URLs associated with this campaign.
Once installed, the malware employs a technique called EtherHiding, using the Ethereum blockchain to retrieve command-and-control (C2) server domains. This method helps the malware evade detection and maintain persistence on infected systems.
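A defender-side check for the EtherHiding lookup described above, as an added example that is not from McAfee's report or the original article: it flags Java processes whose outbound HTTP request body is an Ethereum JSON-RPC read call. It assumes the lookup uses standard JSON-RPC read methods and that a TLS-inspecting proxy or EDR exports records in the hypothetical schema shown; all sample records are constructed.

```python
import json

# Assumption: the blockchain lookup uses standard Ethereum JSON-RPC read methods.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}  # Minecraft mods run inside a JVM

def _line(host, image, dest, body):
    """Build one constructed telemetry record (hypothetical schema)."""
    return json.dumps({"host": host, "image": image, "dest": dest, "body": body})

def _rpc(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

# Constructed sample data; hosts, paths, domains and the address are placeholders.
SAMPLE_LOG = [
    _line("pc-01", r"C:\Java\bin\javaw.exe", "rpc.example.invalid",
          json.dumps(_rpc("eth_call", [{"to": "0xCONTRACT_PLACEHOLDER"}, "latest"]))),
    _line("pc-02", r"C:\Apps\wallet.exe", "rpc.example.invalid",  # not a JVM: ignored
          json.dumps(_rpc("eth_call", [{"to": "0xCONTRACT_PLACEHOLDER"}, "latest"]))),
    _line("pc-03", "/usr/bin/java", "rpc.example.invalid",  # batched request
          json.dumps([_rpc("eth_chainId", []), _rpc("eth_getStorageAt", [])])),
    _line("pc-04", r"C:\Java\bin\javaw.exe", "launcher.example.invalid", "not json"),
]

def _load(text):
    """Parse JSON, returning None for anything malformed."""
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None

def rpc_methods(body):
    """Method names of a single or batched JSON-RPC 2.0 request body."""
    doc = _load(body)
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls if isinstance(c, dict)
            and c.get("jsonrpc") == "2.0" and isinstance(c.get("method"), str)]

def find_alerts(lines):
    """Flag JVM processes whose HTTP body is an Ethereum read request."""
    alerts = []
    for rec in map(_load, lines):
        if not isinstance(rec, dict):
            continue
        image = str(rec.get("image", "")).replace("\\", "/").rsplit("/", 1)[-1].lower()
        hits = sorted(READ_METHODS.intersection(rpc_methods(rec.get("body"))))
        if image in JAVA_IMAGES and hits:
            alerts.append((rec.get("host"), rec.get("dest"), hits))
    return alerts
```

Legitimate Java software that talks to Ethereum nodes will also match, so treat a hit on a gaming workstation as a lead to triage rather than a verdict.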
WeedHack’s accessibility and low cost have attracted a younger demographic, including teenagers, who use the malware not only for financial theft but also for harassment and cyberbullying. The campaign’s reach is global, with the highest number of infections in the United States, followed by Germany, India, the UK, and Italy.
McAfee’s Web Protection actively blocks sites distributing WeedHack, and its Threat Explainer provides detailed information on flagged files, enhancing user security.
The rise of WeedHack underscores the growing trend of malware-as-a-service platforms that lower the barrier to entry for cybercriminals. This development is particularly concerning as it enables less experienced individuals to engage in malicious activities, leading to a broader and more diverse range of cyber threats. Users should exercise caution when downloading mods and clients, ensuring they originate from reputable sources to mitigate the risk of infection.
Source: The Hacker News