Over 116,000 Minecraft systems infected in WeedHack malware campaign

A significant malware operation known as WeedHack has emerged, specifically targeting the vibrant community of Minecraft players. Since its inception in January, this campaign has successfully compromised over 116,000 systems, with daily infections ranging between 2,000 and 3,000. The primary distribution method involves malicious mods, clients, cheats, and utilities that are deceptively promoted through platforms like YouTube, alongside tactics such as SEO poisoning.

WeedHack malware distribution

According to a recent report from cybersecurity firm McAfee, the WeedHack campaign predominantly reaches its victims through carefully crafted YouTube videos that showcase various Minecraft-related tools. These videos often contain download links embedded in their descriptions and comments. Some of these productions are notably polished, featuring voice-over narration to enhance their authenticity, and have garnered view counts exceeding 7,500.

YouTube video promoting malicious Minecraft mods
Source: McAfee

The SEO poisoning strategy employed by the attackers targets specific keywords associated with popular Minecraft clients, including Meteor Client, Radium Client, and Wurst Client, among others. Many of these projects lack official websites, relying instead on GitHub pages, which adds to the challenge of identifying legitimate sources.

Malware-distributing site
Source: McAfee

In one illustrative case highlighted in the report, a malicious website presents a security notice advising visitors to download ‘Skytils’ only from the official site. This site links to the legitimate GitHub repository and Discord server of the project, creating a deceptive veneer of credibility.

Malicious site warning of fake Minecraft mods
Source: McAfee

MaaS operation

The WeedHack malware platform operates as a malware-as-a-service (MaaS) model, hosted on the clear net and available for free, a rarity among infostealer operations. Users gain access to a comprehensive dashboard that provides insights into their victims, including infected system profiles and stolen data, along with a payload builder tailored for Minecraft versions 1.21.0 through 1.21.10.

WeedHack dashboard
Source: McAfee

The free tier of this stealer focuses on the theft of Minecraft session IDs, cookies, and saved passwords across a wide array of platforms, including 36 browsers and 56 cryptocurrency add-ons. It can also capture credentials from popular applications such as Discord, Steam, and Telegram, in addition to taking screenshots.

For those seeking enhanced capabilities, WeedHack offers a premium tier priced at per month, or a one-time lifetime purchase of .99. This premium option includes features such as remote control with input access, webcam access, a keylogger, remote shell, and file management capabilities.

WeedHack attack overview
Source: McAfee

The project’s Telegram channel boasts over 800 members, with many users appearing to be teenagers or young adults who utilize WeedHack’s remote access tools to target and harass their victims. To safeguard against such threats, Minecraft players are advised to trust only mods from official project sources, verify download links, and exercise caution with JAR files hosted on suspicious sites. For a secure gaming experience, the in-game Minecraft Marketplace remains the safest avenue for expanding gameplay options.
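A concrete way to act on the advice above, as an added example that is not part of the article or of McAfee's report: before dropping a mod JAR into the mods folder, compare its SHA-256 against the checksum published on the project's official release page (the expected hash is supplied by the caller; this script does not fetch anything) and list the JAR entries that warrant a second look, such as native executables or scripts bundled inside what should be a pure Java archive. The sample JAR is constructed in memory, and the metadata file names checked (fabric.mod.json, META-INF/mods.toml, mcmod.info) are an assumption about common loaders, not something the article specifies.

```python
import hashlib
import hmac
import io
import zipfile

# File types that have no business inside a Minecraft mod JAR (assumption:
# a mod ships Java classes and resources, not Windows binaries or shell scripts).
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".sh", ".scr")

# Metadata files common mod loaders expect (assumed list, not from the article).
MOD_METADATA_FILES = ("fabric.mod.json", "META-INF/mods.toml", "mcmod.info")


def build_sample_jar(extra_files=None) -> bytes:
    """Constructed sample: a minimal fake mod JAR built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("fabric.mod.json", '{"id": "examplemod", "version": "1.0.0"}')
        # Java class magic number followed by filler bytes; not a real class.
        zf.writestr("com/example/ExampleMod.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        for name, data in (extra_files or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the file's SHA-256 with the hash copied from the official release page."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def inspect_jar(data: bytes) -> dict:
    """Return entry count plus a list of findings that merit manual review."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"entries": 0, "findings": ["not a valid ZIP/JAR archive"]}

    for name in names:
        lower = name.lower()
        if lower.endswith(SUSPICIOUS_EXTENSIONS):
            findings.append(f"embedded native binary or script: {name}")
        # Entry names that could escape the extraction directory.
        if "\\" in name or name.startswith("/") or ".." in name.split("/"):
            findings.append(f"unsafe entry path: {name}")

    if "META-INF/MANIFEST.MF" not in names:
        findings.append("no META-INF/MANIFEST.MF")
    if not any(meta in names for meta in MOD_METADATA_FILES):
        findings.append("no recognised mod metadata file")
    return {"entries": len(names), "findings": findings}


def verify_mod(data: bytes, expected_sha256: str) -> dict:
    """Accept the JAR only if the hash matches and inspection raised no findings."""
    result = {"hash_ok": hash_matches(data, expected_sha256)}
    result.update(inspect_jar(data))
    result["accept"] = result["hash_ok"] and not result["findings"]
    return result


if __name__ == "__main__":
    clean = build_sample_jar()
    published_hash = sha256_hex(clean)  # stands in for the hash on the official page
    print("clean jar:", verify_mod(clean, published_hash))

    # Same mod with a bundled Windows executable, as a repackaged download might carry.
    repackaged = build_sample_jar({"natives/helper.exe": b"MZ" + b"\x00" * 14})
    print("repackaged jar:", verify_mod(repackaged, published_hash))
```

The hash check is the decisive control: a repackaged download will never match the checksum of the genuine release, regardless of how convincing the hosting site looks. The entry inspection is a secondary heuristic for review, not proof of cleanliness, since a malicious mod can be written entirely in Java.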
