Malware campaign targeting Minecraft users infects over 116,000 systems

A recent investigation by McAfee researchers has uncovered a Malware-as-a-Service (MaaS) operation known as WeedHack that specifically targets the large community of Minecraft users. The platform gives cybercriminals remote access to victims’ screens, webcams, and files through a web-based dashboard. Since its emergence in January 2026, WeedHack has reportedly compromised over 116,000 systems, adding 2,000 to 3,000 new infections each day.

Minecraft, developed by Mojang Studios and launched in 2011, has achieved remarkable success, selling over 350 million copies globally. The popularity of this game has made it a prime target for malicious activities, with WeedHack leading the charge. Researchers have identified more than 3,820 unique malicious JAR files associated with this campaign, along with over 240 URLs facilitating the distribution of the malware. The United States has been identified as the most affected country, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

YouTube spreading and SEO poisoning

The WeedHack operation employs a clever strategy of leveraging YouTube for distribution and utilizing SEO poisoning techniques to ensnare unsuspecting victims. Attackers promote various Minecraft mods, clients, and utilities through engaging videos that include download links in their descriptions and comments. Some of these videos, crafted with professional voice-over narration, have garnered over 7,500 views, illustrating the effectiveness of this approach.

According to McAfee, WeedHack specifically targets Minecraft clients and mods that have no official website and are instead hosted on file-sharing platforms like GitHub. By selecting mods with unique names, the attackers can easily dominate search engine results, increasing their chances of reaching potential victims.

Lowering the barrier to entry

What distinguishes WeedHack from other malware campaigns is its accessibility. Unlike traditional MaaS offerings, which often require substantial financial investment, WeedHack is hosted on the clear web and provides access to sophisticated malware at no cost. While competitors like Lumma Stealer and X-Worm can cost hundreds of dollars per month or require lifetime subscriptions through underground channels, WeedHack offers its services for free, with premium features starting at just per month and lifetime access priced at .99.

The free tier includes an infostealer that targets Minecraft session IDs, collects system information, and extracts cookies and passwords from 36 different browsers. It also targets 56 browser-based cryptocurrency wallets and 12 desktop cryptocurrency wallets, in addition to credentials from platforms like Discord, Steam, and Telegram. The malware is capable of searching infected systems using 24 predefined keywords and capturing screenshots from compromised devices. Premium subscriptions unlock advanced features such as remote-access capabilities, keystroke logging, screen sharing with keyboard and mouse control, and the ability to upload and download files.

Tools, tutorials, and infection tracking

At the heart of the WeedHack operation lies a comprehensive web-based dashboard that provides customers with access to data harvested from compromised systems. Victim profiles include detailed information such as screenshots, system specifications, IP addresses, usernames, computer names, and stolen credentials. A dedicated section tracks Minecraft session hits, which can be exploited for account hijacking.

The platform also features a payload builder that allows users to inject malware into legitimate Minecraft mods targeting versions 1.21.0 through 1.21.11. Users can monitor infection statistics through a leaderboard that refreshes every 10 minutes, showcasing both all-time and 24-hour data. Additionally, extensive documentation is available, covering topics such as malware distribution, operational security practices, remote-access features, stolen credentials, VPN and proxy services, and troubleshooting.

A suggestions page invites users to propose feature requests and vote on potential additions, including ransomware capabilities, microphone access, and support for additional Minecraft clients. Beyond the theft of accounts and credentials, the operation appears to have contributed to incidents of cyberbullying, as evidenced by the activity within its Telegram channel, which has attracted over 850 members. This activity suggests that teenagers and young adults are utilizing WeedHack’s remote-access tools to monitor, threaten, and harass victims.

In light of these developments, McAfee urges users to exercise caution when engaging with recently uploaded YouTube videos promoting Minecraft tools, particularly those hosted outside of official websites. Additionally, users should be wary of any requests to disable antivirus software prior to installation.

AppWizard