HackMyIP
2026-06-02 BleepingComputer

WeedHack Malware Hits 116,000+ Minecraft Systems in Global Infostealer Campaign

Malware, Threat Intel

A large-scale malware-as-a-service operation dubbed WeedHack has infected more than 116,464 systems since January 2026 by targeting Minecraft players with trojanized mods, clients, cheats, and utilities. According to telemetry from McAfee, the campaign averages between 2,000 and 3,000 daily infections across more than 240 distribution URLs and 3,820 unique malicious JAR files, with victims concentrated in the United States, Germany, India, and the United Kingdom. Distribution relies on two primary vectors: YouTube videos that embed download links in descriptions and comments, some polished with voice-over narration and racking up over 7,500 views, and SEO poisoning campaigns targeting keywords for popular Minecraft clients such as Meteor, Radium, Wurst, Aristois, LiquidBounce, Impact, Future, Inertia, Cornos, WWE, 3earthh4ck, Salhack, Phobos, and Gamesense.

The malicious sites behind the campaign are engineered to appear legitimate, often warning visitors to download tools like Skytils only from the official source and linking directly to the real GitHub repository and Discord server to build false trust before serving a payload. Once executed, the JAR-based stealer harvests Minecraft session IDs, cookies, and saved passwords from 36 browsers, 56 cryptocurrency wallet extensions, 12 desktop crypto wallet applications, and credentials for Discord, Steam, and Telegram, while also capturing screenshots of infected hosts. Compromised users can quickly check whether their browser-saved credentials have appeared in known exposures using an email breach checker, and they should immediately run any saved logins through a password checker to evaluate strength and reuse.

What makes WeedHack notable is that its dashboard is hosted on the clear web and accessible for free, an unusual move for modern infostealer operations that typically gate access behind private forums or Telegram channels. The platform provides a victim overview, infected system profiles, a payload builder supporting Minecraft versions 1.21.0 through 1.21.10, and a premium tier priced at $5 per month or $24.99 lifetime, which adds remote desktop control with mouse and keyboard input, webcam access, and a keylogger. The free accessibility, combined with the gaming-focused social engineering, significantly lowers the barrier for low-skill attackers to launch credential theft operations at scale.

Security teams and individual players should treat any third-party Minecraft client or mod distributed outside the project's official GitHub or verified Discord as high-risk and verify distribution sites with a WHOIS lookup to confirm ownership before downloading. Users who installed suspicious utilities since January should rotate all credentials stored in browsers and crypto wallets, revoke active sessions on Steam and Discord, and audit browser extensions for unfamiliar add-ons. With the gaming community now firmly in the crosshairs of organized infostealer operations, the WeedHack campaign underscores how MaaS models are industrializing commodity malware delivery through trusted platforms like YouTube and search engines.

Source: BleepingComputer
