2026-06-03 The Hacker News

Weedhack MaaS Targets Minecraft Users via YouTube SEO Poisoning

Malware, Threat Intel, Supply Chain

Cybersecurity researchers at McAfee Labs have uncovered a malware-as-a-service (MaaS) campaign dubbed Weedhack that has been actively targeting Minecraft players since January 2026. Disguised as legitimate Minecraft clients and mods, the operation leverages YouTube videos and SEO poisoning to funnel unsuspecting users toward malicious download sites. Investigators have so far identified 3,820 unique malicious JAR files and more than 240 distribution URLs, along with two dedicated YouTube channels that publish tutorials redirecting viewers to the payload infrastructure. The central command panel, hosted at weedhack[.]to, functions as a full enterprise dashboard for tracking compromised systems and stolen data.

The infection chain begins with a malicious Java archive ("DonutDupe.jar") that uses EtherHiding—a technique abusing the Ethereum blockchain as a dead-drop resolver—to retrieve its command-and-control (C2) domain. The initial loader then pulls a secondary JAR ("Elevator.jar"), which collects system information, configures Microsoft Defender exclusions, and drops two further stages: SecurityManager.jar for persistence and Component.jar, which delivers the full remote access toolkit. Threat actors also inject their payloads into legitimate Minecraft mods distributed through their malicious sites, making detection significantly harder for casual users who verify file authenticity. Security researcher Aayush Tyagi noted that the campaign specifically targets Minecraft versions 1.21.0 through 1.21.11.
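A defender-side triage sketch for the chain described above, added here as an example and not code from McAfee Labs or The Hacker News: it flags JARs whose file name matches a stage name reported in the article, or whose contents carry plain-text Ethereum JSON-RPC or Defender-exclusion strings, including JARs bundled inside another mod. The marker lists, the size limit and all function names are assumptions of this example; obfuscated or encrypted strings will not match, so an empty result does not clear a file.

```python
import io
import zipfile
from pathlib import Path

# Stage file names as reported in the article (compared case-insensitively).
STAGE_NAMES = {"donutdupe.jar", "elevator.jar", "securitymanager.jar", "component.jar"}
# Assumption: Ethereum JSON-RPC method names a Minecraft mod has no usual reason to embed.
RPC_MARKERS = (b"eth_call", b"eth_getStorageAt")
# Assumption: exclusions are set through the Defender PowerShell cmdlets.
DEFENDER_MARKERS = (b"Add-MpPreference", b"ExclusionPath")
MAX_ENTRY = 20_000_000  # skip oversized entries (zip-bomb guard)

def scan_jar(name, data, depth=0):
    """Return sorted findings for one JAR, given its file name and raw bytes."""
    findings = set()
    if Path(name).name.lower() in STAGE_NAMES:
        findings.add("stage-name")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return sorted(findings | {"not-a-zip"})
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            blob = zf.read(info)
            if any(m in blob for m in RPC_MARKERS):
                findings.add("ethereum-rpc")
            if any(m in blob for m in DEFENDER_MARKERS):
                findings.add("defender-exclusion")
            # Payloads may sit in a JAR bundled inside a legitimate mod.
            if info.filename.lower().endswith(".jar") and depth < 2:
                findings.update(scan_jar(info.filename, blob, depth + 1))
    return sorted(findings)

def scan_dir(root):
    """Map each flagged *.jar under root to its findings."""
    return {str(p): f for p in Path(root).rglob("*.jar")
            if (f := scan_jar(p.name, p.read_bytes()))}

def make_jar(entries):
    """Build a constructed sample JAR in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

Point `scan_dir` at a launcher's mods folder or a downloads directory; any finding is a reason to inspect the file further, not a verdict.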

Weedhack is offered in two tiers. The free variant includes an infostealer capable of capturing session IDs from four Minecraft launchers, screenshots, files, system metadata, cookies and passwords from 36 browsers, wallet data from 56 browser-based and 12 desktop cryptocurrency wallets, plus credentials for Discord, Steam, and Telegram. The Premium plan, starting at $4.99 per month or $24.99 for a lifetime license, adds webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse control, and full file upload/download capabilities. Promotion, customer support, and version updates are handled through a public Telegram channel with over 850 members. Given the credential harvesting scope, users who may have interacted with pirated Minecraft content should immediately verify exposure using a password strength and breach checker and audit any unfamiliar domains tied to suspicious activity via a WHOIS lookup. A broader privacy checkup is also recommended for gamers who reuse passwords across launcher, Discord, and Steam accounts.

Source: The Hacker News
