Minecraft Malware Weedhack Campaign Spreads via YouTube

Eng. Donya Bino Published  ·  9 min read

McAfee Labs has uncovered a new malware campaign targeting Minecraft players. Spread through YouTube videos and SEO poisoning, it gives attackers complete control over the victim's computer.

The Weedhack campaign has been active since at least January 2026 and infects systems by masquerading as Minecraft clients and mods.

Researchers have identified 3,820 unique malicious JAR files and more than 240 distinct URLs used to distribute the Weedhack payload.

The Method of Distribution

Weedhack is distributed through SEO poisoning and YouTube videos that lead users to malicious URLs. The attackers have created YouTube channels with numerous videos demonstrating how to use Minecraft mods and clients, with links to the malicious web pages placed in the video descriptions.

The videos appear legitimate, and unsuspecting users download what they believe is a Minecraft mod or client.

The Weedhack Dashboard

Central to the Minecraft malware Weedhack campaign is an enterprise-grade dashboard hosted at weedhack[.]to.

The dashboard enables customers to view stolen credentials and system information, and it allows them to remotely keep tabs on compromised systems.

The dashboard also lets criminals build custom payloads targeting Minecraft versions 1.21.0 through 1.21.11 and inject the malware into legitimate Minecraft mods.

The Infection Chain

The Weedhack infection chain begins with a malicious JAR file named DonutDupe.jar, downloaded from one of the many malicious sites. The JAR uses a technique called EtherHiding: instead of carrying a hard-coded command-and-control address, it reads the current C2 domain from data stored on the Ethereum blockchain, which acts as a dead-drop resolver. Because the blockchain cannot be taken down and the stored value can be updated by the operators, the C2 infrastructure can be rotated without rebuilding the JAR.

Once the domain is resolved, DonutDupe.jar connects to the C2 server from the Minecraft process and downloads a second Java payload, Elevator.jar.
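The EtherHiding lookup is nothing more than a read-only smart-contract call followed by ABI decoding of a string. The example below, added here and not taken from Weedhack or from McAfee's analysis, shows the JSON-RPC body such a client sends and how the returned bytes are decoded into a C2 URL. The contract address, the 4-byte function selector and the returned URL are constructed for illustration only.

```python
import json
import re

# Constructed illustration of the EtherHiding mechanic. The contract address, the
# 4-byte function selector and the returned string are made up for this example;
# they are not Weedhack's real contract or infrastructure.
CONTRACT = "0x" + "11" * 20      # hypothetical contract holding the dead-drop value
SELECTOR = "0x20965255"          # hypothetical selector of a public string getter
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d+)?(/[^\s]*)?$")


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body a client POSTs to any public Ethereum RPC node.

    eth_call is a read-only, gas-free view call: it needs no wallet, no signed
    transaction, and leaves nothing on-chain, so the lookup is hard to attribute.
    """
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """Encode a single `string` return value the way Solidity's ABI does.

    Used here only to fabricate the sample RPC response; mirrors abi_decode_string.
    """
    b = s.encode("utf-8")
    padded = b + b"\x00" * ((32 - len(b) % 32) % 32)
    head = (32).to_bytes(32, "big")       # offset of the dynamic data (0x20 for one return value)
    length = len(b).to_bytes(32, "big")
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call that returns one ABI `string`.

    Layout: [32-byte offset][32-byte length][data padded to a 32-byte boundary].
    """
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short to hold an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("truncated string payload")
    return data.decode("utf-8")


def resolve_c2(rpc_response: dict) -> str:
    """Turn a JSON-RPC response into a C2 URL, rejecting anything that is not a URL."""
    if "error" in rpc_response:
        raise RuntimeError(f"RPC error: {rpc_response['error']}")
    value = abi_decode_string(rpc_response["result"]).strip()
    if not URL_RE.match(value):
        raise ValueError(f"dead-drop value is not a URL: {value!r}")
    return value


# Constructed response, in the shape a public RPC node returns for the call above.
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("https://c2.example.invalid/api/v1"),
}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("resolved C2:", resolve_c2(SAMPLE_RESPONSE))
```

Two things follow for defenders. The blockchain itself cannot be blocked, but a Java game process posting `eth_call` bodies to public RPC endpoints is unusual enough to alert on. And because the read is public, an analyst who recovers the contract address and selector from the JAR can poll the same contract and watch the C2 domain rotate.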

The Payload Stack

Elevator.jar collects information about the host and adds exclusions to Microsoft Defender so that its later stages are not scanned. It then serves as the downloader for two further JAR payloads.

The third payload, SecurityManager.jar, establishes persistence and acts as a stager for the final component, Component.jar, which deploys the remote access features.

Weedhack therefore uses a staged, multi-layered architecture in which each JAR adds capability and fetches the next, so the remote access tooling never appears in the file the victim originally downloaded.

The Telegram Channel

The Weedhack operators use a Telegram channel to distribute warez, publish updates, and provide customer support.

The channel has more than 850 members, and it serves as a community for buyers of the malware-as-a-service platform.

Free Tier Capabilities

The free tier of Weedhack includes a comprehensive infostealer.

The free malware targets Minecraft session IDs and four Minecraft launchers, and it can capture screenshots.

The free tier harvests files, system information, cookies, and passwords from 36 different web browsers, and it steals data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps.

The free tier also steals credentials for Discord, Steam, and Telegram.

Premium Tier Capabilities

The premium tier of the Minecraft malware Weedhack campaign starts at $4.99 per month or $24.99 for a lifetime license.

Premium customers get additional remote access capabilities including webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file uploads and downloads.

The Minecraft malware Weedhack campaign premium tier gives attackers complete remote control over victims' systems.

Geographic Distribution

The majority of Minecraft malware Weedhack campaign infections have been identified in the United States.

Additional impacted countries are Germany, India, the UK, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

Because Minecraft is played worldwide, the campaign is global in reach: any player, in any country, who downloads a trojanized mod or client can be infected.

Cyberbullying Component

McAfee Labs observed the Minecraft malware Weedhack campaign acting as a trigger for cyberbullying.

The customers, who appear to be teenagers and young adults, weaponize the remote access features to threaten, harass, and monitor their victims, recording them through their webcams and sharing the videos on the Telegram channel as "trophies."

The Minecraft malware Weedhack campaign is not just about stealing Minecraft accounts, it is about harassing and terrorizing young players.

CountLoader Campaign

The disclosure of the Minecraft malware Weedhack campaign comes as McAfee Labs shed light on a large-scale CountLoader campaign.

CountLoader is a JavaScript loader typically distributed via cracked software distribution sites, and it is known to deploy various payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.

About 86,000 unique devices have been affected by the CountLoader botnet; nearly 9,000 of those infections were spread via USB drives and other removable media that the malware uses to propagate.

The largest number of CountLoader infections occurred in India, followed by Indonesia, the United States, and other parts of Southeast Asia.

Cryptocurrency Clipper Payload

The new CountLoader attacks deliver a cryptocurrency clipper as the final payload. The clipper watches the clipboard for wallet addresses and silently replaces any copied address with one controlled by the attacker, so a user who copies a recipient's address and pastes it into a transaction sends the funds to the attacker instead.

Both the Weedhack (Minecraft) malware campaign and CountLoader target cryptocurrency users, but use different methods of attack.
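A clipper leaves a distinctive trace: the clipboard changes from one valid wallet address to a different valid address of the same type within a fraction of a second, with no user action in between, and the replacement address is the same one every time. The example below, added here as an illustration and not part of the original article or of any CountLoader analysis, implements that heuristic over a constructed sequence of clipboard snapshots. The addresses are invented for the example (the one Bech32 value in the test is the BIP-173 reference vector), and the timestamps are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Address formats a clipper typically watches for. The character classes follow the
# Base58 alphabet (no 0, O, I, l) and the Bech32 alphabet (no b, i, o, 1).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family of a clipboard value, or None if it is not an address."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return family
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], max_gap: float = 2.0) -> List[Dict]:
    """Flag clipboard changes that look like a clipper at work.

    A clipper rewrites the clipboard immediately after the user copies an address, so
    the signature is: address -> different address of the same family, within max_gap
    seconds. A human copying a second, different address takes longer than that.
    """
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        fam_prev, fam_now = classify(prev), classify(now)
        if (fam_prev is not None and fam_prev == fam_now
                and prev.strip() != now.strip() and 0 <= t_now - t_prev <= max_gap):
            alerts.append({"time": t_now, "family": fam_now,
                           "copied": prev.strip(), "replaced_with": now.strip()})
    return alerts


def repeated_replacements(alerts: List[Dict]) -> Dict[str, int]:
    """Count how often each replacement address appears. A clipper reuses the attacker's
    wallet, so the same address recurring across swaps is strong corroboration."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["replaced_with"]] = counts.get(alert["replaced_with"], 0) + 1
    return counts


# Constructed wallets (not real addresses) and a constructed clipboard timeline.
VICTIM_BTC = "1UserDestinationAddrxyz123456789AB"
ATTACKER_BTC = "1AttackerSwapAddrxyz123456789ABCDE"
VICTIM_ETH = "0x" + "ab12" * 10
ATTACKER_ETH = "0x" + "dead" * 10

SAMPLE_SNAPSHOTS = [
    (0.00, VICTIM_BTC),              # user copies the recipient's address
    (0.15, ATTACKER_BTC),            # 150 ms later the clipboard holds a different address
    (30.0, "meeting moved to 3pm"),  # ordinary text: ignored
    (45.0, VICTIM_ETH),
    (45.2, ATTACKER_ETH),            # second swap, Ethereum this time
    (90.0, VICTIM_BTC),
    (90.1, ATTACKER_BTC),            # same attacker wallet as before
    (200.0, ATTACKER_BTC),           # unchanged clipboard re-read: not a swap
    (500.0, VICTIM_ETH),             # user copies a new address minutes later: not a swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert['time']:>6}: {alert['family']} {alert['copied']} -> {alert['replaced_with']}")
    print("replacement counts:", repeated_replacements(detect_swaps(SAMPLE_SNAPSHOTS)))
```

The same comparison is the user-side defence: before confirming a transfer, compare the first and last few characters of the pasted address against the one you meant to send to, since a swapped address will differ even when it looks plausible at a glance.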

Pirated Content Miners

Kaspersky also discovered a years-long campaign that has used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake update for a video player plugin.

The bogus update delivers a ZIP archive that uses DLL side-loading to drop a fork of SilentCryptoMiner. The malware then adds Defender exclusions, terminates Microsoft's Malicious Software Removal Tool, disables automatic hibernation and sleep, repeatedly triggers User Account Control prompts, starts a watchdog component, runs a RAT agent, and launches XMRig-based CPU and GPU miners.

The threat actors use a variety of sites, from online libraries to movie and TV streaming platforms, and which channels they will use next to distribute malicious archives cannot be predicted.
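Both Weedhack's Elevator.jar and the miner above add Microsoft Defender exclusions, and Windows records every such change in the Defender operational log as Event ID 5007. The example below, added here and not part of the original article, parses the "New value" line of those messages and flags the exclusions that malware characteristically adds: a user-writable directory, a whole drive, an interpreter or runtime process such as javaw.exe, or an executable file extension. The sample messages are constructed in the shape Windows writes them; the user name, paths and values are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample messages in the shape of Windows Defender operational-log
# Event ID 5007 ("configuration has changed"). User name, paths and values are
# invented for this example, not copied from a real Weedhack or miner infection.
SAMPLE_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
    "event you should review the settings as this may be the result of malware.\r\n"
    "\tOld value: \r\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Users\\alex\\AppData\\Roaming\\.minecraft = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\r\n"
    "\tOld value: \r\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\javaw.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\r\n"
    "\tOld value: \r\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\r\n"
    "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x78\r\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x5a",
]

# Only additions carry a "New value" under the Exclusions key; removals leave it empty.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+?)\s*=\s*0x[0-9a-fA-F]+",
    re.IGNORECASE,
)

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
RUNTIMES_AND_LOLBINS = ("java.exe", "javaw.exe", "powershell.exe", "cmd.exe",
                        "wscript.exe", "mshta.exe", "rundll32.exe")
RISKY_EXTENSIONS = ("jar", "exe", "dll", "ps1", "bat", "vbs", "js")


@dataclass
class Finding:
    kind: str       # paths / processes / extensions
    target: str     # what was excluded
    severity: str   # "high" or "review"
    reason: str


def analyse_event(message: str) -> Optional[Finding]:
    """Classify one 5007 message; None means it did not add an exclusion."""
    m = EXCLUSION_RE.search(message)
    if not m:
        return None
    kind = m.group("kind").lower()
    target = m.group("target").strip()
    low = target.lower()
    if kind == "paths":
        if re.fullmatch(r"[a-z]:\\?", low):
            return Finding(kind, target, "high", "entire drive excluded from scanning")
        if any(marker in low + "\\" for marker in USER_WRITABLE):
            return Finding(kind, target, "high", "user-writable directory excluded")
    elif kind == "processes":
        if low.split("\\")[-1] in RUNTIMES_AND_LOLBINS:
            return Finding(kind, target, "high", "interpreter or runtime process excluded")
    elif kind == "extensions":
        if low.lstrip(".") in RISKY_EXTENSIONS:
            return Finding(kind, target, "high", "executable file type excluded")
    return Finding(kind, target, "review", "exclusion added; confirm it was an intended admin change")


def triage(messages: List[str]) -> List[Finding]:
    """Run analyse_event over a batch of messages and keep only exclusion additions."""
    return [f for f in (analyse_event(m) for m in messages) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.kind}: {finding.target} ({finding.reason})")
```

The 5007 event does not record which process made the change, so pair a hit with process-creation telemetry from the same moment (for Weedhack, a child of the game's javaw.exe). On a suspect host, `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension` in an elevated PowerShell lists the exclusions currently in force.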

How to Protect Yourself

The Minecraft malware Weedhack campaign and related threats require vigilance.

1. Only download Minecraft mods from official sources. Weedhack relies on YouTube and SEO poisoning to lure users; established mod repositories such as CurseForge and Modrinth are safer.

2. Be suspicious of YouTube videos promoting Minecraft mods. Check the channel's history and look for signs of legitimacy: the Weedhack channels may have few subscribers or unusual upload patterns.

3. Use an ad blocker and security software. SEO poisoning leads to malicious sites, and security software can block known malicious URLs.

4. Watch your device for unusual behaviour. The premium tier of Weedhack can access your webcam and log your keystrokes; if the webcam indicator turns on unexpectedly or the system becomes sluggish, the device may be compromised.

5. Educate young gamers. The Weedhack target demographic is mostly teens and young adults, who may not have the skills to identify malware.
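A downloaded "mod" can also be checked before it is ever dropped into the mods folder. The example below is added here as an illustration and is not part of the original article or of McAfee's tooling. It records the file's SHA-256 for comparison against a hash obtained from a trusted channel, confirms the JAR carries the metadata a mod loader expects (fabric.mod.json, META-INF/mods.toml and similar), and scans the entries for strings one would expect in a file that does what the article describes. The specific command and API names in SUSPICIOUS_STRINGS are this example's assumptions, not published Weedhack indicators, and obfuscated or encrypted strings will slip past them. Both JARs below are constructed in memory for the demonstration.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List

# Metadata files real Minecraft mods carry for their loader (Fabric, Quilt, Forge,
# NeoForge, legacy Forge). A "mod" with none of these is not a mod the loader would load.
MOD_METADATA = ("fabric.mod.json", "quilt.mod.json", "META-INF/mods.toml",
                "META-INF/neoforge.mods.toml", "mcmod.info")

# Assumed indicators (this example's choice, not published Weedhack strings): blockchain
# lookups, Defender tampering, shell spawning. Class-file constants are stored as plain
# modified UTF-8, so unobfuscated string literals are searchable in the raw bytes.
SUSPICIOUS_STRINGS = (b"eth_call", b"Add-MpPreference", b"Set-MpPreference",
                      b"Windows Defender\\Exclusions", b"powershell", b"cmd.exe /c")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_sha256: str) -> bool:
    """Compare a download against a hash obtained out of band (e.g. the project page)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def triage_jar(data: bytes) -> Dict:
    """Inspect a JAR without running it: hash, loader metadata, manifest, string hits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        metadata = [n for n in names if n in MOD_METADATA]
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.lower().startswith("main-class:"):
                    main_class = line.split(":", 1)[1].strip()
        string_hits: Dict[str, List[str]] = {}
        for name in names:
            blob = zf.read(name)
            hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in blob]
            if hits:
                string_hits[name] = hits
    reasons = []
    if not metadata:
        reasons.append("no mod-loader metadata (fabric.mod.json / mods.toml)")
    if string_hits:
        unique = sorted({h for hs in string_hits.values() for h in hs})
        reasons.append("suspicious strings: " + ", ".join(unique))
    return {
        "sha256": sha256_hex(data),
        "mod_metadata": metadata,
        "main_class": main_class,        # informational: some legitimate mods set one too
        "string_hits": string_hits,
        "verdict": "suspicious" if reasons else "looks like a mod",
        "reasons": reasons,
    }


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a JAR (a zip) in memory; used only to construct the two samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every .class file starts with this

# Constructed: a minimal Fabric-style mod.
GOOD_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "fabric.mod.json": b'{"schemaVersion":1,"id":"examplemod","version":"1.0.0"}',
    "com/example/ExampleMod.class": CLASS_MAGIC + b"\x00\x00\x00\x41ExampleMod onInitialize",
})

# Constructed: a "client" JAR shaped like the article's first stage (no loader metadata,
# runnable on its own, carrying the assumed indicator strings).
BAD_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: loader.Main\r\n",
    "loader/Main.class": CLASS_MAGIC + b"\x00\x00\x00\x41eth_call\x00powershell -Command Add-MpPreference",
})

if __name__ == "__main__":
    for label, jar in (("good", GOOD_JAR), ("bad", BAD_JAR)):
        report = triage_jar(jar)
        print(f"{label}: {report['verdict']} sha256={report['sha256'][:16]}... {report['reasons']}")
```

A clean verdict here is not proof of safety (a trojanized copy of a real mod keeps the real mod's metadata), but a "mod" that no loader would recognise, or one that talks about Defender exclusions, should not be installed regardless of what the video said.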

Summary

Weedhack is a sophisticated Malware-as-a-Service operation that focuses on infecting young gamers. The free tier steals Minecraft accounts, browser credentials and crypto wallets, and the premium tier gives the attacker full remote control of the system, including webcam access and keystroke logging.

The Minecraft malware Weedhack campaign also enables cyberbullying, with teenage attackers recording their victims via webcam and sharing the videos as "trophies."

If you or your children play Minecraft with mods, be careful: only download from trusted sources, and be wary of YouTube videos promising free mods or clients. The Weedhack campaign is active right now, and the next victim could be in your home.

FAQ Section

What is the Weedhack malware campaign for Minecraft?

Weedhack is a Malware-as-a-Service (MaaS) operation that uses SEO poisoning and YouTube to spread malicious JAR files posing as Minecraft mods and clients. The JARs steal credentials and cryptocurrency wallet data, and the paid tier gives the attacker remote access to the infected machine.

How does the Weedhack Infection Chain work?

The chain begins with the malicious JAR (DonutDupe.jar), which resolves its C2 server address from data stored on the Ethereum blockchain (EtherHiding). It then downloads Elevator.jar, which drops SecurityManager.jar, which in turn stages Component.jar, the component that installs the remote access features on the infected computer.

What are the free and premium tiers of Weedhack?

The free tier steals Minecraft session IDs, browser cookies and passwords, and cryptocurrency wallet data; the premium tier ($4.99/month or $24.99 lifetime) adds webcam access, keylogging, a reverse shell, and screen sharing.

How widespread is Weedhack?

McAfee has identified 3,820 distinct malicious JAR files and more than 240 URLs used to distribute the malware. Most infections were observed in the United States, followed by Germany, India and the United Kingdom.

Is the Weedhack campaign being used for cyberbullying?

Yes. McAfee Labs observed teenage and young-adult customers using the remote access features against victims, recording them through their webcams and sharing the recordings on the Telegram channel as "trophies."

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067