Over 116,000 Minecraft systems infected in WeedHack malware campaign
WeedHack malware campaign infects 116,000+ Minecraft systems via malicious mods and SEO poisoning.
Summary
WeedHack, a malware-as-a-service infostealer operation, has infected over 116,000 systems since January 2026 by distributing malicious Minecraft mods, clients, and cheats through YouTube videos and SEO poisoning. The free platform provides a dashboard for attackers to access stolen credentials, browser cookies, cryptocurrency wallets, and Discord/Steam accounts, with a premium tier offering remote access and keylogging capabilities. Victims are primarily located in the US, Germany, India, and the UK, with daily infection rates between 2,000-3,000 systems.
Full text
By Bill Toulas, June 2, 2026, 05:54 PM

A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January. The malware is distributed through Minecraft-related malicious mods, clients, cheats, and utilities that are promoted over YouTube and through SEO (search engine optimization) poisoning.

WeedHack works as a malware-as-a-service (MaaS) infostealer operation that offers a dashboard for customers to see stolen credentials and information on compromised systems.

Telemetry data from cybersecurity company McAfee shows that WeedHack has impacted 116,464 systems, averaging between 2,000 and 3,000 infections every day. Most victims are in the United States, Germany, India, and the UK. The scale of the operation is reflected in the more than 240 distribution URLs and 3,820 unique malicious JAR files.

WeedHack malware distribution

In a report today, McAfee researchers say that the WeedHack campaign reaches victims mainly through YouTube videos showcasing Minecraft-related tools and SEO poisoning promoting them. On the video platform, the attacker drops download links in descriptions and comments. Some of the videos are well-made, featuring voice-over narration for authenticity, and have accumulated more than 7,500 views.

[Image: YouTube video promoting malicious Minecraft mods. Source: McAfee]

The SEO poisoning distribution method targets keywords that correspond to clients: Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense. McAfee explains that many of those projects do not have official websites, only GitHub pages.

[Image: Malware-distributing site. Source: McAfee]

In one case highlighted in the report, the malicious website displays a security notice warning visitors that they should only download ‘Skytils’ from the official site. It even links to the project’s legitimate GitHub repository and Discord server to create a strong, false sense of legitimacy for the fake website.

[Image: Malicious site warning of fake Minecraft mods. Source: McAfee]

MaaS operation

The WeedHack malware platform is hosted on the clear net and provides access to anyone for free, which is very unusual for infostealer operations. Users are given access to a dashboard that shows an overview of their victims, infected system profiles, stolen data, and a payload builder for Minecraft versions 1.21.0 through 1.21.10.

[Image: WeedHack dashboard. Source: McAfee]

The free tier stealer targets Minecraft session ID theft, cookies, and saved passwords across 36 browsers, 56 cryptocurrency add-ons, 12 desktop cryptocurrency wallet apps, Discord, Steam, and Telegram credentials, and can capture screenshots.

WeedHack also offers a premium tier for $5/month, or a lifetime one-time purchase of $24.99, that adds remote control with input access (mouse and keyboard), webcam access, keylogger, remote shell, and remote file management.

[Image: WeedHack attack overview. Source: McAfee]

The project’s Telegram channel has over 800 members, and McAfee says that many of the clients appear to be teenagers or young adults who use WeedHack’s remote access tools to harass their victims.

Minecraft players should only trust mods from official project sources, verify download links, and treat JAR files hosted on dubious sites with caution. For those looking to extend their playing experience, the in-game Minecraft Marketplace is the safest option.
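The advice to verify download links can be turned into a simple triage pass over web proxy logs. The following is an added example, not code from McAfee or the article: it flags JAR downloads from hosts outside an allowlist and notes when the URL reuses one of the client names the article lists as SEO-poisoning keywords. The log format, hostnames, and allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Client names the article lists as SEO-poisoning keywords, plus Skytils
# (the project impersonated in the case the report highlights).
LURE_NAMES = ["Meteor Client", "Radium Client", "Wurst Client", "Aristois",
              "LiquidBounce", "Impact Client", "Future Client", "Inertia Client",
              "Cornos Client", "WWE Client", "3arthh4ck", "Salhack", "Phobos",
              "Gamesense", "Skytils"]

# ASSUMPTION: GitHub is treated as the trusted host because the article notes
# that many of these projects only have GitHub pages. A host-level allowlist is
# coarse; pin each project's verified organisation/repository in real use.
TRUSTED_HOSTS = {"github.com"}
TRUSTED_SUFFIXES = (".githubusercontent.com",)

def _norm(text):
    """Lowercase and drop separators so 'meteor-client' matches 'Meteor Client'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def triage(log_lines):
    """Return (workstation, host, matched_lure_names) for untrusted JAR downloads."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:          # hypothetical format: timestamp workstation url
            continue
        _ts, workstation, url = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not parsed.path.lower().endswith(".jar"):
            continue                 # only JAR payloads are of interest here
        if host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES):
            continue
        haystack = _norm(host + parsed.path)
        lures = [name for name in LURE_NAMES if _norm(name) in haystack]
        findings.append((workstation, host, lures))
    return findings

# Constructed sample log lines (not real traffic or real distribution URLs).
SAMPLE_LOG = [
    "2026-06-02T10:01:12Z ws-014 https://github.com/example-org/wurst-client/releases/download/v1/Wurst-Client.jar",
    "2026-06-02T10:03:40Z ws-022 https://meteor-client-download.example/files/MeteorClient-1.21.4.jar",
    "2026-06-02T10:04:02Z ws-022 https://cdn.mods.example/pack/shaders.zip",
    "2026-06-02T10:07:55Z ws-031 https://files.example/utils/fps-boost.jar",
    "2026-06-02T10:09:19Z ws-040 https://liquidbounce.example/dl/LiquidBounce.JAR?src=yt",
]

if __name__ == "__main__":
    for ws, host, lures in triage(SAMPLE_LOG):
        label = ", ".join(lures) if lures else "no lure name"
        print(f"{ws}: JAR from untrusted host {host} ({label})")
```

A lure-name match on an untrusted host is the higher-priority finding; an untrusted JAR with no name match still warrants a look at the workstation.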
Indicators of Compromise
- malware — WeedHack
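- lure keyword (client name impersonated via SEO poisoning) — Meteor Client
- lure keyword (client name impersonated via SEO poisoning) — Radium Client
- lure keyword (client name impersonated via SEO poisoning) — Wurst Client
- lure keyword (client name impersonated via SEO poisoning) — LiquidBounce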