‘Weedhack’ has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.
We’ve discovered over 3820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware.
This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs. We also found two YouTube channels and multiple videos that demonstrate Minecraft mods and clients and redirect viewers to these URLs.
The campaign has accumulated a total of 116,464 hits, averaging approximately 2,000 to 3,000 hits per day.
The campaign provides an enterprise-grade dashboard that allows customers to view stolen credentials and system information, download the payload, configure notifications, access tutorials, and remotely monitor their victims.
This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain. The responses are RSA-signed and verified before execution, helping protect the network from campaign takeover attempts.
We’ve uncovered 10 domains that host the next stage payloads and host the malware dashboard for the Weedhack campaign.
We’ve identified 11 domains that hosted similar MaaS campaigns in the past, orchestrated by the same threat actor.
We’ve unearthed the threat actor’s Telegram account and uncovered a Telegram channel for customers, with over 850 members, as of writing this blog.
This campaign offers two service tiers: free and premium.
The free tier includes a comprehensive infostealer capable of targeting Minecraft session IDs and four Minecraft launchers, collecting system information, and stealing cookies and passwords from 36 different browsers. It also targets 56 browser-based crypto wallets and 12 desktop crypto wallets, along with Discord, Steam, and Telegram credentials. It can search for files using 24 different keywords and includes screenshot capture capabilities.
For premium users, with subscriptions starting at $5 per month, it offers additional remote-access capabilities such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file management features for uploading and downloading files.
While monitoring the Telegram channel, we found that WeedHack malware is a major catalyst for cyberbullying. Many of its customers appear to be teenagers and young adults who use the remote-access capabilities to threaten, harass and monitor their victims, who are around the same age.
This is a serious campaign, but the report still needs to be treated as one vendor’s research until more independent analysis appears.
What stands out
The delivery method is very plausible: distributing fake Minecraft mods/clients through SEO poisoning, download sites, and YouTube links is a well-known pattern.
Using JAR files is also consistent with Minecraft-focused malware because many mods and clients are Java-based.
The combination of credential theft, wallet theft, Discord/Steam/Telegram targeting, and optional remote-access features fits the current “malware-as-a-service” model.
The EtherHiding detail is notable, but it should be independently verified before treating every technical claim as established fact.
Why this matters for Minecraft users
Minecraft players often install:
third-party launchers
mods from unofficial mirrors
“client” packs promoted in videos
performance tools or cracked packs from random links
That makes this type of campaign especially effective. Even experienced users can get caught if the download page looks legitimate.
Practical takeaways
Do not download mods or clients from links in YouTube descriptions unless they point to a well-known official project page.
Prefer established sources such as official project sites or recognized mod repositories.
If a mod/client is only available through a shortlink, ad page, Discord attachment, or anonymous file host, that is a strong warning sign.
Before running a JAR, scan it with reputable security software and, if appropriate, submit the hash or file to VirusTotal for additional visibility.
If a system already ran a suspicious Minecraft mod/client, assume saved browser credentials, Discord tokens, game sessions, and wallet data may be exposed.
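Alongside the antivirus scan and VirusTotal lookup, a quick offline look at what a JAR declares about itself helps the pre-run check. This is an added example, not code from the report or from any project it names; the sample JAR it builds is constructed and `com.example.Client` is a placeholder.

```python
# Added example (not tooling from the report): offline triage of a mod/client JAR before
# running it: SHA-256 to look up/submit on VirusTotal plus what the JAR declares about itself.
import hashlib
import os
import tempfile
import zipfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Main section of MANIFEST.MF: 'Key: value' lines; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def triage_jar(path: str) -> dict:
    """Hash plus the declared entry point and any bundled JARs or native binaries."""
    report = {"sha256": sha256_file(path), "main_class": None, "entries": 0,
              "nested_jars": [], "natives": []}
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        report["entries"] = len(names)
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            report["main_class"] = manifest.get("Main-Class")
        report["nested_jars"] = [n for n in names if n.lower().endswith(".jar")]
        report["natives"] = [n for n in names if n.lower().endswith((".dll", ".so", ".dylib", ".exe"))]
    return report

def demo() -> dict:
    """Constructed sample JAR (not a real campaign file): declares a Main-Class and bundles a nested JAR."""
    path = os.path.join(tempfile.mkdtemp(), "sample.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: com.example.Client\n\n")
        z.writestr("com/example/Client.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        z.writestr("lib/helper.jar", b"PK")
    return triage_jar(path)
```

The `sha256` value is what to paste into VirusTotal; a declared entry point, bundled JARs or native binaries in a file that was supposed to be a plain mod are worth explaining before the file is run.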
If someone may already be infected
Low-risk first steps:
Disconnect the affected device from the internet.
Run a full scan with a reputable antivirus product.
Change important passwords from a different, clean device.
Revoke active sessions where possible for email, Discord, Steam, Telegram, and any game or launcher accounts.
If crypto wallets were present on the machine, treat them as potentially compromised.
More serious follow-up:
Review startup entries, scheduled tasks, and recently added programs or Java processes.
Check browser extensions and saved passwords.
Consider a clean reinstall if remote-access behavior is suspected, especially if webcam, keylogging, or shell access may have been enabled.
One caution
The exact figures in the article — number of JARs, domains, victims, Telegram members, and so on — should not be repeated as unquestioned fact unless they are corroborated. Those numbers may be accurate, but at this stage they are still claims from the vendor report.
Bottom line
The overall threat described here is credible and matches how Minecraft-themed malware campaigns commonly operate. The safest message for users is simple: only use trusted sources, treat random Minecraft JAR downloads as high risk, and if one was executed, respond as a possible credential-stealer or remote-access compromise.