Malware campaign targeting Minecraft users infects over 116,000 systems

A Malware-as-a-Service (MaaS) operation named WeedHack is targeting Minecraft users and allows threat actors to gain remote access to victims’ screens, webcams, and files through a web-based dashboard, McAfee researchers found.

Minecraft, developed by Mojang Studios and released in 2011, is one of the best-selling video games of all time, with more than 350 million copies sold worldwide.

Since January 2026, the campaign has infected more than 116,000 systems and continues to add between 2,000 and 3,000 new infections per day.

“We’ve discovered over 3,820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware,” researchers said.

The United States accounted for the largest share of WeedHack infections, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

YouTube spreading and SEO poisoning

The WeedHack campaign relies on YouTube-driven distribution and SEO poisoning to reach victims.

On YouTube, attackers promote Minecraft mods, clients, and utilities through videos containing download links in descriptions and comments. Some well-made videos feature voice-over narration and have attracted more than 7,500 views.

YouTube video promoting malicious Minecraft Mods (Source: McAfee)

“WeedHack targets Minecraft clients and mods without an official website that are hosted exclusively on file hosting websites like GitHub and specifically select mods with unique names, so it is easier to dominate search engine results,” McAfee explained.

Lowering the barrier to entry

What sets WeedHack apart from other malware campaigns is how accessible it is. The platform is hosted on the clear web and provides access to sophisticated malware for free.

Researchers noted that MaaS offerings such as Lumma Stealer and X-Worm typically cost hundreds of dollars per month or require lifetime subscriptions purchased through underground forums, dark web marketplaces, or Telegram channels. WeedHack offers the malware for free, with premium features starting at $5 per month and lifetime access available for $24.99.

The free tier includes an infostealer that targets Minecraft session IDs and four Minecraft launchers, collects system information, and steals cookies and passwords from 36 browsers.

It also targets 56 browser-based cryptocurrency wallets and 12 desktop cryptocurrency wallets, along with Discord, Steam, and Telegram credentials. The malware can search infected systems using 24 predefined keywords and capture screenshots from compromised devices.

Premium subscriptions unlock remote-access capabilities including webcam access, keystroke logging, reverse shell execution, screen sharing with keyboard and mouse control, and tools for uploading and downloading files.

Tools, tutorials, and infection tracking

At the center of the operation is a web-based dashboard that gives customers access to data collected from compromised systems. Victim profiles contain screenshots, system information, IP addresses, usernames, computer names, and harvested credentials, while a separate section tracks Minecraft session hits used for account hijacking.

The platform includes a payload builder capable of injecting malware into legitimate Minecraft mods targeting versions 1.21.0 through 1.21.11. Users can also view all-time and 24-hour infection statistics through a leaderboard refreshed every 10 minutes.

Documentation available through the portal covers malware distribution, operational security practices, remote-access features, stolen credentials, VPN and proxy services, and troubleshooting.

A suggestions page allows users to submit feature requests and vote on proposed additions, including ransomware functionality, microphone access, and support for additional Minecraft clients.

Beyond account theft and credential harvesting, the platform appears to have fueled cyberbullying. The operation’s Telegram channel attracted more than 850 members, with activity indicating that teenagers and young adults were using WeedHack’s remote-access tools to monitor, threaten, and harass victims.

McAfee advises users to be cautious of recently uploaded YouTube videos promoting Minecraft tools, downloads hosted outside official websites, and requests to disable antivirus software before installation.
