Weedhack Malware Targets Minecraft Players, Infecting Over 116,000 Devices
Weedhack is the name of a large campaign active since January 2026 that targets Minecraft players. In 6 months, more than 116,000 machines have been infected by malware offered as Malware-as-a-Service. Here's what we know about this threat.
Mass distribution via YouTube and SEO poisoning
According to a report published by McAfee security researchers, the Weedhack campaign relies on two main vectors to trap players:
- YouTube videos: they showcase tools related to Minecraft, and download links are then slipped into the description or comments. Some of these videos have several thousand views.
- SEO poisoning: sponsored results target keywords specific to the Minecraft ecosystem, including certain tools and mods (Meteor Client, Radium Client, Phobos, Aristois, and Gamesense).
These are two classic techniques for targeting gamers, and they still work in 2026.
McAfee researchers explain that everything is designed to reassure the user, including making them believe they are on a secure website. "This website displays a security warning (outlined in red) stating that users should only download 'Skytils' from their site, claiming it is the official site and that no other website is affiliated with the project," they wrote.

This campaign revolves around two YouTube channels, and about 240 distinct URLs are being used to distribute the malware. The number of malicious JAR files is even higher, with 3,820 files identified. Together, this amounts to a substantial global infrastructure.

Weedhack: the malware being distributed
What sets Weedhack apart is that it is offered as a Malware-as-a-Service hosted on the Web, not on the Dark Web. Anyone can get free access, which is unusual for a threat like this. The free version provides access to an infostealer, i.e. malware capable of stealing sensitive information from victims' machines.
In practical terms, when a machine is infected, the infostealer targets:
- Minecraft session credentials
- Cookies and saved passwords from 36 different browsers
- Data from 56 extensions and 12 desktop crypto wallet applications
- Discord, Steam, and Telegram credentials
- The victim's screen, via screenshots
Cybercriminals who need more features can pay for a subscription. This gives them remote access capabilities (RAT) and access to connected peripherals.
The Weedhack campaign is active: the Telegram group has more than 800 members. On the victim side, McAfee telemetry shows that 116,464 systems have already been hit, with an average of 2,000 to 3,000 new infections per day.


