
Weedhack: Minecraft Players Are the Target of a Malware Campaign That Has Already Infected 116,000 Machines

Weedhack is the name of a large-scale campaign that has been active since January 2026 and is targeting Minecraft players. In 6 months, more than 116,000 machines have been infected by malware offered as Malware-as-a-Service. Here's what we know about this threat.

Mass distribution via YouTube and SEO poisoning

According to a report published by McAfee security researchers, the WeedHack campaign relies on two main vectors to trap players:

  • YouTube videos: they showcase tools related to Minecraft, and download links are then hidden in the description or comments. Some of these videos have several thousand views.
  • SEO poisoning: sponsored results target keywords specific to the Minecraft ecosystem, especially for certain tools and mods (Meteor Client, Radium Client, Phobos, Aristois, and even Gamesense).

Both are classic techniques for targeting gamers, and they still work in 2026.

McAfee researchers explain that everything is done to reassure the user, including making them believe they are on a secure website. "This website displays a security warning (outlined in red) indicating that users should only download 'Skytils' from their site, claiming it is the official site and that no other website is affiliated with the project," the report says.

Source: McAfee

The campaign is built around two YouTube channels, and around 240 distinct URLs are used to distribute the malware. The number of malicious JAR files is even higher, with 3,820 files identified. This amounts to a substantial global infrastructure.

Weedhack: the malware being distributed

What makes Weedhack unusual is that it is offered as a Malware-as-a-Service hosted on the Web, not on the Dark Web. Anyone can get free access, which is uncommon for a threat like this. In fact, the free version provides access to an infostealer, a type of malware capable of stealing sensitive information from victims' machines.

In practical terms, when a machine is infected, the infostealer malware will target:

  • Minecraft session credentials
  • Cookies and saved passwords from 36 different browsers
  • Data from 56 extensions and 12 desktop cryptocurrency wallet applications
  • Discord, Steam, and Telegram credentials
  • The computer screen, captured through screenshots

Cybercriminals who need more functionality can pay for a subscription. The paid tier adds remote access (RAT) capabilities and access to the peripherals connected to the computer.

The Weedhack campaign is active: the Telegram group has more than 800 members. On the victim side, McAfee telemetry shows that 116,464 systems have already been hit, with an average of 2,000 to 3,000 new infections per day.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
