
Weedhack: Minecraft Players Targeted by Malware Campaign With 116,000+ Victims

Weedhack is the name of a large-scale campaign active since January 2026 that targets Minecraft players. In six months, more than 116,000 machines have been infected by malware offered as Malware-as-a-Service. Here’s what we know about this threat.

Mass distribution via YouTube and SEO poisoning

According to a report published by McAfee security researchers, the Weedhack campaign relies on two main vectors to trap players:

  • YouTube videos: they showcase tools related to Minecraft, and download links are then slipped into the description or comments. Some of these videos have several thousand views.
  • SEO poisoning: sponsored results target keywords specific to the Minecraft ecosystem, including certain tools and mods (Meteor Client, Radium Client, Phobos, Aristois, and Gamesense).

These are two classic techniques when targeting players, but they still work in 2026.

McAfee researchers explain that everything is designed to reassure the user, including making them believe they are on a secure website. "This website displays a security warning (outlined in red) stating that users should only download 'Skytils' from their site, claiming it is the official site and that no other website is affiliated with the project," the report notes.

Source: McAfee

This campaign is built around two YouTube channels, and around 240 distinct URLs are used to distribute the malware. The number of malicious JAR files is even higher, with 3,820 files identified. Taken together, this is a substantial global infrastructure.

Weedhack: the malware being distributed

What makes Weedhack unusual is that it is offered as a Malware-as-a-Service hosted on the Web, not on the Dark Web. Anyone can get free access, which is uncommon for a threat like this. In fact, the free version provides access to an infostealer, a type of malware capable of stealing sensitive information from victims' machines.

In practical terms, when a machine is infected, the infostealer malware targets:

  • Minecraft session credentials
  • Cookies and saved passwords from 36 different browsers
  • Data from 56 extensions and 12 desktop cryptocurrency wallet applications
  • Discord, Steam, and Telegram credentials
  • The victim's screen, captured via screenshots

Cybercriminals who need more features can pay for a subscription. This notably adds remote access (RAT) and access to devices connected to the computer.

The Weedhack campaign is active: the Telegram group has more than 800 members. On the victim side, McAfee telemetry shows that 116,464 systems have already been hit, with an average of 2,000 to 3,000 new infections per day.

Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
