McAfee Labs has discovered a massive, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players’ computers. Since January 2026, it has logged more than 116,000 victim infections, averaging 2,000 to 3,000 new hits every single day. 

What makes WeedHack different from most malware is how cheap and easy it is to use. 

Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. WeedHack offers a free version to anyone with a Discord account and an internet connection. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. 

This low barrier has attracted a younger crowd of would-be attackers, many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, a pattern we’ve documented and that makes this campaign especially concerning. 

The good news for McAfee users: Web Protection actively blocks the sites distributing WeedHack, and Threat Explainer tells you exactly why a flagged file is dangerous, so you’re never left guessing. 

Key Facts at a Glance 

What	Details
Campaign name	WeedHack
Active since	January 2026
Total victims logged	116,464+
New infections per day	~2,000–3,000
Malicious files discovered	3,820+ unique files
Malicious download URLs	240+
Free tier available?	Yes. Anyone can sign up
Premium price	Starting at $5/month; $24.99 lifetime
Who is being targeted	Minecraft players worldwide
Most affected country	United States, followed by Germany, India, the UK, Italy, and others
What attackers can access	Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files.
The financial impact	It can steal Discord tokens, crypto wallet credentials, Minecraft account credentials.   Hackers will hold your information for ransom, requiring a large payment in exchange for your data.

Read our research team’s full report here.

What Is WeedHack? 

WeedHack is a Malware-as-a-Service (MaaS) campaign, meaning it’s a criminal business that sells hacking tools to customers, the same way a legitimate software company sells subscriptions. 

The “product” is malware that gets secretly installed on a victim’s computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 

The campaign operates a polished, professional-looking dashboard hosted openly on the internet (not the dark web). That dashboard lets customers track their victims, download stolen data, and launch remote access features, all from a browser. 

The Cyberbullying Problem 

One of the most disturbing findings from our investigation is how WeedHack is being used. 

While monitoring the campaign’s Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion are using the remote access tools not for financial gain, but to harass and intimidate other players.  

We observed attackers recording victims through their webcams without consent and sharing those recordings in the Telegram channel as trophies. Others used knowledge of victims’ IP addresses and system access to threaten them. 

It’s important to note that, at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication. 

Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they have hacked your computer, have your webcam footage, or know your IP address, take it seriously. 

What to do if this happens: 

• Do not follow the attacker’s instructions, it makes things worse 
• Tell a trusted adult immediately (parent, guardian, school counselor) 
• Contact your local law enforcement, this may constitute criminal conduct.  
• Do not engage with the attacker or attempt to negotiate 

How Do People Get Infected? 

WeedHack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both. 

1. Fake YouTube Videos

Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.  

The videos are well-produced, some include voiceover narration, and link to malicious download sites in the description and comments. 

One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe. 

2. Fake Mod Websites

WeedHack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning.  

Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to “only download from us,” while actively distributing malware. 

Minecraft clients and mods specifically targeted include: Meteor Client, Radium Client, Wurst Client, LiquidBounce, Impact Client, Future Client, and others. 

What Happens When You’re Infected? 

Infection happens in four stages that happen silently in the background after a victim opens the downloaded file. 

Stage 1 – First Contact: The malicious file launches quietly (without showing a console window), connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that’s difficult to block or take down. 

Stage 2 – Taking Hold: The malware disables Windows Defender protections, gathers detailed information about the victim’s computer (processor, graphics card, RAM, operating system), and takes a screenshot of their screen. It then steals Discord tokens and browser passwords and cookies. For McAfee users, this is where Web Protection would prevent users from visiting the site, and where our Antivirus would prevent any downloaded malware from taking hold. 

Stage 3 – Digging In: The malware installs itself so that it automatically restarts every time the victim logs into their computer. It sets up a hidden scheduled task that runs continuously, even at the highest system privileges. 

Stage 4 – Full Access: For premium customers, an additional component is installed that connects the attacker to the victim’s computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, keylogging (recording every keystroke), a reverse shell (full command-line access to the computer), and the ability to upload or download any files. 

A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. 

What if I’m Infected? 

Visit our guide: How to Quickly Remove Malware in 2026.  

What Can Attackers Steal? 

Free tier steals: 

• Minecraft session IDs (used to hijack Minecraft accounts) 
• Saved passwords and cookies from 36 different browsers 
• Credentials from Discord, Steam, and Telegram 
• Browser-based crypto wallets (56 supported) and desktop crypto wallets (12 supported) 
• Files matching 24 different search keywords 
• Screenshots of the victim’s screen 
• System information (computer name, IP address, hardware specs) 

Premium tier adds: 

• Live webcam access 
• Live screen sharing with keyboard and mouse control 
• Keylogging (every key the victim types) 
• Full remote shell (command-line control of the computer) 
• File management (upload, download, delete files remotely) 

What Parents Need to Know 

Minecraft’s mod ecosystem is enormous and largely unregulated. Kids routinely search YouTube and Google for performance-boosting clients, cosmetic mods, and gameplay cheats, exactly the kinds of things WeedHack exploits.  

Here’s a practical guide for families: 

Red Flag	Safe Practice
The mod isn’t on the developer’s official website	Only download from CurseForge, Modrinth, or the mod’s verified GitHub
A site or video tells you to disable your antivirus to run the file	Never disable antivirus for a game mod. Legitimate mods don’t ask you to
A site you’ve never heard of claims to be the “only official” source	If you can’t verify the site is official, don’t download from it
Download links are in YouTube comment sections	Treat comment section links as a red flag, always
Your antivirus flags a file as malware, but they try to tell you to ignore it, it’s a “false alarm”	Use McAfee’s Threat Explainer to find out why this is malicious. Don’t disable antivirus

One of the best ways parents can protect their families is with McAfee’s award-winning antivirus and Web Protection, which are specifically designed to detect threats like WeedHack and help block malicious downloads before a device can be compromised. 

Are McAfee Users Protected? 

McAfee has been actively tracking WeedHack samples and detects this threat under the following signatures: 

• Trojan:Win/Weedhack.AA through Trojan:Win/Weedhack.AE 

McAfee provides multiple layers of protection against threats like WeedHack. 

• Web Protection helps block access to malicious websites distributing infected Minecraft mods, stopping the threat before a file is ever downloaded.  
• Award-winning antivirus detects and blocks malware if a malicious file does make it onto your device.  
• Threat Explainer shows exactly why a file was flagged, helping users understand what happened and avoid similar scams in the future.  

Together, these protections help proactively block risky downloads, reactively stop malware, and explain what to watch for next. 

McAfee Labs continues to monitor WeedHack and will update coverage as new samples and domains are identified. For the full technical report including indicators of compromise, see the McAfee Labs analysis. 

Key Terms Explained 

Term	What it means
Malware-as-a-Service (MaaS)	A criminal business model where hackers sell or rent attack tools to other people, just like a software subscription
RAT (Remote Access Trojan)	Malware that gives an attacker remote control over a victim’s device — screen, files, camera, and more
Infostealer	Malware designed to silently collect and transmit passwords, cookies, and account credentials
SEO Poisoning	Manipulating search engine results so a malicious website appears near the top when someone searches for a legitimate product
Minecraft Client/Mod	Third-party software that modifies or enhances the Minecraft game experience. Legitimate ones are common; WeedHack fakes them
Minecraft Session ID	A token that proves you’re logged into Minecraft. Stealing it lets an attacker take over your account without your password
Keylogger	Software that secretly records every key a person types — including passwords, messages, and search queries
Reverse Shell	A connection from the victim’s computer back to the attacker that gives the attacker full command-line control
EtherHiding	A technique that hides a malware’s server address inside the Ethereum blockchain, making it very difficult to block
Discord Token	A credential that lets someone access your Discord account. Stealing it gives attackers full access without needing your password

 

The post New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers appeared first on McAfee Blog.

Authored by Aayush Tyagi 

Introduction  

Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Mode in gaming history.

It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from.

Its massive popularity and widespread use of third-party tools have also given rise to a dark side of the Minecraft ecosystem, which is filled with Remote Access Trojans (RATs), credential stealers, keyloggers and other malware threats.   

McAfee Labs has recently uncovered a colossal Minecraft-focused Malware-as-a-Service (MaaS) campaign named ‘Weedhack’, that allows threat actors to remotely access and manipulate the victims’ screen, webcam and file system through a dashboard hosted on the clear net, making it easily accessible to anyone with a Discord account and an internet connection. 

Key Findings 

• ‘Weedhack’ has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.  
• We’ve discovered over 3820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware.  
• This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs. We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs. 
• The campaign has accumulated a total of 116,464 hits, averaging approximately 2000 to 3,000 hits per day. 
• The campaign provides an enterprise-grade dashboard that allows customers to view stolen credentials and system information, download the payload, configure notifications, access tutorials, and remotely monitor their victims.  
• This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain. The responses are RSA-signed and verified before execution, helping protect the network from campaign takeover attempts. 
• We’ve uncovered 10 domains that host the next stage payloads and host the malware dashboard for the Weedhack campaign.  
• We’ve identified 11 domains that hosted similar MaaS campaigns in the past, orchestrated by the same threat actor.  
• We’ve unearthed the threat actor’s Telegram account and uncovered a Telegram channel for customers, with over 850 members, as of writing this blog. 
• This campaign offers two service tiers: free and premium.  
• The free tier includes a comprehensive infostealer capable of targeting Minecraft session IDs and four Minecraft launchers, collecting system information, and stealing cookies and passwords from 36 different browsers. It also targets 56 browser-based crypto wallets and 12 desktop crypto wallets, along with Discord, Steam, and Telegram credentials. It can search for files using 24 different keywords and includes screenshot capture capabilities. 
• For premium users, with subscriptions starting at $5 per month, it offers additional remote-access capabilities such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file management features for uploading and downloading files.  
• While monitoring the Telegram channel, we found that WeedHack malware is a major catalyst for cyberbullying. Many of its customers appear to be teenagers and young adults and are using remote access capabilities to threaten, harass and monitor their victims, which are around the same age.
  

The post Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns appeared first on McAfee Blog.