New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers
McAfee Labs has discovered a massive, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players’ computers. Since January 2026, it has logged more than 116,000 victim infections, averaging 2,000 to 3,000 new hits every single day.
What makes WeedHack different from most malware is how cheap and easy it is to use.
Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. WeedHack offers a free version to anyone with a Discord account and an internet connection. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month.
This low barrier has attracted a younger crowd of would-be attackers, many of whom appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, a pattern we’ve documented and that makes this campaign especially concerning.
The good news for McAfee users: Web Protection actively blocks the sites distributing WeedHack, and Threat Explainer tells you exactly why a flagged file is dangerous, so you’re never left guessing.
Key Facts at a Glance
| What | Details |
| Campaign name | WeedHack |
| Active since | January 2026 |
| Total victims logged | 116,464+ |
| New infections per day | ~2,000–3,000 |
| Malicious files discovered | 3,820+ unique files |
| Malicious download URLs | 240+ |
| Free tier available? | Yes. Anyone can sign up |
| Premium price | Starting at $5/month; $24.99 lifetime |
| Who is being targeted | Minecraft players worldwide |
| Most affected country | United States, followed by Germany, India, the UK, Italy, and others |
| What attackers can access | Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. |
| The financial impact | It can steal Discord tokens, crypto wallet credentials, and Minecraft account credentials. Hackers will hold your information for ransom, requiring a large payment in exchange for your data. |
Read our research team’s full report here.
What Is WeedHack?
WeedHack is a Malware-as-a-Service (MaaS) campaign, meaning it’s a criminal business that sells hacking tools to customers, the same way a legitimate software company sells subscriptions.
The “product” is malware that gets secretly installed on a victim’s computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files.
The campaign operates a polished, professional-looking dashboard hosted openly on the internet (not the dark web). That dashboard lets customers track their victims, download stolen data, and launch remote access features, all from a browser.

The Cyberbullying Problem
One of the most disturbing findings from our investigation is how WeedHack is being used.
While monitoring the campaign’s Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion are using the remote access tools not for financial gain, but to harass and intimidate other players.
We observed attackers recording victims through their webcams without consent and sharing those recordings in the Telegram channel as trophies. Others used knowledge of victims’ IP addresses and system access to threaten them.
It’s important to note that, at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication.
Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they have hacked your computer, have your webcam footage, or know your IP address, take it seriously.
What to do if this happens:
- Do not follow the attacker’s instructions; it makes things worse
- Tell a trusted adult immediately (parent, guardian, school counselor)
- Contact your local law enforcement; this may constitute criminal conduct
- Do not engage with the attacker or attempt to negotiate

How Do People Get Infected?
WeedHack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both.
1. Fake YouTube Videos
Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.
The videos are well-produced, some include voiceover narration, and link to malicious download sites in the description and comments.
One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe.
2. Fake Mod Websites
WeedHack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning.
Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to “only download from us,” while actively distributing malware.
Minecraft clients and mods specifically targeted include: Meteor Client, Radium Client, Wurst Client, LiquidBounce, Impact Client, Future Client, and others.

What Happens When You’re Infected?
Infection proceeds in four stages that run silently in the background after a victim opens the downloaded file.
Stage 1 – First Contact: The malicious file launches quietly (without showing a console window), connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that’s difficult to block or take down.
Stage 2 – Taking Hold: The malware disables Windows Defender protections, gathers detailed information about the victim’s computer (processor, graphics card, RAM, operating system), and takes a screenshot of their screen. It then steals Discord tokens and browser passwords and cookies. For McAfee users, this is where Web Protection would prevent users from visiting the site, and where our Antivirus would prevent any downloaded malware from taking hold.
Stage 3 – Digging In: The malware installs itself so that it automatically restarts every time the victim logs into their computer. It sets up a hidden scheduled task that runs continuously, even at the highest system privileges.
Stage 4 – Full Access: For premium customers, an additional component is installed that connects the attacker to the victim’s computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, keylogging (recording every keystroke), a reverse shell (full command-line access to the computer), and the ability to upload or download any files.
A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes.
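For readers checking a Windows machine, the Stage 3 description (a hidden scheduled task that starts at logon and runs with the highest privileges) can be turned into a triage check over exported Task Scheduler XML. This is an added example, not code from McAfee's report; the function names, sample tasks and file paths are constructed for illustration, and the check is a heuristic for manual review rather than a WeedHack signature.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def stage3_traits(task_xml):
    """Return which Stage 3 persistence traits one task definition shows."""
    root = ET.fromstring(task_xml)
    traits = set()
    if root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true":
        traits.add("hidden")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        traits.add("logon-trigger")
    if root.find("t:Triggers/*/t:Repetition", NS) is not None:
        traits.add("repeating")
    for level in root.findall("t:Principals/t:Principal/t:RunLevel", NS):
        if (level.text or "").strip() == "HighestAvailable":
            traits.add("highest-privileges")
    return traits

def needs_review(task_xml):
    """Flag only the full combination; each trait alone is common in benign tasks."""
    return {"hidden", "logon-trigger", "highest-privileges"} <= stage3_traits(task_xml)

def commands(task_xml):
    """List the programs a task launches, for the analyst to verify."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]

# Constructed sample definitions (task contents and paths are made up).
_HEAD = '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
SUSPECT = _HEAD + """
  <Triggers><LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\\Users\\Public\\example-updater.exe</Command></Exec></Actions>
</Task>"""
BENIGN = _HEAD + """
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Program Files\\Example\\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, needs_review(xml), sorted(stage3_traits(xml)), commands(xml))
```

A flagged task is a prompt to check where its command lives and whether anyone installed it on purpose; legitimate software can also register hidden, elevated logon tasks.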
What if I’m Infected?
Visit our guide: How to Quickly Remove Malware in 2026.
What Can Attackers Steal?
Free tier steals:
- Minecraft session IDs (used to hijack Minecraft accounts)
- Saved passwords and cookies from 36 different browsers
- Credentials from Discord, Steam, and Telegram
- Browser-based crypto wallets (56 supported) and desktop crypto wallets (12 supported)
- Files matching 24 different search keywords
- Screenshots of the victim’s screen
- System information (computer name, IP address, hardware specs)
Premium tier adds:
- Live webcam access
- Live screen sharing with keyboard and mouse control
- Keylogging (every key the victim types)
- Full remote shell (command-line control of the computer)
- File management (upload, download, delete files remotely)
What Parents Need to Know
Minecraft’s mod ecosystem is enormous and largely unregulated. Kids routinely search YouTube and Google for performance-boosting clients, cosmetic mods, and gameplay cheats, exactly the kinds of things WeedHack exploits.
Here’s a practical guide for families:
| Red Flag | Safe Practice |
| The mod isn’t on the developer’s official website | Only download from CurseForge, Modrinth, or the mod’s verified GitHub |
| A site or video tells you to disable your antivirus to run the file | Never disable antivirus for a game mod. Legitimate mods don’t ask you to |
| A site you’ve never heard of claims to be the “only official” source | If you can’t verify the site is official, don’t download from it |
| Download links are in YouTube comment sections | Treat comment section links as a red flag, always |
| Your antivirus flags a file as malware, but you’re told to ignore it as a “false alarm” | Use McAfee’s Threat Explainer to find out why this is malicious. Don’t disable antivirus |
One of the best ways parents can protect their families is with McAfee’s award-winning antivirus and Web Protection, which are specifically designed to detect threats like WeedHack and help block malicious downloads before a device can be compromised.
Are McAfee Users Protected?
McAfee has been actively tracking WeedHack samples and detects this threat under the following signatures:
- Trojan:Win/Weedhack.AA through Trojan:Win/Weedhack.AE
McAfee provides multiple layers of protection against threats like WeedHack.
- Web Protection helps block access to malicious websites distributing infected Minecraft mods, stopping the threat before a file is ever downloaded.
- Award-winning antivirus detects and blocks malware if a malicious file does make it onto your device.
- Threat Explainer shows exactly why a file was flagged, helping users understand what happened and avoid similar scams in the future.
Together, these protections help proactively block risky downloads, reactively stop malware, and explain what to watch for next.
McAfee Labs continues to monitor WeedHack and will update coverage as new samples and domains are identified. For the full technical report including indicators of compromise, see the McAfee Labs analysis.
Key Terms Explained
| Term | What it means |
| Malware-as-a-Service (MaaS) | A criminal business model where hackers sell or rent attack tools to other people, just like a software subscription |
| RAT (Remote Access Trojan) | Malware that gives an attacker remote control over a victim’s device — screen, files, camera, and more |
| Infostealer | Malware designed to silently collect and transmit passwords, cookies, and account credentials |
| SEO Poisoning | Manipulating search engine results so a malicious website appears near the top when someone searches for a legitimate product |
| Minecraft Client/Mod | Third-party software that modifies or enhances the Minecraft game experience. Legitimate ones are common; WeedHack fakes them |
| Minecraft Session ID | A token that proves you’re logged into Minecraft. Stealing it lets an attacker take over your account without your password |
| Keylogger | Software that secretly records every key a person types — including passwords, messages, and search queries |
| Reverse Shell | A connection from the victim’s computer back to the attacker that gives the attacker full command-line control |
| EtherHiding | A technique that hides a malware’s server address inside the Ethereum blockchain, making it very difficult to block |
| Discord Token | A credential that lets someone access your Discord account. Stealing it gives attackers full access without needing your password |
The post New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers appeared first on McAfee Blog.