A large-scale malware campaign called WeedHack has infected more than 116,000 computers since January by targeting Minecraft players.
According to cybersecurity company McAfee, the malware spreads through fake Minecraft mods, cheats, clients, and other tools. The programs are promoted through YouTube videos and fake websites that appear in search results.
Researchers found that WeedHack infects between 2,000 and 3,000 systems every day. Most victims are located in the United States, Germany, India, and the United Kingdom.
The malware is designed to steal sensitive information, including passwords, browser cookies, cryptocurrency wallet data, and login details for platforms such as Discord, Steam, and Telegram. It can also take screenshots of infected devices.
Researchers found more than 3,820 unique malicious JAR files and over 240 distribution URLs. The threat actor uses SEO poisoning and YouTube-based social engineering to attract victims, including dedicated YouTube channels and videos promoting Minecraft mods and clients that redirect users to malware-hosting websites. The infrastructure has generated approximately 116,464 recorded visits, averaging between 2,000 and 3,000 daily hits.
The campaign leverages the EtherHiding technique, in which data stored on the Ethereum blockchain is read to retrieve the current command-and-control (C&C) domains. The retrieved responses are protected by RSA digital signatures, which the malware validates before acting on them.
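The EtherHiding lookup described above also gives defenders a concrete signal, because a game client has no legitimate reason to read Ethereum smart-contract state. The following added example (written for this page, not McAfee's tooling or anything from the campaign) runs that check over constructed egress-proxy log lines; the log schema, the process names and the RPC-method list are all assumptions.

```python
import json

# Read-only Ethereum JSON-RPC methods an EtherHiding-style loader could use to
# pull the current C&C domain out of contract state, and the JVM / launcher
# process names that host Minecraft mods. Both lists are assumptions.
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
GAME_PROCESSES = {"javaw.exe", "java.exe", "minecraft.exe"}

def eth_read_methods(body: str) -> list:
    """Ethereum read methods in a JSON-RPC 2.0 body (single or batch); [] if none."""
    try:
        req = json.loads(body)
    except (ValueError, TypeError):
        return []
    reqs = req if isinstance(req, list) else [req]
    return sorted({r["method"] for r in reqs
                   if isinstance(r, dict) and r.get("jsonrpc") == "2.0"
                   and r.get("method") in ETH_READ_METHODS})

def find_suspicious(log_lines) -> list:
    """Return (process, dst, methods) for every chain-state read by a game process.
    Each line is a JSON object with process/dst/body (constructed proxy format)."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("process") not in GAME_PROCESSES:
            continue  # browser wallets etc. legitimately query RPC nodes
        methods = eth_read_methods(ev.get("body", ""))
        if methods:
            hits.append((ev["process"], ev["dst"], methods))
    return hits

def _event(process: str, dst: str, payload) -> str:
    """Build one constructed proxy log line carrying a JSON body."""
    return json.dumps({"process": process, "dst": dst, "body": json.dumps(payload)})

# Constructed sample: two hits (one a batch request) and two benign lines.
SAMPLE_LOG = [
    _event("javaw.exe", "rpc.node.example",
           {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": "0x" + "0" * 40, "data": "0x"}, "latest"]}),
    _event("chrome.exe", "rpc.node.example",  # browser wallet: not a game process
           {"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": []}),
    _event("javaw.exe", "session.game.example",  # ordinary login traffic
           {"accessToken": "<redacted>", "selectedProfile": "<uuid>"}),
    _event("java.exe", "rpc.node.example",  # batch mixing a read with a benign call
           [{"jsonrpc": "2.0", "id": 3, "method": "eth_getStorageAt", "params": []},
            {"jsonrpc": "2.0", "id": 4, "method": "eth_blockNumber", "params": []}]),
]
```

Calling `find_suspicious(SAMPLE_LOG)` flags the two game-process lines and ignores the browser wallet and the ordinary login traffic.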
Researchers identified 10 domains hosting secondary-stage payloads and the campaign’s management dashboard, as well as 11 additional domains previously associated with similar MaaS operations attributed to the same threat actor. Investigation also uncovered the operator’s Telegram account and a customer-facing Telegram channel containing more than 850 members.
The malware is offered through free and premium subscription tiers. The free version functions as a comprehensive information stealer, targeting Minecraft session identifiers and four Minecraft launchers, collecting system information, and extracting cookies and passwords from 36 web browsers. It also targets 56 browser-based cryptocurrency wallets, 12 desktop cryptocurrency wallets, and credentials associated with Discord, Steam, and Telegram. Additional capabilities include keyword-based file discovery across 24 predefined search terms and screenshot capture functionality.
Premium subscribers, with plans starting at $5 per month, gain access to advanced remote administration features, including webcam access, keystroke logging, reverse shell execution, screen sharing with keyboard and mouse control, and file management functions supporting both upload and download operations.
McAfee says many of the people using the service appear to be teenagers or young adults who use the remote access features to harass victims.