"One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free," Aayush Tyagi said.
Weedhack: a modular Minecraft-focused MaaS built on clear‑net convenience
McAfee Labs has named a campaign active since January 2026 "Weedhack" — a malware‑as‑a‑service (MaaS) operation that impersonates Minecraft clients and mods to compromise players' systems. McAfee identified 3,820 unique malicious JAR files and more than 240 URLs used to distribute the malware. Central to the offering is an enterprise‑grade dashboard reachable at "weedhack[.]to" that allows customers to view stolen credentials and system information, to remotely monitor compromised hosts, and to build custom payloads that target Minecraft versions 1.21.0 through 1.21.11 or inject into legitimate Minecraft mods.
Chain of infection: DonutDupe.jar through Component.jar, and EtherHiding for C2
McAfee's analysis lays out a multi‑stage Java-based chain. The initial drop is a malicious JAR named "DonutDupe.jar" retrieved from the malicious websites. That file uses a technique called EtherHiding — employing the Ethereum blockchain as a dead‑drop resolver — to obtain a command‑and‑control (C2) domain. The next stage pulls "Elevator.jar," which collects system information, configures Microsoft Defender exclusions, and drops additional payloads. A third payload, "SecurityManager.jar," establishes persistence and stages the final "Component.jar," which delivers remote‑access capabilities.
Distribution and customer support: YouTube, SEO poisoning, Telegram and pricing tiers
Attack traffic is driven by SEO poisoning and YouTube videos. McAfee found two YouTube channels and multiple videos that demonstrate Minecraft mods and clients and redirect viewers to malicious download links. The threat actors also advertise on a Telegram channel with more than 850 members, where they broadcast updates and provide customer support.
The tool is sold in two tiers. The Free tier includes a comprehensive infostealer that targets Minecraft session IDs and four Minecraft launchers; captures screenshots; and harvests files, system information, cookies, and passwords from 36 different web browsers. It also exfiltrates data from 56 browser‑based cryptocurrency wallets and 12 desktop wallet apps, and steals credentials for Discord, Steam, and Telegram. The Premium tier — priced at $4.99 per month or $24.99 for a lifetime license — adds remote access features including webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse control, and file upload/download capabilities.
Collateral and geography: account theft, cyberbullying, and global impact
McAfee reported that the majority of Weedhack infections were seen in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain. The firm also documented the tool's misuse for cyberbullying: customers who appear to be teenagers and young adults weaponize remote‑access features to threaten, harass, and monitor victims, recording webcam footage and sharing videos on the Telegram channel as "trophies."
Parallel campaigns: CountLoader's 86,000 compromises and pirated sites delivering miners
McAfee's disclosure also describes a large CountLoader campaign estimated to have compromised 86,000 unique machines. CountLoader is an obfuscated JavaScript loader commonly distributed via cracked software sites; the campaign's infection begins when an EXE runs a PowerShell command to download CountLoader, which is then executed via "mshta.exe." CountLoader establishes persistence, communicates with C2, attempts lateral spread via USB and removable media (approximately 9,000 infections attributed to USB spread), and fetches additional payloads such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. McAfee successfully sinkholed the malware infrastructure by registering a fake C2 domain.
Separately, Kaspersky described a years‑long campaign using illegal movie and TV streaming sites to deliver a cryptocurrency miner disguised as a fake video‑player update. The bogus update downloads a ZIP that uses DLL side‑loading to drop a fork of SilentCryptoMiner. The archive contained a legitimate HLS Installer.874.exe together with a malicious DLL that injected miner logic. Kaspersky catalogued capabilities including configuring Defender exclusions, terminating Microsoft's Malicious Software Removal Tool, disabling sleep and hibernation, repeatedly prompting User Account Control until elevation succeeds, running a watchdog to ensure uptime, and deploying a RAT agent that can run arbitrary commands, launch EXE files via "explorer.exe," run shellcode, and operate XMRig‑based CPU and GPU miners. Kaspersky noted the activity resembles a campaign NTT Security documented in April 2023 and warned these actors use a variety of sites — online libraries and streaming platforms among them — to distribute the malicious archive.
What this means for parents, gamers, and security teams
- Parents and guardians: the campaign's ability to steal Minecraft session IDs and its documented appeal to teenagers and young adults — plus McAfee's observation of webcam‑recording abuse — means families should watch for unexpected account logouts, unfamiliar videos, or extortion attempts tied to game accounts.
- Gamers and mod users: downloads promoted through YouTube descriptions or third‑party mod pages can be malicious; McAfee's finding of 3,820 malicious JARs and over 240 distribution URLs underscores the scale of counterfeit clients and mod builds.
- Security teams and incident responders: CountLoader's 86,000 compromise estimate and the USB spreading vector (≈9,000 infections) highlight the need to inventory removable media controls and monitor mshta.exe/PowerShell chains; the Weedhack chain demonstrates how infostealers and remote access tools can be packaged and sold via clear‑net dashboards and Telegram support channels.
Across gaming forums, cracked software sites, and pirated streaming platforms, the common thread is commodification: inexpensive, easy‑to‑use malware marketplaces lower barriers to entry and extend criminal reach. With clear‑net dashboards, Telegram support, and tutorials in play, McAfee and Kaspersky's findings show these campaigns are not isolated exploits but commercially organized operations that bridge hobbyist communities and broader cybercrime ecosystems.
https://thehackernews.com/2026/06/weedhack-attacks-minecraft-users.html




