116,464 systems have been infected by a single campaign since January, according to telemetry that tracks malware activity — a rate of roughly 2,000 to 3,000 new infections every day.
Scale and footprint of the WeedHack campaign
McAfee researchers report that the operation, dubbed WeedHack, has infected 116,464 systems worldwide. The bulk of victims are concentrated in the United States, Germany, India, and the United Kingdom. The campaign’s reach is reflected in more than 240 distribution URLs and 3,820 unique malicious JAR files detected in telemetry.
Those numbers underline a broad, sustained campaign rather than a handful of isolated attacks: McAfee’s daily averages place WeedHack among large-scale infostealer operations in terms of sheer infection volume.
How the campaign reaches Minecraft players: YouTube links and SEO poisoning
The primary distribution methods are YouTube and search engine optimization (SEO) poisoning, McAfee says. Attackers publish Minecraft-related videos — sometimes professionally produced and featuring voice-over narration — and place download links in video descriptions and comments. Some of these videos have gathered more than 7,500 views, giving the malicious downloads apparent credibility.
SEO poisoning targets searches for specific Minecraft clients and tools. McAfee lists the keywords being abused: Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense. Many of those projects lack traditional official websites and are distributed via GitHub pages, creating openings that the attackers exploit.
In one highlighted example, a malicious site displays a faux security notice advising visitors to download a mod called “Skytils” only from the “official” site and even links to the project’s legitimate GitHub repository and Discord server — a deliberate attempt to manufacture trust.
WeedHack as a malware-as-a-service platform
Unlike many infostealer operations that sell access behind closed channels, WeedHack is hosted on the clear net and offers a publicly accessible platform, McAfee reports. It provides a user-facing dashboard that presents an overview of victims, infected system profiles, stolen data summaries, and a payload builder specifically for Minecraft versions 1.21.0 through 1.21.10.
The service model includes a free tier and a paid tier. The free tier’s stealer is already capable of harvesting Minecraft session IDs, browser cookies, and saved passwords across 36 browsers; it targets 56 cryptocurrency add-ons and 12 desktop cryptocurrency wallet applications, and it can capture Discord, Steam, and Telegram credentials plus screenshots.
For $5 per month or a one-time $24.99 lifetime purchase, the premium tier adds remote control features: input access (mouse and keyboard), webcam access, a keylogger, a remote shell, and remote file management. McAfee also notes that the project’s Telegram channel has more than 800 members.
Who is using the tools and how victims are affected
McAfee’s reporting suggests that many WeedHack clients are teenagers or young adults. The researchers say those users often employ WeedHack’s remote access tools not only to steal data but to harass victims, leveraging webcam and input-control features in real incidents.
The technical impact on compromised systems ranges from credential theft — including persistent account access via session IDs — to full remote control. Stealing cookies and stored passwords across many browsers and applications can enable account takeover, while remote shell and file-management capabilities provide attackers broad access to infected machines.
Advice for Minecraft players, mod maintainers, and platform custodians
McAfee recommends that Minecraft players trust mods only from official project sources, verify download links, and treat JAR files hosted on dubious or unfamiliar sites with caution. For players looking to extend the game safely, McAfee points to the in-game Minecraft Marketplace as the safest option.
For mod maintainers and projects that currently publish only GitHub pages, the WeedHack campaign is a reminder that absence of a traditional website can be abused by attackers who clone, mimic, or poison search results to funnel users toward malicious files. Visibility into where legitimate downloads are indexed and proactive communication with user communities about verified download sources could blunt this type of abuse.
WeedHack’s combination of large-scale distribution, a web-hosted dashboard, and a low-cost premium tier makes it an unusually accessible infostealer operation. The result, McAfee’s telemetry shows, is that hundreds of thousands of Minecraft users and the systems they use have become a fertile ground for credential theft and remote harassment.




