116,464 systems have been infected by the WeedHack malware campaign since January, according to telemetry collected by McAfee.
McAfee telemetry: scope, pace, and technical footprint
McAfee researchers report that WeedHack has impacted 116,464 systems, with infections occurring at an average rate of between 2,000 and 3,000 systems per day. The operation’s measurable footprint is large: McAfee counts more than 240 distribution URLs and 3,820 unique malicious JAR files pushing the malware to victims.
The company’s telemetry places most victims in the United States, Germany, India, and the United Kingdom. The scale and diversity of artifacts tracked by McAfee underline an active, high-volume campaign rather than a contained or narrowly targeted intrusion.
Distribution mechanics: YouTube links and SEO poisoning
WeedHack reaches victims primarily through two vectors, McAfee says: YouTube videos and SEO poisoning. On YouTube, videos that appear to demonstrate Minecraft mods, clients, cheats, or utilities include download links in video descriptions and comments. Some of those videos are produced with voice-over narration and have accumulated more than 7,500 views, a signal McAfee cites to explain how attackers establish credibility.
The SEO poisoning approach targets search terms associated with a long list of community clients and cheats. McAfee lists the targeted names explicitly: Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense. McAfee also notes that many of those projects do not have official websites and exist only as GitHub pages, a fact attackers exploit to mimic legitimate distribution pages.
In one highlighted example, a malicious website displayed a security notice telling visitors to download Skytils only from the “official site” and then linked to the project’s legitimate GitHub repository and Discord server. McAfee interprets that design as a deliberate attempt to create a strong, false sense of legitimacy for the fake download site.
WeedHack as a malware‑as‑a‑service (MaaS) operation
Unlike many infostealer operations that hide behind invite-only channels or private forums, WeedHack is hosted on the clear net and provides free access to anyone, McAfee reports. The platform presents a dashboard that gives users an overview of victims, infected system profiles, stolen data, and a payload builder compatible with Minecraft versions 1.21.0 through 1.21.10.
The free tier of the stealer targets Minecraft session ID theft as well as cookies and saved passwords across 36 browsers; 56 cryptocurrency add-ons; 12 desktop cryptocurrency wallet applications; and credentials for Discord, Steam, and Telegram. It can also capture screenshots. For a fee, the platform expands capabilities: a $5/month premium tier or a $24.99 lifetime purchase adds remote control with input access (mouse and keyboard), webcam access, a keylogger, a remote shell, and remote file management.
McAfee further reports that the project’s Telegram channel has over 800 members and that many of the platform’s clients appear to be teenagers or young adults who use the remote access tools to harass victims.
Geography, artifacts, and the targeted software list
McAfee’s dataset links the campaign to thousands of unique JAR files and hundreds of distribution endpoints; the researchers’ reporting underscores a distributed, multi-domain effort to push malicious payloads. The explicit list of targeted clients and cheat projects — named above — shows the attackers are optimizing for the search queries and community tools that Minecraft players commonly seek when they look for third‑party clients and mods.
McAfee notes that the malicious payloads are built specifically for current Minecraft releases (1.21.0–1.21.10), indicating an effort to remain compatible with players’ actual installations and to lower the friction for successful compromise.
What this means for Minecraft players, mod maintainers, and parents
- Minecraft players: McAfee’s central advice is practical and specific — trust mods only from official project sources, verify download links, and treat JAR files hosted on dubious sites with caution. For people looking to extend gameplay, McAfee recommends the in‑game Minecraft Marketplace as the safest option.
- Mod maintainers and GitHub‑hosted projects: McAfee’s findings highlight the reputational and operational risks that follow when projects lack official websites. Attackers exploit that gap by creating pages that link to legitimate GitHub and Discord resources to lure downloads; maintainers should be aware that attackers will mimic or piggyback on community signals to establish trust.
- Parents and guardians: McAfee reports that many WeedHack clients appear to be teenagers or young adults and that attackers’ remote access tools are being used to harass victims. That combination — broad availability, low-cost premium tools, and social misuse — increases the likelihood that younger users may both fall victim and be tempted to misuse the platform.
The WeedHack campaign is notable for three converging facts in McAfee’s reporting: a large, measured infection count (116,464 systems), an open clear‑net MaaS model that offers a free tier alongside low‑cost premium features, and distribution tactics that exploit popular community channels such as YouTube and search results for Minecraft clients. For players and community managers the immediate actions are concrete — verify sources, avoid dubious JARs, and prefer official marketplaces — while the broader question McAfee’s data leaves visible is how freely available, low‑cost infostealer platforms will continue to shape abuse inside gaming communities.
Source: BleepingComputer — Over 116,000 Minecraft systems infected in WeedHack malware campaign




