A malware-as-a-service operation called WeedHack has infected over 116,000 Minecraft systems through fake mods and clients. For just $5 a month, attackers gain live webcam access to victims.
A large-scale malware campaign called WeedHack has infected more than 116,464 systems since January 2026 by disguising itself as free Minecraft mods and game clients. Discovered by McAfee Labs, the operation averages 2,000 to 3,000 new infections every day and gives attackers the ability to access victims’ webcams, steal passwords, hijack accounts, and remotely control their computers.
What Is WeedHack and Why Is It Different?
WeedHack operates as a Malware-as-a-Service (MaaS) platform, meaning it functions like a criminal subscription business. While most attack toolkits cost hundreds of dollars per month on underground markets, WeedHack offers a free tier to anyone with a Discord account. A premium upgrade starts at just $5 per month (or $24.99 for lifetime access) and unlocks live webcam surveillance, keylogging, and full remote control of infected systems.
The operation runs a polished, professional dashboard hosted on the clear web rather than the dark web. This dashboard lets customers track their victims, download stolen data, build custom payloads targeting Minecraft versions 1.21.0 through 1.21.11, and even inject malware into legitimate Minecraft mods. McAfee has catalogued over 3,820 unique malicious JAR files and more than 240 distribution URLs tied to the campaign.
How Does WeedHack Spread?
The campaign uses two primary distribution methods, both designed to exploit how Minecraft players search for mods online.
Fake YouTube videos: Attackers create convincing video reviews and demonstrations of Minecraft clients and mods. Some feature professional voice-over narration. Download links to malicious files are placed in video descriptions and pinned comments. McAfee identified one video that reached over 7,500 views before being flagged. In comment sections, planted accounts reassure viewers that flagged files are “safe.”
SEO poisoning: WeedHack operators deliberately target open-source Minecraft clients that lack official websites, such as Meteor Client, Wurst Client, LiquidBounce, Radium Client, Impact Client, and several others. They build convincing fake websites optimized to appear at the top of search results for these mod names. Some sites display fake security notices, link to the project’s legitimate GitHub and Discord pages, and warn visitors to “only download from us” while actively distributing malware.
What Happens After Infection?
The malware operates through a four-stage infection chain that executes silently once a victim runs the downloaded JAR file:
- Initial contact: The file launches without showing a console window and uses a technique called EtherHiding. It queries the Ethereum blockchain to locate its command-and-control server address, making the infrastructure extremely difficult to take down. RSA signature verification prevents third parties from tampering with the instructions.
- System compromise: The malware disables Windows Defender protections by adding dozens of exclusion paths, collects detailed hardware and system information, takes a screenshot, and steals Discord tokens along with browser passwords and cookies.
- Persistence: WeedHack installs itself to restart automatically on every login. It creates hidden scheduled tasks that run with elevated system privileges.
- Full remote access (premium tier): An additional component connects the attacker to the victim’s machine in real time. This includes live webcam streaming at 25 FPS, 720p screen sharing with keyboard and mouse control, keylogging, reverse shell access, and the ability to upload or download any files.
What Data Does WeedHack Steal?
Even the free tier of WeedHack is a comprehensive infostealer:
- Minecraft session IDs (enabling instant account hijacking)
- Saved passwords and cookies from 36 different browsers
- Credentials from Discord, Steam, and Telegram
- Data from 56 browser-based cryptocurrency wallets and 12 desktop wallets
- Files matching 24 predefined keyword searches
- Screenshots and full system information (IP address, hardware specs, computer name)
The premium tier adds live webcam access, screen sharing with input control, a keylogger recording every keystroke, a full remote shell, and complete file management. A separate component specifically targets Telegram credentials and cryptocurrency wallets, exfiltrating that data to a different server every five minutes.
Who Is Behind It and Who Is Using It?
While McAfee attributes the core malware code to a single threat actor (with the platform apparently being a rebrand of earlier malware called “Majanito”), what makes WeedHack especially alarming is its user base. The campaign’s now-removed Telegram channel had over 850 members, and McAfee’s researchers found that many customers appeared to be teenagers and young adults.
Rather than using WeedHack primarily for financial theft, a significant portion of users weaponised the remote access tools for cyberbullying and harassment. Researchers observed attackers recording victims through their webcams without consent and sharing the footage as “trophies” in the Telegram group. Others used stolen IP addresses and system access to threaten and intimidate their targets. The United States accounts for the largest share of infections, followed by Germany, India, the United Kingdom, Italy, and several other European countries.
How to Protect Yourself from Minecraft Mod Malware
Minecraft’s modding ecosystem is enormous and largely unregulated, particularly for the Java Edition. Here is what you should do to stay safe:
- Download only from trusted sources: CurseForge, Modrinth, or the mod developer’s verified GitHub page are the safest options. Avoid download links found in YouTube descriptions, comment sections, or unknown websites.
- Never disable your antivirus: Legitimate Minecraft mods do not require you to turn off security software. Any site or video telling you to do so is a red flag.
- Be sceptical of new YouTube videos: Recently uploaded videos from lesser-known channels promoting Minecraft tools, especially those with download links in descriptions, should be treated with extreme caution.
- Verify the source independently: If a website claims to be the “official” source for a mod, cross-check it against the project’s actual GitHub repository or community channels before downloading anything.
- Enable two-factor authentication: Activate 2FA on your Minecraft/Microsoft account, Discord, Steam, and any other services linked to your gaming identity.
- Use strong, unique passwords: Never reuse passwords across platforms. A password manager can help manage this.
What to Do If You Think You Are Infected
If you suspect WeedHack has compromised your system, act immediately. Run a full scan with reputable antivirus software. Consider using the dedicated WeedHack Remover tool published on GitHub by security researcher 0xresetti. After cleaning your system, change every password stored in your browser: Discord, Steam, Telegram, Minecraft, email, and any cryptocurrency wallets. Revoke your Discord token by changing your Discord password. Check crypto wallets for unauthorised transactions. Enable 2FA on all accounts where it is available.
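The infection chain described earlier leaves three kinds of artifact behind: Defender exclusion paths, hidden scheduled tasks with elevated privileges, and logon persistence. The read-only PowerShell below lists them for manual review; it is an added example, not part of McAfee's report or of the WeedHack Remover tool. It assumes an elevated prompt on Windows with the Defender and ScheduledTasks modules available; the function names are illustrative, and the Run registry keys are an assumed location because the article does not name the keys used.

```powershell
# Added triage example (read-only); run from an elevated PowerShell prompt.
# It lists generic artifacts for manual review; none is a WeedHack-specific indicator.

function Get-DefenderExclusions {
    # Exclusions added by malware appear alongside any you created yourself.
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { [pscustomobject]@{ Kind = $kind; Value = $value } }
        }
    }
}

function Get-HiddenElevatedTask {
    # Hidden tasks that run as SYSTEM or with the highest run level.
    Get-ScheduledTask | Where-Object {
        $_.Settings.Hidden -and
        ($_.Principal.RunLevel -eq 'Highest' -or $_.Principal.UserId -match 'SYSTEM$|^S-1-5-18$')
    } | ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            RunAs   = $_.Principal.UserId
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Get-LogonRunEntry {
    # Assumption: the standard Run keys; the article does not name the keys used.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $item.PSObject.Properties | Where-Object { $_.Name -notin $skip } | ForEach-Object {
            [pscustomobject]@{
                Key      = $key
                Name     = $_.Name
                Command  = $_.Value
                # Heuristic only: the dropper is a JAR, so Java launchers are reviewed first.
                JavaLike = [bool]("$($_.Value)" -match '\bjavaw?(\.exe)?\b|\.jar\b')
            }
        }
    }
}

Get-DefenderExclusions | Format-Table -AutoSize -Wrap
Get-HiddenElevatedTask | Format-Table -AutoSize -Wrap
Get-LogonRunEntry      | Format-Table -AutoSize -Wrap
```

Entries you do not recognise are leads to investigate, not proof of infection, and an empty result does not rule one out.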
If you are a young person and someone contacts you claiming to have hacked your computer, accessed your webcam, or obtained your IP address, do not follow their instructions or attempt to negotiate. Tell a trusted adult immediately and report the incident to local authorities, as this may constitute criminal conduct.
The Bigger Picture: A Pattern of Minecraft-Targeted Threats
WeedHack is not an isolated incident. In June 2023, the Fractureiser malware compromised developer accounts on CurseForge and Bukkit, injecting malware into popular modpacks that had accumulated millions of downloads. In early 2025, Check Point Research identified a separate campaign using the Stargazers Ghost Network on GitHub to distribute Java-based stealers disguised as Minecraft mods, affecting over 1,500 players.
The recurring pattern is clear: Minecraft’s massive player base and thriving third-party mod ecosystem make it an attractive target for cybercriminals. The Java Edition’s openness, while a strength for creativity and community content, also creates vulnerability. Bedrock Edition’s built-in Minecraft Marketplace, where all content is reviewed, remains a safer alternative for players who want additional content without the risk.
Common Questions Players Are Asking
Does WeedHack only affect Windows?
Yes, the current WeedHack campaign specifically targets Windows systems. Its infection chain disables Windows Defender, uses Windows registry keys for persistence, and deploys Windows-specific executables. Mac and Linux users are not directly targeted by this particular campaign, but caution is always advisable when downloading any mod files.
Are CurseForge and Modrinth safe to use?
Both platforms scan uploads for malware and are generally considered safe by the community. WeedHack does not distribute through these platforms. Instead, it relies on fake standalone websites and YouTube links. However, the 2023 Fractureiser incident showed that even trusted platforms can be compromised through developer account hijacking, so verifying sources remains important.
Can WeedHack steal my cryptocurrency?
Yes. Even the free tier targets 56 browser-based cryptocurrency wallet extensions and 12 desktop wallet applications. A dedicated component also runs separately, exfiltrating crypto wallet credentials and Telegram data to an alternate server every five minutes. If you have been infected, check all wallets for unauthorised transactions immediately.
How can I tell if a Minecraft mod site is fake?
Check whether the download URL matches the project’s official domain or GitHub page. Fake sites often use slightly altered domain names, display fake security warnings, and may claim to be the “only official source.” Cross-reference with the mod’s community on Discord or Reddit before downloading. If a site pushes you to download immediately or asks you to disable your antivirus, leave.
Keeping your gaming accounts secure is a broader discipline. Whether you are managing a Minecraft account, your Steam library, or any other gaming asset, the fundamentals remain the same: strong unique passwords, two-factor authentication, and trusted sources.









