McAfee Labs has uncovered the Weedhack campaign — a “malware-as-a-service” (MaaS) platform targeting Minecraft players. According to the researchers, attackers use YouTube channels and search result poisoning (SEO poisoning) to distribute malicious Java archives disguised as Minecraft mods and clients. The campaign, believed to have been active since January 2026, primarily affects users in the US, Germany, India, and the UK. Researchers identified 3,820 unique malicious JAR files and more than 240 distribution URLs. The free service tier provides a fully functional info-stealer, while a premium subscription starting at $4.99 per month adds remote access capabilities, including webcam control and keylogging.
Weedhack infection chain: technical overview
According to research by McAfee Labs, the attack begins with downloading a malicious JAR file (DonutDupe.jar) from fake sites promoted via SEO poisoning and videos on two identified YouTube channels. The videos showcase Minecraft mods and clients, and their descriptions contain links to malicious resources.
The initial loader DonutDupe.jar uses the EtherHiding technique — retrieving the command-and-control (C2) server address via the Ethereum blockchain, which acts as a “dead drop resolver.” This makes it harder to block the infrastructure using standard methods, since data stored on the blockchain cannot be deleted or modified.
The infection chain then unfolds in stages:
- Elevator.jar — second stage: collects system information, configures exclusions in Microsoft Defender, and downloads two additional components.
- SecurityManager.jar — establishes persistence in the system and prepares for deployment of the final module.
- Component.jar — final component with remote access functionality.
The central element of the infrastructure is a control panel hosted on the domain weedhack[.]to, available on the public internet. It allows customers to view stolen credentials, track compromised systems, and create custom payloads for Minecraft versions 1.21.0 through 1.21.11. The service is also reportedly capable of injecting malicious code into legitimate Minecraft mods.
Monetization model and scope of capabilities
Weedhack offers a two-tier subscription model. The free tier already includes a substantial toolset:
- Theft of Minecraft session identifiers and data from four launchers
- Capturing screenshots
- Extracting passwords and cookies from 36 web browsers
- Stealing data from 56 browser-based cryptocurrency wallets and 12 desktop wallet applications
- Theft of Discord, Steam, and Telegram credentials
The premium subscription ($4.99 per month or $24.99 for a lifetime license) adds: access to the webcam, keylogging, a reverse shell, screen sharing with keyboard and mouse control, and file upload and download. The operators promote the service via a Telegram channel with more than 850 members, where they also provide technical support to customers.
Threat context: parallel campaigns
Weedhack is not the only large-scale campaign identified by researchers during this period. In parallel, McAfee Labs reported on the CountLoader campaign — a JavaScript loader distributed via websites offering pirated software. According to estimates, CountLoader has compromised around 86,000 unique machines, with approximately 9,000 infections occurring via USB drives. Most infections were recorded in India, Indonesia, and the US. In the latest attacks, the final payload was a cryptocurrency clipper that replaces wallet addresses in the clipboard. McAfee managed to intercept CountLoader’s command infrastructure by registering a decoy C2 domain (sinkholing).
Separately, Kaspersky described a multi-year campaign that uses pirated streaming sites to distribute a fork of SilentCryptoMiner. Infection occurs via a fake video player update: a ZIP archive contains a legitimate executable (HLS Installer.874.exe) and a malicious DLL that the executable loads through DLL side-loading. The malware disables Windows security mechanisms, repeatedly requests privilege escalation via UAC, deploys XMRig miners for both CPU and GPU, and also installs a RAT agent for remote control. This activity is presumably a continuation of the campaign documented by NTT Security in April 2023.
Impact assessment
Weedhack poses a particular threat for several reasons. Hosting on an open website (rather than the dark web), a free tier with a full-featured info-stealer, and the availability of training materials drastically lower the barrier to entry for would-be attackers. The target Minecraft audience — primarily teenagers and young adults — increases the risk: victims are less aware of social engineering techniques, and the theft of gaming accounts provides attackers with additional motivation.
Geographically, the highest risk is to users in the US, Germany, India, the UK, Italy, Vietnam, Canada, and the Nordic countries. The use of EtherHiding to store C2 addresses on the Ethereum blockchain makes the infrastructure resilient to traditional blocking methods — the domain can be blocked, but the data on the blockchain remains accessible.
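Because the C2 address lives on the blockchain, blocking the stealer's domain does not stop the loader from resolving it; a more useful signal is the JSON-RPC read itself, which on a gaming PC should come from no process at all (or only from a wallet the owner knows about). The following PowerShell script is an added example, not code from McAfee Labs or the Weedhack report: it triages constructed web-proxy records for Ethereum JSON-RPC requests from unexpected processes. It assumes the proxy logs the originating process image and the POST body, and that the loader reads its dead-drop contract with standard JSON-RPC methods such as eth_call (the report does not describe the loader's exact protocol); the hostnames, the contract address and the mywallet.exe allowlist entry are placeholders.

```powershell
# Added example (not from the McAfee report): triages web-proxy records for Ethereum
# JSON-RPC requests issued by processes that have no reason to read the chain.
# Assumptions: the proxy logs the originating process image and the POST body, and
# the loader reads the dead-drop contract with standard JSON-RPC methods such as
# eth_call (the report does not describe the loader's exact protocol).

# Constructed sample records (not real telemetry). Fields: time|process image|host|body
# Hostnames use the reserved .invalid TLD and the contract address is a placeholder.
$SampleProxyLog = @(
    '2026-02-01T10:00:01Z|C:\Program Files\Java\bin\javaw.exe|rpc.eth-provider.invalid|{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000000","data":"0x"},"latest"],"id":1}',
    '2026-02-01T10:00:02Z|C:\Program Files\Java\bin\javaw.exe|launcher.example.invalid|GET /session/profile',
    '2026-02-01T10:00:03Z|C:\Users\alice\AppData\Local\Programs\MyWallet\mywallet.exe|rpc.eth-provider.invalid|{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":2}',
    '2026-02-01T10:00:04Z|C:\Windows\System32\svchost.exe|update.example.invalid|GET /catalog'
)

function Find-UnexpectedEthRpc {
    param(
        [Parameter(Mandatory)] [string[]]$Records,
        # Processes the owner knows use Ethereum RPC (e.g. a desktop wallet); everything
        # else that speaks eth_* is flagged. The name is a placeholder for this example.
        [string[]]$ExpectedEthClients = @('mywallet.exe')
    )
    foreach ($record in $Records) {
        # Split into at most four fields so a '|' inside the body does not break parsing.
        $fields = $record -split '\|', 4
        if ($fields.Count -lt 4) { continue }
        $time, $image, $destHost, $body = $fields

        # Only JSON-RPC bodies whose method belongs to the eth_ namespace are of interest.
        if ($body -notmatch '"method"\s*:\s*"(eth_[A-Za-z0-9]+)"') { continue }
        $method = $Matches[1]

        $proc = [IO.Path]::GetFileName($image)
        if ($ExpectedEthClients -contains $proc) { continue }

        # The contract address in an eth_call "to" field is a hunting pivot: every
        # client of the same loader build queries the same dead-drop contract.
        $contract = $null
        if ($body -match '"to"\s*:\s*"(0x[0-9a-fA-F]{40})"') { $contract = $Matches[1] }

        [pscustomobject]@{
            Time        = $time
            Process     = $proc
            Image       = $image
            Destination = $destHost
            Method      = $method
            Contract    = $contract
        }
    }
}

# Usage: run the triage over the constructed records and show the flagged requests.
$alerts = @(Find-UnexpectedEthRpc -Records $SampleProxyLog)
$alerts | Format-Table Time, Process, Destination, Method, Contract -AutoSize
Write-Host ("Unexpected Ethereum RPC requests: {0}" -f $alerts.Count)
```

The allowlist is keyed on the process name rather than the destination host because the loader can use any public RPC provider, while the set of programs on a given machine that legitimately read Ethereum state is small and known to its owner. The extracted contract address is worth recording: unlike the domain, it cannot be rotated without shipping a new loader, so it is a stable indicator to search for across other hosts.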
Practical recommendations
- Download mods only from official sources: use reputable platforms (CurseForge, Modrinth) with author verification. Treat any JAR files downloaded via links in YouTube descriptions as suspicious.
- Monitor Microsoft Defender exclusions: check current exclusions with the PowerShell command Get-MpPreference | Select-Object -ExpandProperty ExclusionPath. Unauthorized entries are an indicator of compromise.
- Block known IOCs: add the domain weedhack[.]to to DNS and proxy blocklists. Monitor network activity associated with calls to Ethereum contracts from non-gaming processes.
- Control JAR execution: configure AppLocker or WDAC policies to restrict execution of Java archives from user directories (Downloads, Temp, AppData).
- Check USB devices: in the context of the CountLoader threat, ensure that AutoRun/AutoPlay policies for removable media are disabled.
- Awareness training: for organizations with a young audience (schools, libraries), provide education about the risks of downloading mods from untrusted sources.
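The Defender-exclusion and AutoRun checks from the list above, combined into one PowerShell audit script. This is an added example, not code from McAfee Labs or the Weedhack report. It goes slightly beyond the single Get-MpPreference command quoted above by also listing extension and process exclusions, since an exclusion for .jar files or for the JVM process would blind Defender to the stages described just as effectively as a path exclusion. The heuristics it uses to flag an exclusion (user-writable folders, a .jar extension, java.exe or javaw.exe) and the registry values it reads for the AutoRun policy are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example (not code from McAfee Labs or the Weedhack report): audits the
# Defender exclusion lists and the removable-media AutoRun policy on a Windows host.
# The "suspicious" heuristics (exclusions under user-writable folders, a .jar
# extension exclusion, a java*.exe process exclusion) are assumptions chosen for
# this example, not indicators published by the researchers. Run as administrator.

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param(
        # Folders an administrator rarely has a reason to exclude; a loader that runs
        # from Downloads or AppData benefits most from an exclusion placed here.
        [string[]]$SuspiciousRoots = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            $env:TEMP,
            $env:APPDATA,
            $env:LOCALAPPDATA
        )
    )

    $pref = Get-MpPreference

    # Path exclusions: flag anything that resolves into a user-writable root.
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $hit = $SuspiciousRoots | Where-Object { $_ -and $expanded.StartsWith($_, 'OrdinalIgnoreCase') }
        $reason = ''
        if ($hit) { $reason = 'exclusion under a user-writable directory' }
        [pscustomobject]@{ Kind = 'Path'; Value = $path; Suspicious = [bool]$hit; Reason = $reason }
    }

    # Extension exclusions: a "jar" entry removes Java archives from scanning entirely.
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        $isJar  = $ext -match '^\.?jar$'
        $reason = ''
        if ($isJar) { $reason = 'Java archives excluded from scanning' }
        [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Suspicious = $isJar; Reason = $reason }
    }

    # Process exclusions: files opened by an excluded process are not scanned, so
    # excluding the JVM covers every JAR it loads.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        $leaf   = [IO.Path]::GetFileName($proc)
        $isJvm  = $leaf -match '^javaw?\.exe$'
        $reason = ''
        if ($isJvm) { $reason = 'files opened by the JVM are not scanned' }
        [pscustomobject]@{ Kind = 'Process'; Value = $proc; Suspicious = $isJvm; Reason = $reason }
    }
}

function Test-AutoRunPolicy {
    # Values written by the "Turn off AutoPlay" policy (NoDriveTypeAutoRun = 0xFF,
    # all drive types) and "Default behavior for AutoRun" (NoAutorun = 1, do not execute).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $drive = $props.NoDriveTypeAutoRun
    $auto  = $props.NoAutorun
    [pscustomobject]@{
        NoDriveTypeAutoRun = $drive
        NoAutorun          = $auto
        AutoPlayDisabled   = ($drive -eq 0xFF)
        AutoRunDisabled    = ($auto -eq 1)
    }
}

# Usage: list every exclusion, count the flagged ones, then show the AutoRun state.
$report  = @(Get-DefenderExclusionReport)
$report | Format-Table Kind, Suspicious, Value, Reason -AutoSize
$flagged = @($report | Where-Object Suspicious)
Write-Host ("Suspicious Defender exclusions: {0}" -f $flagged.Count)
Test-AutoRunPolicy | Format-List
```

Treat the full exclusion list, not just the flagged rows, as the audit artifact: comparing it against a known-good baseline catches exclusions the heuristics miss. Both AutoRun values being absent from the policy key means the default Windows behaviour applies, so an empty result is a finding, not a pass.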
The three campaigns described — Weedhack, CountLoader, and the distribution of SilentCryptoMiner via pirated sites — share a common vector: exploiting users’ trust in free content. The top-priority actions for administrators are auditing Defender exclusions and JAR execution policies on workstations, especially in environments with young users. For home users, the key protections are to download Minecraft mods exclusively from official platforms and to completely avoid following links from YouTube video descriptions.