WeedHack — A Free Minecraft Malware Service Has Infected 116,000 Systems, and Some Buyers Use It to Spy on Other Players
McAfee Labs says WeedHack, a free-to-start Minecraft malware-as-a-service, has infected over 116,000 systems since January via fake mods pushed on YouTube and through SEO poisoning — and some buyers are using its remote-access tools to spy on and harass other players.
A Minecraft cheat that quietly steals your passwords is bad enough. WeedHack is worse: it is a polished, free-to-start malware service whose own customers — many of them kids — are using it to spy on and torment other kids.
SAN JOSE, Calif. — A Minecraft-focused malware-as-a-service that McAfee Labs has named WeedHack has infected more than 116,000 systems since January 2026 by impersonating Minecraft clients and mods, according to research McAfee published this week and coverage by BleepingComputer and The Hacker News on June 3, 2026.
McAfee's telemetry puts the toll at 116,464 systems, with roughly 2,000 to 3,000 new infections a day, driven through SEO poisoning and YouTube videos that demonstrate Minecraft mods and clients before redirecting viewers to malicious downloads. Researchers identified 3,820 unique malicious JAR files spread across more than 240 distribution URLs, and found the most troubling part of the operation has little to do with money.
What Happened
McAfee Labs disclosed this week that it had identified and named WeedHack, a malware-as-a-service operation aimed squarely at Minecraft players that has been running since January 2026. The malware masquerades as Minecraft clients and mods, and McAfee researcher Aayush Tyagi said the campaign reaches victims chiefly through SEO poisoning and YouTube — the team found two YouTube channels and multiple videos that demonstrate Minecraft mods and clients and then redirect viewers to malicious download URLs. In total McAfee counted 3,820 unique malicious JAR files and more than 240 distribution URLs, and its telemetry recorded 116,464 infected systems, averaging between 2,000 and 3,000 new infections every day, concentrated in the United States, Germany, India, the United Kingdom and Italy.
Technically, WeedHack is a layered Java payload chain. The initial malicious file, DonutDupe.jar, resolves its command-and-control domain using EtherHiding — a technique that stashes the C2 address on the Ethereum blockchain as a tamper-resistant dead-drop resolver. It then fetches Elevator.jar, which collects system information, configures Microsoft Defender exclusions, and drops two more payloads: SecurityManager.jar, which establishes persistence and stages the final component, and Component.jar, which delivers the remote-access features. The whole operation is run from an enterprise-grade dashboard at weedhack[.]to that lets customers view stolen credentials and system information, monitor compromised machines, and even build custom payloads targeting Minecraft versions 1.21.0 through 1.21.11 or inject the malware into legitimate mods. Sales, updates and customer support run through a Telegram channel with more than 850 members.
Free to Start Is the Whole Strategy
What makes WeedHack notable, McAfee argues, is not a single clever capability but its accessibility. The free tier — open to anyone with a Discord account — is already a comprehensive infostealer: it grabs Minecraft session IDs and data from four Minecraft launchers, takes screenshots, and harvests files, system information, cookies and passwords from 36 different browsers, along with data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, and credentials for Discord, Steam and Telegram. A premium upgrade starting at $4.99 a month, or $24.99 for a lifetime license, layers on remote-access capabilities: webcam access, keylogging, reverse-shell execution, screen sharing with keyboard and mouse control, and file upload and download. Hosting sophisticated malware on the clear web, for free, with tutorials, collapses the barrier to entry — and because it steals Minecraft accounts, it draws a young audience of would-be operators. McAfee's assessment is blunt: the low cost and the youth appeal reinforce each other and make the campaign more lethal.
The Most Disturbing Finding Is Not Financial
The detail that sets WeedHack apart from a routine infostealer is what McAfee observed its customers actually doing. Rather than monetizing infections, many buyers — who appear to be teenagers and young adults — are weaponizing the remote-access features to threaten, harass and monitor other players. McAfee Labs documented cases where operators recorded victims through their own webcams and shared the footage in the Telegram channel as 'trophies.' That moves WeedHack out of the purely financial-cybercrime category and into the territory of stalkerware and child-safety harm, because both the perpetrators and many of the victims are minors. It is also a reminder that remote-access malware is not abstract: a webcam light that should be off, a cursor that moves on its own, or a microphone that activates unprompted is the lived experience of this attack. Defenders and parents should treat any such sign on a machine used for gaming as a possible compromise, not a glitch.
A Consumer Vector That Reaches Corporate Endpoints
WeedHack is the latest entry in a pattern The CyberSignal has tracked all cycle: consumer-facing distribution channels that quietly intersect with corporate environments. It sits alongside the DriveSurge access-broker operation that turns trusted websites into malware delivery, the GlassWorm botnet that took a coordinated multi-vendor takedown to disrupt, the Asocks residential-proxy service built on millions of consumer devices, and the FlutterBridge macOS malvertising campaign. The through-line is that a malware family aimed at gamers does not stay on gaming machines. An employee who plays Minecraft on a corporate laptop, or whose home device is shared with a household member who installs a mod and later connects to the corporate VPN, has extended the organization's attack surface into the game-mod ecosystem — and WeedHack's infostealer harvests exactly the browser cookies, saved passwords and session tokens that bridge a personal infection into a corporate one.
Scope and Impact
The exposure is broadest for individual Windows users who download Minecraft mods, clients, cheats or utilities from outside official channels — and for the households and organizations whose devices they share. Because WeedHack is distributed through SEO poisoning and YouTube rather than a single breached platform, there is no patch to apply and no vendor advisory that closes the hole; the infection depends on a user downloading and running a malicious JAR. The free tier means the operator population is large and unsophisticated, and the Minecraft-account theft means a meaningful share of both attackers and victims are children, which raises the stakes beyond data loss to personal safety. McAfee's 116,464-system figure is telemetry from its own customer base, so the true total is likely higher.
For organizations, the scope question is whether gaming software touches any device that also touches corporate data. That includes obvious cases (a corporate laptop with a game launcher installed) and less obvious ones (a personal or family device used for remote work or VPN access). Because WeedHack's free tier is purpose-built to steal browser credentials, saved passwords and session tokens, a single infected personal device in a BYOD environment can yield the corporate credentials needed for a follow-on intrusion. The defensive scope is therefore both an endpoint-hygiene question and an acceptable-use-policy question, and it should explicitly extend to the families of employees in high-access roles.
Response and Attribution
For corporate IT and endpoint-security teams, the immediate work is inventory and detection. Audit managed endpoints for Minecraft launchers and Java-based game software installed over the past six months, and for BYOD fleets, brief users that household-installed game mods are a corporate-risk question. Ingest McAfee's WeedHack indicators and hunt for the chain it documented: Java/JAR child processes spawning from a Minecraft launcher, unexpected Microsoft Defender exclusion changes, EtherHiding-style C2 resolution, and outbound connections to the weedhack[.]to dashboard or related infrastructure. Because the free tier is an infostealer that targets browser cookies and saved passwords, treat any confirmed infection as a credential-compromise event: force-rotate the affected user's saved credentials and any corporate sessions that could have transited the device, and consider blocking known game-mod distribution domains at the DNS or web-proxy layer where the acceptable-use policy allows.
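The hunts listed in this paragraph, mapped to the payload chain described under "What Happened", as an added example that is not McAfee's or the article's code: a small Python detector run over constructed endpoint events. The event schema (event, parent, image, cmdline, dest), the sample file paths and the panel subdomain are assumptions.

```python
"""Hunt for the WeedHack chain in endpoint telemetry. Added example, not
McAfee's or the article's code: three hunts from the text run over constructed
EDR-style events (a Minecraft launcher spawning Java on a JAR from a download
folder, Java adding a Defender exclusion, a connection to weedhack[.]to).
The field names event/parent/image/cmdline/dest are an assumed generic schema."""
import re

DASHBOARD_DOMAIN = "weedhack[.]to".replace("[.]", ".")  # defanged in the article
LAUNCHER_RE = re.compile(r"minecraft", re.I)
JAVA_RE = re.compile(r"\\javaw?\.exe$", re.I)
# Legit Minecraft loads JARs from AppData\Roaming\.minecraft, so only user
# download folders count here; that keeps the benign launch below from firing.
USER_JAR_RE = re.compile(r"\\(Downloads|Desktop|Temp)\\\S*\.jar", re.I)
# Add-MpPreference -Exclusion* is the PowerShell cmdlet that adds a Defender
# exclusion; a Java parent invoking it matches the documented Elevator.jar step.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I)

def hunt(events):
    """Return (rule_name, event) pairs for events that match a chain stage."""
    hits = []
    for ev in events:
        parent, image = ev.get("parent", ""), ev.get("image", "")
        cmd, dest = ev.get("cmdline", ""), ev.get("dest", "").lower()
        if ev.get("event") == "process":
            if LAUNCHER_RE.search(parent) and JAVA_RE.search(image) and USER_JAR_RE.search(cmd):
                hits.append(("launcher_spawns_user_jar", ev))
            if JAVA_RE.search(parent) and EXCLUSION_RE.search(cmd):
                hits.append(("java_adds_defender_exclusion", ev))
        elif ev.get("event") == "network":
            if dest == DASHBOARD_DOMAIN or dest.endswith("." + DASHBOARD_DOMAIN):
                hits.append(("dashboard_connection", ev))
    return hits

# Constructed sample telemetry: three chain-stage events, then two benign ones.
LAUNCHER, JAVAW = r"C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe", r"C:\Program Files\Java\bin\javaw.exe"
SAMPLE_EVENTS = [
    {"event": "process", "parent": LAUNCHER, "image": JAVAW,
     "cmdline": r'javaw.exe -jar "C:\Users\kid\Downloads\DonutDupe.jar"'},
    {"event": "process", "parent": JAVAW, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\kid\AppData\Roaming\.minecraft"},
    {"event": "network", "image": JAVAW, "dest": "panel.weedhack.to", "port": 443},
    {"event": "process", "parent": LAUNCHER, "image": JAVAW,
     "cmdline": r"javaw.exe -cp C:\Users\kid\AppData\Roaming\.minecraft\versions\1.21.1\1.21.1.jar net.minecraft.client.main.Main"},
    {"event": "network", "image": JAVAW, "dest": "sessionserver.mojang.com", "port": 443},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, "<-", ev.get("cmdline") or ev.get("dest"))
```

The benign vanilla launch and the Mojang session-server connection produce no findings, which is the false-positive check a hunt like this needs before it goes into an alerting pipeline.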
For parents, schools and security-awareness programs, the response is education and monitoring rather than a product. The single most useful message is concrete: free Minecraft mods, clients and cheats promoted through YouTube or search results are a leading malware vector, and a webcam light that turns on by itself, a cursor that moves on its own, or accounts that get logged out unexpectedly can mean a device is being remotely controlled. On a compromised machine, the priority is to disconnect it, change passwords from a clean device, re-enable multi-factor authentication, and — given the documented harassment and webcam-recording behavior, and that minors are involved — preserve evidence and involve a trusted adult or, where appropriate, law enforcement. The broader lesson for CISOs is that consumer-facing attack vectors belong in the corporate threat model whenever the user population overlaps with consumer device usage, which today is nearly always.
The CyberSignal Analysis
Signal 01 — 'Free' Is a Distribution Decision, Not Generosity
WeedHack's free tier is the strategic core of the operation, not a loss leader gone wrong. By giving away a full-featured infostealer to anyone with a Discord account and pairing it with tutorials on the clear web, the operators recruit a large, low-skill customer base — and because the bait is Minecraft-account theft, that base skews young. The result is volume: 2,000 to 3,000 infections a day is what happens when you remove both the price and the skill barrier at once. For defenders, the lesson is that the most dangerous malware economics are not the expensive, exclusive tools but the cheap, accessible ones, because they scale with population rather than sophistication. The premium tier then monetizes the minority who want remote access, which is where the harm escalates from theft to surveillance.
Signal 02 — Remote-Access Malware Is a Safety Issue, Not Just a Data Issue
The WeedHack finding that should reframe how defenders talk about this class of malware is the harassment behavior. When the documented use of a tool is teenagers recording other teenagers through hijacked webcams and posting the footage as trophies, 'infostealer' undersells the harm. Remote-access capabilities — webcam, microphone, screen, keyboard — turn a compromised device into a surveillance instrument pointed at a person, and when both sides are minors the consequence is closer to abuse than to fraud. Security teams, parents and platforms should treat signs of remote control on a young person's device with the urgency that implies: not a cleanup task to schedule, but a safety incident to act on, preserving evidence and involving the appropriate adults or authorities.
Signal 03 — The Gaming-Mod Channel Is an Under-Defended Bridge
Most corporate endpoint policies do not explicitly contemplate game-mod risk, which is precisely why it works as a bridge into managed environments. WeedHack's infostealer is tuned for the credentials that cross the consumer-corporate boundary — browser cookies, saved passwords, session tokens — so a single infected personal or family device can hand an attacker the keys to a corporate account. The defensive implication is that acceptable-use policies, security-awareness training and BYOD controls need to name consumer software, including games and their mods, as in-scope. Organizations with younger user populations or heavy BYOD — universities, school districts, seasonal employers — are most exposed, and the cheap fix is policy and education rather than another tool. The expensive failure is assuming a Minecraft mod could never become a corporate-breach root cause.