WeedHack Malware Turns Minecraft Mods Into a 116,000-System Infostealer Campaign
WeedHack has infected more than 116,000 systems by targeting Minecraft players through malicious mods, clients, cheats and utilities. McAfee telemetry shows 116,464 affected systems, 2,000 to 3,000 infections a day, more than 240 distribution URLs and 3,820 malicious JAR files. The next signal is whether Minecraft mod communities can move users back toward official download sources before infostealer distribution expands further.
Minecraft Mods Become an Infostealer Distribution Channel
A malware campaign called WeedHack has infected more than 116,000 systems since January by targeting Minecraft players through malicious mods, clients, cheats and utilities.
The campaign uses YouTube promotion and search-engine poisoning to push downloads that look like game tools.
McAfee telemetry shows 116,464 affected systems, with 2,000 to 3,000 infections a day.
The largest victim concentrations identified in the report are in the United States, Germany, India and the UK.
The campaign's scale is visible in more than 240 distribution URLs and 3,820 unique malicious JAR files.
For consumer-security teams, the practical risk is that a gaming mod can become a credential-theft path before users recognize it as a security problem.
Free Malware Tools Lower The Abuse Barrier
WeedHack operates as a malware-as-a-service infostealer with a dashboard that lets users view stolen credentials and data from compromised systems.
McAfee described the use of ordinary public web hosting, rather than hidden dark-web distribution, and the free access model as unusual for an infostealer operation.
The free tier targets Minecraft session IDs, cookies and saved passwords across 36 browsers, 56 cryptocurrency add-ons and 12 desktop cryptocurrency wallet apps.
It also targets Discord, Steam and Telegram credentials and can capture screenshots.
A premium tier costs $5 per month and also offers a lifetime purchase option.
That version adds remote control with mouse and keyboard input, webcam access, a keylogger, remote shell access and remote file management.
The paid feature set changes the consumer-risk profile because a campaign that begins with a fake game utility can extend into direct control over the compromised device.
Social Proof Is Part Of The Attack Surface
McAfee researchers said the campaign reaches victims mainly through YouTube videos and poisoned search results.
Some videos include voice-over narration to appear more authentic and have drawn more than 7,500 views.
The attack also copies legitimacy signals from real projects.
In one example, a malicious site warned users to download Skytils only from the official site while linking to the legitimate GitHub repository and Discord server, creating a false sense of safety around the fake page.
For players, the safer control is source discipline: avoid mod links promoted through videos or search results, and verify downloads through the project's official site or repository rather than a lookalike landing page.
The next signal is whether Minecraft players and mod communities shift downloads back toward official project sources before WeedHack-style distribution keeps scaling through video promotion and search traffic.
