WeedHack MaaS Infected 116,000 Minecraft Players via Malicious Mods
McAfee researchers reported that the WeedHack malware-as-a-service operation has infected more than 116,000 systems by targeting Minecraft players with trojanized mods, clients, cheats, and utilities. The campaign has been active since at least January and is spreading through YouTube videos, gaming forums, and SEO-poisoned websites that mimic legitimate mod-download pages, often borrowing trust signals such as links to real GitHub repositories and Discord servers. Researchers tracked more than 3,820 malicious JAR files, over 240 distribution URLs, and infection volumes of roughly 2,000 to 3,000 systems per day, with the largest victim concentrations in the United States, Germany, India, and the UK.
WeedHack is operating openly on the clear web with a free dashboard for viewing stolen data and building payloads, while a premium tier priced at about $5 per month adds remote-access and surveillance features. The malware steals Minecraft session IDs, browser cookies and passwords, cryptocurrency wallet data, and credentials for services including Discord, Steam, and Telegram; paid users can also gain webcam access, keylogging, reverse shell, screen sharing, and file-management capabilities. McAfee said the Java-based, multi-stage malware uses Ethereum-based C2 discovery, persistence, and Windows Defender evasion, and observed that many customers in its 800-plus-member Telegram community appear to be teenagers or young adults using the service for account theft, harassment, cyberbullying, and webcam spying.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
McAfee publishes WeedHack campaign research
On June 2, 2026, McAfee Labs published research describing WeedHack as a clear-net malware-as-a-service operation with more than 116,464 hits, over 3,820 malicious JAR files, and more than 240 distribution URLs. The report detailed free infostealer features, premium remote-access capabilities, and abuse by teenage users for harassment and cyberbullying.
WeedHack campaign begins targeting Minecraft players
McAfee said the WeedHack malware-as-a-service campaign has been active since January 2026, distributing malicious Minecraft mods, clients, cheats, and utilities through YouTube promotion and SEO poisoning.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
WeedHack Malware Campaign Infects Minecraft Users
securityonline.info
Open sourceWeedHack malware campaign targets over 116,000 Minecraft players | brief | SC Media
scworld.com
Open sourceMalware campaign targeting Minecraft users infects over 116,000 systems - Help Net Security
helpnetsecurity.com
Open sourceАтака, нацеленная на игроков Minecraft, привела к заражению 116 000 систем - Хакер
xakep.ru
Open sourceGame Over: WeedHack - The Rise of Minecraft Malware-as-a-Service Campaigns | McAfee Blog
mcafee.com
Open sourceOver 116,000 Mincraft systems infected in WeedHack malware campaign
bleepingcomputer.com
Open sourceOver 116,000 Minecraft systems infected in WeedHack malware campaign
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LofyGang Targets Minecraft Players With LofyStealer Masquerading as Slinky Cheat
The Brazilian cybercrime group **LofyGang** has resurfaced after more than three years with a malware campaign aimed at Minecraft players, distributing a new infostealer known as **LofyStealer** or **GrabBot** through a fake cheat tool called **"Slinky."** Researchers linked the activity to LofyGang through code artifacts, infrastructure, and command-and-control branding, and said the lure uses the official Minecraft icon and social engineering to trick users into launching the malware. The campaign reflects a shift from the group’s earlier npm typosquatting and software supply-chain activity toward a broader **malware-as-a-service** operation. The infection chain uses a JavaScript or Node.js-based loader to deploy a native payload in memory as `chromelevator.exe`, where it injects into live browser processes to evade conventional antivirus and EDR visibility. The stealer targets at least eight major browsers and harvests cookies, passwords, session tokens, payment card data, and IBANs before compressing and exfiltrating the data to **`24.152.36.241:8080`**. Researchers said the operation includes **Free** and **Premium** tiers, a victim dashboard, and a custom builder called **Slinky Cracked**, while also highlighting the wider abuse of trusted platforms such as GitHub, Reddit, and search results to spread malware through fake repositories, bogus alerts, and gaming-cheat lures.
Apr 30, 2026
Mirai-Based xlabs_v1 Botnet Hijacks ADB-Exposed Android Devices to Hit Minecraft Servers
Researchers uncovered **`xlabs_v1`**, a Mirai-derived botnet that compromises internet-exposed Android and IoT devices with **ADB enabled on TCP port `5555`** and repurposes them for **DDoS-for-hire** attacks, with a strong focus on **Minecraft and other game servers**. Hunt.io traced the operation to bulletproof-hosted infrastructure in the Netherlands, including an exposed server at **`176.65.139[.]44`** and a control panel tied to **`xlabslover[.]lol`**. The malware drops a bot binary into **`/data/local/tmp/`**, disguises itself as **`/bin/bash`**, decrypts configuration data with **ChaCha20**, and communicates with command-and-control over **TCP port `35342`**. Analysts also found an embedded operator handle, **"Tadashi,"** though attribution remains unconfirmed. The botnet supports **21 flood methods** across TCP, UDP, and raw protocols, including a **RakNet flood** capability tailored to disrupt Minecraft services, and it even serves its bot binary over **TCP port `25565`**, the default Minecraft server port. Hunt.io said the malware profiles victim bandwidth by opening **8,192 parallel TCP sockets** to nearby Speedtest servers, likely to sort infected devices into service tiers for customers. The malware also includes a built-in killer to remove competing malware and a fallback access path on **TCP port `26721`**, but it lacks persistence and must reinfect devices through the same exposed ADB route. Separately, Darktrace reported threat actors abusing a deliberately misconfigured Jenkins honeypot to deploy another DDoS botnet, underscoring continued targeting of gaming-related infrastructure.
May 7, 2026
AI-Assisted Malware Campaign Distributed Through Fake Software Downloads
Researchers reported a large-scale **malware distribution campaign** that used fake software offerings hosted on trusted platforms to infect users, with operators increasingly relying on **AI-assisted or “vibe-coded” development** to scale payload creation. McAfee identified more than **443 malicious ZIP archives** masquerading as AI tools, game cheats, VPNs, drivers, and decryptors, distributed via services including *Discord*, *SourceForge*, *FOSSHub*, *MediaFire*, and *mydofiles.com*. The campaign used **48 variants** of `WinUpdateHelper.dll` across **17 kill chains**, each with separate command-and-control infrastructure but linked through shared cryptocurrency wallet credentials, allowing researchers to trace monetization activity and victim distribution across countries including the US, UK, India, Brazil, France, Canada, and Australia. A separate but related report described another **multi-stage malware campaign** that also relied on deceptive delivery and evasion, using **.NET Ahead-of-Time (AOT) compilation** to hinder analysis and a host-scoring system to avoid sandboxes and low-value targets. In that intrusion chain, a phishing-delivered ZIP launched `KeyAuth.exe`, which fetched `bound_build.exe` and then deployed both the **Rhadamanthys infostealer** and an **XMRig** miner disguised as *MicrosoftEdgeUpdater*. The malware checked conditions such as RAM, uptime, document count, and active antivirus processes, and terminated itself if the environment scored below a threshold, showing a deliberate effort to evade detection while maximizing successful infections.
Apr 3, 2026