Over 116,000 Minecraft systems infected in WeedHack malware campaign
A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January. [...]
AI Analysis
Technical Summary
WeedHack is a malware-as-a-service campaign targeting Minecraft users by distributing malicious Java Archive (JAR) files masquerading as mods, clients, and cheats. It has infected over 116,000 systems since early 2026, with daily infections averaging 2,000 to 3,000. The malware steals sensitive information such as Minecraft session IDs, browser data, cryptocurrency wallets, and credentials for multiple communication platforms. The service offers a free tier with infostealing capabilities and a paid tier that enables remote control features including keylogging and webcam access. Distribution methods include YouTube videos with download links and SEO poisoning of search results for popular Minecraft clients. The operation is notable for its scale, use of legitimate-looking websites to deceive users, and a Telegram channel with over 800 members. McAfee telemetry and analysis underpin these findings.
Potential Impact
The campaign compromises user systems by stealing a wide range of sensitive data including Minecraft session IDs, browser cookies, saved passwords, cryptocurrency wallet information, and credentials for Discord, Steam, and Telegram. The premium version of the malware enables attackers to remotely control infected systems, capturing keystrokes, webcam footage, and managing files, which significantly increases the potential for privacy invasion, harassment, and further exploitation. The large infection count and daily infection rate indicate a widespread impact on the Minecraft player community, especially in the US, Germany, India, and the UK.
Mitigation Recommendations
Users should only download Minecraft mods and clients from official project sources or the in-game Minecraft Marketplace to avoid malicious files. Verify download links carefully and avoid JAR files from untrusted or dubious websites. There is no vendor patch or fix since this is malware distributed through third-party files, so prevention relies on user vigilance and safe download practices. Security teams should educate users about the risks of downloading unofficial Minecraft-related software and monitor for signs of infection. Since this is a MaaS campaign, blocking known distribution URLs and monitoring for related indicators may help reduce exposure.
Affected Countries
United States, Germany, India, United Kingdom
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/over-116-000-mincraft-systems-infected-in-weedhack-malware-campaign/ (fetched 2026-06-02T22:03:34.376Z; word count 832)
Threat ID: 6a1f5336e29bf47b500acf96
Added to database: 6/2/2026, 10:03:34 PM
Last enriched: 6/2/2026, 10:03:46 PM
Last updated: 6/3/2026, 5:02:26 AM