Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
A malware-as-a-service campaign named Weedhack targets Minecraft users by distributing malicious Java JAR files via SEO poisoning and YouTube videos. The malware steals credentials, system information, and can remotely control infected systems. It is notable for its ease of access, free tier, and appeal to younger users, with infections primarily in the U. S. and several other countries. Additionally, a large CountLoader campaign spreads cryptocurrency clipper malware via cracked software, and a separate campaign distributes cryptocurrency miners through pirated content sites. These campaigns leverage sophisticated persistence and evasion techniques and have been active since early 2026.
AI Analysis
Technical Summary
The Weedhack campaign uses SEO poisoning and YouTube videos to distribute malicious Minecraft clients and mods, infecting users with malware capable of stealing Minecraft session IDs, credentials, browser data, and cryptocurrency wallets. The malware employs Ethereum blockchain-based EtherHiding for C2 communication and includes multiple Java payloads for persistence and remote access. The service offers free and premium tiers with escalating capabilities, including webcam access and keylogging. The campaign is supported by a Telegram channel with over 850 members. Concurrently, CountLoader malware spreads via cracked software and USB drives, delivering payloads such as cryptocurrency clippers. Another campaign distributes cryptocurrency miners disguised as fake video player updates on pirated streaming sites, using DLL side-loading and persistence mechanisms. These campaigns have been observed globally, with notable infection clusters in the U.S., India, Germany, and Southeast Asia.
Potential Impact
The Weedhack malware compromises Minecraft users by stealing account credentials, browser data, cryptocurrency wallets, and system information, and enables remote access features that can be abused for harassment and cyberbullying. CountLoader infections have compromised approximately 86,000 machines, spreading cryptocurrency clipper malware that hijacks clipboard transactions. The cryptocurrency miner campaign prolongs device compromise by disabling security tools and power-saving features to maximize mining duration. These combined threats result in credential theft, financial fraud risk, privacy invasion, and potential system control by attackers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid downloading Minecraft clients, mods, or software from untrusted sources, especially links found via SEO-poisoned YouTube videos or pirated content sites. Employ endpoint protection solutions capable of detecting Java-based malware and monitor for suspicious network activity. Users should be cautious of unsolicited software updates and verify the authenticity of video player plugins. Since these campaigns rely on social engineering and malicious downloads, user education on safe downloading practices is critical. No official fixes or patches are indicated in the provided data.
Affected Countries
United States, Germany, India, United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, Spain, Indonesia
Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
Description
A malware-as-a-service campaign named Weedhack targets Minecraft users by distributing malicious Java JAR files via SEO poisoning and YouTube videos. The malware steals credentials, system information, and can remotely control infected systems. It is notable for its ease of access, free tier, and appeal to younger users, with infections primarily in the U. S. and several other countries. Additionally, a large CountLoader campaign spreads cryptocurrency clipper malware via cracked software, and a separate campaign distributes cryptocurrency miners through pirated content sites. These campaigns leverage sophisticated persistence and evasion techniques and have been active since early 2026.
Reddit Discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Weedhack campaign uses SEO poisoning and YouTube videos to distribute malicious Minecraft clients and mods, infecting users with malware capable of stealing Minecraft session IDs, credentials, browser data, and cryptocurrency wallets. The malware employs Ethereum blockchain-based EtherHiding for C2 communication and includes multiple Java payloads for persistence and remote access. The service offers free and premium tiers with escalating capabilities, including webcam access and keylogging. The campaign is supported by a Telegram channel with over 850 members. Concurrently, CountLoader malware spreads via cracked software and USB drives, delivering payloads such as cryptocurrency clippers. Another campaign distributes cryptocurrency miners disguised as fake video player updates on pirated streaming sites, using DLL side-loading and persistence mechanisms. These campaigns have been observed globally, with notable infection clusters in the U.S., India, Germany, and Southeast Asia.
Potential Impact
The Weedhack malware compromises Minecraft users by stealing account credentials, browser data, cryptocurrency wallets, and system information, and enables remote access features that can be abused for harassment and cyberbullying. CountLoader infections have compromised approximately 86,000 machines, spreading cryptocurrency clipper malware that hijacks clipboard transactions. The cryptocurrency miner campaign prolongs device compromise by disabling security tools and power-saving features to maximize mining duration. These combined threats result in credential theft, financial fraud risk, privacy invasion, and potential system control by attackers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid downloading Minecraft clients, mods, or software from untrusted sources, especially links found via SEO-poisoned YouTube videos or pirated content sites. Employ endpoint protection solutions capable of detecting Java-based malware and monitor for suspicious network activity. Users should be cautious of unsolicited software updates and verify the authenticity of video player plugins. Since these campaigns rely on social engineering and malicious downloads, user education on safe downloading practices is critical. No official fixes or patches are indicated in the provided data.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a1fdc4ae29bf47b50861642
Added to database: 6/3/2026, 7:48:26 AM
Last enriched: 6/3/2026, 7:48:33 AM
Last updated: 6/4/2026, 4:59:12 AM
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.