Threats Affecting United Kingdom

View all threats affecting or targeting United Kingdom. Filter and sort to focus on specific types of threats.


Over 116,000 Minecraft systems infected in WeedHack malware campaign

The WeedHack malware campaign is a large-scale operation targeting Minecraft players by distributing malicious mods, clients, cheats, and utilities. Since January 2026, it has infected over 116,000 systems globally, primarily in the US, Germany, India, and the UK. The malware operates as a malware-as-a-service (MaaS) infostealer, offering free and premium tiers that steal credentials, session IDs, cookies, and cryptocurrency wallet data, and provide remote access capabilities. Distribution relies heavily on YouTube videos and SEO poisoning to lure victims to malicious download sites. The campaign's scale is reflected in thousands of unique malicious files and hundreds of distribution URLs. Users are advised to only download Minecraft mods from official sources and use the in-game Marketplace for safety.

Chinese hackers use new Atlas RAT malware in European cyberattacks

A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor. [...]

Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content

A malware-as-a-service campaign named Weedhack targets Minecraft users by distributing malicious Java JAR files via SEO poisoning and YouTube videos. The malware steals credentials and system information, and can remotely control infected systems. It is notable for its ease of access, free tier, and appeal to younger users, with infections primarily in the U.S. and several other countries. Additionally, a large CountLoader campaign spreads cryptocurrency clipper malware via cracked software, and a separate campaign distributes cryptocurrency miners through pirated content sites. These campaigns leverage sophisticated persistence and evasion techniques and have been active since early 2026.

Over 116,000 Minecraft systems infected in WeedHack malware campaign

A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January. [...]

Summary of NCSC’s security analysis for the UK telecoms sector

The UK National Cyber Security Centre (NCSC) conducted an extensive security analysis of the UK telecommunications sector as part of the DCMS Supply Chain Review initiated in 2018. This analysis resulted in technical recommendations aimed at improving the security posture of the telecom sector, including formal advice on the use of High Risk Vendors (HRVs). The summary document outlines the technical security analysis underpinning these recommendations but does not specify individual vulnerabilities or exploits. No known exploits in the wild have been reported related to this analysis. The severity of the findings is assessed as medium.

Cyber Threat Report: UK Legal Sector

An updated report from the NCSC explaining how UK law firms - of all sizes - can protect themselves from common cyber threats.

‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains

The stealthy vulnerability impacts roughly 88 million domains and can be exploited to bypass DNS filtering and hide command-and-control traffic. The post ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains appeared first on SecurityWeek.

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attackers position fake domains above legitimate search results, directing victims to malicious installation pages that deliver fileless PowerShell-based infostealer malware. The malware executes entirely in memory, disables Windows Defender telemetry by patching ETW and AMSI, and harvests credentials from browsers, collaboration platforms, VPN clients, and cloud storage. Stolen data includes OAuth tokens, CI/CD credentials, and corporate VPN details, providing direct enterprise network access. The campaign leverages bulletproof hosting infrastructure and over 30 typosquatted domains registered between March and April 2026, primarily targeting users in the United States and United Kingdom.

Foxit Impersonation: Fake PDF Installer Deploys VNC

Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.

ThreatFox IOCs for 2026-04-02