
Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems.
McAfee Labs, which has codenamed the Minecraft-focused malware-as-a-service (MaaS) campaign Weedhack, said the activity has been ongoing since January 2026 and infects users by impersonating Minecraft clients and mods. In all, 3,820 unique malicious JAR files and more than 240 URLs distributing the malware have been identified.
"This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs," security researcher Aayush Tyagi said. "We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs."
Central to the campaign is an enterprise-grade dashboard ("weedhack[.]to") that lets customers view stolen credentials and system information and remotely monitor compromised systems. It also allows criminals to build custom payloads targeting Minecraft versions 1.21.0 through 1.21.11 and to inject the malware into legitimate Minecraft mods.
The starting point of the attack is a malicious JAR file ("DonutDupe.jar") downloaded from one of the malicious websites. The file then retrieves the command-and-control (C2) server domain using a known technique called EtherHiding, in which the loader reads the C2 address from the Ethereum blockchain, using it as a dead drop resolver that is cheap to update and hard to take down.
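To make the EtherHiding step concrete, here is an added example that is not code from the McAfee report or from the Weedhack tooling. It shows the mechanics a loader relies on: a read-only JSON-RPC `eth_call` to a smart contract (no transaction, no gas, nothing written on-chain) whose ABI-encoded string return value is the C2 domain. The contract address, function selector, domain and node response are all constructed for illustration.

```python
"""EtherHiding dead-drop resolution, illustrated offline.

A loader POSTs an eth_call to any public Ethereum JSON-RPC node and decodes
the ABI-encoded string the contract returns. Because eth_call is a free,
read-only view of contract state, the operator can rotate the C2 domain by
updating the contract and the infrastructure never has to be re-shipped.
All values below are constructed: no real contract, selector or domain.
"""
import json

# Hypothetical contract address and 4-byte function selector (assumptions).
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x1a2b3c4d"


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """Build the JSON-RPC body a loader would send. The 'data' field is just
    the selector: the view function takes no arguments."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """Solidity ABI encoding of a dynamic `string` return value:
    32-byte offset to the data (always 0x20 for a single return value),
    32-byte length, then the bytes right-padded to a 32-byte boundary."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() \
        + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string, with the bounds checks a careless
    loader skips. An empty result ("0x") is what a node returns when the
    contract has no code, e.g. after the dead drop has been abandoned."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("eth_call result too short to hold an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("ABI offset points past the end of the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("ABI string length exceeds the result")
    return raw[start:start + length].decode("utf-8")


def resolve_c2(response: dict) -> str:
    """What the loader does with the node's reply: pull the C2 domain out
    of the encoded result. Raises on malformed or empty responses."""
    if "error" in response:
        raise ValueError(f"RPC error: {response['error']}")
    return abi_decode_string(response["result"])


# Constructed node response for the request above (would come back over HTTPS).
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("c2.example.invalid"),
}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("resolved C2:", resolve_c2(SAMPLE_RESPONSE))
```

The defensive takeaway is in the request shape: an `eth_call` POST to a public RPC node from a Java process that is not a wallet or a dApp is a strong network-level indicator, and the returned domain, not the blockchain endpoint, is what should be blocked.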
In the next stage, the malware contacts the C2 server to fetch a second Java payload ("Elevator.jar") that collects system information, adds Microsoft Defender exclusions, and drops two further JAR payloads. The third ("SecurityManager.jar") establishes persistence and stages the final component ("Component.jar"), which provides the remote access features.
The threat actors behind the tooling leverage a Telegram channel to advertise their warez, broadcast updates, and provide customer support. The channel has more than 850 members. The tool, for its part, comes in two tiers -
Attack chains revolve around SEO poisoning and YouTube videos whose descriptions link to malicious Minecraft clients. The majority of Weedhack infections have been identified in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.
"One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free," Tyagi said. "This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign much more lethal."
McAfee Labs said it has also observed the malware being used for cyberbullying: the customers, who appear to be teenagers and young adults, weaponize its remote access capabilities to threaten, harass, and monitor their victims. Customers have recorded victims through their webcams and shared the videos on the Telegram channel as "trophies."