

Ethical Hacking News

New Campaigns Target Minecraft Players via YouTube to Spread Malware




A new campaign has been identified targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The malicious activity, dubbed "Weedhack" by McAfee Labs, leverages SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients to target unsuspecting users. With over 3820 unique malicious JAR files identified, the campaign provides access to sophisticated malware for free, making it a highly lethal threat to users.

The malware also targets Minecraft session IDs, provides remote access capabilities, and steals credentials for various platforms, including Discord, Steam, and Telegram. Researchers have identified two tiers of malware, with prices ranging from $4.99 per month to $24.99 for a lifetime license. The campaign has been active since January 2026 and primarily targets users in the U.S., Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

Stay informed about this evolving threat by following the latest developments and taking proactive steps to protect yourself against malware infections.

  • Minecraft players are being targeted via YouTube with malware capable of gaining control of victims' systems, dubbed "Weedhack" by McAfee Labs.
  • The campaign uses SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients.
  • Weedhack is an enterprise-grade dashboard that enables customers to view stolen credentials and system information, as well as remotely access compromised systems.
  • The malware has been identified in over 10 countries, with the majority of infections coming from the U.S., Germany, India, and other European nations.
  • Another campaign, CountLoader, has compromised 86,000 unique machines, deploying various payloads including Cobalt Strike and PureHVNC RAT.
  • A years-long campaign used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake update for a video player plugin.



    In a disturbing trend that highlights the evolving tactics of threat actors, researchers at McAfee Labs have identified a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The malicious activity, dubbed "Weedhack" by the cybersecurity firm, has been active since January 2026 and leverages a variety of sites, including online libraries, movie and TV show streaming platforms, to distribute its malicious archive.

    According to Aayush Tyagi, a security researcher at McAfee Labs, the campaign utilizes SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients to target unsuspecting users. The malware-as-a-service (MaaS) campaign has been identified as having 3820 unique malicious JAR files and over 240 URLs responsible for distributing the malware.

    At its core, Weedhack is an enterprise-grade dashboard ("weedhack[.]to") that enables customers to view stolen credentials and system information, as well as remotely keep tabs on the compromised systems. Furthermore, it allows criminals to create custom payloads that can target Minecraft versions 1.21.0 to 1.21.11, not to mention inject the malware into legitimate Minecraft mods.

    The starting point of the attack is a malicious JAR file ("DonutDupe.jar") downloaded from the malicious websites. The file then retrieves details of the command-and-control (C2) server domain using a known technique called EtherHiding, which employs the Ethereum blockchain as a dead drop resolver.

    In the next stage, the malware contacts the C2 server to fetch another Java-based JAR payload ("Elevator.jar") that collects system information, configures Microsoft Defender exclusions, and serves as a conduit for dropping two additional JAR payloads. The third JAR payload ("SecurityManager.jar") establishes persistence and acts as a stager for the final component ("Component.jar") that deploys the remote access features.
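
    A defender-side triage sketch for the chain described above, added here as an example and not taken from McAfee's report or from the malware itself. It scans process-creation events for Java launching any of the four JAR names given on this page, and for Defender exclusions being added by a Java parent process. The event field names, the sample events, and the use of the `Add-MpPreference`/`Set-MpPreference` cmdlets are assumptions; the page does not say how Elevator.jar configures the exclusions.

```python
import re

# JAR names reported on this page for the four stages of the chain.
STAGE_JARS = {
    "donutdupe.jar": "stage 1 loader",
    "elevator.jar": "stage 2 (system info, Defender exclusions)",
    "securitymanager.jar": "stage 3 (persistence, stager)",
    "component.jar": "stage 4 (remote access)",
}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Assumption: exclusions are set with the Defender PowerShell cmdlets.
EXCLUSION_RE = re.compile(
    r"\b(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
JAR_RE = re.compile(r'([^\\/\s"]+\.jar)', re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def triage(events):
    """Return (event index, reason) for process-creation events worth reviewing."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev.get("cmdline", "")
        for jar in JAR_RE.findall(cmd):
            stage = STAGE_JARS.get(jar.lower())
            if stage and basename(ev.get("image", "")) in JAVA_IMAGES:
                findings.append((i, f"java launched {jar}: {stage}"))
        if EXCLUSION_RE.search(cmd) and basename(ev.get("parent_image", "")) in JAVA_IMAGES:
            findings.append((i, "Defender exclusion added by a Java parent process"))
    return findings

# Constructed sample events (hypothetical field names, not from a real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Java\bin\javaw.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\kid\Downloads\DonutDupe.jar"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\kid\AppData"},
    {"image": r"C:\Program Files\Java\bin\javaw.exe", "parent_image": r"C:\Games\launcher.exe",
     "cmdline": r"javaw.exe -Xmx2G -jar C:\Games\mods\sodium.jar"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell Add-MpPreference -ExclusionPath D:\builds"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, reason)
```

    With 3820 unique JAR files reported, file names are a weak signal that will change between builds; the parent/child behaviour check is the more durable of the two.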

    The threat actors behind the tooling leverage a Telegram channel to advertise their warez, broadcast updates, and provide customer support. The channel has more than 850 members. The tool, for its part, comes in two tiers:

      • Free, which includes a comprehensive infostealer that can target Minecraft session IDs and four Minecraft launchers; capture screenshots; and harvest files, system information, cookies, and passwords from 36 different web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, and credentials for Discord, Steam, and Telegram.

      • Premium, which starts at $4.99 per month (or $24.99 for a lifetime license) and offers additional remote access capabilities, such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file uploads and downloads.

    Attack chains revolve around SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients to target unsuspecting users. The majority of Weedhack infections have been identified in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

    "One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free," Tyagi said. "This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign much more lethal."

    In addition to the Weedhack campaign, researchers have also identified another large-scale campaign that has compromised 86,000 unique machines. CountLoader is a JavaScript loader that is typically distributed via cracked software distribution sites. It is known to deploy various payloads, including Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.

    Of the compromises, approximately 9,000 infections are said to have resulted from the malware spreading via USB drives and removable media. McAfee Labs stated that the highest number of infections was observed in India, followed by Indonesia, the U.S., and several countries across Southeast Asia, adding it successfully sinkholed the malware communication infrastructure by registering a fake C2 domain.

    The CountLoader campaign is just one example of how threat actors are leveraging pirated content to spread malware. In another discovery, researchers have found a years-long campaign that has used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake update for a video player plugin.

    This bogus update downloads a ZIP archive, which then uses DLL side-loading to drop a fork of SilentCryptoMiner. The malware is equipped with a wide range of capabilities, including configuring Defender exclusions, terminating Microsoft's Malicious Software Removal Tool, and disabling automatic hibernation and sleep mode to maximize the miner's potential runtime on the device.

    Other capabilities include:

      • Repeatedly triggering User Account Control (UAC) prompts until the process is successfully executed with elevated privileges.
      • Initiating a watchdog component that ensures the uninterrupted operation of the miner.
      • Running an XMRig-based CPU miner and a GPU miner.

    The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context, according to Kaspersky.

    In conclusion, the recent campaigns targeting Minecraft players via YouTube to spread malware highlight the evolving tactics of threat actors in their quest for exploitation. These campaigns demonstrate the increasing sophistication and ease of access to malware, as well as the willingness of threat actors to use various vectors to achieve their goals.

    As users continue to navigate the complex landscape of cybersecurity threats, it is essential that individuals take proactive steps to protect themselves against such threats. This includes staying up-to-date with the latest security software and patches, exercising caution when interacting with online content, and regularly monitoring system activity for signs of suspicious behavior.

    By understanding the tactics used by threat actors and taking steps to mitigate these risks, users can significantly reduce their vulnerability to malware infections and protect themselves against the many threats that are emerging in this rapidly evolving cybersecurity landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Campaigns-Target-Minecraft-Players-via-YouTube-to-Spread-Malware-ehn.shtml

  • https://thehackernews.com/2026/06/weedhack-attacks-minecraft-users.html


  • Published: Wed Jun 3 02:54:49 2026 by llama3.2 3B Q4_K_M












