WeedHack Malware Campaign
Cybersecurity researchers have uncovered a sophisticated malware campaign aimed at Minecraft players, using YouTube and search engine manipulation to infect users with malware capable of taking control of their systems.
The operation, tracked under the name Weedhack, has been active since January 2026. Threat actors disguise malicious software as Minecraft clients and mods, luring users into downloading infected files. Researchers have identified 3,820 unique malicious JAR files and more than 240 URLs involved in distributing the malware.
To maximize reach, the campaign relies on SEO poisoning techniques and YouTube content that promotes supposedly legitimate Minecraft modifications. Investigators have already identified multiple videos and at least two YouTube channels directing viewers to malicious download sites.
A Professional Criminal Platform Behind the Campaign
At the core of the operation is an advanced dashboard hosted on weedhack.to, which provides cybercriminals with access to stolen credentials, system information, and monitoring capabilities for compromised devices. The platform also enables customers to generate customized malware payloads targeting Minecraft versions 1.21.0 through 1.21.11 and even inject malicious code into legitimate Minecraft modifications.
The malware ecosystem is marketed through a Telegram channel with more than 850 members. The channel serves as a hub for advertising the service, distributing updates, and offering customer support to users of the platform.
How the Infection Chain Works
The attack begins when a victim downloads a malicious JAR file named DonutDupe.jar from one of the fraudulent websites. Once executed, the file retrieves Command-and-Control (C2) server information through EtherHiding, a technique that leverages the Ethereum blockchain as a dead-drop resolver.
The malware then contacts the C2 infrastructure and downloads a second Java-based payload known as Elevator.jar. This component gathers system information, creates Microsoft Defender exclusions, and prepares the system for additional malware deployment.
A third payload, SecurityManager.jar, establishes persistence on the infected device and acts as a staging component. Finally, Component.jar is delivered, enabling the remote-access functionality that gives attackers extensive control over compromised systems.
Free and Premium Malware Offerings
The Weedhack platform is offered through two subscription levels:
Free Tier: Includes a powerful information stealer capable of harvesting Minecraft session IDs, data from four Minecraft launchers, screenshots, files, system information, browser cookies, passwords from 36 web browsers, information from 56 browser-based cryptocurrency wallets and 12 desktop wallet applications, as well as credentials associated with Discord, Steam, and Telegram.
Premium Tier: Available from $4.99 per month or $24.99 for a lifetime license, this version adds advanced remote-access features such as webcam surveillance, keylogging, reverse shell execution, screen sharing with keyboard and mouse control, and file transfer capabilities.
Global Reach and a Lower Barrier to Cybercrime
Most infections have been recorded in the United States, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.
A defining characteristic of Weedhack is its availability on the clear web rather than hidden underground marketplaces. By providing free access to sophisticated malware alongside detailed tutorials, the platform significantly lowers the barrier to entry for aspiring cybercriminals. The additional ability to steal Minecraft accounts further increases its appeal among younger users, making the campaign particularly dangerous and effective.
From Cybercrime to Cyberbullying
Researchers have also observed an alarming social dimension to the campaign. Many customers appear to be teenagers and young adults who are exploiting the malware's remote-access features to intimidate, harass, and monitor victims.
Investigators documented cases in which attackers secretly recorded victims through compromised webcams and later shared the footage on the Telegram channel as so-called 'trophies.' This behavior highlights how malware platforms like Weedhack are not only facilitating traditional cybercrime but also enabling targeted cyberbullying and digital harassment.