Gamers downloading Minecraft mods or cheat tools face a serious threat. A malware campaign called WeedHack has infected more than 116,000 systems since January 2026, and it is still spreading at a rate of 2,000 to 3,000 new infections every day.
The campaign was uncovered by researchers at McAfee Labs and represents one of the more sophisticated attacks to target the gaming community in recent memory. What makes it especially alarming is how little effort it takes to join the operation as an attacker, and how easy it is to fall victim as a player.
How WeedHack Spreads
The malware does not rely on technical exploits or zero-day vulnerabilities. Instead, it uses social engineering and search manipulation to reach players who are simply looking for game enhancements.
WeedHack spreads primarily through YouTube videos that showcase Minecraft mods, cheat clients, and utilities. These videos link to fake download portals designed to look like legitimate Minecraft community sites. Alongside YouTube, the campaign uses SEO poisoning to push these fake sites to the top of search results, so players searching for popular clients or mods encounter malicious downloads before they find real ones.
Researchers identified more than 3,820 unique malicious JAR files and over 240 distribution URLs tied to the campaign. The scale of that infrastructure makes it clear this is not a casual operation.
What Gets Stolen
WeedHack operates as a malware-as-a-service (MaaS) infostealer. Once installed, it begins harvesting sensitive data from the infected machine. The free tier alone is capable of stealing Minecraft session IDs, saved passwords and cookies from 36 different browsers, credentials from Discord, Steam, and Telegram, cryptocurrency wallet data from 56 browser extensions and 12 desktop wallet apps, and screenshots of the victim’s screen.
That is a significant amount of data. A stolen Minecraft session ID can be used to hijack an account without needing a password. Combined with browser credentials and crypto wallet access, a single infection can result in multiple types of account takeover simultaneously.
The premium tier goes further. For $5 per month, or a one-time payment of $24.99, operators gain remote control over the infected machine. This includes full mouse and keyboard input, webcam access, a keylogger, a remote shell, and remote file management. At that price point, the barrier to running a surveillance operation is almost nonexistent.
A Platform Built for Anyone
One of the most striking aspects of WeedHack is its accessibility. The platform is hosted on the open web and available for free. That is highly unusual for infostealer operations, which are more commonly sold through dark web forums with restricted access.
Operators receive a dashboard that displays an overview of their victims, profiles of infected systems, and a payload builder compatible with Minecraft versions 1.21.0 through 1.21.10. The project’s Telegram channel has gathered over 800 members, functioning as a support and distribution community.
This structure lowers the barrier to cybercrime significantly. Someone with no coding knowledge can download the platform, generate a payload through the dashboard, upload it to a fake mod site, and start collecting stolen credentials. The WeedHack campaign does not require sophisticated resources or state-level infrastructure — it requires very little at all.
Who Is at Risk
McAfee’s telemetry shows the campaign has hit victims in the United States, Germany, India, the United Kingdom, and Italy, among other countries. The US has the highest concentration of infections, but the reach is clearly global.
The target demographic skews young. Minecraft remains the best-selling video game in history, with more than 350 million copies sold. Its player base includes a large number of younger users who may be less familiar with the risks of downloading third-party mods or cheat software. That makes them particularly vulnerable to fake sites that look convincing and YouTube videos that appear to offer something genuinely useful.
Researchers also noted that in some cases, the remote access features of the premium tier were used not just for data theft but to harass victims directly. That crosses a line from financial crime into targeted abuse, making the consequences of infection far harder to predict.
How to Stay Protected
The safest approach is straightforward: only download Minecraft mods from official project pages and well-established repositories. The in-game Minecraft Marketplace is the safest source for extensions and add-ons. Any site that asks you to disable your antivirus software before downloading should be treated as a major red flag — legitimate software does not require you to turn off your defenses.
Using a VPN does not prevent malware infections directly, but it can reduce your exposure to SEO poisoning and help mask your network activity from trackers associated with malicious sites. Combined with up-to-date antivirus software, a VPN adds a useful layer of protection when browsing unfamiliar corners of the internet.
Be cautious of YouTube videos promoting free game tools, especially those with download links in the description. If a channel is new, has few subscribers, or promotes multiple different game utilities, treat the content with skepticism.
Final Thoughts
The WeedHack Minecraft malware campaign is a clear reminder of how gaming communities have become prime targets for cybercriminals. The tools are cheap, the victims are plentiful, and the infrastructure is surprisingly easy to build. Over 116,000 infections in just a few months — with thousands more every day — shows the real cost of downloading mods and cheats without verifying the source. Players who stick to official channels and keep their security software active are in a far better position than those chasing shortcuts.