Researchers have uncovered a campaign that targets Minecraft players through YouTube. The campaign, which McAfee Labs tracks as ‘Weedhack’, is a malware-as-a-service (MaaS) operation whose malware poses as Minecraft mods and clients in order to take control of victims’ systems.
Weedhack: A New Threat to Gamers
Active since January 2026, Weedhack impersonates Minecraft clients and mods to deceive users. The campaign uses SEO poisoning and YouTube videos to funnel traffic to malicious download URLs. McAfee Labs has identified 3,820 unique malicious JAR files and more than 240 URLs distributing the malware.
Security researcher Aayush Tyagi highlighted the use of YouTube channels and videos that showcase Minecraft mods and clients; these videos direct viewers to the malicious URLs, extending the campaign’s reach. The malware’s central hub, ‘weedhack[.]to’, provides an enterprise-style dashboard from which criminals can monitor stolen data and manage compromised systems.
Technical Details of the Attack
The attack begins with a malicious JAR file named ‘DonutDupe.jar’, downloaded from compromised websites. Rather than embedding its command-and-control (C2) address, the file uses a technique called EtherHiding: it reads the C2 details from the Ethereum blockchain, which lets the operators change the address without reissuing the JAR and makes the pointer itself resistant to takedown, since data written to the blockchain cannot be removed. The malware then contacts the C2 server to download additional payloads, each with a specific malicious function.
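As an added example, not code from McAfee Labs or from the malware, the following Python shows the analyst side of EtherHiding: an EtherHiding-style loader sends a read-only `eth_call` to a public Ethereum JSON-RPC node and ABI-decodes the string the contract returns, so recovering the hidden C2 means replaying that decoding. The contract address, the getter selector and the returned payload are all constructed here; they are not indicators from the campaign.

```python
import json

# Added example (not McAfee's or the malware's code). An EtherHiding loader asks a
# public Ethereum node to evaluate a contract getter (eth_call) and ABI-decodes the
# returned string to obtain its C2. Every identifier below is a constructed stand-in.


def abi_encode_string(s: str) -> str:
    """Encode a single `string` return value the way Solidity's ABI does:
    a 32-byte offset (0x20), a 32-byte length, then UTF-8 bytes padded to 32."""
    data = s.encode("utf-8")
    pad = (32 - len(data) % 32) % 32
    head = (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex()
    return "0x" + head + (data + b"\x00" * pad).hex()


def abi_decode_string(hex_result: str) -> str:
    """Decode an ABI-encoded `string` from an eth_call result, validating the
    offset and length so a malformed or truncated response raises instead of
    silently returning garbage."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def build_eth_call(contract: str, selector: str) -> dict:
    """The JSON-RPC request an EtherHiding loader sends to a public node:
    a read-only call of the contract's getter, identified by its 4-byte selector."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def extract_c2(rpc_response: dict) -> str:
    """Pull the C2 string out of a JSON-RPC eth_call response."""
    if "error" in rpc_response:
        raise ValueError(f"node returned error: {rpc_response['error']}")
    return abi_decode_string(rpc_response["result"])


# Constructed stand-ins (assumptions, not real indicators): a hypothetical contract
# address, the selector of a hypothetical get() getter, and the response a node would
# return if that contract stored the URL below.
HYPOTHETICAL_CONTRACT = "0x" + "11" * 20
HYPOTHETICAL_SELECTOR = "0x6d4ce63c"  # keccak256("get()")[:4]; a real contract may differ
STORED_C2 = "https://c2.example.test/gate"
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(STORED_C2)}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(HYPOTHETICAL_CONTRACT, HYPOTHETICAL_SELECTOR)))
    print("C2 recovered from contract:", extract_c2(SAMPLE_RESPONSE))
```

Against a live sample, the analyst would capture the contract address and selector from the JAR, send the request produced by `build_eth_call` to any public node (the call is read-only and needs no wallet), and feed the response to `extract_c2`; the strict length checks matter because operators sometimes store junk or a second encoding layer in the contract to frustrate exactly this kind of replay.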
The malware is also distributed through a Telegram channel with more than 850 members, which advertises the tool and provides support. It is sold in free and premium versions. The free version steals Minecraft session IDs, which let an attacker impersonate the victim’s account on game servers, and harvests data from web browsers and cryptocurrency wallets. The premium tier, starting at $4.99 per month, adds remote-access features.
CountLoader and Cryptocurrency Miners
Alongside Weedhack, McAfee Labs disclosed a widespread campaign involving CountLoader, a JavaScript loader distributed through cracked-software sites. The campaign has compromised roughly 86,000 machines, with infections concentrated in India and Southeast Asia. The loader deploys a range of payloads, including a cryptocurrency clipper, which watches the clipboard and silently swaps any copied wallet address for one the attacker controls, so that the victim’s next transaction goes to the attacker.
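The clipper behaviour described above can be detected from the endpoint side by sampling the clipboard and flagging an address-to-address change that happens faster than a person could copy twice. The Python below is an added example, not McAfee’s or CountLoader’s code; the clipboard samples are constructed, the address patterns are loose shape checks with no checksum validation, and the two-second window is an assumed threshold.

```python
import re

# Added example (not McAfee's or CountLoader's code). A clipper polls the clipboard
# and, as soon as a wallet address is copied, overwrites it with an attacker-controlled
# address of the same coin type. The detector below replays that from the defender's
# side over a time-ordered list of clipboard samples. Samples, address patterns
# (shape only, no checksum) and the 2-second window are constructed/assumed.

ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the coin type if `text` looks like a wallet address, else None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def detect_clipper_swaps(samples, window_seconds: float = 2.0):
    """`samples` is a time-ordered list of (timestamp_seconds, clipboard_text) taken
    by a clipboard poller. Returns one finding per suspected swap: an address of
    kind K replaced by a *different* address of kind K within `window_seconds`.
    Identical re-reads of the same address are ignored, as are different addresses
    separated by more than the window (a user copying two addresses normally)."""
    findings = []
    last = None  # (timestamp, text, kind) of the most recent address seen
    for ts, text in samples:
        kind = classify_address(text)
        if kind is None:
            continue
        text = text.strip()
        if (last is not None and last[2] == kind and last[1] != text
                and ts - last[0] <= window_seconds):
            findings.append({"kind": kind, "original": last[1],
                             "replacement": text, "delta_s": ts - last[0]})
        last = (ts, text, kind)
    return findings


# Constructed clipboard poll at a 0.5 s interval (only changes are listed here):
SAMPLE_POLL = [
    (0.0,  "draft invoice text"),
    (1.0,  "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),   # user copies an ETH address
    (1.5,  "0xcafebabecafebabecafebabecafebabecafebabe"),   # replaced 0.5 s later: swap
    (30.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies a BTC address
    (30.5, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # unchanged on the next poll
    (95.0, "bc1qswappedaddress" + "x" * 22),               # different address, far later
]

if __name__ == "__main__":
    for f in detect_clipper_swaps(SAMPLE_POLL):
        print(f"possible clipper: {f['kind']} {f['original']} -> {f['replacement']} "
              f"after {f['delta_s']:.1f}s")
```

In a real agent the sample list would be fed by a clipboard hook or a short polling loop, and a hit would be correlated with the process that last wrote the clipboard; the heuristic alone will occasionally fire on a user who pastes two addresses in quick succession, which is why it is a signal to investigate rather than a block.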
Illegal streaming sites have also been used to spread a cryptocurrency miner disguised as a video-player plugin update. The miner uses DLL side-loading, in which a malicious DLL is placed where a legitimate executable will load it by name, to run under the cover of a trusted process, and it disables system defenses to maximize its runtime.
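One practical way to hunt for the side-loading described above is to review image-load telemetry for well-known Windows DLL names that were loaded from outside the system directories. The Python below is an added example, not McAfee’s or the miner’s code; the records mirror the fields of a Sysmon image-load event (ID 7) but use a simplified constructed line format, and the list of commonly side-loaded DLL names is an illustrative assumption, not an exhaustive one.

```python
import ntpath

# Added example (not McAfee's or the miner's code). DLL side-loading drops a malicious
# DLL next to a legitimate, usually signed, executable that imports that DLL by bare
# name; the application directory is searched first, so the planted copy wins. This
# scan flags a known system DLL name loaded from a non-system directory. Record format
# and records are constructed; the candidate-name list is an illustrative subset.

# Assumption: a small subset of DLL names that are commonly abused for side-loading.
SIDELOAD_CANDIDATES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "msimg32.dll", "dwmapi.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_image_load(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' image-load record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_sideload_suspect(record: dict) -> bool:
    """True when a known system DLL name was loaded from a non-system directory."""
    loaded = record.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower()
    if name not in SIDELOAD_CANDIDATES:
        return False
    return not directory.startswith(SYSTEM_DIRS)


def scan_image_loads(lines):
    """Return one finding per suspect record. An unsigned DLL is rated high; a signed
    one is still reported (vendors do redistribute system-named DLLs) at medium."""
    findings = []
    for line in lines:
        rec = parse_image_load(line)
        if not rec.get("ImageLoaded") or not is_sideload_suspect(rec):
            continue
        unsigned = rec.get("Signed", "").lower() == "false"
        findings.append({
            "process": rec.get("Image", ""),
            "dll": rec["ImageLoaded"],
            "severity": "high" if unsigned else "medium",
        })
    return findings


# Constructed records in a simplified pipe-delimited form (Sysmon ID 7 field names):
SAMPLE_IMAGE_LOADS = [
    r"Image=C:\Program Files\VideoPlayer\player.exe|ImageLoaded=C:\Program Files\VideoPlayer\version.dll|Signed=false",
    r"Image=C:\Program Files\VideoPlayer\player.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\alice\AppData\Roaming\Update\update.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\Update\dbghelp.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\tool.exe|ImageLoaded=C:\Program Files\Vendor\dwmapi.dll|Signed=true",
]

if __name__ == "__main__":
    for f in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']}")
```

The same logic ports directly to a SIEM query over real Sysmon or EDR image-load events; the high-severity hits are the ones to pull the DLL for, since a signed but misplaced copy is often a vendor redistributable while an unsigned one sitting beside a signed player executable is the pattern the streaming-site miner relies on.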
These findings underscore how cybercriminals adapt their tactics to reach unsuspecting users. The campaigns’ reliance on widely used platforms such as YouTube and pirated-content sites shows how readily ordinary browsing habits can be turned against users.
Users should download Minecraft mods and clients only from their official sources, treat download links in YouTube descriptions and on cracked-software or streaming sites with suspicion, and check a pasted wallet address against the intended one before sending funds.
