A large malware campaign targeting Minecraft players across the United States and around the world has infected more than thousands of computer systems since January 2026. The campaign, known as WeedHack, spreads through fake Minecraft mods, hacked clients, cheats, and other means that appear legitimate at first glance.
Cybersecurity researchers at McAfee Labs say the campaign logged more than 116,000 infections. It continued to add up to 3,000 new victims per day. McAfee said people can use the platform to launch attacks without creating their own malware. The service offers both free and paid tiers, lowering the barrier to entry for inexperienced attackers.
Researchers found the operation distributed thousands of malicious Java archive files. It also relied on hundreds of download URLs to reach potential victims.
The Minecraft mod disguise
According to McAfee, attackers disguised infected files as popular Minecraft mods and clients. Once installed, the malware could steal passwords, browser cookies, account credentials, Discord tokens, and other sensitive data. Some versions also allowed attackers to access files on a victim’s computer and gain control of infected systems.
Researchers said one of the campaign’s most concerning aspects involved cyberbullying. McAfee researchers said they documented instances in which attackers appeared to use stolen information to harass, intimidate, or embarrass victims.
McAfee noted that the low cost and accessibility of the service appeared to attract younger users, including some teenagers. Reportedly, the United States was the most affected country, followed by Germany, India, the United Kingdom, Italy, and others.
BleepingComputer cited McAfee telemetry, showing the campaign affected 116,464 systems and spread through Minecraft-related mods, clients, cheats, and utilities promoted on YouTube and through SEO poisoning, or tactics that manipulate search results to direct users toward malicious websites.
More advanced paid versions of WeedHack offer capabilities beyond basic credential theft. Premium subscribers can access features such as keystroke logging, webcam monitoring, remote system surveillance, and reverse shell functionality.
Cybersecurity experts recommend caution when downloading mods or third-party software. McAfee advised users to obtain Minecraft modifications only from trusted and verified sources. Researchers also warned against downloading files from links posted in YouTube descriptions, comments, or unfamiliar websites.
People who believe they may have installed a malicious mod should disconnect the affected system from the internet, run a reputable security scan, change passwords, review active login sessions, and enable multi-factor authentication. Users should also monitor financial and online accounts for suspicious activity and consider changing credentials stored in browsers.
Published: Jun 6, 2026 09:58 am