Minecraft mods with a surprise: how WeedHack infected 116,000 gaming PCs

More than 116,000 devices worldwide were hit by a large-scale malware campaign called WeedHack. The attack targeted gaming communities — and hit Minecraft fans especially hard. McAfee researchers tracked the campaign starting in January 2026: on average, between 2,000 and 3,000 systems were infected every day. The numbers are striking — and a reminder of how dangerous familiar download sources can be.

Where the virus was hiding

The attackers were clever. Malicious files were distributed as popular Minecraft mods, clients, cheats, macros, and various utilities. Users downloaded them thinking they were improving their gameplay — without suspecting any danger.

The main distribution channels were:

• YouTube — review videos with links to malicious downloads in descriptions and comments. Some videos were professionally made, with voice-over narration, and gathered more than 7,500 views.
• Discord — gaming servers where users trusted files shared by “their own.”
• SEO poisoning — fake sites were pushed into search results for well-known clients such as Meteor, Wurst, LiquidBounce, Future Client, and others. Many of these projects have no official websites, only GitHub pages — giving scammers perfect cover.

What exactly was stolen

WeedHack operated as an infostealer service under the MaaS (Malware-as-a-Service) model. That meant anyone could gain access to the platform and their own control panel for infected devices — and the basic version was free.

Even the free version could:

• steal passwords and cookies from 36 browsers;
• capture data from Discord, Steam, and Telegram;
• extract information from 56 cryptocurrency extensions and 12 desktop wallets;
• take screenshots.

For $5 per month or a one-time payment of $24.99, operators got a far more dangerous toolkit: remote mouse and keyboard control, webcam access, a keylogger, remote command line access, and file management. The project’s Telegram channel had more than 800 members — and according to McAfee, many of its customers were teenagers who used the tools not only to steal data, but also to spy on and harass their victims.

Why it worked so well

The campaign’s success is easy to explain: gaming culture is built on trust. That is especially true for Minecraft — one of the world’s most popular games, with a massive ecosystem of user-generated content. Players are used to downloading mods and clients from unofficial sources, and WeedHack took full advantage of that habit. Add polished videos and convincing-looking websites — and you get the perfect trap.

How to avoid it

Here are a few simple rules that really work:

• Download mods and clients only from official sources — project websites or their GitHub pages.
• Do not trust links in YouTube descriptions or Discord servers without checking them first.
• Be cautious with JAR files — especially if the source looks suspicious.
• Enable two-factor authentication on all gaming and social platforms.
• Scan your device regularly with antivirus software and change your passwords if you have already downloaded anything from questionable sources.

Stay safe

WeedHack is a clear reminder that online threats are evolving. This is no longer just about stolen passwords: it is about spying, blackmail, and the targeting of real people. Gaming communities are becoming targets more and more often — and the more carefully each of us treats what we download, the harder it becomes for campaigns like this to succeed.

Have you come across suspicious links in gaming communities? Share your experience in the comments — it might help protect someone else.