
Weedhack attacks Minecraft users, CountLoader reaches 86K, miners spread via pirated content

June 3, 2026

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube in an attempt to spread malware that can take control of victims’ systems.

McAfee Labs, which has codenamed the Minecraft-focused malware-as-a-service (MaaS) campaign Weedhack, says the operation has been active since January 2026 and infects users by impersonating Minecraft clients and mods. In total, the company identified 3,820 unique malicious JAR files and over 240 URLs involved in malware distribution.

“This campaign uses SEO poisoning and YouTube to generate traffic to these malicious URLs,” said security researcher Aayush Tyagi. “We also found two YouTube channels and multiple videos demonstrating Minecraft mods and clients and redirecting viewers to these URLs.”

At the heart of the campaign is an enterprise-grade dashboard (weedhack[.]This allows customers to view stolen credentials and system information, as well as remotely monitor compromised systems. In addition to injecting malware into legitimate Minecraft mods, criminals can also create custom payloads that target Minecraft versions 1.21.0 to 1.21.11.

The starting point of the attack is a malicious JAR file (‘DonutDupe.jar’) that is downloaded from a malicious website. This file then retrieves the command and control (C2) server domain details using a known technique called EtherHiding, which uses the Ethereum blockchain as a dead drop resolver.

In the next stage, the malware connects to the C2 server and retrieves another Java-based JAR payload (‘Elevator.jar’). This payload collects system information, configures Microsoft Defender exclusions, and acts as a conduit to drop two additional JAR payloads. The third JAR payload (‘SecurityManager.jar’) establishes persistence and acts as a stager for the final component (‘Component.jar’) that deploys remote access functionality.

The threat actors behind the tool use a Telegram channel to promote their wares, broadcast updates, and provide customer support. The channel has over 850 members. The tool is offered in two tiers:

  • Free: includes a comprehensive infostealer that targets Minecraft session IDs and four Minecraft launchers, captures screenshots, and collects files, system information, cookies, and passwords from 36 different web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, and credentials for Discord, Steam, and Telegram.
  • Premium: starts at $4.99 per month ($24.99 for a perpetual license) and provides additional remote access features such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file upload and download.

The attack chain revolves around SEO poisoning and a YouTube video with a description that embeds a link to a malicious Minecraft client to target unsuspecting users. The majority of Weedhack infections have been confirmed in the United States, followed by Germany, India, the United Kingdom, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

“One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free,” Tyagi said. “This cost difference, and ease of access with detailed tutorials on how to use the malware, significantly reduces the barrier to entry for potential customers. Additionally, its ability to steal Minecraft accounts attracts a younger audience. Both of these elements complement each other, making the campaign more deadly.”

McAfee Labs said it has also observed the malware being used for cyberbullying: customers believed to be teenagers or young adults are said to use its remote access capabilities to threaten, harass, and monitor victims. They recorded their victims through webcams and shared the videos as “trophies” on their Telegram channel.

CountLoader offers crypto clipper

The disclosure comes as the cybersecurity firm sheds light on a massive CountLoader campaign that it estimates has compromised 86,000 unique machines. CountLoader is a JavaScript loader typically distributed via cracked software distribution sites. It is known to deploy various payloads including Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.

Approximately 9,000 of these infections are said to be due to the malware spreading via USB drives or other removable media. McAfee Research said India had the highest number of infections, followed by Indonesia, the United States, and several countries in Southeast Asia, adding that it was able to sinkhole the malware’s communication infrastructure by registering fake C2 domains.

“Infection begins when the EXE file is executed,” the company states. “This file launches a PowerShell command to download and run an obfuscated JavaScript loader known as CountLoader. The loader is executed using ‘mshta.exe’.”

Once CountLoader is executed, it sets up persistence, communicates with the C2 server, attempts to spread via a USB drive, and waits for further instructions from the C2 server to download and execute the payload. The final payload deployed in the latest round of attacks is the Cryptocurrency Clipper malware, which hijacks clipboard contents and redirects cryptocurrency transactions.
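The two process-launch behaviors described above (a PowerShell process starting 'mshta.exe' in the CountLoader chain, and a Java-launched payload configuring Microsoft Defender exclusions in the Weedhack chain) can be hunted for in process-creation telemetry. The following is an added example, not code from McAfee or from the original article; the event fields, the sample events, the rule names, and the assumption that the exclusions are set through the Add-MpPreference/Set-MpPreference cmdlets are all constructed for illustration.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Users\a\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"pid": 220, "ppid": 210, "image": PS, "cmdline": "powershell -c <placeholder>"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe <placeholder>"},
    {"pid": 310, "ppid": 100, "image": r"C:\Java\bin\javaw.exe", "cmdline": "javaw -jar DonutDupe.jar"},
    {"pid": 320, "ppid": 310, "image": PS, "cmdline": r"powershell Add-MpPreference -ExclusionPath C:\Users\a"},
    # Benign control: an HTA opened directly by the user from the shell.
    {"pid": 410, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\tools\help.hta"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
JAVA = {"java.exe", "javaw.exe"}
# Assumption: exclusions are configured through the Defender PowerShell cmdlets.
DEFENDER_EXCLUSION = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... image names; stops at unknown parents or cycles."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield basename(cur["image"])
        cur = by_pid.get(cur["ppid"])

def detect(events):
    """Return (pid, rule) pairs for the two behaviors described in the article."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse inside the window
    alerts = []
    for e in events:
        chain = list(ancestors(e, by_pid))
        # CountLoader chain: the loader is run by mshta.exe started from PowerShell.
        if basename(e["image"]) == "mshta.exe" and chain and chain[0] in SHELLS:
            alerts.append((e["pid"], "mshta_from_powershell"))
        # Weedhack chain: a Java-launched payload configures Defender exclusions.
        if DEFENDER_EXCLUSION.search(e["cmdline"]) and JAVA.intersection(chain):
            alerts.append((e["pid"], "defender_exclusion_from_java"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

In production telemetry, key the lookup on a process GUID rather than the PID, since PIDs are reused over time.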

Pirated content leads to cryptocurrency miners

The findings also follow the discovery of a multi-year campaign that used illegal movie and TV show streaming sites to distribute cryptocurrency miners under the guise of fake updates to video player plugins. The fake update downloads a ZIP archive and uses DLL sideloading to drop a fork of SilentCryptoMiner.

This malware has a wide range of functionality:

  • Configures Defender exclusions, closes Microsoft’s Malicious Software Removal Tool, and disables automatic hibernation and sleep modes to maximize the miner’s potential execution time on the device.
  • Triggers User Account Control (UAC) prompts repeatedly until the process successfully runs with elevated privileges.
  • Starts the watchdog component that ensures uninterrupted operation of the miner.
  • Runs a RAT agent that provides remote control functionality such as executing arbitrary commands, launching EXE files using ‘explorer.exe’, and executing shellcode.
  • Launches an XMRig-based CPU and GPU miner.

“The archive contained the legitimate executable file HLS Installer.874.exe along with the malicious DLL. Launching the EXE triggered the DLL’s sideloading mechanism, which injected the malicious module into the legitimate program process and executed the code within its context,” Kaspersky said. “The library contained logic to deploy the miner and establish persistence on the device.”

This activity is assessed to be a continuation of a campaign documented by NTT Security in April 2023 to drop miners using fake browser crash warnings.

“The attackers are using a variety of sites, from online libraries to movie and TV show streaming platforms,” Kaspersky said. “We do not know what channels they will use to distribute malicious archives in the future, but this incident shows that users who visit pirated websites continue to pose a serious risk.”

