Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems.

McAfee Labs has codenamed the Minecraft-focused malware-as-a-service (MaaS) campaign Weedhack, stating that the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820 unique malicious JAR files and over 240 URLs responsible for distributing the malware have been identified.

"This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs," security researcher Aayush Tyagi said. "We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs."

Central to the campaign is an enterprise-grade dashboard ("weedhack[.]to") that enables customers to view stolen credentials and system information, as well as remotely keep tabs on the compromised systems. Furthermore, it allows criminals to create custom payloads that can target Minecraft versions 1.21.0 to 1.21.11, and to inject the malware into legitimate Minecraft mods.

The starting point of the attack is a malicious JAR file ("DonutDupe.jar") downloaded from the malicious websites. The file then retrieves details of the command-and-control (C2) server domain using a known technique called EtherHiding, which employs the Ethereum blockchain as a dead drop resolver.
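A triage check a defender could run on a downloaded mod before launching it, written for this article as an added example and not taken from McAfee's report: it walks a JAR, including nested JARs, and flags entries that contain Ethereum JSON-RPC method names, which a Minecraft mod has little reason to carry. It assumes the strings sit in plaintext in the class constant pool, so obfuscated or encrypted strings will not match; the marker list, limits and sample JARs are constructed for illustration.

```python
import io
import zipfile

# Real Ethereum JSON-RPC method names; using them as triage markers is this example's assumption.
RPC_MARKERS = (b"eth_call", b"eth_getStorageAt", b"eth_getLogs", b"eth_getTransactionByHash")
MAX_ENTRY = 32 * 1024 * 1024  # skip oversized entries (zip-bomb guard)
MAX_DEPTH = 3                 # jar-in-jar nesting limit


def scan_jar(jar_bytes, prefix="", depth=0):
    """Return {entry path: [markers found]} for a JAR given as bytes."""
    hits = {}
    try:
        jar = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP container, nothing to inspect
    with jar:
        for info in jar.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            data = jar.read(info)
            path = prefix + info.filename
            if info.filename.endswith(".jar") and depth < MAX_DEPTH:
                # Mods often bundle libraries as nested JARs; scan those too.
                hits.update(scan_jar(data, path + "!/", depth + 1))
                continue
            found = sorted(m.decode() for m in RPC_MARKERS if m in data)
            if found:
                hits[path] = found
    return hits


def build_jar(entries):
    """Build an in-memory JAR from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: fake class bodies, not real malware or real mods.
CLEAN = build_jar({"mod/Render.class": b"\xca\xfe\xba\xbe drawBlock"})
INNER = build_jar({"a/Loader.class": b"\xca\xfe\xba\xbe\x01\x00\x08eth_call jsonrpc"})
SUSPECT = build_jar({"mod/Main.class": b"\xca\xfe\xba\xbe init",
                     "META-INF/jars/lib.jar": INNER})

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan_jar(blob))
```

A hit is a reason to inspect the file further, not proof of infection, and an empty result does not clear a JAR whose strings are obfuscated.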