This Minecraft Mod Malware Infected Over 116,000 Devices

McAfee researchers revealed the campaign, known as WeedHack, in a report published on June 2. By the time the findings were released, the malware had recorded 116,464 infections and was reportedly adding between 2,000 and 3,000 new victims every day.

Unlike many malware services that charge hundreds of dollars per month and operate through hidden dark web forums, WeedHack was remarkably easy to access. Anyone with a Discord account could use its free version, while more advanced features were available through a subscription starting at just $5 per month.

Fake Minecraft mods used to spread WeedHack

The malware was distributed through misleading YouTube tutorials and fake download pages designed to appear above legitimate mod websites in search results.

Attackers presented the downloads as tools or modifications for popular Minecraft clients, including Meteor, LiquidBounce, and Wurst. Players who followed the instructions unknowingly installed malware onto their computers.

Once launched, WeedHack carried out several actions without alerting the victim. It contacted a command server whose location was stored through the Ethereum blockchain, making the infrastructure harder to shut down.

It then attempted to disable Windows Defender and installed itself in a way that allowed it to return whenever the computer restarted.

Customers paying for the premium version could also gain direct access to an infected device. This included viewing the victim’s screen, browsing files, activating the webcam, and controlling parts of the computer remotely.

Free users could still steal valuable information

The unpaid version of WeedHack was already capable of collecting a large amount of sensitive data.

It searched 36 different browsers for stored passwords and login cookies. It could also steal Discord and Steam credentials, cryptocurrency wallet information, and Minecraft session tokens.

Minecraft session tokens were particularly dangerous because they could allow an attacker to enter someone’s account without knowing the actual password.

Teenagers reportedly used the malware to harass others

McAfee researchers monitored a Telegram group connected to the operation, which had attracted more than 850 members.

Instead of only using the malware for financial theft, some members appeared to be teenagers targeting other players for entertainment or harassment. Researchers observed users accessing victims’ webcams, recording them without permission, and sharing the footage inside the group.

The Telegram channel has since been removed. However, the people behind WeedHack have continued operating by launching replacement websites whenever existing domains are identified and blocked.

WeedHack operated like a legitimate online service

The campaign included several features more commonly associated with an ordinary subscription business.

Payments were accepted in Bitcoin and Litecoin, with a different wallet address created for each purchase to make transactions more difficult to trace. The service also featured a leaderboard, a free access option, and a public suggestion board where customers could vote on future additions.

Among the most requested features were ransomware capabilities and a jump-scare tool that could suddenly display frightening content on an infected computer.

Malware hidden inside gaming downloads is not a new problem. Earlier in 2026, a horror game was removed from Steam after it was found collecting passwords and browser information. Minecraft players were also targeted by another campaign involving fake cheats and malicious mods in 2025.