WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware Activity
Summary
Hide ▲
Show ▼
WeedHack is a Minecraft-focused malware-as-a-service operation that has been active since January 2026 and uses SEO poisoning and YouTube to push malicious downloads that infect users. McAfee Labs says the campaign impersonates Minecraft clients and mods, has identified 3820 unique malicious JAR files and over 240 URLs, and uses weedhack[.]to to expose stolen data and manage compromised systems. The platform targets Minecraft versions 1.21.0 to 1.21.11, steals credentials and system information, and offers paid remote-access features including webcam access, keylogging, reverse shell execution, and screen sharing. Most infections are in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.
Related Happenings
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
How related:
the WeedHack campaign reaches victims mainly through YouTube videos showcasing Minecraft-related tools and SEO poisoning promoting them.
About this happening:
WeedHack is a Minecraft-focused malware-as-a-service (MaaS) campaign that uses YouTube and SEO poisoning to push malicious mods, clients, cheats, and utilities...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignHow related: the WeedHack campaign reaches victims mainly through YouTube videos showcasing Minecraft-related tools and SEO poisoning promoting them.
About this happening: WeedHack is a Minecraft-focused malware-as-a-service (MaaS) campaign that uses YouTube and SEO poisoning to push malicious mods, clients, cheats, and utilities...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The Gremlin stealer malware has expanded into a modular toolkit with session-hijacking and crypto clipping capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The Gremlin stealer malware has expanded into a modular toolkit with session-hijacking and crypto clipping capabilities, raising the risk of credential theft and a...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
H score37
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across Europe with remote access and residential proxy features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax Android banking trojan with residential proxy nodes
Malware ActivityAbout this happening: Mirax is spreading across Europe with remote access and residential proxy features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Timeline
-
03.06.2026 00:54 4 articles · 1mo ago
WeedHack malware campaign infects 116,464 Minecraft systems
Initial DisclosureMcAfee says the WeedHack MaaS infostealer is targeting Minecraft players through malicious mods, clients, cheats, and utilities spread via YouTube videos and SEO poisoning, with telemetry showing 116,464 impacted systems since January and victims concentrated in the United States, Germany, India, and the UK.
Show sources
- Over 116,000 Mincraft systems infected in WeedHack malware campaign — www.bleepingcomputer.com — 03.06.2026 00:54
- Over 116,000 Mincraft systems infected in WeedHack malware campaign — www.bleepingcomputer.com — 03.06.2026 00:54
- Over 116,000 Minecraft systems infected in WeedHack malware campaign — www.bleepingcomputer.com — 03.06.2026 00:54
- Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content — thehackernews.com — 03.06.2026 09:16