Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
https://thehackernews.com/2026/06/weedhack-attacks-minecraft-users.html
Publish Date: 2026-06-03 02:16:00
Source Domain: thehackernews.com
Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims’ systems.
The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, which said the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3,820 unique malicious JAR files and over 240 URLs responsible for distributing the malware have been identified.
“This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs,” security researcher Aayush Tyagi said. “We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs.”
Central to the campaign is an enterprise-grade dashboard (“weedhack[.]to”) that lets customers view stolen credentials and system information and remotely monitor the compromised systems. It also allows criminals to build custom payloads targeting Minecraft versions 1.21.0 to 1.21.11 and to inject the malware into legitimate Minecraft mods.
The starting point of the attack is a malicious JAR file (“DonutDupe.jar”) downloaded from the malicious websites. The file then retrieves details of the command-and-control (C2) server domain using a known technique called EtherHiding, which employs the Ethereum blockchain as a dead drop resolver.
In the next stage, the malware contacts the C2 server to fetch another Java-based JAR payload (“Elevator.jar”) that collects system information, configures Microsoft Defender exclusions, and serves as a conduit for dropping two additional JAR payloads. The third JAR payload (“SecurityManager.jar”) establishes persistence and acts as a stager for the final component (“Component.jar”) that deploys the remote access features.
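From the defender's side, the behaviour of the Elevator.jar stage described above (a downloaded JAR that then adds Microsoft Defender exclusions) is something an endpoint log pipeline can correlate. The following Python is an added illustration, not code from the article or from McAfee's research: it pairs a `java -jar` process launch with a Defender configuration-change event (Event ID 5007) that adds an exclusion path within a short window. The event records, field names and the five-minute window are constructed and simplified assumptions, not a real log schema.

```python
"""Correlate a JAR launch with a Defender exclusion change shortly afterwards."""
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article): a javaw -jar launch,
# an exclusion-path change 29 seconds later, and an unrelated change hours on.
SAMPLE_EVENTS = [
    {"ts": "2026-05-10T18:02:11", "kind": "process", "pid": 4120,
     "cmdline": r"javaw.exe -jar C:\Users\u\Downloads\DonutDupe.jar"},
    {"ts": "2026-05-10T18:02:40", "kind": "defender", "event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                  r"\C:\Users\u\AppData\Roaming\.minecraft = 0x0"},
    {"ts": "2026-05-10T20:15:00", "kind": "defender", "event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                  r"\D:\build = 0x0"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def jar_launches(events):
    """Process-creation events whose command line runs a JAR directly."""
    return [e for e in events
            if e["kind"] == "process" and "-jar" in e["cmdline"].lower()]


def exclusion_changes(events):
    """Defender 5007 (configuration changed) events touching Exclusions."""
    return [e for e in events
            if e["kind"] == "defender" and e["event_id"] == 5007
            and "\\Exclusions\\" in e["new_value"]]


def correlate(events, window=WINDOW):
    """Alert when an exclusion change follows a JAR launch within `window`."""
    alerts = []
    for excl in exclusion_changes(events):
        for jar in jar_launches(events):
            delta = _ts(excl) - _ts(jar)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "jar": jar["cmdline"].split("-jar", 1)[1].strip(),
                    "exclusion": excl["new_value"],
                    "seconds_after_launch": int(delta.total_seconds()),
                })
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for DonutDupe.jar; the later exclusion change falls outside the window and is ignored.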
The threat actors behind the tooling leverage a Telegram channel to advertise their warez, broadcast…