Minecraft’s Hidden Threat: How $5 WeedHack Turns Teens Into Cyberbullies

WeedHack has infected over 116,000 Minecraft systems since January 2026 by posing as mods and clients. Teens pay as little as $5 monthly for remote access tools they use to cyberbully peers via webcam and screen sharing. The clear-net MaaS dashboard lowers every entry barrier.
Written by Ava Callegari

Over 116,000 Minecraft systems have fallen to a malware operation that anyone can join. No dark web forums. No high fees. Just a dashboard on the clear web and a Telegram group.

From Mod Hunters to Victims

Players searching for the latest clients or cheats land on poisoned results. They watch polished YouTube videos. They click links in descriptions or comments. They download what looks like Meteor Client, Wurst, or a simple dupe mod. Instead they get a JAR file laced with WeedHack.

The campaign started in January 2026. McAfee Labs counted 3,820 unique malicious JAR files and more than 240 distribution URLs. Infections still arrive at 2,000 to 3,000 per day. Most victims live in the United States, followed by Germany, India and the United Kingdom.

Short. Simple. Effective. Search engines and video platforms do the heavy lifting.

Creators post well-edited clips with overlays and music. Voice-overs narrate fake tutorials. Comments insist the download is clean even when antivirus warnings appear. One viewer wrote that his computer flagged potential malware. The channel owner shot back: “definitely not malware.” The video passed 7,500 views.

SEO tactics focus on popular tools that have no official home. Threat actors dominate results for names like Radium Client, LiquidBounce, Impact Client, Aristois and Salhack. They build fake sites that mimic legitimate project pages, complete with security warnings and links to real GitHub repositories. The goal is trust. The result is infection.

But the real story sits behind the scenes. WeedHack operates as Malware-as-a-Service. Its creators lowered every barrier. Free tier. Premium for five dollars a month. Lifetime access for $24.99. A clean web dashboard. Tutorials on everything from payload building to OPSEC.

Anyone with a Discord account and internet can sign up. Many do. The project’s Telegram channel once held over 850 members, most of them teenagers and young adults. They don’t write the code. They buy the service. Then they turn the remote tools against other kids.

Free payloads steal Minecraft session IDs from four popular launchers. They grab cookies and passwords from 36 browsers. They drain 56 crypto browser extensions and 12 desktop wallets. Discord, Steam and Telegram tokens fall too. Screenshots. File searches across 24 keywords. System details. All of it flows to the operator’s dashboard.

Premium unlocks the nightmare. Webcam streams. Keylogging. Reverse shell. Live screen sharing with full mouse and keyboard control. File upload and download. Remote access that lets an attacker watch, listen and manipulate in real time.

And they do.

McAfee researchers watched the Telegram group before it disappeared. Customers posted videos of victims reacting in fear. They recorded webcams. They threatened. They harassed players the same age as themselves. Cyberbullying with a RAT. Trophies shared in a group chat. The operators even received feature requests: jump scares, ransomware, microphone access, support for more clients.

The infrastructure shows polish unusual for this audience. Stage one uses the Ethereum blockchain to fetch the command server. Smart contract data comes RSA-signed. Thirty-two JSON-RPC endpoints provide redundancy. If one fails, the malware moves to the next. The technique, called EtherHiding, shields the C2 from easy takedown.
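For defenders, the endpoint fallback described above leaves a trace: a Java process sending Ethereum JSON-RPC calls, sometimes to several nodes in quick succession. The following detection sketch is an added example, not code from McAfee or from the original article; the log fields, host names, `.example` endpoints and thresholds are constructed assumptions, and it presumes telemetry that exposes the process image and the request body.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/EDR records (not real traffic); hosts and endpoints are placeholders.
SAMPLE_LOG = """
{"ts":"2026-03-02T18:04:01","host":"pc-17","image":"javaw.exe","dest":"sessionserver.example","body":null}
{"ts":"2026-03-02T18:04:03","host":"pc-17","image":"javaw.exe","dest":"rpc-a.example","body":{"jsonrpc":"2.0","method":"eth_call","id":1}}
{"ts":"2026-03-02T18:04:05","host":"pc-17","image":"javaw.exe","dest":"rpc-b.example","body":{"jsonrpc":"2.0","method":"eth_call","id":1}}
{"ts":"2026-03-02T18:04:09","host":"pc-17","image":"javaw.exe","dest":"rpc-c.example","body":{"jsonrpc":"2.0","method":"eth_call","id":1}}
{"ts":"2026-03-02T18:10:00","host":"pc-22","image":"chrome.exe","dest":"rpc-a.example","body":{"jsonrpc":"2.0","method":"eth_call","id":7}}
{"ts":"2026-03-02T18:11:00","host":"pc-30","image":"javaw.exe","dest":"rpc-a.example","body":{"jsonrpc":"2.0","method":"eth_call","id":1}}
{"ts":"2026-03-02T19:30:00","host":"pc-30","image":"javaw.exe","dest":"rpc-b.example","body":{"jsonrpc":"2.0","method":"eth_call","id":1}}
this line is truncated {"ts":
"""

JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}

def eth_rpc_events(log_text):
    """Yield (host, time, endpoint) for Ethereum JSON-RPC calls made by a Java process."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            body = rec["body"] or {}
            if (rec["image"].lower() in JAVA_IMAGES and body.get("jsonrpc") == "2.0"
                    and str(body.get("method", "")).startswith("eth_")):
                yield rec["host"], datetime.fromisoformat(rec["ts"]), rec["dest"]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip blank, truncated or unexpected records

def find_java_eth_rpc(log_text, window=timedelta(seconds=120), min_endpoints=3):
    """Map host -> {endpoints, rotating}; rotating means min_endpoints distinct nodes within window."""
    per_host = defaultdict(list)
    for host, ts, dest in eth_rpc_events(log_text):
        per_host[host].append((ts, dest))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start, rotating = 0, False
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({dest for _, dest in events[start:end + 1]}) >= min_endpoints:
                rotating = True
                break
        alerts[host] = {"endpoints": sorted({d for _, d in events}), "rotating": rotating}
    return alerts
```

Any Java process issuing `eth_` calls is worth a look on a gaming machine; the `rotating` flag raises priority when the fallback behaviour itself is visible.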

Subsequent stages employ JNIC, a commercial Java native obfuscator costing hundreds of pounds. Bytecode vanishes. Native DLLs take over. UAC bypass via CMSTP. Everything runs in memory when possible. Analysis becomes painful. Execution stays quiet.
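A quick triage check for a downloaded mod, as an added example that is not from the original article or from McAfee: it lists native executables packed inside a JAR, identified by file header rather than by extension. It assumes the native code is bundled in the archive on disk (an assumption; the article says only that native DLLs take over), so a clean result proves nothing, and some legitimate mods ship natives too. The sample JAR and its entry names are constructed.

```python
import io
import zipfile

NATIVE_EXTS = (".dll", ".so", ".dylib", ".jnilib")

def native_kind(head: bytes):
    """Identify a native executable from its leading bytes, or return None."""
    if head[:4] == b"\x7fELF":
        return "ELF"
    if head[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe"):
        return "Mach-O"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # A real PE file stores the offset of its "PE\0\0" signature at 0x3C.
        pe_off = int.from_bytes(head[0x3C:0x40], "little")
        if head[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return None

def triage_jar(jar, head_bytes=4096):
    """Return the class count and every archive entry that is a native binary."""
    report = {"classes": 0, "natives": []}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class"):
                report["classes"] += 1
                continue
            with zf.open(info) as fh:
                kind = native_kind(fh.read(head_bytes))
            if kind:
                disguised = not name.lower().endswith(NATIVE_EXTS)
                report["natives"].append({"entry": name, "kind": kind, "disguised": disguised})
    return report

def build_sample_jar():
    """Constructed sample: one class, a PE stub named like an asset, and a decoy text file."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        zf.writestr("assets/sample/data.bin", pe_stub)
        zf.writestr("assets/sample/notes.txt", b"MZ is not enough to be a PE file")
    buf.seek(0)
    return buf
```

`triage_jar` also accepts a file path, so it can be pointed at a mod in a downloads folder before the file is ever opened by a launcher.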

Ten domains host payloads and the dashboard. Eleven more trace back to the same actor’s earlier MaaS efforts. The current panel lives at whpayment.ru and rotates when detections rise. Payments arrive in Bitcoin or Litecoin through freshly generated wallets. Tracking stays hard.

Dashboard users see live statistics. Total hits. Twenty-four hour leaderboards. Victim profiles with CPU, GPU, RAM, IP address, usernames and screenshots. Stolen credentials sit ready for export. A builder lets operators craft payloads for Minecraft versions 1.21.0 through 1.21.11 and inject them into legitimate mods so the game appears to work.

Tutorials cover dashboard use, remote features, cashing out stolen tokens, VPN and proxy recommendations, distribution tricks. The suggestion box reveals customer desires. The operation listens.

A New Low for Gaming Communities

This isn’t sophisticated nation-state work. It’s accessible enough for script kids to become digital stalkers. The same Minecraft servers where players once built together now host victims whose webcams feed teenage tormentors.

Security firms have seen similar mod-based attacks before. Check Point Research tracked the Stargazers Ghost Network in 2025 pushing fake cheats through GitHub. Earlier efforts hit mod packs and launchers. Yet WeedHack stands apart for its price point, its clear-net dashboard and its eager underage customer base.

BleepingComputer reported the 116,464 infection figure and noted the operation’s unusual openness. Mashable highlighted the cyberbullying angle, quoting deceptive YouTube exchanges and urging parents to watch for suspicious downloads.

Recent coverage from Help Net Security and The Hacker News echoed McAfee’s warnings and added detail on premium pricing and Ethereum C2 techniques. The pattern holds: low cost plus high visibility equals rapid spread among a demographic least equipped to defend itself.

Protection starts with skepticism. Download mods only from official project pages. Verify every link. Treat JAR files from random sites as dangerous. Run updated security software. Use the official Minecraft Marketplace when possible. Parents should monitor what their children install.

The threat actor maintains multiple backup domains. The Telegram channel vanished once but others can appear. New feature requests keep coming. Infections continue. WeedHack proves that sophisticated remote access no longer requires technical skill or large cash outlays.

It only requires a kid who wants to watch another kid squirm.

That reality should worry every parent, educator and platform host involved in gaming. The barrier between playful griefing and genuine digital harassment has collapsed. The tools are cheap. The audience is vast. The next 100,000 infections may arrive even faster.
