WeedHack Malware Targets Minecraft Players With Advanced Info-Stealing Techniques

Cybersecurity researchers have uncovered a sophisticated malware campaign called Weedhack that targets Minecraft players through YouTube videos and search engine manipulation. Active since January 2026, this attack has generated nearly 4,000 malicious files and over 240 websites designed to distribute the malware. The attackers use YouTube channels to showcase fake Minecraft mods and cheats, directing unsuspecting viewers to dangerous download sites. Once victims download a file called DonutDupe.jar, the malware uses an advanced technique called EtherHiding that leverages the Ethereum blockchain to conceal the location of its command and control server, making detection significantly more difficult.
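One way to hunt for the EtherHiding lookup described above, as an added example that is not taken from the researchers' report: a Java runtime (which is what executes a `.jar` mod) has no normal reason to read smart-contract data over Ethereum JSON-RPC, so the code flags that combination. The event schema (`host`, `image`, `dest`, `body`), the hostnames and the contract addresses are constructed placeholders, and the check assumes request bodies are visible, for example through a TLS-inspecting proxy.

```python
import json
# Read-only JSON-RPC methods a client can use to pull data out of a smart contract.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}
# Assumption: process image names that indicate a Java runtime on the endpoint.
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}

def rpc_calls(body):
    """Return the JSON-RPC request objects in an HTTP body (single or batch), or []."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    items = doc if isinstance(doc, list) else [doc]
    return [i for i in items if isinstance(i, dict) and i.get("jsonrpc") == "2.0"]

def contract_target(call):
    """Contract address a call reads from, if the params carry one."""
    params = call.get("params") or []
    first = params[0] if params else None
    if isinstance(first, dict):  # eth_call: [{"to": ..., "data": ...}, block]
        return first.get("to")
    return first if isinstance(first, str) else None  # eth_getStorageAt / eth_getCode

def find_etherhiding_lookups(events):
    """Flag Java processes that read smart-contract data over JSON-RPC."""
    hits = []
    for ev in events:
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in JAVA_IMAGES:
            continue
        for call in rpc_calls(ev.get("body")):
            if call.get("method") in CONTRACT_READ_METHODS:
                hits.append((ev["host"], image, ev["dest"], call["method"], contract_target(call)))
    return hits

# Constructed sample telemetry (hypothetical schema, placeholder hosts and addresses).
SAMPLE_EVENTS = [
    {"host": "pc-01", "image": r"C:\Program Files\Java\bin\javaw.exe", "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x' + "00" * 20 + '","data":"0x12345678"},"latest"]}'},
    {"host": "pc-02", "image": r"C:\Program Files\Browser\browser.exe", "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x' + "11" * 20 + '","data":"0x"},"latest"]}'},
    {"host": "pc-03", "image": "/usr/bin/java", "dest": "api.example.invalid",
     "body": '{"version":"1.20","mods":[]}'},
    {"host": "pc-04", "image": "javaw.exe", "dest": "rpc.example.invalid",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]},{"jsonrpc":"2.0","id":2,"method":"eth_getStorageAt","params":["0x' + "22" * 20 + '","0x0","latest"]}]'},
]

if __name__ == "__main__":
    print(*find_etherhiding_lookups(SAMPLE_EVENTS), sep="\n")
```

The browser event is deliberately ignored because wallet extensions make the same calls legitimately; the signal is the Java runtime doing it.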

The malware operates through multiple stages, downloading additional components that disable security software, steal login credentials, and establish persistent remote access to infected computers. What makes Weedhack particularly dangerous is its availability through a web-based control panel that allows attackers to customize malware for specific Minecraft versions and embed it into legitimate game modifications. The criminals behind this operation run a Telegram channel with over 850 members where they advertise the tool, provide customer support, and disturbingly share videos recorded from victims' webcams as trophies. Most infections have occurred in the United States, with significant numbers also found in Germany, India, and several European countries.

Security experts warn that Weedhack represents a troubling trend because it offers powerful malware capabilities at low or no cost through the regular internet, making it accessible to inexperienced cybercriminals. The tool specifically appeals to younger users by promising the ability to steal Minecraft accounts, while its remote access features are being weaponized for cyberbullying, harassment, and surveillance by what appear to be teenage and young adult customers. This combination of easy accessibility and features that appeal to younger threat actors significantly amplifies the danger of this campaign.

This discovery coincides with reports of another massive malware operation called CountLoader that has infected approximately 86,000 computers worldwide. CountLoader spreads primarily through pirated software websites and has the ability to propagate via USB drives, with India experiencing the highest infection rates followed by Indonesia and the United States. These parallel campaigns highlight an ongoing problem where users seeking free or pirated content on questionable websites expose themselves to serious security risks, including cryptocurrency miners, remote access trojans, and information stealers that can compromise their systems and personal data.

Stay secure — stay Wavasec. 🔐