WeedHack Malware Campaign Infects Over 116,000 Minecraft Systems, Harvesting Credentials and Crypto Wallets
What Happened – A malware‑as‑a‑service operation named WeedHack has compromised more than 116,000 Minecraft clients since January 2026. The infostealer is delivered via malicious mods, cheats and utilities promoted on YouTube and through SEO‑poisoned search results. Victims’ session IDs, browser cookies, cryptocurrency wallet files, Discord, Steam and Telegram credentials, plus screenshots, are exfiltrated to a web dashboard that the operators provide to the malware’s subscribers.
Why It Matters for TPRM –
- Third‑party mod distributors and hosting platforms become inadvertent infection vectors.
- Stolen credentials can be leveraged against corporate VPNs, SSO providers, and crypto‑related services used by employees.
- The free‑tier dashboard provides attackers with real‑time victim intelligence, increasing the speed of downstream attacks on supply‑chain partners.
Who Is Affected – Gaming and entertainment firms, SaaS providers hosting mod repositories, cloud‑hosting services, advertising networks that monetize gaming content, and any organization whose employees use Minecraft‑related tools on corporate devices.
Recommended Actions –
- Audit all employee endpoints for unauthorized Minecraft clients or mods.
- Block downloads of JAR files from unverified sources and enforce application allow‑lists on managed endpoints.
- Require MFA for accounts reachable with stolen passwords, and revoke active sessions and rotate tokens where a stolen session ID or browser cookie would replay straight past MFA.
- Conduct threat‑intel monitoring for new WeedHack distribution URLs and related YouTube channels.
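The endpoint audit and allow‑list actions above can be combined into one script. The following is an added example written for this brief, not code from the advisory or from BleepingComputer: it hashes every JAR under a mods directory with SHA‑256, reports any file whose hash is not on a known‑good allow‑list, and flags JARs whose manifest declares a Main‑Class, which a loader‑managed mod does not need but a standalone dropper does. The allow‑list contents, the sample JARs and the Main‑Class heuristic are assumptions for illustration; on a real endpoint you would point `audit_mods` at the launcher’s mods folder (by default `.minecraft/mods` under the user profile) and feed it hashes of mods you have vetted.

```python
"""Allow-list audit of Minecraft mod JARs (added example, not from the advisory).

Assumptions: the allow-list is a set of SHA-256 hex digests of vetted mods,
and a Main-Class manifest entry is treated as a heuristic worth review,
since mods are loaded by Forge/Fabric rather than launched with `java -jar`.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large JARs do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_main_class(path: Path):
    """Return the Main-Class from META-INF/MANIFEST.MF, or None if absent or not a zip."""
    try:
        with zipfile.ZipFile(path) as z:
            if "META-INF/MANIFEST.MF" not in z.namelist():
                return None
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_mods(mods_dir: Path, allowlist: set) -> list:
    """Return one finding per .jar whose SHA-256 is not on the allow-list."""
    findings = []
    for p in sorted(mods_dir.rglob("*.jar")):
        digest = sha256_file(p)
        if digest in allowlist:
            continue
        findings.append({
            "path": str(p.relative_to(mods_dir)),
            "sha256": digest,
            "main_class": jar_main_class(p),  # non-None is a review flag, not proof
        })
    return findings


def build_demo():
    """Construct a throwaway mods directory (constructed sample data, not real malware):
    one allow-listed mod and one unknown JAR that carries a Main-Class."""
    root = Path(tempfile.mkdtemp(prefix="mods-"))
    good = root / "known-mod-1.0.jar"
    with zipfile.ZipFile(good, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("fabric.mod.json", '{"id": "known-mod"}')
    bad = root / "free-cheat-client.jar"
    with zipfile.ZipFile(bad, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only, placeholder
    allowlist = {sha256_file(good)}  # the vetted mod is the only allow-listed hash
    return root, allowlist


if __name__ == "__main__":
    mods_dir, allowlist = build_demo()
    for f in audit_mods(mods_dir, allowlist):
        flag = " (declares Main-Class: %s)" % f["main_class"] if f["main_class"] else ""
        print("UNKNOWN JAR %s sha256=%s%s" % (f["path"], f["sha256"], flag))
```

A hash allow‑list catches renamed or re‑packaged files that a filename block would miss; the Main‑Class check only prioritises review and should not be read as a verdict on its own.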
Technical Notes – Distribution via YouTube video descriptions/comments and SEO‑poisoned sites; the payload is a Java‑based JAR file that runs as a stealthy infostealer. It harvests session IDs, cookies and saved credentials from 36 browsers, data from 56 cryptocurrency browser add‑ons and 12 desktop wallets, Discord/Steam/Telegram credentials, and screenshots; the premium tier adds remote‑control capabilities. Source: BleepingComputer