Weedhack Malware‑as‑Service Targets Minecraft Players via YouTube, Deploys CountLoader Miner to 86K Victims
What Happened — Researchers identified a new malware‑as‑a‑service (MaaS) campaign, codenamed Weedhack, that leverages YouTube videos and pirated Minecraft mods to deliver a malicious loader called CountLoader. Since January 2026 the campaign has distributed over 3,800 malicious files and recorded roughly 86 000 downloads, installing cryptominers and additional payloads on victim machines.
Why It Matters for TPRM
- Gaming platforms, video‑sharing sites, and mod repositories are emerging supply‑chain vectors that can compromise corporate endpoints.
- Cryptomining payloads consume CPU/GPU resources, potentially degrading performance of work‑related applications and increasing utility costs.
- Vendors that host user‑generated content may lack sufficient vetting, exposing downstream customers to malware infection.
Who Is Affected — Gaming & entertainment companies, SaaS platforms that host user‑generated content, corporate IT environments where employees use gaming applications, and any third‑party service that distributes or mirrors Minecraft mods.
Recommended Actions — Review security controls of any third‑party content delivery or mod‑hosting services; enforce application whitelisting and endpoint detection‑and‑response (EDR) on devices that may access game content; incorporate threat‑intel feeds for emerging MaaS campaigns into your vendor risk monitoring program.
Technical Notes — Attack vector: YouTube video lure and pirated Minecraft mod downloads (phishing‑style social engineering). No specific CVE cited. Payload: CountLoader downloader, cryptomining module, optional credential‑stealer. Data at risk includes system credentials and cryptocurrency wallet information. Source: The Hacker News