News
MARKET SIGNAL:

WeedHack Malware Turns Minecraft Mods Into a 116,000-System Infostealer Campaign

Newsroom brief

WeedHack has infected more than 116,000 systems by targeting Minecraft players through malicious mods, clients, cheats and utilities. McAfee telemetry shows 116,464 affected systems, 2,000 to 3,000 infections a day, more than 240 distribution URLs and 3,820 malicious JAR files. The next signal is whether Minecraft mod communities can move users back toward official download sources before infostealer distribution expands further.

Verified against source materialEdited by SendTech Times Cybersecurity Desk
WeedHack Malware Turns Minecraft Mods Into a 116,000-System Infostealer Campaign
Image source: BleepingComputer

Minecraft Mods Become an Infostealer Distribution Channel

A malware campaign called WeedHack has infected more than 116,000 systems since January by targeting Minecraft players through malicious mods, clients, cheats and utilities.

The campaign uses YouTube promotion and search-engine poisoning to push downloads that look like game tools.

McAfee telemetry shows 116,464 affected systems, with 2,000 to 3,000 infections a day.

The largest victim concentrations identified in the report are in the United States, Germany, India and the UK.

The campaign's scale is visible in more than 240 distribution URLs and 3,820 unique malicious JAR files.

For consumer-security teams, the practical risk is that a gaming mod can become a credential-theft path before users recognize it as a security problem.

Free Malware Tools Lower The Abuse Barrier

WeedHack operates as a malware-as-a-service infostealer with a dashboard that lets users view stolen credentials and data from compromised systems.

McAfee described the use of ordinary public web hosting, rather than hidden dark-web distribution, and the free access model as unusual for an infostealer operation.

The free tier targets Minecraft session IDs, cookies and saved passwords across 36 browsers, 56 cryptocurrency add-ons and 12 desktop cryptocurrency wallet apps.

It also targets Discord, Steam and Telegram credentials and can capture screenshots.

A premium tier costs $5 per month and also offers a lifetime purchase option.

That version adds remote control with mouse and keyboard input, webcam access, a keylogger, remote shell access and remote file management.

The paid feature set changes the consumer-risk profile because a campaign that begins with a fake game utility can extend into direct control over the compromised device.

Social Proof Is Part Of The Attack Surface

McAfee researchers said the campaign reaches victims mainly through YouTube videos and poisoned search results.

Some videos include voice-over narration to appear more authentic and have drawn more than 7,500 views.

The attack also copies legitimacy signals from real projects.

In one example, a malicious site warned users to download Skytils only from the official site while linking to the legitimate GitHub repository and Discord server, creating a false sense of safety around the fake page.

For players, the safer control is source discipline: avoid mod links promoted through videos or search results, and verify downloads through the project's official site or repository rather than a lookalike landing page.

The next signal is whether Minecraft players and mod communities shift downloads back toward official project sources before WeedHack-style distribution keeps scaling through video promotion and search traffic.

Share this article
inXf

Related articles

More
Palo Alto Sell-Off Shows AI Cybersecurity Demand Still Has a Timing Problem
Cybersecurity

Palo Alto Sell-Off Shows AI Cybersecurity Demand Still Has a Timing Problem

Palo Alto Networks shares fell more than 4% after stronger quarterly results and current-quarter guidance failed to satisfy investors looking for faster AI-linked earnings upside. CEO Nikesh Arora reiterated a fiscal 2030 target of more than 4,000 platformizations and a USD 20 billion NGS ARR goal. The practical question is whether AI-related security demand turns into NGS ARR progress as data center infrastructure is ordered, installed and brought online.

IPA Translation Turns CISA Security Goals Into A Japan Infrastructure Baseline
Cybersecurity

IPA Translation Turns CISA Security Goals Into A Japan Infrastructure Baseline

Japan’s Information-technology Promotion Agency published a Japanese translation of CISA’s Cross-Sector Cybersecurity Performance Goals Version 2.0 for domestic critical infrastructure operators. The guidance covers IT and operational technology, maps goals to NIST CSF 2.0, and frames the controls as minimum practices rather than a full cybersecurity program. The practical question is whether asset owners use the worksheet to rank gaps by cost, complexity and impact, then review progress after 12 months.

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda
Cybersecurity

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda

CISA added exploited Android and Linux vulnerabilities to its Known Exploited Vulnerabilities catalog. The Android flaw affects Android 14 through 16, while the Linux issue centers on older kernel branches and cgroups v1 container environments. The immediate test is whether agencies and infrastructure operators apply vendor updates or mitigations by CISA's June 5 deadline.

AI Coding Push Turns Developers Into a Prime Cybersecurity Target
Cybersecurity

AI Coding Push Turns Developers Into a Prime Cybersecurity Target

A Japanese @IT analysis says attackers are increasingly targeting developers because AI coding tools, OSS, CI/CD pipelines and cloud services concentrate valuable credentials around them. The report highlights vulnerable AI-generated code, fake recruiting approaches, polluted open-source packages and GitHub Actions-style automation attacks. The practical warning is that companies need stronger identity, dependency and workflow controls rather than relying only on individual developer caution.

Sysdig Says AI Ransomware Still Needed Human Setup
Cybersecurity

Sysdig Says AI Ransomware Still Needed Human Setup

Sysdig described JadePuffer as agentic ransomware, but Michael Clark said a human still chose the victim, provisioned infrastructure and supplied database credentials before the AI agent executed the attack.

Hugging Face Says AI Agent Drove Production Infrastructure Intrusion
Cybersecurity

Hugging Face Says AI Agent Drove Production Infrastructure Intrusion

Hugging Face said an autonomous AI agent system drove an intrusion into part of its production infrastructure, reaching internal datasets and service credentials. The company said public models, datasets and Spaces were not tampered with, while its assessment of partner or customer data remains unfinished.

Keep Reading

More Stories

Latest
Regions Bank Digital Transactions Reach 80% After Mobile UpgradeFintech & Digital PaymentsJul 19, 2026Regions Bank Digital Transactions Reach 80% After Mobile UpgradePYMNTS reported that Regions Bank’s second-quarter materials listed digital transactions at 80% of customer activity, with mobile users, logins, Zelle usage and chat volume rising as core modernisation continues.Microsoft And 3M Extend Azure AI Data Centre Partnership Around EBOCloud & Data CentersJul 19, 2026Microsoft And 3M Extend Azure AI Data Centre Partnership Around EBOCapacity reported that Microsoft plans to deploy 3M's Expanded Beam Optical technology in Azure data centres as the companies extend a partnership across AI infrastructure and 3M's internal enterprise systems. The announcement links fibre-connection maintenance and deployment speed in dense cloud environments with 3M workflows for credit checks, delinquency reviews, system updates, customer service, finance, sales and marketing.AI Reprices Cybercrime Risk Around Phishing And DeepfakesCybersecurityJul 19, 2026AI Reprices Cybercrime Risk Around Phishing And DeepfakesA Forbes contributor analysis by Dr. Jonathan Reichental, republished by Yahoo Finance, says generative AI is reducing the cost and skill needed for phishing and social-engineering attacks. The piece frames AI cyber risk as an operating-control problem for payment approvals, access requests, employee training, simulations, defensive tools and board-level governance.Ericsson Wins UK Defence 5G Role Under £8 Billion RM6393 FrameworkTelco & ConnectivityJul 19, 2026Ericsson Wins UK Defence 5G Role Under £8 Billion RM6393 FrameworkRCR Wireless News reported that Ericsson has been selected for services and components under the UK Ministry of Defence RM6393 tactical communications framework, while Nokia is pursuing defence 5G through partner channels.Red Hat Maps AI-RAN Upgrade Path Around Operator EconomicsTelco & ConnectivityJul 19, 2026Red Hat Maps AI-RAN Upgrade Path Around Operator EconomicsRCR Wireless News reported that Red Hat expects AI-RAN adoption to start with operational gains on existing radio networks before operators test shared AI and RAN infrastructure towards 2030.Superhuman Adds Docs With AI Assistant And MCP LinksAIJul 19, 2026Superhuman Adds Docs With AI Assistant And MCP LinksNo Jitter reported that Superhuman has launched Docs, an AI-native collaboration product evolved from Coda, with Docs AI in beta and MCP connections to tools such as Claude, ChatGPT, Cursor, Jira and Salesforce.H2LooP Raises $2m For Embedded-System AI Coding ToolsAIJul 19, 2026H2LooP Raises $2m For Embedded-System AI Coding ToolsYourStory reported that Bengaluru startup H2LooP raised $2 million to build hardware-aware AI coding tools for firmware and embedded systems, with early deployments in semiconductor and automotive teams.France And Germany Name Arcadia As Starting Point For Sovereign Military AICapital & PolicyJul 19, 2026France And Germany Name Arcadia As Starting Point For Sovereign Military AITNW reported that France and Germany pledged to examine a European sovereign digital backbone for military AI, using France's Arcadia as the starting point after both countries moved intelligence services away from Palantir.Moonshot Sets 27 July Open-Source Release For Kimi K3 AI ModelAIJul 19, 2026Moonshot Sets 27 July Open-Source Release For Kimi K3 AI ModelBBC reported that Moonshot AI launched Kimi K3, a 2.8 trillion-parameter model scheduled for open-source release on 27 July. The Chinese startup says the model can rival OpenAI and Anthropic systems, but exact hardware requirements and enterprise customers remain undisclosed.Meta Smart Glasses Face Privacy Backlash As Courtroom Bans SpreadCapital & PolicyJul 19, 2026Meta Smart Glasses Face Privacy Backlash As Courtroom Bans SpreadYahoo Tech reported that backlash against AI-enabled smart glasses is growing as Meta expands camera-equipped eyewear, with courthouse bans, facial-recognition concerns and cloud-review warnings shaping the privacy debate.Nebius Raises $775M Secured Debt Facility For GPU Cloud BuildoutCapital & PolicyJul 19, 2026Nebius Raises $775M Secured Debt Facility For GPU Cloud BuildoutNebius said its first senior secured debt facility is backed by deployed GPU infrastructure and contracted cash flows, with the $775 million financing priced at SOFR + 2.50% and maturing on October 31, 2030.White House Pushes New Gatekeeping Role For Frontier AI Model AccessCapital & PolicyJul 18, 2026White House Pushes New Gatekeeping Role For Frontier AI Model AccessCNBC reported that the Trump administration is pressing deeper into access decisions for frontier AI models from OpenAI and Anthropic, while a White House official said release timing and scope remain company decisions.