WeedHack Minecraft Malware

Brendan Smith

McAfee Labs is warning about WeedHack, a Minecraft-focused malware-as-a-service campaign that hides inside fake mods, hacked clients, cheats, and utilities. The practical risk is simple: a downloaded JAR that looks like a game add-on can steal Minecraft session data, browser passwords, cryptocurrency wallet data, Discord or Steam tokens, and in paid builds even give an attacker remote control of the PC.

The campaign is not a small one-off sample. McAfee says WeedHack has been active since January 2026, has produced more than 3,820 unique malicious JAR files, and has used more than 240 distribution URLs. Its telemetry counted 116,464 hits, with roughly 2,000 to 3,000 new hits per day. BleepingComputer coverage of the same report helped surface the story, but the primary facts come from McAfee’s research.

Who Is Affected

The likely victims are Windows users, parents, and Minecraft players who searched for clients, mods, cheats, FPS boosters, launchers, or utilities outside official project pages. McAfee says the campaign uses YouTube videos and SEO-poisoned pages that imitate trusted mod pages. Some lures even warn users about fake downloads while linking to legitimate GitHub or Discord pages nearby, which makes the malicious page feel safer than it is.

| Signal | Why it matters |
| --- | --- |
| Unknown Minecraft JAR, client, or cheat from a video/comment/search result | WeedHack is distributed through fake mod and client downloads, not through normal game updates. |
| Recent Minecraft session problems, Discord/Steam alerts, or browser account warnings | The free stealer tier targets session IDs, cookies, saved passwords, messenger tokens, and crypto extensions. |
| Webcam, shell, file access, or remote-control behavior | McAfee reports paid WeedHack tiers add remote access, keylogging, webcam access, shell, and file management. |

What To Check First

If you or a child downloaded a Minecraft JAR from a video description, comment, file mirror, or search-result clone, treat the system as exposed until checked. Do not re-open the file to confirm what it does.

  1. Remove the suspicious JAR, launcher, client, and any matching entries from the Minecraft mods folder and Downloads folder.
  2. Run a full security scan. Gridinsoft Anti-Malware can be used as a second-opinion cleanup check for suspicious JARs, stealers, startup entries, and browser-side leftovers.
  3. From a clean device, change the Microsoft account password tied to Minecraft and revoke suspicious sessions where available.
  4. Rotate passwords saved in browsers, then check Discord, Steam, Telegram, email, and cryptocurrency wallets for new sessions or recovery changes.
  5. If remote access is suspected, back up personal files only, avoid copying EXE/JAR/script files, and consider a clean Windows reinstall after account recovery.

For similar gamer-focused malware behavior, see Gridinsoft’s “MaksStealer Minecraft mod cleanup” guide and the broader “infostealer after downloading a game or mod” checklist. If the same malware led to account takeover, the “Microsoft account recovery after malware” guide is the next step.

Why JAR Mods Are Risky

Minecraft: Java Edition has a large modding ecosystem, but Java mods are still executable code. Minecraft Help notes that Java Edition modding is not officially supported by Minecraft Support, which means players must judge the source and trust chain themselves. A real project page, a long-lived GitHub repository, and a known mod loader are safer signals than a random download button on a cloned page.
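Because a JAR is a ZIP archive of Java code, the files named in step 1 of the checklist above can be listed, hashed, and read without running them. The Python script below is an added example, not code from McAfee or Gridinsoft; the folder locations are assumed Windows defaults, and the facts it reports (SHA-256, Main-Class entry point, mod-loader metadata) are triage aids, not WeedHack indicators.

```python
import hashlib
import io
import os
import zipfile
from pathlib import Path

# Metadata files that Fabric, Quilt and Forge/NeoForge mods normally ship.
LOADER_METADATA = ("fabric.mod.json", "quilt.mod.json", "META-INF/mods.toml",
                   "META-INF/neoforge.mods.toml", "mcmod.info")

def inspect_jar(path):
    """Read a JAR as a ZIP archive only; nothing inside it is executed."""
    data = Path(path).read_bytes()
    facts = {"path": str(path), "sha256": hashlib.sha256(data).hexdigest(),
             "readable": True, "class_files": 0, "loader_metadata": [],
             "main_class": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            names = set(jar.namelist())
            facts["class_files"] = sum(n.endswith(".class") for n in names)
            facts["loader_metadata"] = [n for n in LOADER_METADATA if n in names]
            if "META-INF/MANIFEST.MF" in names:
                text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                # Manifest values longer than 72 bytes wrap onto lines starting with a space.
                text = text.replace("\r\n", "\n").replace("\n ", "")
                for line in text.split("\n"):
                    if line.lower().startswith("main-class:"):
                        facts["main_class"] = line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        facts["readable"] = False  # renamed or corrupted file: still hashed and reported
    return facts

def inventory(folders):
    """Return facts for every *.jar under the given folders, newest first."""
    jars = [p for f in folders if Path(f).is_dir() for p in Path(f).rglob("*.jar")]
    jars.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [inspect_jar(p) for p in jars]

if __name__ == "__main__":
    # Assumed default locations on Windows; adjust for other launchers or profiles.
    appdata = os.environ.get("APPDATA", str(Path.home()))
    for facts in inventory([Path(appdata) / ".minecraft" / "mods", Path.home() / "Downloads"]):
        print(facts)
```

A JAR that lacks loader metadata or declares a Main-Class is not thereby malicious, and one that looks like an ordinary mod is not thereby safe. Use the hashes to match files against scanner results and to confirm afterwards that everything on the list was removed.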

FAQ

Is every Minecraft mod dangerous?

No. The problem is untrusted JARs, fake clients, and cloned mod pages. Use official project pages and well-known repositories, and avoid links from video comments or search ads when you cannot verify the developer.

What makes WeedHack worse than a normal stealer?

McAfee says WeedHack combines credential theft with a public dashboard, payload builder, and paid remote-access features. That means a low-skill attacker can steal data and, in some cases, interact with the victim’s machine.

Should I only delete the Minecraft mod?

No. Deleting the JAR is not enough if it already ran. Scan the system, rotate passwords from a clean device, review sessions, and check messaging and gaming accounts for new logins.

References

  1. Aayush Tyagi, McAfee Labs. “Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns.” McAfee Blog, June 2, 2026, accessed June 3, 2026. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/
  2. Minecraft Help. “Mods for Minecraft: Java Edition.” Minecraft Help Center, accessed June 3, 2026. https://help.minecraft.net/hc/en-us/articles/4409139065613-Mods-for-Minecraft-Java-Edition