Overview
- McAfee's June 2 report shows the WeedHack campaign has infected over 116,000 systems since January 2026 and is adding roughly 2,000 to 3,000 new infections per day.
- Researchers found more than 3,820 unique malicious JAR files and over 240 distribution URLs that impersonate Minecraft mods, clients, cheats and utilities to lure downloads via YouTube links and SEO‑poisoned search results.
- WeedHack is run as a clear‑web Malware‑as‑a‑Service with a web dashboard that displays stolen credentials and victim profiles and offers a free infostealer tier plus a premium tier priced about $4.99 per month that unlocks webcam, keylogging, remote shell and screen control.
- The attack begins with a malicious JAR (DonutDupe.jar) that uses EtherHiding to fetch command‑and‑control info and then stages additional JAR payloads to establish persistence and deploy remote‑access components.
- McAfee found evidence that many customers are teenagers or young adults using the tool to harass victims and share recorded webcam material, which raises immediate risks for Minecraft communities and underscores the need to only download mods from verified sources and run up‑to‑date antivirus software.