A new McAfee Labs report says a Minecraft malware campaign disguised as mods, cheats and custom clients has compromised more than 116,000 systems since January. The operation, called WeedHack, is not just another case of shady downloads doing shady things. Researchers say it gives inexperienced attackers a cheap way to steal passwords, hijack gaming accounts and, at the paid tier, spy through webcams and screens. Because apparently ruining a game session was not sufficient.

McAfee said the campaign had recorded 116,464 hits and was still producing roughly 2,000 to 3,000 new infections per day when its research was published. The company tied the operation to more than 3,820 unique malicious JAR files and over 240 malicious download URLs.

The United States saw the most activity, followed by Germany, India, the United Kingdom, Italy and other regions. The scale matters, but so does the setting: Minecraft has a young, enormous and highly mod-friendly audience, which makes fake tools a very effective trap.

How fake Minecraft mods reached players

The campaign leaned on a pattern that will be familiar to anyone who has spent time around Minecraft: players searching online for free mods, performance clients, cheats, launchers or unofficial utilities. That ecosystem is creative and useful. It is also a convenient hunting ground for people who understand search behavior better than basic ethics.

According to McAfee, attackers promoted infected files through YouTube videos and search engine optimization poisoning, a method used to push malicious pages higher in results for popular search terms. Some videos included voiceovers and polished editing to look legitimate, with download links placed in descriptions and comments. One video pushing a malicious Minecraft mod had more than 7,500 views before it was flagged.

The fake sites were also dressed up to appear trustworthy. Some were designed to resemble official pages or respected community mod hubs. In certain cases, they linked to legitimate GitHub repositories or Discord servers to create a layer of credibility while still delivering malware to visitors.

McAfee said the attackers targeted searches connected to well-known Minecraft clients and tools, including Meteor Client, Radium Client, Wurst Client, LiquidBounce and Impact Client, among others.

What WeedHack offered to would-be attackers

At the center of the campaign is a malware-as-a-service platform. In plain terms, WeedHack packaged cybercrime tools like a software subscription, lowering the technical bar for people who wanted to attack others but did not have the skill to build their own malware. Progress, of a sort.

McAfee described WeedHack as unusual for two reasons. First, it was hosted openly on the clear web rather than being limited to hidden criminal forums. Second, its basic version was available for free to anyone with a Discord account and an internet connection.

That free tier was already dangerous. It could steal:

  • Minecraft session IDs
  • Browser cookies and saved passwords
  • Discord, Steam and Telegram credentials
  • Crypto wallet data
  • Screenshots and system information

The paid version was more invasive. For $5 per month, or a reported $24.99 lifetime payment, WeedHack’s premium tier added remote-control features, including live webcam access, screen sharing with keyboard and mouse control, keylogging, reverse shell access and remote file management.

Security reporters at BleepingComputer also confirmed that the WeedHack dashboard let customers view stolen credentials and information taken from compromised systems.

Why JAR files made the scam harder to spot

McAfee described the infection as a multi-stage chain that begins when a player runs what appears to be a normal Minecraft JAR file. That detail is important because legitimate Minecraft Java Edition mods are commonly distributed as JAR files. To many players, the file format itself does not look suspicious.

Once executed, the malware attempts to hide its activity, collect system details, weaken protections and establish persistence. From there, it can deploy components used for remote access and credential theft.

The campaign also used a blockchain-based technique known as EtherHiding. McAfee said the method relied on the Ethereum blockchain to retrieve command-and-control information, making parts of the infrastructure harder to take down. In other words, the operation did not just rely on a fake download button and optimism. It used layered infrastructure to stay available.

That combination is what makes the case especially messy for players and parents. The initial lure looks like ordinary Minecraft culture: a client, a mod, a performance boost, a shortcut. The result can be stolen accounts, exposed private data and an attacker with direct access to a victim’s machine.

McAfee says teens were using the tools for harassment

The most troubling part of the report is not only the malware itself, but how researchers say it was used inside gaming communities.

McAfee said WeedHack’s Telegram channel had more than 850 members during its investigation, and many customers appeared to be teenagers or young adults. Researchers reported seeing attackers use remote access tools to threaten victims, secretly record them through webcams and share footage as cybercrime trophies.

That shifts the story from a standard account-theft campaign into something more socially corrosive. Minecraft is not merely a game with a large marketplace for mods. It is also a social space where young players communicate, compete and build identities. A tool that lets one player spy on or blackmail another is not just a technical threat. It is a harassment engine with a checkout page.

McAfee said the Telegram channel had been taken down by the time of publication, though the company continued watching for replacements. Given how cheap and openly distributed the service was, that caution is not exactly dramatic.

Why Minecraft remains such a large target

Minecraft’s popularity is central to the risk. Guinness World Records lists it as the best-selling video game of all time, with more than 350 million units sold. That massive audience supports a rich community of mods, launchers, servers and third-party tools.

It also gives criminals a very large pool of potential victims. Accounts can have financial value, Discord and Steam credentials can lead to more accounts, and access to a young person’s device can become a tool for intimidation.

Security experts have long warned that mods should be treated like executable software, because that is effectively what they are. The Fabric documentation team, which maintains resources for one of Minecraft’s major modding ecosystems, advises players to use trusted sources such as Modrinth and CurseForge. It also warns that many sites claiming to host Minecraft mods are actually malware sites.

Microsoft’s Windows guidance similarly recommends downloading programs only from trusted publishers and retail websites. It is basic advice, yes, but basic advice exists because the internet keeps finding new ways to punish people for ignoring it.

What players should do after a suspicious download

Players who think they may have installed a fake Minecraft mod, cheat or custom client should act quickly and avoid using the possibly infected device for account recovery.

Recommended steps include:

  • Disconnect suspicious accounts and stop using the questionable mod or client.
  • Run a full antivirus scan.
  • Remove unknown or recently downloaded JAR files.
  • Reset passwords from a clean device.
  • Revoke active sessions for Microsoft, Discord, Steam, Telegram and other accounts.
  • Check connected email accounts, since email access can be used to retake control of other services.
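For the step about removing unknown or recently downloaded JAR files, the sketch below is an added example (not from McAfee or the original article) that inventories recently modified JARs with their SHA-256 hash, manifest Main-Class and any mod-loader metadata, so each file can be reviewed before deletion. The function names, the 30-day window and the folder paths in the last comment are assumptions.

```python
import hashlib, os, tempfile, time, zipfile
from pathlib import Path

# Loader metadata files that real Fabric/Quilt/Forge mods normally carry.
# Their presence proves nothing about safety; it only helps recognise a file.
MOD_METADATA = ("fabric.mod.json", "quilt.mod.json", "META-INF/mods.toml", "mcmod.info")

def describe_jar(path):
    """Return hash, mtime, manifest Main-Class and mod metadata for one JAR."""
    info = {"path": str(path), "mtime": os.path.getmtime(path),
            "sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest(),
            "main_class": None, "metadata": [], "readable": True}
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            info["metadata"] = [m for m in MOD_METADATA if m in names]
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("main-class:"):
                        info["main_class"] = line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        info["readable"] = False  # not a valid archive: list it anyway
    return info

def recent_jars(roots, days=30, now=None):
    """List every *.jar under roots modified within the last `days` days, newest first."""
    cutoff = (now or time.time()) - days * 86400
    found = []
    for root in roots:
        for path in Path(root).expanduser().rglob("*.jar"):
            if path.is_file() and path.stat().st_mtime >= cutoff:
                found.append(describe_jar(path))
    return sorted(found, key=lambda i: i["mtime"], reverse=True)

if __name__ == "__main__":
    # Constructed sample: one harmless JAR in a temp directory, not a real mod.
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp) / "example-client.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: demo.Main\n")
        for item in recent_jars([tmp], days=7):
            print(item["path"], item["sha256"][:16], item["main_class"], item["metadata"])
    # Real use (assumed locations, adjust per system): recent_jars(["~/Downloads", "~/.minecraft/mods"])
```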

If someone claims to have webcam footage, stolen files or device access, victims should not pay or negotiate. McAfee advises contacting a trusted adult, school authority or law enforcement when harassment or extortion is involved.

The larger lesson is direct: Minecraft’s modding scene is one of the reasons the game has lasted so long, but trust should not come from a slick video, a familiar logo or a comment section full of suspicious enthusiasm. Before players press “Play,” the download itself may already be the real danger.