Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Cracked Content

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware that can take control of victims’ systems.
McAfee Labs has codenamed the malware-as-a-service (MaaS) campaign Weedhack, saying the operation has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In total, 3,820 unique malicious JAR files and more than 240 URLs responsible for spreading the malware were identified.
“This campaign uses SEO and YouTube poisoning to generate traffic to these malicious URLs,” said security researcher Aayush Tyagi. “We also found two YouTube channels and multiple videos showing Minecraft mods and clients and redirecting viewers to these URLs.”
Central to the campaign is an enterprise-grade dashboard (“weedhack[.]to”) that lets customers view stolen credentials and system information and keep tabs on compromised systems remotely. It also allows them to build custom payloads targeting Minecraft versions 1.21.0 to 1.21.11, and to plant malware inside legitimate Minecraft mods.
The starting point of the attack is a malicious JAR file (“DonutDupe.jar”) downloaded from the malicious websites. The file then retrieves the domain of the command-and-control (C2) server using a well-known technique called EtherHiding, which uses the Ethereum blockchain as a dead-drop resolver.
In the next stage, the malware contacts the C2 server to download a second Java JAR payload (“Elevator.jar”) that collects system information, configures Microsoft Defender exclusions, and serves as a dropper for two further JAR payloads. A third JAR (“SecurityManager.jar”) establishes persistence and serves as the loader for the final component (“Component.jar”), which implements the remote access features.
The threat actors behind the tool run a Telegram channel to advertise their wares, broadcast updates, and provide customer support. The channel has over 850 members. The tool itself comes in two tiers –
- Free, which includes a comprehensive infostealer that can steal Minecraft session IDs from four Minecraft launchers; take screenshots; and harvest files, system information, cookies, and passwords from 36 different web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, as well as Discord, Steam, and Telegram credentials.
- Premium, which starts at $4.99 per month (or $24.99 for a lifetime license) and offers additional remote access capabilities, such as webcam access, keystroke logging, reverse shell creation, screen sharing with keyboard and mouse access, and file uploads and downloads.
Attack chains rely on SEO poisoning and YouTube videos whose descriptions embed links to the malicious Minecraft clients to reach unsuspecting users. Most Weedhack infections have been identified in the US, followed by Germany, India, the UK, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

“One of the key things that makes Weedhack different is that it is hosted on the clear internet and provides access to the malware for free,” Tyagi said. “This difference in cost and ease of access with detailed tutorials on how to use the malware significantly lowers the barrier to entry for potential customers. In addition, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign more lethal.”
McAfee Labs said it has also seen the malware act as a catalyst for cyberbullying, with customers, seemingly teenagers and adults alike, using its remote access capabilities to intimidate, harass, and stalk their victims. Operators have been observed recording victims through their webcams and sharing the videos on the Telegram channel as “trophies.”
CountLoader Delivers Crypto Clipper
The disclosure comes as the cybersecurity firm sheds light on a large-scale CountLoader campaign estimated to have compromised 86,000 unique machines. CountLoader is a JavaScript loader commonly distributed through cracked software sites and is known for installing payloads such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.
In this campaign, nearly 9,000 infections were attributed to the malware spreading via USB drives and other removable media. McAfee Labs said the highest number of infections was seen in India, followed by Indonesia, the US, and several Southeast Asian countries, adding that it was able to gain visibility into the malware’s communications by registering one of its C2 domains itself.
“The infection starts when the EXE file is executed,” the company said. “This file introduces a PowerShell command, which downloads and executes an obfuscated JavaScript loader called CountLoader. The loader is executed using ‘mshta.exe.’”

Once launched, CountLoader establishes persistence, communicates with the C2 server, attempts to propagate via USB drives, and waits for further instructions from the C2 server to download and run the payload. The final payload delivered in the latest set of attacks is cryptocurrency clipper malware, which hijacks clipboard contents to redirect cryptocurrency transactions.
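A clipper works by overwriting a wallet address the user has just copied with the attacker's own, which gives a defender a concrete behaviour to look for: an address-shaped clipboard value replaced by another address of the same type, by a different process, within a fraction of a second. The following is an added example written for this article, not code from McAfee Labs or from CountLoader; it runs the check over constructed clipboard telemetry (the `writer` field and the `clip_helper.exe` process name are hypothetical, and the addresses are public example values).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes for the two most commonly clipped assets. Format checks only;
# no checksum validation is needed to recognise "looks like a wallet address".
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float    # seconds since epoch when the clipboard was written
    writer: str  # image name of the process that wrote it (hypothetical telemetry field)
    text: str    # clipboard text content


def classify(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    stripped = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return asset
    return None


def find_clipper_swaps(events: List[ClipboardEvent], max_delay: float = 2.0) -> List[dict]:
    """Flag address-for-address rewrites made by a different process shortly after a copy.

    A user who copies a second address does so from the same application and after a
    human-scale delay; a clipper overwrites within milliseconds from its own process.
    All three conditions (same asset type, different writer, short delay) must hold.
    """
    alerts = []
    previous = None  # (asset type or None, event) for the last clipboard write seen
    for ev in sorted(events, key=lambda e: e.ts):
        asset = classify(ev.text)
        if (asset is not None and previous is not None
                and previous[0] == asset
                and previous[1].text.strip() != ev.text.strip()
                and previous[1].writer != ev.writer
                and ev.ts - previous[1].ts <= max_delay):
            alerts.append({
                "asset": asset,
                "original": previous[1].text.strip(),
                "replacement": ev.text.strip(),
                "writer": ev.writer,
                "delay": round(ev.ts - previous[1].ts, 3),
            })
        previous = (asset, ev)
    return alerts


def sample_events() -> List[ClipboardEvent]:
    """Constructed clipboard telemetry (not from the page); addresses are public example values."""
    return [
        ClipboardEvent(100.00, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
        ClipboardEvent(100.08, "clip_helper.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # rewritten 80 ms later
        ClipboardEvent(140.00, "notepad.exe", "meeting notes"),
        ClipboardEvent(200.00, "chrome.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
        ClipboardEvent(206.50, "chrome.exe", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),  # user copied a second address
        ClipboardEvent(300.00, "firefox.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
        ClipboardEvent(300.05, "clip_helper.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ]


if __name__ == "__main__":
    for alert in find_clipper_swaps(sample_events()):
        print(alert)
```

On a real endpoint the `writer` field comes from whatever clipboard-monitoring hook the EDR provides; the swap logic itself is independent of that source, and the legacy-to-bech32 case in the sample shows why matching on asset type rather than exact address format matters.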
Cracked Content Leads to Cryptocurrency Miners
The findings also follow the discovery of a multi-year campaign that used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake video player plugin update. The fake update downloads a ZIP archive, which then uses DLL sideloading to drop a fork of SilentCryptoMiner.
The malware is equipped with various capabilities –
- Configure Microsoft Defender exclusions, disable the Microsoft Malicious Software Removal Tool, and disable automatic hibernation and sleep mode to maximize the miner’s potential runtime on the machine.
- Repeatedly trigger the User Account Control (UAC) prompt until the process is successfully run with elevated privileges.
- Run a watchdog component that ensures uninterrupted operation of the miner.
- Run a RAT agent that provides remote control capabilities, including executing arbitrary commands, running EXE files via “explorer.exe,” and running shellcode.
- Deploy an XMRig-based CPU and GPU miner.
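Several of the behaviours described in this article are visible in ordinary endpoint telemetry: the CountLoader hand-off from PowerShell to mshta.exe, the Defender exclusions both Weedhack and the miner configure, the Malicious Software Removal Tool being switched off, power-saving being disabled, and Run-key persistence. The block below is an added example written for this article, not code from McAfee Labs, Kaspersky, or any of the malware families; it evaluates a handful of such rules over constructed Sysmon-style events (the field names are simplified, the file paths and the `Setup.exe`/`Updater` names are hypothetical, and the registry locations are the standard Windows ones rather than values taken from the page).

```python
import re

# Constructed Sysmon-style telemetry (not from the page). "process" mirrors a
# process-creation event, "registry" a registry-value-set event, both simplified.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\Setup.exe",
     "cmdline": "powershell.exe -w hidden -c <constructed download-and-run stage>"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\loader.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},  # user opened an HTA: no hit
    {"type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Updater",
     "value": "0"},
    {"type": "registry", "target": r"HKLM\SOFTWARE\Policies\Microsoft\MRT\DontOfferThroughWUAU",
     "value": "1"},
    {"type": "process", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powercfg.exe /hibernate off"},
    {"type": "process", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\ProgramData\Updater\svc.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mshta_from_powershell(ev: dict) -> bool:
    """Script host launched directly by PowerShell: the CountLoader hand-off."""
    return (ev["type"] == "process"
            and _basename(ev["image"]) == "mshta.exe"
            and _basename(ev["parent"]) in ("powershell.exe", "pwsh.exe"))


def is_defender_exclusion_write(ev: dict) -> bool:
    """Any value written under the Defender Exclusions key (paths, processes, extensions)."""
    return ev["type"] == "registry" and "\\windows defender\\exclusions\\" in ev["target"].lower()


def is_mrt_disable(ev: dict) -> bool:
    """Policy value that stops Windows Update from offering the Malicious Software Removal Tool."""
    return (ev["type"] == "registry"
            and ev["target"].lower().endswith("\\policies\\microsoft\\mrt\\dontofferthroughwuau")
            and str(ev.get("value")) == "1")


# powercfg invocations that turn off hibernation or set sleep timeouts to "never".
POWERCFG_DISABLE = re.compile(r"hibernate\s+off|(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)


def is_power_saving_disabled(ev: dict) -> bool:
    return (ev["type"] == "process"
            and _basename(ev["image"]) == "powercfg.exe"
            and POWERCFG_DISABLE.search(ev["cmdline"]) is not None)


def is_run_key_persistence(ev: dict) -> bool:
    return ev["type"] == "registry" and "\\currentversion\\run\\" in ev["target"].lower()


RULES = [
    ("R1", "mshta.exe spawned by PowerShell", is_mshta_from_powershell),
    ("R2", "Microsoft Defender exclusion added", is_defender_exclusion_write),
    ("R3", "Malicious Software Removal Tool disabled via policy", is_mrt_disable),
    ("R4", "sleep/hibernation disabled with powercfg", is_power_saving_disabled),
    ("R5", "Run-key persistence written", is_run_key_persistence),
]


def evaluate(events, rules=RULES):
    """Return one hit per (event, rule) pair, in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for rule_id, description, predicate in rules:
            if predicate(ev):
                hits.append({"rule": rule_id, "event": idx, "desc": description})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Each predicate is deliberately narrow so that the false-positive case in the sample (an HTA opened from Explorer) is not flagged; in production the R2 and R5 rules would be joined with an allow-list of management tools that legitimately write those keys.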
“The archive contains a legitimate executable, HLS Installer.874.exe, next to a malicious DLL. Launching the EXE triggered the DLL sideloading mechanism, injecting a malicious module into a legitimate program’s process and executing code within its context,” Kaspersky said. “The library contained the mining logic and the persistence mechanism for the host.”

The operation is assessed to be a continuation of a campaign documented by NTT Security in April 2023, which used fake browser crash alerts to drop a cryptocurrency miner.
“Threat actors use a variety of sites, from online libraries to movie and TV show streaming platforms,” Kaspersky said. “It is impossible to say what channels they will use to distribute malicious archives in the future. However, the current situation shows that users who visit pirated-content websites continue to be very vulnerable.”