Overview
- McAfee's June 2 report showed the WeedHack campaign has compromised about 116,464 systems since January and is adding roughly 2,000 to 3,000 new infections each day.
- Operators push malicious Java JARs disguised as Minecraft mods or clients via SEO‑poisoned search results and YouTube videos that include download links and instructions.
- WeedHack is run as a web dashboard service with a free tier that steals Minecraft session IDs, browser cookies and saved passwords and paid tiers starting at $4.99 per month that add webcam access, keylogging and remote shell control.
- The malware uses a multi‑stage Java payload chain, hides command servers through an EtherHiding technique that leverages the Ethereum blockchain, and attempts to evade Windows Defender by configuring exclusions.
- Researchers observed a Telegram community of roughly 800–850 members where many users, often teenagers, used the tool for harassment and webcam spying; some channels and domains were removed but operators are creating replacements so basic defenses remain critical.