Overview
- McAfee disclosed on June 2–3 that the WeedHack campaign has impacted about 116,464 systems since January 2026 and continues to record roughly 2,000 to 3,000 new infections per day.
- Attackers push malicious JAR files by impersonating popular Minecraft mods and clients on YouTube and by poisoning search results so victims download infected files from fake sites.
- The infection uses a multi-stage Java chain that begins with a DonutDupe.jar loader, resolves command servers via EtherHiding on the Ethereum blockchain, and fetches successive JARs that establish persistence and deliver payloads.
- WeedHack operates as a clear-web malware-as-a-service with an enterprise-style dashboard, a free infostealer tier that harvests Minecraft session IDs, browser cookies and crypto wallets, and paid tiers that add webcam access, keylogging, remote shell and full input control.
- Researchers say the platform's low cost and public tutorials have enabled teenagers and other young users to weaponize its remote-access tools for harassment, and they advise downloading mods only from verified sources, keeping antivirus updated, and avoiding links in comments or untrusted videos.
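
A triage sketch for the EtherHiding stage described above, added here as an example and not taken from the McAfee report: it scans a mod JAR, including JARs nested inside it, for Ethereum JSON-RPC method names and lists the entries to review. The marker list, the function names and the sample archives are assumptions constructed for illustration, not indicators published for WeedHack.

```python
import io
import zipfile

# Heuristic markers (assumed, not IoCs from the report): JSON-RPC method names
# a Java program would need in order to read a smart contract over HTTP.
RPC_MARKERS = (b"eth_call", b"eth_getStorageAt", b"eth_getTransactionByHash")


def scan_jar(data: bytes, depth: int = 0) -> dict:
    """Return {entry_name: [markers]} for entries containing RPC markers.

    Nested JARs are scanned recursively (up to 3 levels), since staged
    loaders can embed later stages inside the first archive.
    """
    hits = {}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > 20_000_000:  # skip huge entries
                continue
            blob = archive.read(info)
            if info.filename.lower().endswith(".jar") and depth < 3:
                for name, found in scan_jar(blob, depth + 1).items():
                    hits[f"{info.filename}!/{name}"] = found
                continue
            found = [m.decode() for m in RPC_MARKERS if m in blob]
            if found:
                hits[info.filename] = found
    return hits


def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: fake class bytes, not real mod or malware content.
CLEAN = build_jar({"mod/Main.class": b"\xca\xfe\xba\xbe render blocks"})
STAGE = build_jar({"a/b.class": b'\xca\xfe\xba\xbe{"method":"eth_call"}'})
SUSPECT = build_jar({"mod/Main.class": b"\xca\xfe\xba\xbe", "lib/stage.jar": STAGE})

if __name__ == "__main__":
    for label, jar in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, scan_jar(jar))
```

A hit marks a file for review rather than proving it malicious, and string obfuscation inside the classes would hide these markers, so an empty result does not clear a file.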