Skip to content

Minecraft Players Targeted in Large-Scale WeedHack Malware Campaign

A large-scale malware campaign has been targeting Minecraft players, infecting over 116,000 systems since January. The campaign, dubbed WeedHack, is a malware-as-a-service (MaaS) infostealer operation that offers a dashboard for customers to see stolen credentials and information on compromised systems.

**WeedHack Campaign Overview**

According to telemetry data from cybersecurity company McAfee, the campaign has impacted 116,464 systems, averaging between 2,000 and 3,000 infections every day. The majority of victims are located in the United States, Germany, India, and the UK.

The scale of the operation is reflected in the more than 240 distribution URLs and 3,820 unique malicious JAR files. McAfee researchers found that the campaign reaches victims mainly through YouTube videos showcasing Minecraft-related tools and SEO poisoning promoting them.

**Distribution Methods**

Attackers use two primary methods to distribute the malware: YouTube videos and SEO poisoning. On YouTube, attackers drop download links in descriptions and comments of well-made videos featuring voice-over narration for authenticity. These videos have accumulated more than 7,500 views.

The SEO poisoning distribution method targets keywords that correspond to clients such as Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense.

**Malware Platform Details**

McAfee explains that many of those projects do not have official websites, only GitHub pages. In one case highlighted in the report, the malicious website displays a security notice warning visitors that they should only download ‘Skytils’ from the official site. It is even linking to the project’s legitimate GitHub repository and Discord server to create a strong, false sense of legitimacy for the fake website.

The WeedHack malware platform is hosted on the clear net and provides access to anyone for free, which is very unusual for infostealer operations. Users are given access to a dashboard that shows an overview of their victims, infected system profiles, stolen data, and a payload builder for Minecraft versions 1.21.0 through 1.21.10.

**Free and Premium Tiers**

The free tier stealer targets Minecraft session ID theft, cookies, and saved passwords across 36 browsers, 56 cryptocurrency add-ons, 12 desktop cryptocurrency wallet apps, Discord, Steam, and Telegram credentials, and can capture screenshots. WeedHack also offers a premium tier for $5/month, or a lifetime one-time purchase of $24.99, that adds remote control with input access (mouse and keyboard), webcam access, keylogger, remote shell, and remote file management.

**Remote Access Abuse**

The project’s Telegram channel has over 800 members, and McAfee says that many of the clients appear to be teenagers or young adults who use WeedHack’s remote access tools to harass their victims. Minecraft players should only trust mods from official project sources, verify download links, and treat JAR files hosted on dubious sites with caution.

**Prevention Tips**

For those looking to extend their playing experience, the in-game Minecraft Marketplace is the safest option.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *