WeedHack Malware Has Infected 116,000+ Minecraft Systems Since January
Active Malware Campaign Is Hitting Minecraft at Scale
A large-scale malware campaign called WeedHack has compromised more than 116,000 systems running Minecraft since January 2026, according to BleepingComputer. The campaign is ongoing — this is not a contained incident.
WeedHack spreads by targeting Minecraft players, most likely through malicious mods, loaders, cracked clients, or cheat software distributed via unofficial channels. These are the same infection vectors that have plagued the Minecraft ecosystem for years, but the scale here — over a hundred thousand compromised machines in roughly five months — signals an unusually effective delivery mechanism.
Why This Matters Beyond Gaming
The "it's just Minecraft" dismissal is exactly wrong. The players running these systems are people, and their machines are also used for work, stored credentials, SSH keys, browser sessions, and corporate VPN access. Malware that lands on a gaming rig doesn't stay on the gaming rig.
More importantly for server operators: Minecraft servers are frequently run on the same hardware or network segments as other services. A compromised server host is a foothold, not a dead end. If you or anyone on your team runs a Minecraft server — home lab, VPS, shared host — treat that machine as potentially compromised until verified.
The "WeedHack" branding also suggests the campaign has enough organizational structure to have a name, which typically means it's not a single actor running a script but a coordinated effort with infrastructure behind it.
What to Do Right Now
If you run a Minecraft server:
- Audit the server host immediately. Check for unexpected processes, outbound connections, and scheduled tasks.
- Review any mods, plugins, or third-party software installed on the machine. Cross-reference against known-good hashes where possible.
- Rotate any credentials that were accessible from that machine — SSH keys, API tokens, database passwords.
If you manage users or endpoints:
- Push a reminder that unofficial Minecraft clients, mod loaders from non-canonical sources (not Modrinth, CurseForge, or the official launcher), and cheat tools are active malware vectors right now.
- Check endpoint logs for Minecraft-adjacent processes on any machines that also handle sensitive work.
General hygiene:
- Do not run Minecraft clients or servers as administrator/root. Containment depends on limiting privilege.
- If you use a shared host for your Minecraft server, check whether the provider has issued any notices about this campaign.
The infection count will keep climbing until this campaign's delivery infrastructure is taken down. Assume it is still active and respond accordingly.
Synthesized by Claude · sanity-checked before publish.