McAfee has detailed WeedHack, a malware-as-a-service infostealer campaign that has infected more than 116,000 systems since January by targeting Minecraft players. The malware spreads through malicious Minecraft mods, clients, cheats, and utilities promoted via YouTube videos (some with voice-over narration and thousands of views) and SEO poisoning of keywords matching popular clients like Meteor, Wurst, LiquidBounce, and Impact. WeedHack averages 2,000-3,000 infections daily, mostly in the US, Germany, India, and the UK, across 240+ distribution URLs and 3,820 unique malicious JAR files. It offers customers a dashboard to view stolen credentials and victim data. Some fake sites even link to legitimate GitHub repos to fabricate credibility.
Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access, enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker-controlled subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.