McAfee is proud to be recognized with the SE Labs Home Anti-Malware Award 2026, one of the most respected independent recognitions in consumer cybersecurity. This marks the second year in a row that McAfee is being recognized with the Home Anti-Malware Award, proving our continued excellence and efficiency.  

Now in its eighth year, the SE Labs Awards honor cybersecurity providers delivering outstanding protection across consumer, small business, and enterprise markets. And McAfee has earned top recognition in the Home Anti-Malware category two years in a row. 

What Are the SE Labs Awards? 

SE Labs is an independent cybersecurity testing and certification organization. Unlike awards based on self-reported data or marketing claims, SE Labs recognition is grounded in: 

• Continuous public testing: Products are evaluated through ongoing, real-world assessments, not one-time snapshots 
• Private assessments: Winners are also evaluated through confidential testing that mirrors actual threat environments 
• Eight years of credibility: The SE Labs Awards have built a track record as a trusted benchmark for both consumers and industry professionals

This makes the SE Labs Award a comprehensive measure of real-world security performance, not just lab scores. 

What the Home Anti-Malware Award Means 

The Home Anti-Malware category specifically recognizes consumer security products that demonstrate exceptional ability to detect, block, and remedy malware threats targeting everyday users. 

Winning this award means McAfee’s protection performed at a level SE Labs considers outstanding, not just effective on paper, but proven against the kind of threats real households face: ransomware, trojans, spyware, phishing-delivered payloads, and more. 

Simon Edwards, Founder and CEO of SE Labs, offered this comment on the 2026 winners: 

“The SE Labs Awards recognises the vendors that are making a real difference in keeping systems secure. Winning an award is a significant achievement. It reflects not only strong product performance in our tests but also the commitment of the teams behind the technology. Congratulations to McAfee on its success.” 

Independent Validation. Not a Marketing Claim 

There’s an important distinction between a company saying its product is effective and an independent lab proving it. 

SE Labs operates separately from the vendors it tests. Its methodology is transparent, its testing is repeatable, and its results are used by journalists, analysts, and buyers to make real purchasing decisions.  

When SE Labs names McAfee a winner, that recognition carries the weight of a process that can’t be paid for or manufactured. 

That’s what makes this award meaningful, and what separates it from a badge a company designs for itself. 

How McAfee Fights Malware 

Malware today doesn’t just arrive as a suspicious download. It hides in phishing texts, fake links, malicious QR codes, and compromised websites. And by the time most people realize something is wrong, the damage is already done. 

McAfee is built to stop threats at every point in that chain. 

Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage  

Secure VPN keeps your data private, especially on public Wi-Fi   

Web Protection helps block risky sites, even if you do accidentally click 

Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you 

Device Security helps detect malicious apps or downloads    

Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast    

Personal Data Cleanup helps remove your information from sites selling it.  

Online Account Cleanup assists in taking down your old, forgotten accounts across the web  

Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks  

Together, these protections are designed to address the broader range of online risks people face every day.  

Which McAfee Plans Include This Protection? 

The same AI-powered threat protection that earned the SE Labs Home Anti-Malware Award is available across every major McAfee plan: 

• McAfee+ Premium 
• McAfee+ Advanced 
• McAfee+ Ultimate 
• McAfee Total Protection 
• McAfee LiveSafe

Whether you’re protecting one device or an entire household, you’re getting independently verified, award-winning malware protection under the hood. 

Ready to get protection recognized by the industry’s toughest independent testers? Explore McAfee+ Plans → 

The post McAfee Wins SE Labs’ Highest Honor for Home Anti-Malware Protection appeared first on McAfee Blog.

A joint congressional report describes a spam operation that turned tens of thousands of fake podcasts into search-engine bait for illegal pharmacy and scam sites.

The new open-source project could serve as the basis for a future of apps with features as complex as Slack, Discord, or Google Docs—but with added protection against surveillance.

“Defenders cannot afford to take weeks to patch,” one Cybersecurity and Infrastructure Security Agency official warned on Wednesday.

A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

“A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” the researchers wrote in April.

Check Point found The Gentlemen are the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group’s backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program who receives 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

The cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian and English speaking person who registered on almost a dozen cybercrime forums between 2019 and the present day, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital city of Russia’s Udmurt Republic. Likewise, the user Zeta88 signed up at the English-language cybercrime forum Breached in August 2022 from a different Internet address in Izhevsk.

Intel 471 finds Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numeric symbols associated with white supremacy). A lookup on this address at the open source intelligence service Epieos shows it is connected to an account at Apple and to a phone number ending in 04.

Epieos says that Protonmail address is also linked to a GitHub account under the username SantaMuerte. That account is marked private, but a history of this user’s activity shows they are watching and developing a number of malware tools and exploits.

In April 2020, Hastalamuerte said on the crime forum Nulled that they could be contacted at the Telegram instant messenger name @hastalamuerte18, and the threat intelligence company Flashpoint finds this username is assigned the unique Telegram ID number 30907522 [full disclosure: Flashpoint is an advertiser on this blog].

The breach tracking service Constella Intelligence reports that Hastalamuerte’s Telegram ID is connected to another username — “bu4vs” — and to the Russian phone number 79127650004. Pivoting on this phone number in Constella fetches multiple records from hacked Russian government databases showing it is assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella reveals that phone number was used to create an account at the Russian social media platform Pikabu under the name “4apai18,” and shows Mr. Yapaev has signed up at a number of websites using the common surname Ivanov, or else “Chapaev” (the numeral 4 is often used as shorthand for a “ch” sound in Russian).

A search in Intel 471 for cybercrime forum members with the nickname SantaMuerte unearths an account by the same name created in 2020 on the Russian hacking forum Codeby. Intel 471 shows this user originally registered on Codeby with the not-so-subtle nickname Alexandr 4apaev.

Constella finds Mr. Yapaev regularly used the email address bu4vs@mail.ru. Meanwhile, Epieos shows this address is connected to a LinkedIn account for Alexander Yapaev, who lists himself as the head of B2B marketing at the company Uralenergo Udmurtia, one of Russia’s largest suppliers of electrotechnical and lighting products.

Mr. Yapaev did not respond to multiple requests for comment.

Nearly every time we publish one of these Breadcrumbs stories, readers are curious to know why it seems like so many cybercriminals from Russia apparently do little to hide their real life identities. The truth is that — Russian or not — most didn’t exactly set out to be arch criminals, but instead got drawn into the scene gradually over several years as their skills broadened and sharpened.

Another important dynamic is that the Russian government generally either co-opts or ignores cybercriminal activity within its borders so long as the hackers do not steal from or attack Russian businesses and citizens. As a result, successful cybercriminals in Russia are usually insulated from prosecution and arrest by foreign law enforcement agencies provided they occasionally pay off the right people and do not travel abroad. And cybercriminals who intend to strictly adhere to those unwritten rules may (at least initially) be less concerned about covering their tracks online.

But the simplest explanation is that cybercriminals of all nationalities tend to make a number of basic operational security mistakes early in their careers, when they are less savvy and have far less to lose by their carelessness. A review of Hastalamuerte’s early posts on the crime forums (circa 2019-2020) shows a relatively unsophisticated and low-skilled hacker still trying to learn the ropes and earn a positive reputation on these communities.

For example, in June 2020 Hastalamuerte’s Telegram account joined a multi-month training program (@pntst) to learn how to use popular penetration testing tools, and their candid posts to this hacker training camp show Hastalamuerte struggling to use these tools effectively. A Google-translated record of Hastalmuerte’s posts to @pntst is here.

Update, June 11, 10:23 a.m. ET:  The threat research group PRODAFT has released a detailed writeup on the history and current operations of The Gentlemen. PRODAFT said its findings match the same persona with “high confidence,” and found the administrator (Zeta88/Hastalamuerte) supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group’s own leak database. They also discovered the administrator is using AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.

The ACLU is suing two Florida police departments over the arrest of a Fort Myers man in a child-abduction case, saying officers treated a flawed face-recognition match as a near-certain ID.

Anthropic is releasing Claude Mythos 5 to trusted organizations and Claude Fable 5 to the public, a version it says can’t be used for cyberattacks.

Most people don’t get scammed because they ignore warning signs. 

They get scammed because they find a reason to explain those warning signs away. 

The website looks a little off, but the deal is incredible. The text message is unexpected, but they’re already waiting for a package. The seller is unfamiliar, but the discount is too good to pass up. 

That’s what makes major shopping events such fertile ground for scammers.  

New McAfee research suggests that economic pressure may be making that problem worse, as 40% of consumers say they would trust a lower priced deal without verifying it. That means as costs are climbing, shoppers are less likely to second guess a too-good-to-be-true deal that could be a scam. 

“Anyone who has ever fallen for a scam thought they would recognize one first,” McAfee’s Head of Threat Research Abhishek Karnik reminds shoppers. 

“That confidence is part of what scammers count on,” he says. “Tools like McAfee exist precisely for those moments, flagging suspicious links, messages, and offers in real time, before a split-second decision becomes a costly one.” 

New McAfee Research Reveals the Cost of Deal Hunting 

While most shoppers believe they can spot a scam, McAfee’s new research suggests many are engaging in behaviors that increase their risk. 

Rising Prices Are Driving Riskier Shopping Decisions 

Economic pressure is changing how people shop online. 

McAfee found: 

• 82% prioritize finding the cheapest deal when shopping online 
• 55% spend more time hunting for deals 
• 40% would trust a lower-priced deal without verifying it first 
• 29% would skip researching a seller if the deal seemed especially good 
• 27% are more likely to consider unfamiliar sellers because of lower prices 
• 23% feel pressure to act quickly before deals disappear 

The same behaviors that help shoppers find bargains can also make them more vulnerable to fraud. 

“What the data reflects is that economic pressure has effectively done some of the scammer’s work for them,” says Karnik. “When consumers are already primed to move quickly and prioritize price over authenticity, it takes far less effort to push them toward a bad click or a fraudulent purchase.” 

Shopping Scams Are Already Costing Americans Real Money 

The financial impact is significant: 

• 37% say they have lost money due to online shopping scams or fraud 
• 45% of victims lost more than $100 
• 25% lost between $100 and $499 
• 20% lost $500 or more 
• 36% were unable to recover any of their money 

AI Is Making Shopping Scams Harder to Spot 

Consumers are increasingly aware that artificial intelligence is changing the scam landscape. 

According to McAfee research: 

• 70% agree AI-generated content is making shopping scams harder to identify 
• Nearly three-quarters have encountered shopping content they believed was suspicious or AI-generated 

“The signs people have historically relied on, poor grammar, low-quality images, obviously off branding, are no longer reliable,” advises Karnik. “AI has lowered the production cost of a convincing fake to nearly zero.” 

It’s not just a fake landing page fraudsters are creating.  

“AI is being used to make fake review sections, impersonation messages that look exactly like it came from a major retailer, realistic logos, believable URLS,” Karnik says. “When you’re shopping online, you need to adjust your expectations to match that new AI reality.” 

What Are the Most Common Shopping Scams During Major Sales Events? 

Scammers follow consumer attention. 

Whenever millions of people are searching for deals at the same time, scammers create fake websites, impersonate retailers and delivery companies, and use urgency to pressure shoppers into acting before they think. 

Here are some of the most common shopping scams consumers encounter during major sales events, as well as the red flags consumers can watch for: 

Scam Type	How It Works	Red Flags
Fake shopping websites	Fraudulent websites mimic real retailers and disappear after collecting payments	Prices far below competitors, little company information, newly created websites
Fake social media ads	Ads promote products that never arrive or are counterfeit	Too-good-to-be-true discounts, limited reviews, unfamiliar brands
Delivery notification scams	Fake package alerts claim there is an issue with your shipment	Unexpected texts, suspicious links, requests for payment
Retailer impersonation scams	Messages claim there is a problem with your account or order	Urgent language, login requests, unfamiliar sender addresses
QR code scams	QR codes redirect shoppers to fraudulent websites	Codes placed on flyers, posters, packages, or public locations
Brushing scams	Unsolicited packages arrive at your home	Items you never ordered, requests to scan codes or leave reviews
Fake recall scams	Messages claim a recent purchase has been recalled	Requests for payment, account credentials, or personal information

 According to McAfee research, consumers most commonly report encountering fake shipping notifications, delivery scams, retailer impersonation scams, account alerts, and suspicious discount offers during major shopping periods. 

How McAfee Can Help 

With McAfee+ Premium, multiple layers work together before any damage is done:  

• Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
• Secure VPN keeps your data private, especially on public Wi-Fi  
• Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
• Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
• Device Security helps detect malicious apps or downloads   
• Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
• Personal Data Cleanup helps remove your information from sites selling it. 
• Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
• Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

Plus, click here to get McAfee’s limited-time deals on real-time protection this Amazon Prime Day, from June 23 to June 26.

About our consumer research 

McAfee surveyed 1,000 U.S. adults in May 2026 as part of a broader study of 5,000 respondents across the U.S., UK, France, Germany, and Japan, focused on online shopping intentions, scam awareness, and purchase behaviors. 

The post New Research: Rising Costs Are Driving Consumers to Ignore Scam Instincts for Better Deals appeared first on McAfee Blog.

The code WIRED identified is gone from the latest version of Meta AI, the companion app for the company’s smart glasses. Meta won’t say why or whether it’s coming back.

A WIRED timeline shows how dozens of governments, companies, and other organizations across Europe are moving, or planning to shift, away from US Big Tech.

Plus: Hackers use Meta’s AI bots to hack Instagram accounts, Anthropic helps NSA hackers, a decades-long GPS satellite mystery may have been solved, and more.

One gaming cyberattack this week exposed nearly 64,000 users. 

Another has already infected more than 116,000 players.  

Both are connected by the same common gaming behavior: looking for a cheat, mod, or shortcut. 

This week in scam news, a popular Grand Theft Auto V cheat service was hacked, exposing tens of thousands of users. At the same time, McAfee researchers uncovered a massive malware campaign spreading through fake Minecraft mods, cheats, and game clients. 

The takeaway is simple: some of the biggest threats facing gamers aren’t happening inside games. They’re hiding in the downloads, websites, and tools players use around them. 

Let’s start with the GTA breach. 

GTA Cheat Service Breach Exposes Nearly 64,000 Users 

Atlas Menu, a cheat service for Grand Theft Auto V, was reportedly hacked, exposing data belonging to nearly 64,000 users. 

According to reports, the leaked information included: 

• Email addresses 
• Usernames 
• Scrambled passwords 
• IP addresses 
• Customer support tickets

The hacker who claimed responsibility later posted the data online. 

Why This Matters 

Many players think of cheats as harmless tools that unlock special abilities, provide advantages, or simply make games more entertaining. 

But unofficial cheat services often operate outside the protections offered by legitimate gaming platforms. 

That means users may be: 

• Sharing personal information with unknown developers 
• Downloading unverified software 
• Exposing themselves to malware 
• Putting gaming accounts at risk 

And that brings us to an even bigger threat. 

Minecraft Malware Campaign Has Already Infected 116,000 Players 

McAfee researchers recently uncovered a large-scale malware operation targeting gamers searching for Minecraft mods, clients, and cheats. 

The campaign is called WeedHack. 

What Is WeedHack? 

WeedHack is a type of Malware-as-a-Service (MaaS). 

That means cybercriminals package malware into a subscription service that other attackers can use. 

Researchers found that: 

• More than 116,000 victims have been infected since January 
• The campaign continues to add roughly 2,000 to 3,000 new victims every day 
• More than 3,800 malicious files have been identified 
• More than 240 malicious download URLs have been linked to the operation 

Premium versions reportedly cost as little as $5 per month and include tools that allow attackers to remotely access victims’ devices and webcams. 

What WeedHack Can Steal 

Once installed, the malware can collect: 

• Minecraft account credentials and session IDs 
• Discord, Steam, and Telegram credentials 
• Browser passwords and cookies 
• Cryptocurrency wallet information 
• Screenshots and device information 
• Files stored on a victim’s computer 

Premium versions can also provide: 

• Live webcam access 
• Live screen sharing 
• Remote keyboard and mouse control 
• Keylogging capabilities 
• Full remote access to the infected device

Get the full explainer here. 

How McAfee+ Advanced Helps Protect Gamers 

Gaming malware campaigns rely on three things: 

1. Getting users to visit malicious websites 
2. Convincing them to download infected files 
3. Encouraging them to ignore security warnings  

The post GTA Cheat Users Exposed in Breach as Minecraft Malware Hits 116,000 Players appeared first on McAfee Blog.

Code reviewed by WIRED uncovered an unreleased face-recognition system embedded in Meta’s smart glasses platform. It’s designed to identify people via biometric data stored on users’ phones.

Four people suing Elon Musk's AI firm under pseudonyms due to the risks of being identified may face a difficult choice: Reveal your real names, or drop the lawsuit.

Available for Android 12 and later, the anti-scam feature is baked into Google Dialer, which sends a silent “confirmation signal” to ensure whoever’s calling you is who they appear to be.

McAfee Labs has discovered a massive, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players’ computers. Since January 2026, it has logged more than 116,000 victim infections, averaging 2,000 to 3,000 new hits every single day. 

What makes WeedHack different from most malware is how cheap and easy it is to use. 

Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. WeedHack offers a free version to anyone with a Discord account and an internet connection. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. 

This low barrier has attracted a younger crowd of would-be attackers, many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, a pattern we’ve documented and that makes this campaign especially concerning. 

The good news for McAfee users: Web Protection actively blocks the sites distributing WeedHack, and Threat Explainer tells you exactly why a flagged file is dangerous, so you’re never left guessing. 

Key Facts at a Glance 

What	Details
Campaign name	WeedHack
Active since	January 2026
Total victims logged	116,464+
New infections per day	~2,000–3,000
Malicious files discovered	3,820+ unique files
Malicious download URLs	240+
Free tier available?	Yes. Anyone can sign up
Premium price	Starting at $5/month; $24.99 lifetime
Who is being targeted	Minecraft players worldwide
Most affected country	United States, followed by Germany, India, the UK, Italy, and others
What attackers can access	Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files.
The financial impact	It can steal Discord tokens, crypto wallet credentials, Minecraft account credentials.   Hackers will hold your information for ransom, requiring a large payment in exchange for your data.

Read our research team’s full report here.

What Is WeedHack? 

WeedHack is a Malware-as-a-Service (MaaS) campaign, meaning it’s a criminal business that sells hacking tools to customers, the same way a legitimate software company sells subscriptions. 

The “product” is malware that gets secretly installed on a victim’s computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 

The campaign operates a polished, professional-looking dashboard hosted openly on the internet (not the dark web). That dashboard lets customers track their victims, download stolen data, and launch remote access features, all from a browser. 

The Cyberbullying Problem 

One of the most disturbing findings from our investigation is how WeedHack is being used. 

While monitoring the campaign’s Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion are using the remote access tools not for financial gain, but to harass and intimidate other players.  

We observed attackers recording victims through their webcams without consent and sharing those recordings in the Telegram channel as trophies. Others used knowledge of victims’ IP addresses and system access to threaten them. 

It’s important to note that, at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication. 

Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they have hacked your computer, have your webcam footage, or know your IP address, take it seriously. 

What to do if this happens: 

• Do not follow the attacker’s instructions, it makes things worse 
• Tell a trusted adult immediately (parent, guardian, school counselor) 
• Contact your local law enforcement, this may constitute criminal conduct.  
• Do not engage with the attacker or attempt to negotiate 

How Do People Get Infected? 

WeedHack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both. 

1. Fake YouTube Videos

Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.  

The videos are well-produced, some include voiceover narration, and link to malicious download sites in the description and comments. 

One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe. 

2. Fake Mod Websites

WeedHack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning.  

Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to “only download from us,” while actively distributing malware. 

Minecraft clients and mods specifically targeted include: Meteor Client, Radium Client, Wurst Client, LiquidBounce, Impact Client, Future Client, and others. 

What Happens When You’re Infected? 

Infection happens in four stages that happen silently in the background after a victim opens the downloaded file. 

Stage 1 – First Contact: The malicious file launches quietly (without showing a console window), connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that’s difficult to block or take down. 

Stage 2 – Taking Hold: The malware disables Windows Defender protections, gathers detailed information about the victim’s computer (processor, graphics card, RAM, operating system), and takes a screenshot of their screen. It then steals Discord tokens and browser passwords and cookies. For McAfee users, this is where Web Protection would prevent users from visiting the site, and where our Antivirus would prevent any downloaded malware from taking hold. 

Stage 3 – Digging In: The malware installs itself so that it automatically restarts every time the victim logs into their computer. It sets up a hidden scheduled task that runs continuously, even at the highest system privileges. 

Stage 4 – Full Access: For premium customers, an additional component is installed that connects the attacker to the victim’s computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, keylogging (recording every keystroke), a reverse shell (full command-line access to the computer), and the ability to upload or download any files. 

A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. 

What if I’m Infected? 

Visit our guide: How to Quickly Remove Malware in 2026.  

What Can Attackers Steal? 

Free tier steals: 

• Minecraft session IDs (used to hijack Minecraft accounts) 
• Saved passwords and cookies from 36 different browsers 
• Credentials from Discord, Steam, and Telegram 
• Browser-based crypto wallets (56 supported) and desktop crypto wallets (12 supported) 
• Files matching 24 different search keywords 
• Screenshots of the victim’s screen 
• System information (computer name, IP address, hardware specs) 

Premium tier adds: 

• Live webcam access 
• Live screen sharing with keyboard and mouse control 
• Keylogging (every key the victim types) 
• Full remote shell (command-line control of the computer) 
• File management (upload, download, delete files remotely) 

What Parents Need to Know 

Minecraft’s mod ecosystem is enormous and largely unregulated. Kids routinely search YouTube and Google for performance-boosting clients, cosmetic mods, and gameplay cheats, exactly the kinds of things WeedHack exploits.  

Here’s a practical guide for families: 

Red Flag	Safe Practice
The mod isn’t on the developer’s official website	Only download from CurseForge, Modrinth, or the mod’s verified GitHub
A site or video tells you to disable your antivirus to run the file	Never disable antivirus for a game mod. Legitimate mods don’t ask you to
A site you’ve never heard of claims to be the “only official” source	If you can’t verify the site is official, don’t download from it
Download links are in YouTube comment sections	Treat comment section links as a red flag, always
Your antivirus flags a file as malware, but they try to tell you to ignore it, it’s a “false alarm”	Use McAfee’s Threat Explainer to find out why this is malicious. Don’t disable antivirus

One of the best ways parents can protect their families is with McAfee’s award-winning antivirus and Web Protection, which are specifically designed to detect threats like WeedHack and help block malicious downloads before a device can be compromised. 

Are McAfee Users Protected? 

McAfee has been actively tracking WeedHack samples and detects this threat under the following signatures: 

• Trojan:Win/Weedhack.AA through Trojan:Win/Weedhack.AE 

McAfee provides multiple layers of protection against threats like WeedHack. 

• Web Protection helps block access to malicious websites distributing infected Minecraft mods, stopping the threat before a file is ever downloaded.  
• Award-winning antivirus detects and blocks malware if a malicious file does make it onto your device.  
• Threat Explainer shows exactly why a file was flagged, helping users understand what happened and avoid similar scams in the future.  

Together, these protections help proactively block risky downloads, reactively stop malware, and explain what to watch for next. 

McAfee Labs continues to monitor WeedHack and will update coverage as new samples and domains are identified. For the full technical report including indicators of compromise, see the McAfee Labs analysis. 

Key Terms Explained 

Term	What it means
Malware-as-a-Service (MaaS)	A criminal business model where hackers sell or rent attack tools to other people, just like a software subscription
RAT (Remote Access Trojan)	Malware that gives an attacker remote control over a victim’s device — screen, files, camera, and more
Infostealer	Malware designed to silently collect and transmit passwords, cookies, and account credentials
SEO Poisoning	Manipulating search engine results so a malicious website appears near the top when someone searches for a legitimate product
Minecraft Client/Mod	Third-party software that modifies or enhances the Minecraft game experience. Legitimate ones are common; WeedHack fakes them
Minecraft Session ID	A token that proves you’re logged into Minecraft. Stealing it lets an attacker take over your account without your password
Keylogger	Software that secretly records every key a person types — including passwords, messages, and search queries
Reverse Shell	A connection from the victim’s computer back to the attacker that gives the attacker full command-line control
EtherHiding	A technique that hides a malware’s server address inside the Ethereum blockchain, making it very difficult to block
Discord Token	A credential that lets someone access your Discord account. Stealing it gives attackers full access without needing your password

 

The post New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers appeared first on McAfee Blog.

Authored by Aayush Tyagi 

Introduction  

Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Mode in gaming history.

It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from.

Its massive popularity and widespread use of third-party tools have also given rise to a dark side of the Minecraft ecosystem, which is filled with Remote Access Trojans (RATs), credential stealers, keyloggers and other malware threats.   

McAfee Labs has recently uncovered a colossal Minecraft-focused Malware-as-a-Service (MaaS) campaign named ‘Weedhack’, that allows threat actors to remotely access and manipulate the victims’ screen, webcam and file system through a dashboard hosted on the clear net, making it easily accessible to anyone with a Discord account and an internet connection. 

Key Findings 

• ‘Weedhack’ has been active since January 2026 and masquerades as genuine Minecraft clients and mods to infect users.  
• We’ve discovered over 3820 unique malicious JAR files that are part of this attack and over 240 URLs responsible for distributing this malware.  
• This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs. We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs. 
• The campaign has accumulated a total of 116,464 hits, averaging approximately 2000 to 3,000 hits per day. 
• The campaign provides an enterprise-grade dashboard that allows customers to view stolen credentials and system information, download the payload, configure notifications, access tutorials, and remotely monitor their victims.  
• This campaign deploys EtherHiding, a technique that uses Ethereum blockchain to fetch its latest C2 domain. The responses are RSA-signed and verified before execution, helping protect the network from campaign takeover attempts. 
• We’ve uncovered 10 domains that host the next stage payloads and host the malware dashboard for the Weedhack campaign.  
• We’ve identified 11 domains that hosted similar MaaS campaigns in the past, orchestrated by the same threat actor.  
• We’ve unearthed the threat actor’s Telegram account and uncovered a Telegram channel for customers, with over 850 members, as of writing this blog. 
• This campaign offers two service tiers: free and premium.  
• The free tier includes a comprehensive infostealer capable of targeting Minecraft session IDs and four Minecraft launchers, collecting system information, and stealing cookies and passwords from 36 different browsers. It also targets 56 browser-based crypto wallets and 12 desktop crypto wallets, along with Discord, Steam, and Telegram credentials. It can search for files using 24 different keywords and includes screenshot capture capabilities. 
• For premium users, with subscriptions starting at $5 per month, it offers additional remote-access capabilities such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file management features for uploading and downloading files.  
• While monitoring the Telegram channel, we found that WeedHack malware is a major catalyst for cyberbullying. Many of its customers appear to be teenagers and young adults and are using remote access capabilities to threaten, harass and monitor their victims, which are around the same age.
  

The post Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns appeared first on McAfee Blog.

The right-wing think tank is actively pushing “civil terrorism”—increasing penalties for minor crimes committed while people engage in constitutionally protected free speech.

Whether you’re planning a once-in-a-lifetime trip or just hoping to catch a match while it’s in your city, the 2026 FIFA World Cup is already driving a surge in ticket searches, travel bookings, and last-minute plans. 

But where there’s high demand and big money, scammers aren’t far behind. 

“The World Cup is one of those events where excitement and cost collide,” says Abhishek Karnik, Head of Threat Research at McAfee. “Tickets have been expensive, and for many people, especially families or fans traveling, the costs add up quickly between tickets, flights, hotels, and everything else that comes with attending.”

“When prices feel out of reach, people naturally start looking for better deals or cheaper options. That is where things can get tricky. If someone suddenly offers what feels like a great price compared to everything else out there, it can feel like a rare opportunity worth jumping on. Scammers understand that.” 

Let’s break down the new McAfee research, what scams to watch for, and how McAfee’s tools help you stay safe.

New McAfee Research Finds a Gap Between Awareness and Risk 

New research from McAfee shows that while most fans are aware of World Cup-related scams, many are still willing to take risks to secure tickets.  

In fact, 40% say they would consider buying from an unofficial source if they can’t get tickets through the official FIFA site, as many expect tickets to sell out and hope to find affordable resale options. 

That tension is what makes events like the World Cup especially vulnerable for scams. 

With limited ticket availability, rising prices, and the pressure to act quickly, even informed fans can find themselves making decisions they normally wouldn’t, like buying tickets from a reseller on TikTok.  

And scammers are counting on it. 

Survey takeaways: 

• 76% of fans are interested in getting World Cup tickets 
• 35% have already started searching online 
• 43% are willing to spend over $500 on tickets 
• 66% say they’re aware of World Cup-related scams 
• 66% say they’re concerned about being scammed 
• 40% would consider buying tickets from unofficial sources 

The Most Common World Cup Scams to Watch For 

“Usually, it is not just one thing that gives a scam away,” Karnik says. “It is when a few warning signs start adding up at once, pressure to act quickly, prices that feel unusually low, or details that seem slightly off.” 

“One of the biggest is urgency around pricing. If someone is pushing a deal that feels dramatically cheaper than similar tickets, claiming prices are about to go up, or creating pressure to buy immediately, that is worth paying attention to. Creating artificial urgency around a ‘great deal’ is one of the easiest ways scammers get people excited enough to move quickly.”

Below is a comprehensive breakdown of the most common scams tied to major global sporting events like the World Cup, including how they work and what to look for. 

McAfee’s Scam Detector,  Safe Browsing tools, VPN, and Password Manager work together to help you spot scams like these as they happen by flagging suspicious messages, blocking risky websites, and helping you make safer decisions before you click, pay, or share information. 

Scam Type	What It Is	How It Works	Red Flags
Fake Ticket Resale Scam	Fraudulent tickets sold through unofficial sites or individuals	Scammers create fake listings or duplicate real tickets and sell them to multiple buyers	Prices far below or above market, refusal to use official transfer systems, pressure to act fast
Social Media Ticket Scam	Tickets sold through platforms like Instagram, Facebook, TikTok, or X	Fake or hacked accounts post “last-minute” ticket offers and move conversations to DMs	Urgent language (“only 2 left”), new or suspicious profiles, requests to pay outside the platform
Duplicate QR Code Scam	One legitimate ticket is resold multiple times	Multiple buyers receive the same QR code, but only the first scan works	Screenshots instead of official transfers, identical tickets sold repeatedly
Fake Ticket Website Scam	Websites designed to look like official ticket platforms	Victims enter payment info or purchase tickets that don’t exist	Slightly misspelled URLs, unfamiliar domains, lack of official branding verification
Travel & Accommodation Scam	Fake hotels, rentals, or travel packages	Listings appear legitimate but either don’t exist or are already booked	Prices that seem unusually low, requests for upfront payment, lack of verified reviews
Booking Impersonation Scam	Fraudsters pose as airlines, hotels, or booking platforms	Victims receive messages about “issues” with bookings and are asked to click links or provide info	Unexpected messages, requests for login or payment details, links that don’t match official sites
Public Wi-Fi & Phishing Scam	Data theft through unsecured networks while traveling	Scammers intercept data or create fake login portals on public Wi-Fi	Open networks with no password, login pages asking for unnecessary information
Fake Giveaway Scam	Promotions claiming free tickets or VIP access	Victims are asked to enter personal data, click links, or pay “processing fees”	“You’ve won” messages you didn’t enter, requests for payment to claim prizes
Betting & Prediction Scam	Fake betting tips or “guaranteed wins” tied to matches	Scammers sell fake predictions or direct users to malicious betting sites	Claims of guaranteed outcomes, requests for upfront payment, unfamiliar platforms
Merchandise Scam	Counterfeit World Cup gear sold online	Buyers receive low-quality or no product at all	Unverified sellers, poor site quality, deals that seem too good to be true

How AI is Making These Scams More Convincing

Unfortunately, with the continued improvement of AI, these scams are becoming more convincing. 

AI tools allow scammers to create: 

• More realistic websites and messages 
• Personalized outreach that feels legitimate 
• Fake endorsements, images, or promotions 

That means traditional advice like “look for typos” is no longer enough on its own. 

Today’s scams often look polished, professional, and believable. 

What “Official” Actually Means (and Why It Matters) 

For the World Cup, official ticket sales happen through designated FIFA sales phases and platforms. 

Buying outside those channels increases the risk of: 

• Invalid or duplicate tickets 
• Inflated pricing without guarantees 
• No recourse if something goes wrong 

Even if a ticket looks legitimate, it may be: 

• Sold to multiple buyers 
• Already voided 
• Rejected at the gate

When in doubt, go directly to the official FIFA website instead of clicking links from messages or ads. You can also visit their comprehensive FAQ section for all your ticket and event questions. 

How to Stay Safe When Buying Tickets or Traveling 

Here are practical steps fans can take to reduce risk: 

Safety Check	What To Do
Buy from official sources	Use FIFA’s official ticket platform whenever possible
Avoid clicking links in messages	Navigate directly to official websites instead. McAfee’s Safe Browing tools help prevent you from opening malicious links.
Be cautious with resale offers	Verify platforms and avoid direct peer-to-peer payments
Check QR codes before you scan them	You can check for QR code scams on-demand with Scam Detector
Don’t pay with untraceable methods	Avoid wire transfers, gift cards, or crypto-only payments
Double-check URLs	Look for misspellings or unusual domains
Use secure connections	Avoid making purchases on public Wi-Fi, or use a VPN like McAfee’s.
Protect your accounts	Use strong passwords and enable two-factor authentication. Consider a password manager like McAfee’s.
Verify before you buy	If something feels off, pause and check before sending money

What to Do If You Think You’ve Been Scammed 

If you think you may have purchased a fraudulent ticket, clicked a suspicious link, or shared information with a scammer, acting quickly can help limit the impact. 

Immediate steps to take 

Stop communication immediately
Do not send additional money or information, even if the sender claims you need to “complete” a transaction. It’s also a good idea to take screenshots of messages in case the scammer disappears. 

Contact your bank or payment provider
Report the transaction as soon as possible. Many institutions can help reverse charges or flag fraudulent activity if caught early. 

Secure your accounts
Change passwords for any accounts that may be affected, especially email, banking, and ticketing platforms. Our password manager and free password generator help create unique passwords every time.  

Enable two-factor authentication (2FA)
Adding an extra layer of security can help prevent unauthorized access, even if your password was exposed. 

Scan your device for threats
If you clicked a suspicious link or downloaded a file, run a security scan to check for malware or malicious software. Check out our free security scan. 

Monitor for unusual activity
Keep an eye on financial accounts, email logins, and any services tied to your personal information. Our free WebAdvisor helps protect you from malware and phishing attempts while you surf. 

How McAfee Helps You Spot Scams in the Moment 

McAfee offers more than traditional antivirus, combining multiple layers of digital protection in one app to help you stay safer while searching, clicking, and buying online. 

Scam Detector helps flag suspicious texts, emails, and videos automatically, so you can spot a scam before it hits you and your wallet 

Safe Browsing tools help block risky websites, alert you to phishing attempts, and guide you away from malicious links 

VPN helps keep your connection private on public Wi-Fi, protecting your personal and payment information 

Password Manager helps create and store strong, unique passwords to reduce the risk of account takeover 

Identity Monitoring and Alerts notify you if your personal information appears where it shouldn’t, so you can quickly take steps to fix it 

Personal info removal helps find and remove your personal info from data broker sites and close out old forgotten accounts 

Device and Account Security helps protect the devices and accounts you use every day 

Final Thoughts 

The World Cup isn’t just another event, it’s a moment when millions of people are making fast decisions involving real money, travel plans, and personal information. 

What McAfee’s research makes clear is that the biggest risk isn’t a lack of awareness. Most fans already know scams exist. The risk is what happens next. 

“When prices feel out of reach, people naturally start looking for better deals or cheaper options. That is where things can get tricky. If someone suddenly offers what feels like a great price compared to everything else out there, it can feel like a rare opportunity worth jumping on,” Karnik says. “Scammers understand that.”

“If somebody claims they have hard-to-get tickets at an unusually good price, especially for a popular match, people may feel pressure to act quickly before the opportunity disappears.” 

As demand continues to build toward the tournament, more fans will be searching, comparing, and purchasing online.  

The takeaway is simple: Staying safe isn’t just about knowing scams exist. It’s about slowing down, verifying before you buy, and using tools that help you make informed decisions in the moment. 

*McAfee is not affiliated with or endorsed by FIFA. 

The post Are Your World Cup Tickets Legit? 40% of Fans May Risk Unofficial Sellers appeared first on McAfee Blog.

Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.