A few days ago, researchers at McAfee Labs published a report on a campaign called Weedhack. The name is kind of funny. The content, not so much.
Since January 2026, this campaign has been infecting machines at a rate of 2,000 to 3,000 per day. Over 116,000 victims so far. The target: Minecraft players looking for mods on Google or YouTube.
But this isn’t really an article about Minecraft.
What is SEO poisoning?
SEO poisoning means using search engine optimization techniques to rank malicious content on legitimate queries.
In practice: you type “best Minecraft mod” into Google. The first result looks clean, credible, well-designed. You download. You’re infected.
The attackers don’t hack Google. They just do SEO. Better than the actual owners of the projects they’re impersonating.
The $5 model that changes everything
Weedhack is what’s called MaaS. Malware-as-a-Service.
The concept: developers build a malicious tool, package it with a dashboard, an interface, documentation. Then sell it online. Exactly like a regular SaaS product.
Free tier: password theft from 36 browsers, crypto wallet credentials, Discord, Steam, Telegram logins. Zero dollars.
Premium tier: $5 a month. Remote webcam access, keylogging, hidden screen sharing, full machine control.
Five dollars. The price of an airport coffee.
Not long ago, hacking someone required real technical skills. Now we’re talking about a “create payload” button. Anyone can sign up, generate a malicious file and distribute it. No coding required.
Cybercrime is copying the SaaS playbook. Free tier to attract. Premium to monetize. Dashboard to manage. The only difference is what you do with it.
How they outrank legitimate sites
The distribution method is the most interesting part of this report.
The attackers identify popular Minecraft mods that have no official website. Small open source projects, maintained by one or two people who never thought about SEO. They build a fake site, optimized to rank on the exact name of the mod.
Clean, reassuring, with fake warnings like “only download from this page, this is the official site, no other site is affiliated.” Fake GitHub link. Fake Discord.
And they rank. Because nobody else is competing for those keywords.
On top of that, well-produced YouTube videos with voiceover demonstrate the mod in action. The malicious download link is in the description. One video had 7,500 views before being flagged.
What this says about SEO in 2026
I often say: niche keywords with no competition are an opportunity.
This story shows the other side. Niches with no official site, no dominant player, are also where low-quality or malicious content can settle in easily. Whether it’s malware or thin affiliate content, the mechanic is the same: fill a gap that nobody’s watching.
If you run a site on a specific technical topic, monitoring who ranks on your keywords isn’t just an SEO matter. It’s also about knowing what your readers find when they search for what you cover.
How to download mods safely
If you have kids who play Minecraft, or if you play yourself, the rule is simple: only download from CurseForge or Modrinth. These are the two reference platforms, with file validation.
Not the first Google result. Never a link from the description of a YouTube video from an account you don’t know.