FBI Investigates Malware-Laced Games Distributed on Steam
The FBI is seeking victims as it investigates a suspected cybercriminal who published multiple malware-tainted games on Steam, using seemingly legitimate titles as Trojan horses to infect players' systems. The games named by the agency include BlockBlasters/BlockBasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova, and were reportedly available between 2024 and 2026. Both reports indicate the titles were functional enough to appear legitimate, but were designed to deliver malware and compromise users after installation.
The reported impact includes account compromise, information theft, and crypto-wallet draining, with one cited case involving the theft of $32,000 in cancer donations from a streamer after exposure to one of the malicious games. The investigation suggests the listed titles may have been developed by the same threat actor, and that the number of affected users remains unknown. The case also highlights ongoing weaknesses in marketplace screening, as malicious games were able to reach Steam users before being removed by Valve.
Related Stories
Lumma Stealer Malware Distributed via Fake Game Updates on Itch.io and Patreon
A new malware campaign has targeted users of the indie game platform *Itch.io* and Patreon by distributing the Lumma Stealer malware through fake game update links. Attackers created new accounts to spam comment sections of legitimate games on Itch.io, posting templated messages that claimed to offer game updates. These messages included links to archives such as “Updated Version.zip,” which, when downloaded, contained a malicious executable designed to deploy Lumma Stealer. The campaign also leveraged a reflective Node.js loader to evade detection and increase the likelihood of successful infection. Security researchers observed that the attackers used a shotgun approach, spamming multiple games to maximize reach and exploit users unfamiliar with the platform. The malicious files were often hidden among benign files in the downloaded archive, making it harder for users to detect the threat. This campaign highlights the growing trend of threat actors targeting indie gaming communities and platforms beyond mainstream services like Steam, using social engineering and technical obfuscation to distribute credential-stealing malware.
3 months ago
Trojanized Gaming Utilities Deliver Java-Based RAT via Browser and Chat Platforms
Microsoft Threat Intelligence reported an active malware campaign targeting gamers by distributing **trojanized gaming utilities** through browsers and chat platforms, leading victims to execute a multi-stage downloader that ultimately installs a **Java-based remote access trojan (RAT)**. The infection chain was observed staging a portable Java runtime and launching a malicious JAR (`jd-gui.jar`), while using **PowerShell** and living-off-the-land binaries such as `cmstp.exe` to reduce detection. The activity includes defense evasion by deleting the initial downloader and adding **Microsoft Defender exclusions**, and persistence via a scheduled task and a startup script named `world.vbs`; the RAT then beacons to **`79.110.49[.]15`** for C2, enabling data theft and follow-on payload delivery. Reporting also noted the campaign’s use of gaming-adjacent filenames to increase execution likelihood (e.g., `Xeno.exe`, `RobloxPlayerBeta.exe`) and emphasized that the final payload functions as a **loader/runner/downloader/RAT** rather than a single-purpose stealer, increasing the risk of secondary malware deployment. Separately, one report highlighted the emergence of *Steaelite*, a Windows RAT advertised on criminal forums with claimed “FUD” capabilities and an integrated panel combining data theft and ransomware features, underscoring broader commoditization of multi-function RAT ecosystems even when not directly tied to the specific trojanized-gaming-tools intrusion chain.
2 weeks ago
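The infection chain summarized above leaves several host-side artifacts a defender can look for together. The following rule-based triage is an added example, not code from Microsoft's report: it runs over constructed JSON-lines endpoint telemetry, where the event field names (`type`, `proc`, `cmd`, `path`, `dst`) and the sample events are assumptions, while the indicators themselves (a Defender exclusion added via PowerShell, `cmstp.exe`, `world.vbs` in Startup, `jd-gui.jar`, the C2 address) come from the summary.

```python
import json
import re

# Indicators named in the report summary; the C2 address is refanged from its "[.]" form.
C2_IP = "79.110.49[.]15".replace("[.]", ".")

def _low(s):
    return (s or "").lower()

# Rule name -> predicate over one normalized event; each maps to a stage of the chain.
RULES = {
    "defender_exclusion_added": lambda e: _low(e["proc"]).endswith("powershell.exe")
        and re.search(r"add-mppreference\s+-exclusion", e["cmd"], re.I) is not None,
    "cmstp_lolbin_exec": lambda e: _low(e["proc"]).endswith("\\cmstp.exe"),
    "startup_world_vbs": lambda e: e["type"] == "file_create"
        and _low(e["path"]).endswith("\\startup\\world.vbs"),
    "jdgui_jar_launch": lambda e: _low(e["proc"]).endswith(("\\java.exe", "\\javaw.exe"))
        and "jd-gui.jar" in _low(e["cmd"]),
    "c2_beacon": lambda e: e["type"] == "net_connect" and e["dst"] == C2_IP,
}

def triage(jsonl_lines):
    """Return [(rule_name, event)] for every rule each event matches; absent fields default to ''."""
    hits = []
    for line in jsonl_lines:
        ev = {"type": "", "proc": "", "cmd": "", "path": "", "dst": ""}
        ev.update(json.loads(line))
        hits.extend((name, ev) for name, pred in RULES.items() if pred(ev))
    return hits

def stages_seen(hits):
    """Number of distinct chain stages observed; several together on one host is the strong signal."""
    return len({name for name, _ in hits})

# Constructed sample telemetry (not real logs), one JSON object per line, paths escaped for JSON.
SAMPLE = [
    r'{"type":"proc_start","proc":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Roaming"}',
    r'{"type":"proc_start","proc":"C:\\Windows\\System32\\cmstp.exe","cmd":"cmstp.exe"}',
    r'{"type":"file_create","proc":"C:\\Users\\u\\Downloads\\Xeno.exe","path":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\world.vbs"}',
    r'{"type":"proc_start","proc":"C:\\Users\\u\\AppData\\Local\\jre\\bin\\javaw.exe","cmd":"javaw.exe -jar jd-gui.jar"}',
    r'{"type":"net_connect","proc":"C:\\Users\\u\\AppData\\Local\\jre\\bin\\javaw.exe","dst":"79.110.49.15"}',
    r'{"type":"proc_start","proc":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe notes.txt"}',
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    for name, ev in found:
        print(name, "<-", ev["proc"])
    print("distinct stages:", stages_seen(found))
```

Any single rule will also fire on legitimate activity (administrators do add exclusions); the value is in correlating several stages on one host within a short window.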
Social-Engineering Malware Campaigns Targeting End Users via Browser Stores and Fake Installers
Multiple active **social-engineering-driven malware operations** are targeting end users through trusted distribution channels. One campaign, dubbed **GhostPoster**, distributed **17 malicious browser extensions** across *Chrome, Firefox, and Edge* with **840,000+ installs**, using legitimate-sounding names (e.g., “Google Translate in Right Click,” “Youtube Download,” “Ads Block Ultimate”) and evading store reviews for years. The extensions used **steganography** to hide code in PNGs, then extracted payloads to contact attacker infrastructure, enabling credential/data theft, tracking, affiliate-link hijacking, script injection, and HTTP header manipulation to weaken protections. Separately, threat actors are impersonating **Malwarebytes** via trojanized ZIP “installers” (e.g., `malwarebytes-windows-github-io-X.X.X.zip`) and using **DLL sideloading**—pairing a legitimate EXE with a malicious `CoreMessaging.dll`—to execute **infostealers**; reporting highlighted a campaign fingerprint via **behash** `4acaac53c8340a8c236c91e68244e6cb` and distinctive DLL strings used for infrastructure mapping. A different operation identified by CloudSEK involves **“RedLineCyber”** masquerading as an affiliate of “RedLine Solutions” to build credibility inside private **Discord** communities and deliver a Python-based **clipboard hijacker** (often `Pro.exe` / `peeek.exe`) aimed at **cryptocurrency wallet theft**, relying on long-term grooming of high-value targets rather than broad phishing.
1 month ago
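The GhostPoster extensions described above hid code inside PNG files, which works because image viewers ignore bytes the decoder does not need. As an added example (not code from the cited reporting or from the extensions themselves), the check below walks a PNG's chunk stream and flags the three places such a payload typically sits: bytes after the `IEND` chunk, private chunk types outside an allow-list, and chunks whose CRC no longer matches. The allow-list of chunk types and the 1x1 test fixture are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types an ordinary icon/asset PNG is expected to carry (allow-list; an assumption).
EXPECTED = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB", b"cHRM",
            b"pHYs", b"iCCP", b"bKGD", b"tEXt", b"zTXt", b"iTXt", b"tIME"}

def _chunk(ctype, data):
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def inspect_png(blob):
    """Walk the chunk stream and return a list of findings; [] means nothing unusual."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"]
    pos, saw_iend = len(PNG_SIG), False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(data) < length or len(crc) < 4:
            findings.append("truncated chunk " + name)
            return findings
        if struct.pack(">I", zlib.crc32(ctype + data)) != crc:
            findings.append("bad CRC on " + name)  # data patched in without recomputing the CRC
        if ctype not in EXPECTED:
            findings.append("unexpected chunk %s (%d bytes)" % (name, length))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    elif len(blob) > pos:
        findings.append("%d bytes after IEND" % (len(blob) - pos))  # payload past the image end
    return findings

def make_png(after_iend=b"", extra_chunk=None):
    """Constructed 1x1 RGBA PNG test fixture, optionally with bytes appended or a private chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit depth, RGBA
    idat = zlib.compress(b"\x00\x00\x00\x00\xff")          # filter byte 0 + one opaque black pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if extra_chunk:
        body += _chunk(*extra_chunk)
    return PNG_SIG + body + _chunk(b"IEND", b"") + after_iend
```

Run `inspect_png` over every image bundled in an extension package; a clean asset returns an empty list, and text chunks (`tEXt`, `zTXt`, `iTXt`) are worth a second look even though they are standard, since they can legitimately hold arbitrary strings.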