krupal patel

Steam game mod breached

On Christmas Day, at roughly 2:30 PM Eastern time, the Downfall mod for the strategy game Slay the Spire experienced a security breach. That breach allowed a malicious upload to overtake our game on Steam’s library for roughly one hour. The team members' Steam and Discord accounts were compromised, hindering their ability to promptly inform the community. Players who opened the infected mod encountered a Unity library popup, with the malware attempting to pilfer passwords from internet browsers and services like Discord and Telegram. It's a crucial reminder to prioritize gaming security and stay vigilant.

 

Once installed on a compromised computer, the malware collects cookies, saved passwords, and saved credit cards from web browsers (Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi), as well as Steam and Discord info. It also looks for documents with 'password' in their filenames and for more credentials, including the local Windows login and Telegram.

 

  Epsilon malware harvesting credentials (Any.run)


Downfall users are advised to change all important passwords, especially those for accounts not protected by 2FA (two-factor authentication).


Users who received the malicious update reported that the malware would install itself as a Windows Boot Manager application in the AppData folder or as UnityLibManager in the /AppData/Roaming folder.
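A triage check for the two install names reported above and for the password-named documents the stealer searches for, as an added example that is not from the original post or the Downfall team. The exact file names and extensions are not given on this page, so the substring matching, the depth limit, and the function names are assumptions; a hit is a lead to inspect, not proof of infection.

```python
import os
import re
import tempfile
from pathlib import Path

# Names reported on this page. Exact file names and extensions are not given,
# so substring matching with separators ignored is an assumption.
ARTIFACT_NAMES = ("windowsbootmanager", "unitylibmanager")


def normalise(name):
    """Lower-case and drop separators so 'Windows Boot Manager.exe' matches."""
    return re.sub(r"[\s_.\-]", "", name.lower())


def scan_appdata(appdata_root, max_depth=3):
    """Return sorted paths under appdata_root named like a reported artifact."""
    root, hits = Path(appdata_root), []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(a in normalise(name) for a in ARTIFACT_NAMES):
                hits.append(str(Path(dirpath) / name))
        if len(Path(dirpath).relative_to(root).parts) >= max_depth:
            dirnames[:] = []  # stop descending; AppData trees are large
    return sorted(hits)


def password_named_files(folder):
    """Files with 'password' in the name, which the stealer searches for.
    Treat credentials stored in them as exposed. Case-insensitive (assumption)."""
    return sorted(str(p) for p in Path(folder).rglob("*")
                  if p.is_file() and "password" in p.name.lower())


if __name__ == "__main__":
    # Constructed sample tree so the example runs anywhere; on an affected
    # machine, pass the user's real AppData and Documents folders instead.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "AppData/Roaming/UnityLibManager").mkdir(parents=True)
        (base / "AppData/Roaming/UnityLibManager/UnityLibManager.exe").touch()
        (base / "AppData/Local").mkdir(parents=True)
        (base / "AppData/Local/Windows Boot Manager.exe").touch()
        (base / "Documents").mkdir()
        (base / "Documents/bank_Passwords.txt").touch()
        for hit in scan_appdata(base / "AppData"):
            print("inspect:", hit)
        for doc in password_named_files(base / "Documents"):
            print("rotate credentials stored in:", doc)
```
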


Epsilon Stealer is an information-stealing malware sold via Telegram and Discord to other threat actors. It is commonly used to target gamers on Discord by tricking them into installing the malware under the guise of testing a new game for bugs in exchange for payment. 


However, after the game is installed, it also deploys the malware, which runs in the background and steals the user's passwords, credit card details, and authentication cookies. The stolen information is either used by the threat actors to breach further accounts or sold on dark web marketplaces.


According to VirusTotal data, it's likely that the threat actor behind this attack has also targeted other games and game developers.

 


Steam tightens security

Valve's move to enhance Steam's security by implementing a new authentication system in October was a proactive step to mitigate potential security risks. The requirement for creators to use two-factor authentication was intended to reduce the likelihood of hacks and malicious updates. However, the specific details of how the hackers managed to compromise the accounts of the mod makers remain unclear. The incident underscores the ongoing challenge of maintaining the security of gaming platforms and user-generated content. As always, staying vigilant and taking necessary security measures, such as using two-factor authentication, is crucial for a safe gaming experience.


Security incidents, including hacks and malware infections, are unfortunately not uncommon in the gaming world, particularly in projects like mods. These incidents highlight the challenges associated with the often decentralized and community-driven nature of mod development. While developers generally work to address and fix security issues promptly, users must remain vigilant and take precautions to protect their accounts and systems. These events underscore the importance of maintaining a security-conscious approach in the gaming community and the need for continued efforts to enhance security measures across gaming platforms. Players are encouraged to follow best practices, such as using reputable sources for mods, enabling security features, and staying informed about potential risks.
