Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.
As developer Michael Mayhem told BleepingComputer, the compromised package is the prepackaged standalone modified version of the original game and not a mod installed via Steam Workshop.
The attackers compromised one of Downfall's developers' Steam, Discord, and email accounts, allowing them to gain control of the mod's Steam account.
Once installed on a compromised computer, the malware will collect cookies and saved passwords and credit cards from web browsers, as well as Steam and Discord info.
It will also look for documents containing 'password' in the filenames and for more credentials, including the local Windows login and Telegram.
Downfall users are advised to change all important passwords, especially those for accounts not protected by 2FA. Users who received the malicious update reported that the malware would install itself as a Windows Boot Manager application in the AppData folder or as UnityLibManager in the /AppData/Roaming folder.
Epsilon Stealer is an information-stealing malware sold via Telegram and Discord to other threat actors.
It is commonly used to target gamers on Discord by tricking them into installing the malware under the guise of testing a new game for bugs in exchange for payment.
After the game is installed, it also deploys the malware which runs in the background and steals the user's passwords, credit card details, and authentication cookies.
The stolen information is either used by the threat actors to breach further accounts or sold on dark web marketplaces.
According to VirusTotal data, it's likely that the threat actor behind this attack has also targeted other games and game developers.
In October, Valve announced that it now requires SMS-based security checks from game developers pushing an update on the default release branch on Steam.
The decision was taken in response to an increasing number of compromised Steamworks accounts being used to upload malicious game builds to infect players with malware starting in late August.
Rhadamanthys Stealer malware evolves with more powerful features.
Atomic Stealer malware strikes macOS via fake browser updates.
Malware dev says they can revive expired Google auth cookies.
Google ads push malicious CPU-Z app from fake Windows news site.
Microsoft disables MSIX protocol handler abused in malware attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 28 Dec 2023 21:20:15 +0000