Steam Games Exploited to Deliver Malware Once Again
A cybercriminal known as EncryptHub has reportedly exploited the Steam platform to distribute information-stealing malware through the Chemia game. Learn how to stay safe and protect your data.
TL;DR
A cybercriminal known as EncryptHub has exploited the Steam platform to distribute information-stealing malware through the Chemia game. This incident highlights the ongoing threat of malware distribution through popular gaming platforms. Users are advised to be cautious and follow best practices to protect their data.
Malware Distribution Through Steam Games
A cybercriminal known as EncryptHub (aka Larva-208) has reportedly abused the online game platform Steam to distribute information stealers [1]. EncryptHub managed to embed malicious files within the Chemia game files hosted on Steam. Chemia, an adventurous survival game set in a world ravaged by a catastrophic natural disaster, was available as an early access title on Steam. This development model allows players to purchase and play games while they are still in progress, helping developers receive direct feedback from the community to improve features and find bugs.
According to security researchers at Proactive Defense Against Future Threats (PRODAFT) [2], the initial compromise occurred on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application. The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.
Malware Details
- Vidar: A Malware-as-a-Service information stealer that uses public networks such as social media, communication platforms, and Steam as parts of its Command & Control infrastructure.
- HijackLoader: A malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.
- Fickle Stealer: A relatively new information stealer that uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.
Information stealers can have severe consequences, ranging from financial damage to identity theft, depending on what is stored on the infected device.
Previous Incidents
In another case [3] of Steam platform abuse, a cybercriminal used a sniper video game to distribute malware to unsuspecting gamers. Instead of circulating the malicious demo directly on Steam, the game’s Steam page featured a link to the developer’s external website promoting a demo that turned out to be malware.
A month before that, a game called PirateFi [4] was released on Steam but was found to be circulating malware among gamers.
With Steam’s huge userbase (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to access valuable digital assets, direct financial information, and personal information.
How to Stay Safe
Some tips to help gamers avoid downloading malicious software:
- Avoid Unsolicited Messages: Do not act on direct messages or other unsolicited requests to try out a game [5]. Random people asking you to download something should be treated as suspicious.
- Verify Invitations: Verify invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. This is because their current account may have been compromised.
- Use Anti-Malware Solutions: Make sure to run an up-to-date and active anti-malware solution [6] on your computer.
If you have tried the Chemia game, run a full system anti-malware scan.
Indicators of Compromise
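Indicators for a campaign like this are typically published as defanged domains and SHA-256 file hashes. The following added example (not from the original article) shows one way to match both kinds against DNS logs and files on disk; every indicator, log line and file in it is a constructed placeholder, and the log format is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed placeholder indicators and log lines (not this campaign's published values).
IOC_DOMAINS_DEFANGED = ["stealer-c2[.]example", "drop.cdn-host[.]example"]
IOC_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
SAMPLE_DNS_LOG = [  # assumed format: "<timestamp> <client-ip> <queried-host>"
    "2025-07-23T10:01:02Z 10.0.0.5 store.steampowered.com",
    "2025-07-23T10:01:09Z 10.0.0.5 api.stealer-c2.example",
    "2025-07-23T10:02:30Z 10.0.0.7 notstealer-c2.example",
    "2025-07-23T10:03:11Z 10.0.0.9 DROP.cdn-host.example.",
]

def refang(indicator):
    """Turn a defanged indicator such as 'evil[.]example' into a plain hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def host_matches(host, ioc_domains):
    """Match the listed domain or any subdomain of it, on label boundaries only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def scan_dns_log(lines, ioc_domains):
    """Return (client, host) for each well-formed line that queried a listed domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and host_matches(parts[2], ioc_domains):
            hits.append((parts[1], parts[2]))
    return hits

def scan_files(root, ioc_hashes):
    """Return names of files under root whose SHA-256 (read in 1 MiB chunks) is listed."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        if digest.hexdigest() in ioc_hashes:
            hits.append(path.name)
    return hits

def demo():
    # Runs both checks on constructed data: the sample log and a temporary directory.
    domains = {refang(d) for d in IOC_DOMAINS_DEFANGED}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "game.exe").write_bytes(b"benign game binary")
        (Path(tmp) / "helper.dll").write_bytes(b"constructed-malicious-sample")
        return scan_dns_log(SAMPLE_DNS_LOG, domains), scan_files(tmp, IOC_SHA256)
```

Matching on label boundaries keeps a lookalike such as `notstealer-c2.example` from being reported as a hit, while subdomains and trailing-dot or mixed-case queries are still caught.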
Conclusion
The exploitation of Steam games to distribute malware underscores the need for vigilance and proactive security measures. By staying informed and following best practices, gamers can protect themselves from potential threats and ensure a safe gaming experience.
References
- BleepingComputer (2025). “hacker-sneaks-infostealer-malware-into-early-access-steam-game”. BleepingComputer.
- PCMag (2025). “steam-used-again-to-trick-gamers-into-installing-malware”. PCMag.
- PCMag (2025). “did-you-download-this-steam-game-sorry-its-windows-malware”. PCMag.
- Malwarebytes (2025). “can-you-try-a-game-i-made-fake-game-sites-lead-to-information-stealers”. Malwarebytes.