Infected Steam game "BlockBlasters" downloads crypto stealer malware

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A 2D platformer game called BlockBlasters on Steam has been infected with malware disguised as a patch. The malicious update, released on August 30, 2025, contains files that exhibit multiple malicious behaviors, including stealing crypto wallet data and other sensitive information from users' PCs. The infection process involves multiple stages, including a trojan stealer batch file, VBS loaders, and the main payload consisting of a backdoor and the StealC stealer malware. The campaign affects hundreds of players who have installed the game. The malware collects IP and location information, detects installed antivirus products, gathers login credentials, and uploads data to command and control servers. The game has since been removed from Steam, but not before causing significant damage to unsuspecting users.

OPENCTI LABELS:

backdoor,stealc,information theft,gaming,crypto stealer,steam,blockblasters,patch infection


AI COMMENTARY:

1. Introduction: The latest threat intelligence investigation reveals that a popular 2D platformer game, "BlockBlasters", available on Steam, was compromised by cybercriminals who delivered crypto stealer malware disguised as an official patch. This incident highlights the evolving tactics of threat actors targeting gaming communities and the critical need for robust defenses against information theft.

2. Infection Vector and Discovery: On August 30, 2025, the threat actors released a malicious update labeled as a patch for BlockBlasters. Once installed, the update unleashed a multi-stage infection process beginning with a trojan stealer batch file. This initial script uses VBS loaders to execute the primary payload, which consists of a backdoor component and the StealC stealer malware designed specifically to harvest cryptocurrency wallet data.

3. Multi-Stage Payload Architecture: After execution of the VBS loaders, the backdoor establishes persistence on the victim’s PC and communicates with command and control servers. The StealC stealer then scans the system for crypto wallets, captures login credentials, and collects details about installed antivirus products. The malware also gathers IP addresses and geolocation data to tailor subsequent attacks.

4. Data Exfiltration and Command and Control: The harvested data is packaged and uploaded to attacker-controlled servers, enabling real-time data theft. Command and control communications are obfuscated using encryption to evade network-based detection mechanisms. This approach allows threat actors to continually extract sensitive information without raising immediate alarms.

5. Impact on Players and the Gaming Community: Hundreds of unsuspecting players who downloaded the infected patch suffered significant breaches of privacy and financial loss. The theft of cryptocurrency assets and personal credentials eroded trust within the gaming community and highlighted the vulnerability of digital distribution platforms to supply chain attacks.

6. Remediation and Mitigation Strategies: In response to the incident, Steam removed BlockBlasters from its storefront and issued warnings to affected users. Security teams recommend verifying patch sources, enabling heuristic-based antivirus detection, and using hardware or software wallet solutions with transaction approvals to protect crypto assets. Regular threat hunting and network monitoring can help identify anomalous connections to C2 servers.

7. Conclusion and Threat Intelligence Insights: The BlockBlasters incident serves as a stark reminder that gaming platforms are a lucrative target for information theft. By analyzing the tactics, techniques, and procedures used in this campaign, security professionals can enhance threat intelligence frameworks and develop proactive defenses against future patch-infection attacks.
