Steam Early Access Game Compromised to Distribute Info-Stealing Malware

LavX Team

Threat actor EncryptHub has injected HijackLoader and Fickle Stealer malware into the early access game 'Chemia' on Steam, exploiting platform trust to infect unsuspecting players. This marks the third such incident on Steam in 2025, highlighting systemic vulnerabilities in early access game vetting processes.

Malware Hidden in Plain Sight: How a Steam Game Became a Cybercriminal Delivery Vehicle

In a sophisticated supply chain attack, threat actor EncryptHub (aka Larva-208) compromised the early access game Chemia on Steam to distribute info-stealing malware. Developed by Aether Forge Studios, the survival crafting title served as an unwitting trojan horse when attackers injected malicious binaries into its game files on July 22.

The Attack Chain: From Game Launch to Data Theft

According to threat intelligence firm Prodaft, the compromise unfolded in two phases:

  1. HijackLoader deployment: The initial payload (CVKRUTNP.exe) established persistence on victims' systems and downloaded Vidar infostealer malware, with command-and-control instructions pulled from a Telegram channel
  2. Fickle Stealer injection: Just three hours later, attackers added a malicious DLL (cclib.dll) that used PowerShell scripts to fetch Fickle Stealer—a potent data thief targeting:
    • Browser credentials and cookies
    • Auto-fill information
    • Cryptocurrency wallet data
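The attack chain above hinges on unexpected binaries (the loader executable and the DLL) appearing inside an installed game's files. As an added, defender-side example that is not from Prodaft's report or this article, the following script builds a SHA-256 manifest of a game directory at a trusted point and later reports any files that were added, modified or removed; the directory layout and file name "Chemia.exe" are hypothetical, and the dropped files are constructed stand-ins named after the artifacts the article mentions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large game assets never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, changed or vanished relative to the trusted baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean install, then simulate a tampered update."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Chemia.exe").write_bytes(b"clean game binary (constructed)")  # hypothetical name
        (root / "data").mkdir()
        (root / "data" / "assets.pak").write_bytes(b"game assets (constructed)")
        baseline = build_manifest(root)  # taken when the install is known to be good
        # Simulated compromise: two dropped binaries plus a patched main executable.
        (root / "CVKRUTNP.exe").write_bytes(b"dropped loader stand-in (constructed)")
        (root / "cclib.dll").write_bytes(b"dropped DLL stand-in (constructed)")
        (root / "Chemia.exe").write_bytes(b"modified game binary (constructed)")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest must be stored outside the game directory (and ideally signed), since an attacker who can write game files can rewrite a manifest kept beside them.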

"The compromised executable appears legitimate to users downloading from Steam, creating an effective social engineering component that relies on platform trust rather than traditional deception techniques," Prodaft noted in their report.

Stealthy Execution and Platform Trust Exploitation

The malware operates silently in the background without impacting gameplay performance, leaving players unaware of the compromise. EncryptHub previously used Fickle Stealer in a 2024 campaign that breached over 600 organizations, showcasing their evolving tactics.

Systemic Vulnerabilities in Early Access Programs

This is Steam's third malware incident in 2025, following similar compromises in 'Sniper: Phantom’s Resolution' (March) and 'PirateFi' (February). All three shared concerning commonalities:

  • Early access status with no fixed release date
  • Limited visibility into developer vetting processes
  • Apparent gaps in Steam's security reviews for in-development titles

Valve and Aether Forge Studios haven't commented on the incident, and Chemia remains available on Steam with unclear infection status. Until platforms implement stricter validation for early access titles, developers and gamers alike face mounting supply chain risks in the $200B gaming industry.

Source: BleepingComputer