A seemingly innocent patch update for the popular 2D platformer game BlockBlasters has transformed into a sophisticated malware campaign, exposing hundreds of Steam users to data theft and system compromise.<\/p>\n
The malicious patch, deployed on August 30, 2025, demonstrates how threat actors are increasingly exploiting the gaming ecosystem to distribute information-stealing malware while users remain unaware of the ongoing compromise.<\/p>\n
BlockBlasters, developed by Genesis Interactive and initially released on July 31, 2025, had garnered positive reviews from the gaming community before becoming the latest victim in a growing trend of Steam game infections.<\/p>\n
The malicious Build 19799326 patch contains multiple files that exhibit dangerous behaviors, transforming what appeared to be a routine game update into a multistage attack capable of exfiltrating sensitive user data including cryptocurrency wallet information, browser credentials, and Steam login details.<\/p>\n
G Data analysts identified<\/a> the malware campaign after their MXDR platform flagged the suspicious activities within the game\u2019s patch files.<\/p>\n The security researchers discovered that the threat actors had successfully bypassed Steam\u2019s initial security screening, allowing the deployment of malicious updates that could potentially affect hundreds of players who had the game installed on their systems.<\/p>\n This incident follows a concerning pattern of similar attacks on Steam games, including the notable PirateFi and Chemia cases, highlighting the platform\u2019s ongoing vulnerability to such sophisticated infiltration attempts.<\/p>\n The attack represents a significant escalation in gaming-focused malware campaigns<\/a>, as threat actors continue to refine their techniques for distributing malicious payloads through legitimate software distribution channels.<\/p>\n The incident particularly stands out due to its multistage infection process and the range of sensitive data it targets, making it a comprehensive information theft operation rather than a simple malware installation.<\/p>\n The BlockBlasters malware<\/a> operates through a sophisticated three-stage infection mechanism that begins with the execution of a seemingly benign batch file named This initial payload performs several reconnaissance functions, including collecting IP and location information through queries to legitimate services like \u201cipinfo[.]io\u201d and \u201cip[.]me\u201d, while simultaneously detecting installed antivirus products to assess the target environment\u2019s security posture.<\/p>\n The batch file\u2019s primary function involves collecting Steam login credentials, including SteamID, AccountName, PersonaName, and RememberPassword data, which it then uploads to the command and control server located at The malware employs password-protected ZIP archives with the password \u201c121\u201d to conceal its payloads during download, effectively evading initial detection mechanisms.<\/p>\n Upon successful environment assessment, the malware deploys VBS loader scripts ( The The final stage involves the deployment of two primary payloads: The malware strategically adds its execution directory to Microsoft Defender\u2019s exclusion list using the path The StealC component targets multiple browsers including Google Chrome, Brave Browser, and Microsoft Edge, accessing their respective Local State files to extract stored credentials and sensitive information.<\/p>\n The malware uses deprecated RC4 encryption to obfuscate<\/a> its API calls and key strings, connecting to a secondary C2 server at Find this Story Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post BlockBlasters Steam Game Downloads Malware to Computer Disguised as Patch<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Infection Mechanism and Payload Delivery<\/strong><\/h2>\n
game2.bat<\/code>.<\/p>\nhxxp:\/\/203[.]188[.]171[.]156:30815\/upload<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhk6D82qmqjTsDtJtTP1F1BLUrGivhSL4lYhTUei2Eg8jsV20A3a6d5nhHMsgeFKJl89-KiGkPd1PS-SgKilqVO8sSGeyV5rSGBeJFvUEArfm0NpQpd1MsTf5viZEI00A3q5XC464VAOxWBU5-xzxOqQ8PDNw5yNhxnQT5Lt8Z-ZOMlvPFI95r0c-46obk\/s16000\/SteamDB%2520Patch%2520Files%2520from%2520SteamDB%2520%28Source%2520-%2520G%2520Data%29.webp?ssl=1\")
launch1.vbs<\/code> and test.vbs<\/code>) that execute additional batch files while maintaining stealth through hidden console execution.<\/p>\ntest.bat<\/code> component specifically targets browser extensions and cryptocurrency wallet data, demonstrating the campaign\u2019s focus on high-value financial information.<\/p>\nClient-built2.exe<\/code>, a Python-compiled backdoor that establishes persistent communication with the C2 infrastructure, and Block1.exe<\/code>, which contains the StealC information stealer.<\/p>\nDrive:SteamLibrarysteamappscommonBlockBlastersEngineBinariesThirdPartyOggcwe<\/code>, ensuring continued operation without triggering security alerts<\/a>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2iBUy2D5kZxS9P7ODoeLusseQ08yckPSuHv_sdoDlWvT15IvXjU9t4A_c63BQLs6DzVh1AhlPzRhllOJrzc-O2V8Yhlpo69GquF2Tmag4ZC4PVOCjEnxOexUrM7SEmINC10xOwmggRY1eScCfz5aUkOhTKCi24KbrcBC0qU_qRnbp8izYHSPXp60dIV0\/s16000\/Game2.bat%2520unpacking%2520files%2520inside%2520password-protected%2520archives%2520and%2520then%2520executing%2520it%2520%28Source%2520-%2520G%2520Data%29.webp?ssl=1\")
hxxp:\/\/45[.]83[.]28[.]99<\/code> for data exfiltration operations, demonstrating the campaign\u2019s distributed infrastructure approach to maintaining operational security.<\/p>\n