
A seemingly harmless patch update for the popular 2D platformer BlockBlasters has turned out to be an elaborate malware scheme, leaving numerous Steam users exposed to data theft and system compromise.

The malicious patch, released on August 30, 2025, shows how cybercriminals are increasingly exploiting the gaming sector to distribute information-stealing malware while users remain unaware of the ongoing infection.

BlockBlasters, crafted by Genesis Interactive and first launched on July 31, 2025, received favorable feedback from players prior to becoming the most recent target in a rising pattern of infections affecting Steam games.

The malicious Build 19799326 patch contains numerous files that exhibit harmful behaviour, turning what was initially a standard game update into a multi-stage attack capable of exfiltrating sensitive user data such as cryptocurrency wallet details, browser credentials, and Steam login information.

G Data analysts detected the malware operation after their MXDR system alerted them to suspicious activity within the game's patch files.

The cybersecurity experts uncovered that the threat actors had effectively bypassed Steam’s preliminary security checks, thereby facilitating the rollout of harmful updates that could potentially impact hundreds of users with the game installed on their devices.


This incident follows a troubling series of similar attacks on Steam titles, including the prominent cases of PirateFi and Chemia, underscoring the platform's persistent susceptibility to such breaches.

The attack signifies a notable escalation in malware campaigns focused on gaming, as cybercriminals continuously enhance their methods for distributing malicious payloads via legitimate software distribution pathways.

This incident is particularly notable for its multi-stage infection process and the range of sensitive information it seeks, making it a thorough information-theft operation rather than a simple malware installation.

Technical Infection Mechanism and Payload Delivery

The BlockBlasters malware uses an elaborate three-stage infection chain that begins with the execution of a seemingly innocuous batch file named game2.bat.

This initial payload carries out several reconnaissance tasks, including collecting IP and geolocation data via queries to legitimate services such as “ipinfo[.]io” and “ip[.]me”, while also enumerating installed antivirus software to gauge the security posture of the target environment.

The batch file's primary purpose is to harvest Steam login data, such as the SteamID, AccountName, PersonaName, and RememberPassword values, which it then transmits to the command-and-control server at hxxp://203[.]188[.]171[.]156:30815/upload.

The malware uses password-protected ZIP archives (password “121”) to hide its payloads during download, evading initial detection mechanisms.
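The first-stage behaviour described above (IP/geolocation lookups from inside the game folder, then an upload to the C2 on port 30815, and later traffic to the secondary C2 named further down) is something a SOC can match against network telemetry. The following Python is an added detection example, not code from G Data or the article; the log format (`image=` / `dst=` fields), the `pc01`/`pc02` hosts and the sample lines are all constructed, while the IPs, port and lookup services are the ones the article reports.

```python
"""Match network telemetry against the BlockBlasters indicators named in the article."""
import re
from dataclasses import dataclass

# Indicators quoted in the article, written undefanged so they compare against log fields.
C2_PRIMARY_IP, C2_PRIMARY_PORT = "203.188.171.156", 30815
C2_SECONDARY_IP = "45.83.28.99"
RECON_HOSTS = {"ipinfo.io", "ip.me"}
# Lookups to those services are only suspicious when made by something running
# out of the game's install folder; browsers and other tools use them legitimately.
GAME_DIR_MARKER = r"steamapps\common\blockblasters"

# Hypothetical EDR export format (an assumption, not any real product's schema):
#   <ts> host=<name> image="<path of the process or script>" dst=<host-or-ip>[:<port>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image="(?P<image>[^"]+)"\s+'
    r'dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?\s*$'
)


@dataclass
class Hit:
    ts: str
    host: str
    image: str
    reason: str


def classify(line: str):
    """Return a Hit for a line that matches an indicator, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dst = m["dst"]
    port = int(m["port"]) if m["port"] else None
    image = m["image"]
    from_game_dir = GAME_DIR_MARKER in image.lower()
    if dst == C2_PRIMARY_IP and port == C2_PRIMARY_PORT:
        reason = "c2_primary_upload"
    elif dst == C2_SECONDARY_IP:
        reason = "c2_secondary_stealc"
    elif dst in RECON_HOSTS and from_game_dir:
        reason = "recon_lookup_from_game_dir"
    else:
        return None
    return Hit(m["ts"], m["host"], image, reason)


def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits in order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample lines (not real telemetry). The firefox lookup is benign noise
# and must not be flagged; the three pc01 lines mirror the chain the article describes.
SAMPLE_LOG = [
    r'2025-08-31T10:02:11Z host=pc01 image="C:\SteamLibrary\steamapps\common\BlockBlasters\game2.bat" dst=ipinfo.io:443',
    r'2025-08-31T10:02:12Z host=pc01 image="C:\SteamLibrary\steamapps\common\BlockBlasters\game2.bat" dst=203.188.171.156:30815',
    r'2025-08-31T10:03:40Z host=pc02 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=ipinfo.io:443',
    r'2025-08-31T10:07:41Z host=pc01 image="C:\SteamLibrary\steamapps\common\BlockBlasters\Block1.exe" dst=45.83.28.99:80',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} {hit.reason}: {hit.image}")
```

The point of the `from_game_dir` condition is precision: `ipinfo.io` and `ip.me` are widely used by legitimate software, so the lookup alone is not an alert, but a lookup originating from a game's install directory followed by an upload to the reported C2 is.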

SteamDB Patch Files from SteamDB (Source – G Data)

Once the environment check passes, the malware launches VBS loader scripts (launch1.vbs and test.vbs) that run further batch files while staying stealthy by keeping the console window hidden.

The test.bat stage specifically targets browser extensions and cryptocurrency wallet data, illustrating the campaign's focus on valuable financial information.

The final stage deploys two main payloads: Client-built2.exe, a Python-compiled backdoor that maintains ongoing communication with the C2 infrastructure, and Block1.exe, which contains the StealC information stealer.

The malware adds its own execution directory to Microsoft Defender's exclusion list using the path Drive:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe, so that it can keep running without triggering security alerts.
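Defender records every configuration change, including new path exclusions, as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which makes the exclusion step above a reliable detection point. The following Python is an added triage example, not code from the article or G Data; the exact wording of the 5007 message body and the sample events are constructed approximations (the regex assumes the new value is rendered as `HKLM\...\Exclusions\Paths\<path> = 0x0`). It goes slightly beyond the specific case by also rating any exclusion under `steamapps\common`, since a Steam game folder should never need one.

```python
"""Triage Microsoft Defender 'configuration changed' (5007) events for suspicious path exclusions."""
import re
from dataclasses import dataclass

# Path fragment the article reports the batch file excluding from Defender.
BLOCKBLASTERS_MARKER = r"steamapps\common\blockblasters"
# Generalisation: no Steam game folder should ever need a Defender exclusion.
STEAM_GAME_MARKER = r"steamapps\common"

# Assumed layout of the 5007 message text: the new registry value is given as
# "New value: HKLM\...\Exclusions\Paths\<excluded path> = 0x0".
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"(?P<path>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)


@dataclass
class ExclusionChange:
    time: str
    path: str
    severity: str  # "high", "medium" or "review"


def triage_exclusion_events(events):
    """Pick out 5007 events that add a path exclusion and rate each one."""
    findings = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        m = EXCLUSION_RE.search(ev["message"])
        if not m:
            continue  # some other setting changed; not a path exclusion
        path = m["path"]
        low = path.lower()
        if BLOCKBLASTERS_MARKER in low:
            severity = "high"
        elif STEAM_GAME_MARKER in low:
            severity = "medium"
        else:
            severity = "review"
        findings.append(ExclusionChange(ev["time"], path, severity))
    return findings


def message_5007(new_value: str) -> str:
    """Build a 5007-style message body (constructed approximation of the real wording)."""
    return (
        "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
        "event you should review the settings as this may be the result of malware.\n"
        "\tOld value: \n"
        "\tNew value: " + new_value
    )


# Constructed sample events (not real log exports). The drive letter is made up;
# the excluded folder is the one the article names.
SAMPLE_EVENTS = [
    {"time": "2025-08-31T10:02:13Z", "id": 5007,
     "message": message_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe = 0x0")},
    {"time": "2025-08-31T11:15:00Z", "id": 5007,
     "message": message_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0")},
    {"time": "2025-08-31T12:00:00Z", "id": 5007,
     "message": message_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Dev\build = 0x0")},
    {"time": "2025-08-31T12:30:00Z", "id": 1116,
     "message": "Microsoft Defender Antivirus has detected malware."},
]

if __name__ == "__main__":
    for f in triage_exclusion_events(SAMPLE_EVENTS):
        print(f"{f.time} [{f.severity}] exclusion added: {f.path}")
```

On a live host the same check can be made directly with PowerShell's `(Get-MpPreference).ExclusionPath`; the event-log approach has the advantage of showing when the exclusion appeared, which lines up with the patch installation time.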

Game2.bat unpacking files inside password-protected archives and then executing it (Source – G Data)

The StealC component targets several browsers, including Google Chrome, Brave Browser, and Microsoft Edge, reading their respective Local State files to extract stored credentials and other sensitive data.

The malware uses the outdated RC4 cipher to obfuscate its API call names and key strings, and connects to a secondary C2 server at hxxp://45[.]83[.]28[.]99 for data exfiltration, illustrating the campaign's use of distributed infrastructure to preserve its operational security.
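RC4 string obfuscation is an analyst's problem rather than a serious cryptographic one: once the key is located in the sample, every obfuscated string can be recovered with a few lines of code. The following Python is an added example for that recovery step, not code from the article or G Data; the demo key and the `GetProcAddress` string are constructed here, not values taken from the BlockBlasters sample, and `try_keys` is a simple printable-text heuristic for confirming a candidate key.

```python
"""RC4 string recovery helper for samples that obfuscate API names and other strings."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) then the keystream generator (PRGA) XORed over data.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes) -> bool:
    """Heuristic used to confirm a candidate key: printable ASCII (plus tab/CR/LF) only."""
    return len(blob) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in blob)


def try_keys(ciphertext: bytes, candidates):
    """Return the first candidate key whose decryption reads as text, else None."""
    for key in candidates:
        if looks_like_text(rc4(key, ciphertext)):
            return key
    return None


# Constructed demo values: a key and an API name chosen here, not taken from the sample.
DEMO_KEY = b"constructed-demo-key"
DEMO_BLOB = rc4(DEMO_KEY, b"GetProcAddress")

if __name__ == "__main__":
    print("obfuscated:", DEMO_BLOB.hex())
    print("recovered :", rc4(DEMO_KEY, DEMO_BLOB).decode())
```

The implementation can be checked against the standard RC4 test vectors (key `Key` with plaintext `Plaintext` gives `bbf316e8d940af0ad3`), which is worth doing before trusting any strings it recovers from a real sample.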
