{“lastseen”:”2025-10-08T10:05:11″,”description”:”You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. \u201cCan you test my game?\u201d they ask. \\n\\nThe webpage they send over a link to looks legit: screenshots, dev blurb, itch.io-style layout, and the download button is right there, waiting to be clicked. \\n\\nThe problem is these lookalike pages don\u2019t give you the real game. Instead they drop a stealthy loader that quietly prepares your PC for follow-up malware. \\n\\nOne lure we\u2019ve seen impersonates the popular 2D platformer Archimoulin (the real game can be found here: nicolasduboc.itch.io\/archimoulin). \\n\\n\\n\\n## How they spread it – social engineering 101 \\n\\nThis scam nails two things gamers trust: friends and downloads. \\n\\n 1. **A trusted delivery channel.** The lure often arrives in a DM from someone in your friends list\u2014usually because the attacker used a compromised account. People are far more likely to click links from friends. \\n\\n\\n 2. **Familiar hosting and UI.** The impersonators use Blogspot subdomains or cloud links and fake itch-style pages so the site looks legitimate. Sometimes downloads are served via Dropbox or similar service people trust. \\n\\n\\n 3. **A convincing****sign-****in page.** Some variants present a fake Discord sign-in page first to harvest credentials. This hands the attacker control of your account, which they can use to spread the link to your contacts. \\n\\n\\n\\nReddit threads from victims show this pattern again and again: an innocuous \u201ctest my game\u201d DM, a convincing page, then account takeover and mass-messaging to the victim\u2019s friends. \\n\\n## What actually happens when you click? \\n\\nHere\u2019s what the user sees, and what the stealth loader is really doing: \\n\\n * Double-click the downloaded `Setup Game.exe` and\u2026 nothing obvious happens. No installer UI, no progress bar. (That\u2019s deliberate \u2013 the attacker wants the install to happen without alarming you.) \\n\\n\\n * The executable spawns PowerShell with a long, encoded command. (Attackers hide commands in encoded strings so the malicious script isn\u2019t obvious at first glance.) \\n\\n\\n * The command decodes another script and runs it directly in memory. (Running in memory means the malware doesn\u2019t leave a neat file on disk for antivirus to find, so it\u2019s harder to detect.) \\n\\n\\n * That inner script hides the PowerShell window using a tiny .NET trick, so there\u2019s no black console popping up to make you suspicious. (With no visible window there\u2019s nothing to make you stop and ask what\u2019s running.) \\n\\n\\n * The code tries to relaunch itself with admin rights (`runAs`) and compiles a small helper on the fly using `csc.exe`. (You\u2019ll see temp folders and `RES*.tmp` files while it runs.) \\n\\n\\n * It unpacks a Node.js runtime and native modules into your user cache (`C:\\\\Users\\\\\\u003cyou\\u003e\\\\.cache\\\\pkg\\\\…`). (The malware is giving itself a toolkit, making it more flexible in what it can do next.) \\n\\n\\n * The installer even runs `taskkill` to force-close major browsers (Chrome, Brave, Firefox, Edge, and Opera). (That stops you from immediately googling what\u2019s happening and then stopping the install.) \\n\\n\\n * In our sandbox run it didn\u2019t phone home right away; instead it performed checks (net session, registry queries, BIOS\/network checks) to confirm it\u2019s on a \u201creal\u201d machine, then waits for the right moment to download the main payload. (Malware often avoids sandboxes, looking for signs it\u2019s on a real user\u2019s computer before unleashing the main payload.) \\n\\n\\n\\n**Bottom line:** The `Setup Game.exe` is a stager\/loader – quiet on purpose, ready to pull down follow-up malware (backdoors, keyloggers, coinminers, or worse) when conditions match what the attacker wants. \\n\\n## What to watch out for \\n\\n * **Unexpected DM with a download link:** If you get a message**** offering an indie game you didn\u2019t expect, verify it with the sender on another channel first. \\n\\n\\n * **N****o installer UI****but strange behavior after running:** If there\u2019s no installer window or progress bar, but your browsers crash or you see temporary compile folders appear, that\u2019s a red flag. \\n\\n\\n * **Unexpected folders appear:** Look for new folders you didn\u2019t create, like `C:\\\\Users\\\\\\u003cyou\\u003e\\\\.cache\\\\pkg\\\\\u2026` or `%TEMP%\\\\xlfvhkx3\\\\\u2026` especially if you haven\u2019t installed developer tools. \\n\\n\\n * **PowerShell showing**`-EncodedCommand`**:** Check running processes logs for signs a hidden script is running. \\n\\n\\n\\n## What to do if you already ran it \\n\\nAct quickly and use a different, clean device for the first steps. \\n\\n * From another device, change your passwords (Discord, email, Steam) and enable 2FA. \\n\\n\\n * Log out all sessions and revoke authorised apps\/tokens. \\n\\n\\n * Disconnect the infected PC and run a full Malwarebytes scan. \\n\\n\\n * Remove obvious new files\/folders (e.g., `C:\\\\Users\\\\\\u003cyou\\u003e\\\\.cache\\\\pkg\\\\\u2026`, `%TEMP%\\\\xlfvhkx3\\\\\u2026`). \\n\\n\\n * Tell your friends not to click links from your account and report the pages to the host (Blogger\/Dropbox) and your platform (Discord\/Steam). \\n\\n\\n * If you see signs of deeper compromise, back up essentials and do a clean reinstall or get professional help. \\n\\n\\n\\n## Final note\u2014indie communities are built on trust \\n\\nArchimoulin is an indie game; the fake pages are not. Scammers are exploiting the goodwill between players and creators. That\u2019s the worst bit of all: it weaponizes the community itself. \\n\\nA quick sanity check\u2014to pause, verify the URL, and ask the sender via another app\u2014is all it takes to avoid the hassle of cleaning up a compromised PC (or losing your account and friends). Share this with your clan: one click is all it takes for an attacker to turn a fun, indie moment into a mess. \\n\\n## Indicators of compromise (IOCs) \\n\\ncakewind[.]blogspot.com \\n\\ncarnagev1[.]blogspot.com \\n\\nkelarigame[.]blogspot.com \\n\\nklorigame[.]blogspot.com \\n\\nmeraliagame[.]blogspot.com \\n\\nravielchy[.]blogspot.com \\n\\nravielchygame[.]blogspot.com \\n\\ntamunagame[.]blogspot.com \\n\\nveriliagame[.]blogspot.com \\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!”,”published”:”2025-10-08T09:17:20″,”modified”:”2025-10-08T09:17:20″,”type”:”malwarebytes”,”title”:”\u201cCan you test my game?\u201d Fake itch.io pages spread hidden malware to gamers”,”source”:””,”references”:””,”id”:”MALWAREBYTES:6E8AF93E2C3863E99B98163AED822066″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2025\/10\/can-you-test-my-game-fake-itch-io-pages-spread-hidden-malware-to-gamers”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-08T10:05:11″,”description”:”You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. \u201cCan you test my game?\u201d they ask….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-20639","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n