{"id":8981,"date":"2025-07-25T14:50:34","date_gmt":"2025-07-25T14:50:34","guid":{"rendered":"http:\/\/localhost\/?p=8981"},"modified":"2025-07-25T14:50:34","modified_gmt":"2025-07-25T14:50:34","slug":"steam-games-abused-to-deliver-malware-once-again","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8981","title":{"rendered":"Steam games abused to deliver malware once again"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Steam games abused to deliver malware once again<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">MALWAREBYTES:0FA1A58F8C695A8CCB88A23F3AD618F0<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">malwarebytes<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-25T16:41:30<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-25T16:41:30<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nA cybercriminal known as EncryptHub (aka 
Larva-208) has reportedly abused the online game platform Steam to distribute information stealers.<\/p>\n<p>EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is a survival adventure game that puts the player in a world ravaged by a catastrophic natural disaster\u2026 which is nothing compared to the real-world disasters that can be caused by information stealers.<\/p>\n<p>Chemia has not been publicly released yet, but was available in Early Access on Steam. Steam offers Early Access to certain games primarily as a development model that allows players to purchase and play games while they are still in progress, rather than waiting for a full official release. It helps developers receive direct, ongoing feedback from the community, which they can use to find bugs, balance gameplay, and improve features.<\/p>\n<p>According to security researchers at the Proactive Defense Against Future Threats (PRODAFT), the initial compromise took place on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application.<\/p>\n<p>The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.<\/p>\n<p>Vidar is a Malware-as-a-Service information stealer that uses public networks such as social media, communication platforms\u2014and Steam\u2014as part of its Command &#038; Control infrastructure.<\/p>\n<p>HijackLoader is a malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.<\/p>\n<p>Fickle Stealer is a relatively new information stealer that uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.<\/p>\n<p>As we have explained many times before, information stealers can turn your life upside down. 
Depending on what is stored on the infected device, the consequences can range from financial damage to identity theft.<\/p>\n<p>In another case of abuse of the Steam platform, we saw a cybercriminal use a sniper video game to distribute malware to unsuspecting gamers. But that criminal didn\u2019t circulate the malicious demo on Steam directly. Instead, the game\u2019s Steam page featured a link to the developer\u2019s external website promoting a demo that turned out to be malware.<\/p>\n<p>A month before that, a game called PirateFi was released on Steam, but turned out to be circulating malware amongst gamers.<\/p>\n<p>With Steam\u2019s huge user base (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to get hold of valuable digital assets, direct financial information, and personal information.<\/p>\n<h4>How to stay safe<\/h4>\n<p>Some tips to help gamers stay clear of downloading malicious software:<\/p>\n<ul>\n<li>Do not act on direct messages and other unsolicited invitations to try out a game. Random people asking you to download something should be treated as suspicious.<\/li>\n<li>Verify invitations from \u201cfriends\u201d through a different channel, such as texting them directly or contacting them on another social media platform. 
This is because their current account may have been compromised.<\/li>\n<li>Make sure to run an up-to-date and active anti-malware solution on your computer.<\/li>\n<\/ul>\n<p><img src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/07\/protected.png\" alt=\"Malwarebytes blocks reaitek.com\" \/><br \/><em>Malwarebytes blocking the domain hosting the PowerShell script<\/em><\/p>\n<p>If you have tried the Chemia game, run a full system anti-malware scan.<\/p>\n<h4>Indicators of compromise<\/h4>\n<p><strong>Domains:<\/strong><\/p>\n<p>soft-gets[.]com<\/p>\n<p>reaitek[.]com<\/p>\n<p>safesurf.fastdomain-uoemathhvq.workers[.]dev<\/p>\n<p><strong>Fickle downloader hash:<\/strong><\/p>\n<p>ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b<\/p>\n<p><strong>Fickle Stealer hash:<\/strong><\/p>\n<p>6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825<\/p>\n<p><strong>Vidar Stealer hash:<\/strong><\/p>\n<p>2cd8c0e75cf76381f06dfe465a542e52eefa713b0bea2557763e0c0c45b21481<\/p>\n<p><strong>HijackLoader hashes:<\/strong><\/p>\n<p>9a733b2de84e2bf466287abd034b04b18c8c269535606e8f6403eee2a3b288c4<\/p>\n<p>12935315254175719cbbaad0b213204ddebd4100ffc551d54f8cf39ced1be227<\/p>\n<hr \/>\n<p><strong>We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by downloading Malwarebytes today.\n<\/p><\/div>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/07\/steam-games-abused-to-deliver-malware-once-again\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Steam games abused to deliver malware once again Update ID MALWAREBYTES:0FA1A58F8C695A8CCB88A23F3AD618F0 Type malwarebytes Published 2025-07-25T16:41:30 Last Updated 2025-07-25T16:41:30 Security&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-8981","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Steam games abused to deliver malware once again - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8981\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Steam games abused to deliver malware once again - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Steam games abused to deliver malware once again Update ID MALWAREBYTES:0FA1A58F8C695A8CCB88A23F3AD618F0 Type malwarebytes Published 2025-07-25T16:41:30 Last Updated 
2025-07-25T16:41:30 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8981\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-25T14:50:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Steam games abused to deliver malware once again\",\"datePublished\":\"2025-07-25T14:50:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981\"},\"wordCount\":712,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8981#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981\",\"name\":\"Steam games abused to deliver malware once again - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-25T14:50:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8981\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8981#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Steam games abused to deliver malware once again\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Steam games abused to deliver malware once again - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8981","og_locale":"en_US","og_type":"article","og_title":"Steam games abused to deliver malware once again - zero redgem","og_description":"Security Update News Update Information Title Steam games abused to deliver malware once again Update ID MALWAREBYTES:0FA1A58F8C695A8CCB88A23F3AD618F0 Type malwarebytes Published 2025-07-25T16:41:30 Last Updated 2025-07-25T16:41:30 Security...","og_url":"https:\/\/zero.redgem.net\/?p=8981","og_site_name":"zero redgem","article_published_time":"2025-07-25T14:50:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8981#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8981"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Steam games abused to deliver malware once again","datePublished":"2025-07-25T14:50:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8981"},"wordCount":712,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8981#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8981","url":"https:\/\/zero.redgem.net\/?p=8981","name":"Steam games abused to deliver malware once again - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-25T14:50:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8981#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8981"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8981#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Steam games abused to deliver malware once again"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8981"}],"version-history":[{"count":0,"href":"https
:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8981\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}