In a recent cybersecurity incident, the popular 2D platformer game BlockBlasters became the vector for a sophisticated malware campaign, compromising the systems of numerous Steam users. The attack was executed through a deceptive patch update, underscoring the growing trend of cybercriminals exploiting trusted gaming platforms to distribute malicious software.
Background on BlockBlasters and the Malicious Patch
Developed by Genesis Interactive, BlockBlasters was released on July 31, 2025, and quickly gained acclaim within the gaming community for its engaging gameplay. However, on August 30, 2025, a patch labeled Build 19799326 was deployed which, unbeknownst to users, contained multi-stage malware designed to steal sensitive information.
Discovery and Analysis of the Malware
The malicious activity was identified by G Data analysts after their MXDR platform detected unusual behaviors within the game’s patch files. The malware had successfully bypassed Steam’s initial security screenings, allowing it to be distributed widely among players. This incident is part of a disturbing pattern of similar attacks on Steam games, such as the PirateFi and Chemia cases, highlighting the platform’s vulnerability to sophisticated infiltration attempts.
Technical Breakdown of the Infection Mechanism
The malware operates through a complex three-stage infection process:
1. Initial Execution: The process begins with a seemingly harmless batch file named `game2.bat`. This file performs reconnaissance by collecting the user’s IP and location information through legitimate services like ipinfo.io and ip.me. It also scans for installed antivirus products to assess the system’s security defenses.
2. Credential Harvesting: The batch file extracts Steam login credentials, including SteamID, AccountName, PersonaName, and RememberPassword data. This information is then uploaded to a command and control (C2) server at `hxxp://203.188.171.156:30815/upload`.
3. Payload Deployment: The malware uses password-protected ZIP archives (password: 121) to download additional payloads, evading initial detection mechanisms. It deploys VBS loader scripts (`launch1.vbs` and `test.vbs`) that execute further batch files while maintaining stealth through hidden console execution. The `test.bat` component specifically targets browser extensions and cryptocurrency wallet data, indicating a focus on financial information.
Final Payloads and Data Exfiltration
In the final stage, two primary payloads are deployed:
– Client-built2.exe: A Python-compiled backdoor that establishes persistent communication with the C2 infrastructure.
– Block1.exe: Contains the StealC information stealer, which targets multiple browsers, including Google Chrome, Brave Browser, and Microsoft Edge, to extract stored credentials and sensitive information.
The malware also adds its own execution directory to Microsoft Defender’s exclusion list using the path `Drive:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\`, so that the files it drops there are skipped by Defender and it can keep running without triggering security alerts.
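The detection angle on the indicators listed above, as an added triage script that is not part of the original write-up or of G Data’s tooling: it scans constructed network, Defender and file-listing samples for the C2 endpoint, the IP-lookup hosts used for reconnaissance, the Defender exclusion path and the stage-file names. The indicator values come from the article; the key=value network log format, the text rendering of Defender’s configuration-change event (EventID 5007) and all sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the write-up. The C2 URL is defanged there; host and port are
# kept separate here so log lines can be matched without ever forming the URL.
C2_HOST = "203.188.171.156"
C2_PORT = "30815"
RECON_HOSTS = {"ipinfo.io", "ip.me"}  # queried by game2.bat for IP/location lookup
STAGE_FILES = {
    "game2.bat", "launch1.vbs", "test.vbs", "test.bat",
    "client-built2.exe", "block1.exe",
}
# Directory the malware adds to Defender's exclusions; the drive letter varies per machine,
# so only the path below the drive is matched.
EXCLUSION_DIR_RE = re.compile(
    r"SteamLibrary\\steamapps\\common\\BlockBlasters\\Engine\\Binaries\\ThirdParty\\Ogg\\cwe\\?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    source: str      # telemetry the hit came from
    indicator: str   # short label for the matched indicator
    confidence: str  # high / medium / low
    evidence: str    # the log line or path that matched


def scan_network_log(lines):
    """Flag the C2 upload endpoint (high) and the IP-lookup services used for recon (low).
    Assumed line shape: key=value fields including 'dst=IP:PORT' and optionally 'host=NAME'."""
    findings = []
    for line in lines:
        dst = re.search(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line)
        if dst and dst.group(1) == C2_HOST and dst.group(2) == C2_PORT:
            findings.append(Finding("network", "c2_upload", "high", line.strip()))
            continue
        host = re.search(r"host=([\w.-]+)", line)
        if host and host.group(1).lower() in RECON_HOSTS:
            findings.append(Finding("network", "recon_lookup", "low", line.strip()))
    return findings


def scan_defender_log(lines):
    """Flag Defender configuration-change events that add the Ogg\\cwe directory as an exclusion.
    Assumption: events are rendered as text containing 'EventID=5007' and the new registry
    value under ...\\Exclusions\\Paths\\ (this rendering is constructed for the example)."""
    findings = []
    for line in lines:
        if "EventID=5007" in line and "Exclusions\\Paths" in line and EXCLUSION_DIR_RE.search(line):
            findings.append(Finding("defender", "exclusion_added", "high", line.strip()))
    return findings


def scan_file_listing(paths):
    """Flag stage-file names from the write-up when they sit inside the BlockBlasters install
    directory; the same names elsewhere are too generic to act on."""
    findings = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in STAGE_FILES and "\\blockblasters\\" in path.lower():
            findings.append(Finding("filesystem", "stage_file", "medium", path))
    return findings


def triage(network_lines, defender_lines, file_paths):
    """Run all three scanners and return the findings in scan order."""
    return (scan_network_log(network_lines)
            + scan_defender_log(defender_lines)
            + scan_file_listing(file_paths))


# Constructed sample telemetry (not real captures); 203.0.113.x and 198.51.100.x are
# documentation address ranges standing in for the lookup service and the Steam store.
SAMPLE_NETWORK = [
    "2025-08-30T21:13:58Z proto=tcp src=192.168.1.20:51320 dst=203.0.113.10:443 host=ipinfo.io",
    "2025-08-30T21:14:02Z proto=tcp src=192.168.1.20:51322 dst=203.188.171.156:30815 uri=/upload",
    "2025-08-30T21:14:05Z proto=tcp src=192.168.1.20:51324 dst=198.51.100.7:443 host=store.steampowered.com",
]
SAMPLE_DEFENDER = [
    r"2025-08-30T21:14:10Z EventID=5007 Windows Defender configuration has changed. "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\SteamLibrary\steamapps"
    r"\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\ = 0x0",
    r"2025-08-30T20:00:00Z EventID=1001 Windows Defender scan has finished.",
]
SAMPLE_FILES = [
    r"D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\game2.bat",
    r"D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\launch1.vbs",
    r"D:\SteamLibrary\steamapps\common\BlockBlasters\BlockBlasters.exe",
    r"C:\Users\alice\Desktop\test.bat",  # same name outside the game directory: not flagged
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_NETWORK, SAMPLE_DEFENDER, SAMPLE_FILES):
        print(f"[{hit.confidence}] {hit.source}:{hit.indicator} -> {hit.evidence}")
```

The confidence levels reflect how specific each indicator is: a connection to the exact C2 host and port, or an exclusion for that exact directory, is actionable on its own, while a lookup to ipinfo.io is only worth noting when it appears next to the other hits, which is why the script reports everything together rather than alerting on the recon hosts alone.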
Implications and Recommendations
This incident represents a significant escalation in gaming-focused malware campaigns, as threat actors continue to refine their techniques for distributing malicious payloads through legitimate software distribution channels. The multi-stage infection process and the range of sensitive data targeted make it a comprehensive information theft operation rather than a simple malware installation.
To protect against such threats, users are advised to:
– Verify Updates: Always ensure that game updates and patches are downloaded from official and trusted sources.
– Monitor System Behavior: Be vigilant for unusual system behavior following an update, such as unexpected requests for credentials or system slowdowns.
– Maintain Security Software: Keep antivirus and anti-malware software up to date to detect and prevent unauthorized activities.
– Back Up Regularly: Regularly back up important data to mitigate the impact of potential data loss due to malware infections.
By adopting these practices, users can enhance their security posture and reduce the risk of falling victim to similar malware campaigns.