Steam Users Targeted by Malicious PirateFi Game Delivering Vidar Malware

The world of gaming has once again been hit by a cybersecurity threat, as a seemingly innocent game on Steam turned out to be a delivery vehicle for malicious software. A free-to-play game named PirateFi was discovered to be distributing the Vidar infostealing malware, compromising the security of up to 1,500 unsuspecting users. The game was available on the Steam store for nearly a week, from February 6th to February 12th, before it was taken down.
Malware on Steam: How PirateFi Became a Cyber Threat
The game, developed by Seaworth Interactive, was presented as a survival title with base-building, weapon crafting, and food-gathering mechanics. It even garnered positive reviews before its malicious nature was uncovered. The game’s listing on the Steam store appeared legitimate, further adding to the deception.
Earlier this week, Steam detected the presence of malware within PirateFi and promptly removed it from the platform. While Steam did not initially disclose the specific type of malware, affected users received notifications warning them about the infection risk.
“The Steam account of the developer for this game uploaded builds to Steam that contained suspected malware,” read the official Steam notification.
“You played PirateFi (3476470) on Steam while these builds were active, so it is likely that these malicious files launched on your computer.”
In response, Steam recommended users conduct full system scans using up-to-date antivirus software, check for unfamiliar installed applications, and consider reinstalling Windows as a precautionary measure. Given the severity of the compromise, these steps were deemed necessary to prevent further data theft or security breaches.
Understanding the Vidar Infostealer
The malware was analyzed by cybersecurity researchers, including Marius Genheimer from SECUINFRA Falcon Team, who identified it as a variant of the Vidar infostealer.
Vidar is a well-known malware designed to steal sensitive data, including credentials, session cookies, cryptocurrency wallets, and email accounts. Once executed on an infected device, it exfiltrates this information to command-and-control (C2) servers operated by the attackers.
“If you are one of the players who downloaded this game, consider the credentials, session cookies, and secrets saved in your browser, email client, cryptocurrency wallets, etc., compromised,” warned SECUINFRA.
Users were advised to immediately change passwords for all affected accounts and enable multi-factor authentication (MFA) wherever possible to mitigate damage.
Technical Details of the Malware Infection
The malware payload was disguised within the game’s executable file (Pirate.exe), with the actual malware (Howard.exe) being packed inside an InnoSetup installer. The attacker modified the game files multiple times, employing various obfuscation techniques to evade detection and continuously updating the C2 servers used for data exfiltration.
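A local triage check built from the identifiers reported above (app ID 3476470, Pirate.exe, Howard.exe, InnoSetup packaging), added here as an example and not taken from Steam or SECUINFRA. It assumes Steam's appmanifest_<appid>.acf naming inside a steamapps folder and treats the "Inno Setup Setup Data" header string as a heuristic marker; the sample folder and its bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

APP_ID = "3476470"                            # PirateFi app ID from the Steam notice
SUSPECT_NAMES = {"pirate.exe", "howard.exe"}  # file names reported in the article
INNO_MARKER = b"Inno Setup Setup Data"        # assumption: header string in Inno Setup installers

def contains_marker(path, marker=INNO_MARKER, chunk=1 << 20):
    """Stream the file and report whether the marker occurs, even across chunk edges."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if marker in tail + block:
                return True
            tail = (tail + block)[-(len(marker) - 1):]
    return False

def sha256_of(path):
    """Hash the file so a finding can be compared against published indicators."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(1 << 20):
            digest.update(block)
    return digest.hexdigest()

def triage_library(steamapps):
    """Return evidence that PirateFi was installed under one steamapps folder."""
    steamapps = Path(steamapps)
    report = {"manifest": (steamapps / f"appmanifest_{APP_ID}.acf").is_file(), "files": []}
    for path in steamapps.rglob("*"):
        if path.is_file() and path.name.lower() in SUSPECT_NAMES:
            report["files"].append({"path": str(path), "sha256": sha256_of(path),
                                    "inno_setup": contains_marker(path)})
    report["files"].sort(key=lambda item: item["path"])
    return report

def build_sample(root):
    """Constructed sample layout (harmless dummy bytes) for a dry run."""
    game = Path(root) / "common" / "PirateFi"   # folder name is an assumption
    game.mkdir(parents=True)
    (Path(root) / f"appmanifest_{APP_ID}.acf").write_text('"AppState" {}')
    (game / "Pirate.exe").write_bytes(b"MZ" + b"\0" * 64 + INNO_MARKER + b" (6.2.0)")
    (game / "readme.txt").write_text("not flagged")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_library(build_sample(tmp)))
```

Point triage_library at each steamapps folder on the machine. A missing manifest does not clear a host, since uninstalling the game removes it.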
Given the name PirateFi, which includes references to Web3, blockchain, and cryptocurrency, some experts believe that the game specifically targeted users interested in digital assets. This demographic is often a prime target for cybercriminals due to their potential to hold valuable crypto funds.
Impact and Steam’s Response
Although Steam has not disclosed the exact number of affected users, statistics indicate that up to 1,500 individuals may have downloaded PirateFi before it was taken down. Impacted players took to the game’s Steam Community page to issue warnings, reporting that their antivirus software flagged the game as malware.
This is not the first time malware has infiltrated Steam. In February 2023, malicious game modes in Dota 2 exploited a Chrome vulnerability to execute remote code on players’ computers. Later that year, in December, hackers compromised a mod for Slay the Spire, injecting an ‘Epsilon’ infostealer dropper into the game.
In an effort to combat such threats, Steam has implemented additional security measures, such as SMS-based verification for developers updating their games. However, the PirateFi incident demonstrates that these safeguards are not always sufficient in preventing the distribution of malicious software.
Preventing Future Malware Infections on Steam
The PirateFi incident highlights a growing cybersecurity concern within the gaming industry. As digital marketplaces like Steam continue to expand, they become increasingly attractive targets for cybercriminals. To prevent similar incidents in the future, users and platforms alike must take additional precautions:
For Gamers:
- Verify the Credibility of Developers — Before downloading a game, check the developer’s history and reputation on Steam and other platforms.
- Use Reliable Antivirus Software — Keep security tools updated and run regular scans to detect potential threats.
- Be Cautious with New Titles — Avoid downloading lesser-known games immediately after release. Wait for user feedback and independent reviews.
- Enable Multi-Factor Authentication — Secure all accounts, especially those related to gaming and financial transactions, with MFA.
- Monitor for Unusual Activity — Keep an eye on login attempts, changes in game files, or unexpected software installations.
For Steam and Other Gaming Platforms:
- Enhance Vetting Processes — Implement stricter verification for new developers, especially those publishing free-to-play games.
- Improve Malware Detection — Utilize AI-driven security tools to scan new uploads for suspicious activity.
- Increase Community Reporting Features — Make it easier for users to report suspicious games, leading to faster investigations.
- Implement Sandboxing for New Titles — Run new games in a restricted environment before allowing full distribution.
- Provide Better Transparency — Clearly communicate with users regarding security threats and remediation steps.
Conclusion
The PirateFi malware incident serves as a stark reminder that even reputable gaming platforms like Steam are not immune to cyber threats. While immediate action has been taken to remove the game and warn affected users, the breach underscores the need for stronger security measures across the industry.
As cybercriminals continue to evolve their tactics, gamers must remain vigilant when downloading and playing new titles. Likewise, digital storefronts must bolster their defenses to prevent similar threats from resurfacing in the future. By adopting proactive security measures, both players and platforms can better safeguard their data and gaming experiences from malicious actors.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.




Comments (1)
PirateFi Game Delivering Vidar Malware Sucks! Great work, fantastic job