A seemingly innocent patch update for the popular 2D platformer game BlockBlasters has transformed into a sophisticated malware campaign, exposing hundreds of Steam users to data theft and system compromise.
The malicious patch, deployed on August 30, 2025, demonstrates how threat actors are increasingly exploiting the gaming ecosystem to distribute information-stealing malware while users remain unaware of the ongoing compromise.
BlockBlasters, developed by Genesis Interactive and initially released on July 31, 2025, had garnered positive reviews from the gaming community before becoming the latest victim in a growing trend of Steam game infections.
The malicious Build 19799326 patch contains multiple files that exhibit dangerous behaviors, transforming what appeared to be a routine game update into a multistage attack capable of exfiltrating sensitive user data including cryptocurrency wallet information, browser credentials, and Steam login details.
G Data analysts identified the malware campaign after their MXDR platform flagged the suspicious activities within the game’s patch files.
The security researchers discovered that the threat actors had successfully bypassed Steam’s initial security screening, allowing the deployment of malicious updates that could potentially affect hundreds of players who had the game installed on their systems.
This incident follows a concerning pattern of similar attacks on Steam games, including the notable PirateFi and Chemia cases, highlighting the platform’s ongoing vulnerability to such sophisticated infiltration attempts.
The attack represents a significant escalation in gaming-focused malware campaigns, as threat actors continue to refine their techniques for distributing malicious payloads through legitimate software distribution channels.
The incident particularly stands out due to its multistage infection process and the range of sensitive data it targets, making it a comprehensive information theft operation rather than a simple malware installation.
Technical Infection Mechanism and Payload Delivery
The BlockBlasters malware operates through a sophisticated three-stage infection mechanism that begins with the execution of a seemingly benign batch file named game2.bat.
This initial payload performs several reconnaissance functions, including collecting IP and location information through queries to legitimate services like “ipinfo[.]io” and “ip[.]me”, while simultaneously detecting installed antivirus products to assess the target environment’s security posture.
The batch file’s primary function involves collecting Steam login credentials, including SteamID, AccountName, PersonaName, and RememberPassword data, which it then uploads to the command and control server located at hxxp://203[.]188[.]171[.]156:30815/upload.
The malware employs password-protected ZIP archives with the password “121” to conceal its payloads during download, effectively evading initial detection mechanisms.
Upon successful environment assessment, the malware deploys VBS loader scripts (launch1.vbs and test.vbs) that execute additional batch files while maintaining stealth through hidden console execution.
The test.bat component specifically targets browser extensions and cryptocurrency wallet data, demonstrating the campaign’s focus on high-value financial information.
The final stage involves the deployment of two primary payloads: Client-built2.exe, a Python-compiled backdoor that establishes persistent communication with the C2 infrastructure, and Block1.exe, which contains the StealC information stealer.
The malware strategically adds its execution directory to Microsoft Defender’s exclusion list using the path Drive:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe, ensuring continued operation without triggering security alerts.
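A defender-side check for the Defender exclusion abuse described above, added here as an example and not code from G Data or from the article: it flags Defender exclusion paths that fall under a Steam library's steamapps\common folder (games do not normally need one) and matches file names against the artifacts named in this write-up. The exclusion list and directory listing are constructed samples; on a real host they would come from the ExclusionPath property of Get-MpPreference and a directory walk.

```python
import re
from pathlib import PureWindowsPath

# File names taken from the BlockBlasters analysis above (no hashes are given there).
SUSPECT_FILES = {"game2.bat", "launch1.vbs", "test.vbs", "test.bat",
                 "client-built2.exe", "block1.exe"}

# A Defender exclusion pointing inside a Steam game folder is unusual: games do not
# need one, and this campaign used exactly such a path to hide its drop directory.
STEAM_GAME_DIR = re.compile(r"[\\/]steamapps[\\/]common[\\/]", re.IGNORECASE)


def is_steam_game_exclusion(path: str) -> bool:
    """True if an exclusion path lies under <library>\\steamapps\\common\\."""
    norm = str(PureWindowsPath(path)) + "\\"   # normalise '/' to '\\', re-add trailing sep
    return STEAM_GAME_DIR.search(norm) is not None


def suspicious_exclusions(exclusions):
    """Subset of Defender ExclusionPath entries that sit inside Steam game folders."""
    return [p for p in exclusions if is_steam_game_exclusion(p)]


def suspicious_files(listing):
    """Paths whose basename matches one of the artifacts named in the write-up."""
    return [f for f in listing if PureWindowsPath(f).name.lower() in SUSPECT_FILES]


def triage(exclusions, listing):
    """Combine both checks into one report for a host."""
    return {"exclusions": suspicious_exclusions(exclusions),
            "files": suspicious_files(listing)}


if __name__ == "__main__":
    # Constructed sample data modelled on the article, not output from a real host.
    sample_exclusions = [
        r"C:\Program Files\MyBackupTool",
        r"D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe",
        "D:/SteamLibrary/steamapps/common/OtherGame/",   # forward slashes, trailing separator
    ]
    sample_listing = [
        r"D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\game2.bat",
        r"D:\SteamLibrary\steamapps\common\BlockBlasters\BlockBlasters.exe",
        r"C:\Users\alice\Downloads\Block1.exe",
    ]
    for kind, hits in triage(sample_exclusions, sample_listing).items():
        print(kind, hits)
```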
The StealC component targets multiple browsers including Google Chrome, Brave Browser, and Microsoft Edge, accessing their respective Local State files to extract stored credentials and sensitive information.
The malware uses deprecated RC4 encryption to obfuscate its API calls and key strings, connecting to a secondary C2 server at hxxp://45[.]83[.]28[.]99 for data exfiltration operations, demonstrating the campaign’s distributed infrastructure approach to maintaining operational security.