Since its release in October, Battlefield 6 has become one of the year’s most anticipated game launches. However, cybercriminals have quickly seized on this popularity to distribute malicious software.
Attackers have created fake cracked versions of the game and fraudulent game trainers, spreading them across torrent websites and underground forums to target unsuspecting players and individuals searching for game modifications.
The malicious campaigns impersonate well-known game cracking groups like InsaneRamZes and RUNE, using their legitimate names to gain user trust and credibility. This tactic mirrors common brand impersonation attacks used in other sectors.
The criminals have developed three distinct types of malware, each serving different objectives ranging from stealing browser data and cryptocurrency wallet credentials to establishing persistent remote control over infected systems.
Bitdefender Labs security researchers identified these malware campaigns after analyzing multiple samples.
The investigation revealed that none of the malicious files contain actual Battlefield 6 functionality, and they likely originate from different threat groups based on their varying technical approaches.
The first malware sample operates as a simple but aggressive information stealer disguised as a “Battlefield 6 Trainer Installer.” Users can easily discover it on Google’s second search results page, making it highly accessible to potential victims.
Once executed, the malware scans local directories and browser profiles to extract sensitive data, including crypto wallet information, cookie sessions from browsers like Chrome, Edge, and Firefox, Discord session tokens and credentials, and cryptocurrency wallet extension data from Chrome plugins such as iWallet and Yoroi.
The stolen information travels to server 198.251.84.9 over unencrypted HTTP without any obfuscation attempts.
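Plaintext exfiltration to a bare IP is the easiest part of this stealer to catch on the wire. The following detection sketch is an added example, not code from the article or from Bitdefender: it parses constructed proxy log lines in a Squid-like layout (assumed format, sample data is made up) and raises an alert both on any contact with the server address named above and, more generally, on large POST uploads over unencrypted HTTP to a literal IP address rather than a hostname.

```python
import re
from ipaddress import ip_address

# Indicator taken from the article: exfiltration server of the "Trainer Installer" stealer.
STEALER_C2_IPS = {"198.251.84.9"}

# Constructed proxy log lines (not from the article) in an assumed Squid-like layout:
# timestamp client_ip method scheme://host:port/path status bytes_sent
SAMPLE_PROXY_LOG = """\
1730457600.101 10.0.0.15 GET http://198.51.100.7:80/index.html 200 512
1730457601.220 10.0.0.15 POST http://198.251.84.9:80/upload 200 184320
1730457602.330 10.0.0.22 POST https://example.com:443/api/login 200 1200
1730457603.440 10.0.0.22 POST http://203.0.113.9:80/gate.php 200 98304
1730457604.550 10.0.0.31 GET http://198.251.84.9:80/ 404 90
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^:/\s]+):(?P<port>\d+)(?P<path>\S*)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Threshold for "large upload over plaintext HTTP"; an assumed value to tune per environment.
PLAINTEXT_UPLOAD_BYTES = 64 * 1024


def is_literal_ip(host):
    """True when the host field is an IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def scan_proxy_log(text):
    """Return (client_ip, reason) alerts for lines matching the stealer's exfil pattern."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        f = m.groupdict()
        sent = int(f["bytes"])
        if f["host"] in STEALER_C2_IPS:
            # Known-bad indicator: any contact at all is worth an alert.
            alerts.append((f["client"], f"traffic to known stealer server {f['host']}"))
        elif (f["method"] == "POST" and f["scheme"] == "http"
              and is_literal_ip(f["host"]) and sent >= PLAINTEXT_UPLOAD_BYTES):
            # Behavioural rule: browser/wallet dumps are bulky and this family sends them in the clear.
            alerts.append((f["client"], f"large plaintext POST ({sent} bytes) to bare IP {f['host']}"))
    return alerts


if __name__ == "__main__":
    for client, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, "-", reason)
```

The behavioural rule is deliberately narrow (POST, plain HTTP, literal IP, large body) so it keeps firing if the operators rotate the server address, which is the usual fate of a single IP indicator.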
The second variant, distributed as “Battlefield 6.GOG-InsaneRamZes,” demonstrates significantly more sophistication through advanced evasion tactics.
The malware implements regional execution blocking that stops operation when it detects Russian or CIS country settings, a common self-protection measure used by groups based in those regions.
It employs Windows API hashing to obscure its operations and runs anti-sandbox detection checks using timing analysis to determine system uptime.
Additionally, memory analysis revealed references to development tools like Postman and BitBucket, suggesting the malware targets developer credentials and API keys for further exploitation.
The third sample, disguised as a Battlefield 6 ISO image, delivers a persistent command-and-control agent. The 25MB executable contains compressed data that unpacks and creates a file named “2GreenYellow.dat” in the user directory, then silently executes it using regsvr32.exe.
The installed DLL repeatedly attempts contact with ei-in-f101.1e100.net, appearing to use Google’s infrastructure as a relay or communication disguise. The C2 structure indicates capability for remote command execution or future data theft.
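Because the payload is launched through regsvr32.exe, endpoint telemetry gives a defender two things to correlate: the module regsvr32 was asked to load and the DNS lookups the resulting process makes. The block below is an added example, not code from the article or from Bitdefender; it walks constructed Sysmon-style events (assumed JSON shape, event IDs 1 and 22 as Sysmon uses them, sample data made up) and flags regsvr32 loading a module that is not a DLL, that lives under a user profile, or that carries the dropped file name from the article, then flags lookups of the C2 hostname only when they come from such a process.

```python
import json
from pathlib import PureWindowsPath

# Indicators taken from the article's description of the ISO-image sample.
DROPPED_MODULE_NAME = "2greenyellow.dat"
C2_HOSTNAME = "ei-in-f101.1e100.net"

# Extensions regsvr32 is normally asked to register; anything else is unusual.
EXPECTED_MODULE_EXTS = {".dll", ".ocx", ".ax"}

# Constructed Sysmon-style events (not from the article), one JSON object per line.
# EventId 1 = process creation, EventId 22 = DNS query. Field names are assumed.
SAMPLE_EVENTS = r"""
{"EventId": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll", "ProcessId": 4100}
{"EventId": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\2GreenYellow.dat", "ProcessId": 5228}
{"EventId": 22, "Image": "C:\\Windows\\System32\\regsvr32.exe", "QueryName": "ei-in-f101.1e100.net", "ProcessId": 5228}
{"EventId": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "ei-in-f101.1e100.net", "ProcessId": 900}
"""


def module_argument(cmdline):
    """Pick the module path out of a regsvr32 command line.
    The first token is the program itself; switches start with '/'.
    Assumes paths without spaces, as in the constructed sample."""
    tokens = [t.strip('"') for t in cmdline.split()]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else None


def detect_regsvr32_loader(lines):
    """Return (pid, reason) alerts for suspicious regsvr32 loads and C2 lookups from them."""
    alerts = []
    suspicious_pids = set()
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if ev["EventId"] == 1 and image == "regsvr32.exe":
            module = module_argument(ev.get("CommandLine", ""))
            if module is None:
                continue
            p = PureWindowsPath(module)
            reasons = []
            if p.suffix.lower() not in EXPECTED_MODULE_EXTS:
                reasons.append(f"non-DLL module extension '{p.suffix}'")
            if "users" in {part.lower() for part in p.parts}:
                reasons.append("module under a user profile directory")
            if p.name.lower() == DROPPED_MODULE_NAME:
                reasons.append("module name matches known dropped payload")
            if reasons:
                suspicious_pids.add(ev["ProcessId"])
                alerts.append((ev["ProcessId"], "regsvr32 " + "; ".join(reasons)))
        elif ev["EventId"] == 22 and ev.get("QueryName", "").lower() == C2_HOSTNAME:
            # Only alert when the lookup comes from regsvr32 or a process already flagged above;
            # the same hostname resolved by a browser is ordinary Google traffic.
            if image == "regsvr32.exe" or ev["ProcessId"] in suspicious_pids:
                alerts.append((ev["ProcessId"], f"DNS lookup of {C2_HOSTNAME} from {image}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_regsvr32_loader(SAMPLE_EVENTS):
        print(pid, "-", reason)
```

The process context matters here: 1e100.net is Google's own hostname space, so a rule that fires on the domain alone would drown in legitimate browser traffic. Tying the lookup to regsvr32, or to a process that was started from a non-DLL file in a user directory, keeps the rule usable.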
