Gamers searching for cheat scripts are being targeted by a malware campaign that uses a Lua-based loader to infect their systems. Once installed, the malware establishes persistence on the compromised machine and delivers additional payloads.
A recent report by researchers describes how cybercriminals take advantage of the popularity of Lua-based cheat engines within the gaming community, with student gamers a particular target. The malware has been observed across North America, South America, Europe, Asia, and Australia, and relies on obfuscation and other evasion techniques to avoid detection.
The campaign was first noted in March 2024, when researchers documented how users were tricked into downloading a malware loader written in Lua. Rather than exploiting any software vulnerability, the attackers abused legitimate platforms such as GitHub to host and distribute the malicious payloads.
One researcher found that the same method was used to deliver a variant of the RedLine information stealer, with malicious ZIP files hosted under legitimate repositories.
In response, GitHub has disabled the user accounts and content that violated its policies and is working on enhanced security measures. According to the latest findings, the delivery method has since evolved: the loader now ships as obfuscated Lua source rather than compiled Lua bytecode, to avoid suspicion.
The infection method itself is unchanged, however: users searching for popular cheat engines such as Solara and Electron are led to fake websites that link to malware-laden ZIP files hosted on GitHub.
Each ZIP file bundles several components: a Lua compiler, a Lua runtime interpreter, an obfuscated Lua script, and a batch file that launches the script with the bundled interpreter. Once the script runs, it contacts a remote server to download additional malware, such as Redone Stealer or CypherIT Loader, which can steal information and hide malicious processes.
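The component layout described above (bundled Lua interpreter, non-plain Lua payload, batch launcher) is itself a usable triage signal. The following is an added example, not code from the report or from any of the researchers it cites: a Python heuristic that scans a ZIP archive for that combination and also distinguishes precompiled Lua bytecode (which starts with the `\x1bLua` header) from obfuscated and plain source, the shift the report notes. The file names, the obfuscation thresholds and the sample archives are assumptions constructed for the demo, not indicators taken from the page.

```python
import io
import re
import zipfile

# Added example, not from the report. File names below are assumptions about
# what a bundled Lua toolchain looks like, not IOCs from the page.
LUA_TOOLCHAIN = {"lua.exe", "luac.exe", "luajit.exe", "lua51.dll", "lua5.1.dll", "lua54.dll"}
LUA_BYTECODE_MAGIC = b"\x1bLua"  # header of a precompiled Lua chunk
# A batch line that invokes a lua*/lua*.exe binary on a .lua file.
LAUNCH_RE = re.compile(r"\blua\w*(?:\.exe)?\b[^\r\n]*\.lua\b")


def classify_lua(data: bytes) -> str:
    """Label a .lua file's content as 'bytecode', 'obfuscated' or 'plain'."""
    if data.startswith(LUA_BYTECODE_MAGIC):
        return "bytecode"
    text = data.decode("utf-8", errors="replace")
    longest_line = max((len(line) for line in text.splitlines()), default=0)
    # Decimal (\112) and hex (\x70) escapes are a cheap way to hide strings.
    escapes = len(re.findall(r"\\(?:\d{1,3}|x[0-9a-fA-F]{2})", text))
    ident_ratio = sum(c.isalpha() or c == "_" for c in text) / max(len(text), 1)
    # Thresholds are assumptions for this demo; calibrate on your own corpus.
    if longest_line > 2000 or escapes > 100 or ident_ratio < 0.3:
        return "obfuscated"
    return "plain"


def scan_zip(blob: bytes) -> dict:
    """Inspect a ZIP held in memory and report the loader-kit indicators found."""
    report = {"toolchain": [], "lua": {}, "batch": [], "batch_runs_lua": False, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in LUA_TOOLCHAIN:
                report["toolchain"].append(info.filename)
            elif base.endswith(".lua"):
                report["lua"][info.filename] = classify_lua(zf.read(info))
            elif base.endswith((".bat", ".cmd")):
                report["batch"].append(info.filename)
                body = zf.read(info).decode("utf-8", errors="replace").lower()
                if LAUNCH_RE.search(body):
                    report["batch_runs_lua"] = True
    if report["toolchain"]:
        report["reasons"].append("bundled Lua interpreter/compiler")
    hidden = [name for name, kind in report["lua"].items() if kind != "plain"]
    if hidden:
        report["reasons"].append("non-plain Lua payload: " + ", ".join(hidden))
    if report["batch_runs_lua"]:
        report["reasons"].append("batch file launches a Lua script")
    # Two independent signals is enough to pull the archive for manual review.
    report["verdict"] = "suspicious" if len(report["reasons"]) >= 2 else "clean"
    return report


def build_sample_zip(kind: str) -> bytes:
    """Constructed sample archives for the demo; the 'dropper' is harmless."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if kind == "dropper":
            # Stage-two stand-in hidden as decimal escapes inside load(), the
            # shape a trivially obfuscated Lua script often takes.
            stage = b"print('stage two would run here')" * 4
            encoded = "".join(f"\\{b}" for b in stage)
            zf.writestr("Solara/lua.exe", b"MZ" + b"\x00" * 64)  # placeholder, not a PE
            zf.writestr("Solara/lua51.dll", b"MZ" + b"\x00" * 64)
            zf.writestr("Solara/loader.lua", f'load("{encoded}")()\n'.encode())
            zf.writestr("Solara/run.bat", b"@echo off\r\nlua.exe loader.lua\r\n")
        else:
            zf.writestr("readme.txt", b"Harmless helper scripts\n")
            zf.writestr("hello.lua", b"local name = 'world'\nprint('hello ' .. name)\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("dropper", "benign"):
        result = scan_zip(build_sample_zip(kind))
        print(kind, result["verdict"], result["reasons"])
```

The heuristic deliberately does not depend on any single file name: a renamed interpreter still trips the "batch launches a Lua script" check, and a loader shipped as bytecode instead of obfuscated source is still counted as a non-plain payload. Feed `scan_zip` the bytes of a downloaded archive before extracting it.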
Infostealer malware is becoming increasingly prominent, and the credentials it harvests are routinely sold on the dark web, where they feed more advanced attacks. The growth of the infostealer market, RedLine included, reflects this trend.
In a separate but related development, users searching for pirated software are being targeted by a cryptocurrency mining malware called SilentCryptoMiner. Distributed through channels including YouTube, Telegram, and Yandex search results, it mines cryptocurrency while staying hidden and can perform other malicious tasks, such as hijacking wallet addresses copied to the clipboard and taking screenshots.
To protect against these attacks, gamers and other users should be wary of cheat scripts or any software offered by unfamiliar websites. Verify that a download comes from the project's official source rather than a file attached under some unrelated repository, avoid unofficial or suspicious platforms, and treat an archive that bundles its own script interpreter, an unreadable script, and a batch file to launch it as a red flag rather than a convenience.