Hacker Injects Malware into Steam Game to Steal User Data

Hacker Spreads Infostealer Malware

Cybersecurity researchers have uncovered a disturbing case of malware hidden inside a legitimate early access Steam game. The threat actor behind the attack, known as EncryptHub (also tracked as Larva-208), used the game Chemia to distribute info-stealing malware to unsuspecting gamers.

Chemia, a survival crafting game by Aether Forge Studios, is currently in early access on Steam, with no official release date.

How the Malware Was Deployed

According to the report that uncovered the incident, the initial compromise happened on July 22, when EncryptHub added a malicious executable named CVKRUTNP.exe to the game files. The file is a variant of HijackLoader, which:

  • Establishes persistence on the infected device
  • Downloads the Vidar info-stealer (v9d9d.exe) from a command-and-control (C2) address pulled via Telegram

About three hours later, a second stealer, Fickle Stealer, was added by way of a tampered DLL (cclib.dll). That DLL runs a PowerShell script (worker.ps1) which fetches the final payload from the domain soft-gets[.]com.

What the Malware Does

The combined payloads target a wide range of sensitive information, including:

  • Stored credentials and auto-fill data in web browsers
  • Cookies and session tokens
  • Cryptocurrency wallets
  • System and clipboard data

The stealers run silently in the background without affecting the game’s performance, so an affected player has little chance of noticing anything wrong on their own.

Trust Exploited: How Steam Became the Perfect Attack Vector

One of the most dangerous aspects of this campaign is that the malicious file appeared legitimate. Users downloading Chemia through Steam’s Playtest or Free Games sections had no reason to suspect they were installing malware.

“This is a social engineering attack that relies on platform trust instead of fake pop-ups or shady downloads,” a security researcher explained.

It’s still unclear how EncryptHub obtained the access needed to modify the game’s files. One theory is insider involvement, though nothing has been confirmed. Neither the game developer nor Valve (the company that operates Steam) has issued a public statement.

History Repeats: Malware in Steam Games Is on the Rise

This isn’t an isolated incident. In fact, it’s the third malware-laced game discovered on Steam in 2025. The previous two were:

  • 🕵️ Sniper: Phantom’s Resolution (March)
  • 🏴‍☠️ PirateFi (February)

Each time, the malware was embedded in early access titles, suggesting a potential loophole in Steam’s security review process for work-in-progress games.

About the Hacker: EncryptHub’s Dual Nature

EncryptHub is a well-known cybercriminal who has previously:

  • Launched mass spear-phishing attacks affecting over 600 organizations
  • Exploited Windows zero-days
  • Oddly, also submitted vulnerability disclosures to Microsoft, an unusual mix of black-hat and white-hat activity

What You Should Do Now

Avoid downloading or launching Chemia. Until there is an official statement from Valve or Aether Forge Studios, do not install or run the game.

If you’ve already played it, check your system for malware:

  • Look for the named files (CVKRUTNP.exe, v9d9d.exe, cclib.dll, worker.ps1) in the game’s install folder and in the usual persistence locations (Run keys, Startup folders, scheduled tasks); a file name alone is weak evidence, so treat a hit as a reason to isolate the machine and investigate, not as proof by itself
  • Monitor browser credential stores and cryptocurrency wallets
  • Run a full scan with trusted anti-malware tools
  • Reset credentials that were stored in browsers and sign out of active sessions everywhere, since cookies and session tokens were among the data targeted
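The following PowerShell script is an added example for the checks above; it is not code from the report or from any party named in this article. It hunts a Windows host for the indicators the article lists (the four file names and the soft-gets[.]com domain, re-fanged) across Steam library folders, the common persistence locations, running processes and the DNS resolver cache. Assumptions, also marked in the code: the default Steam install path under Program Files (x86), the layout of libraryfolders.vdf, and that the article’s file names are current. The article gives no file hashes, so none are used; the script records SHA-256 values of any hits for later comparison.

```powershell
# Added example, not code from the report or any party named in this article.
# Hunts a Windows host with Steam for the indicators the article lists: the
# dropped file names and the payload domain. Assumptions are marked as such.

$Iocs   = @('CVKRUTNP.exe', 'v9d9d.exe', 'cclib.dll', 'worker.ps1')  # file names from the article
$Domain = 'soft-gets.com'                                             # article's soft-gets[.]com
$Hits   = New-Object 'System.Collections.Generic.List[string]'

# 1. Steam library roots: the default install path (assumed) plus every "path"
#    entry in libraryfolders.vdf (assumed to read  "path"  "D:\\SteamLibrary").
$SteamRoot = Join-Path ${env:ProgramFiles(x86)} 'Steam'
$Libraries = @($SteamRoot)
$Vdf = Join-Path $SteamRoot 'steamapps\libraryfolders.vdf'
if (Test-Path $Vdf) {
    foreach ($Match in (Select-String -Path $Vdf -Pattern '"path"\s+"([^"]+)"')) {
        $Libraries += ($Match.Matches[0].Groups[1].Value -replace '\\\\', '\')
    }
}

# 2. Dropped files anywhere under steamapps\common. cclib.dll alone proves little,
#    since the article says an existing DLL was tampered with; keep the SHA-256 so
#    it can be compared with a clean copy of the game.
foreach ($Lib in ($Libraries | Sort-Object -Unique)) {
    $Common = Join-Path $Lib 'steamapps\common'
    if (-not (Test-Path $Common)) { continue }
    foreach ($File in (Get-ChildItem -Path $Common -Recurse -File -Include $Iocs -ErrorAction SilentlyContinue)) {
        $Sha = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        $Hits.Add("file: $($File.FullName) sha256=$Sha")
    }
}

# 3. Persistence the loader may have set: Run/RunOnce keys, Startup folders, scheduled tasks.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Entry in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($Entry.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... metadata
        foreach ($Ioc in $Iocs) {
            if ("$($Entry.Value)" -like "*$Ioc*") { $Hits.Add("runkey: $Key\$($Entry.Name) -> $($Entry.Value)") }
        }
    }
}
$StartupDirs = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
               (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
foreach ($Dir in $StartupDirs) {
    if (-not (Test-Path $Dir)) { continue }
    foreach ($Item in (Get-ChildItem -Path $Dir -File)) {
        foreach ($Ioc in $Iocs) {
            # .lnk files carry their target path as a plain string, so a raw text search finds it
            if ($Item.Name -like "*$Ioc*" -or
                (Select-String -Path $Item.FullName -Pattern ([regex]::Escape($Ioc)) -Quiet -ErrorAction SilentlyContinue)) {
                $Hits.Add("startup: $($Item.FullName) references $Ioc")
            }
        }
    }
}
foreach ($Task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        foreach ($Ioc in $Iocs) {
            if ($Cmd -like "*$Ioc*") { $Hits.Add("task: $($Task.TaskPath)$($Task.TaskName) -> $Cmd") }
        }
    }
}

# 4. Anything running under an IOC name, and the tampered DLL loaded into any process.
foreach ($Proc in (Get-Process -ErrorAction SilentlyContinue)) {
    foreach ($Ioc in $Iocs) {
        if ($Proc.Name -ieq [IO.Path]::GetFileNameWithoutExtension($Ioc)) { $Hits.Add("process: $($Proc.Name) pid=$($Proc.Id)") }
    }
    try { $Mods = $Proc.Modules } catch { $Mods = @() }   # access denied on protected processes
    foreach ($M in $Mods) {
        if ($M.ModuleName -ieq 'cclib.dll') { $Hits.Add("module: cclib.dll in $($Proc.Name) pid=$($Proc.Id)") }
    }
}

# 5. The resolver cache is short-lived, so no hit means little, but a hit is strong.
foreach ($Rec in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($Rec.Entry -like "*$Domain*" -or $Rec.Name -like "*$Domain*") { $Hits.Add("dns: $($Rec.Entry) -> $($Rec.Data)") }
}

if ($Hits.Count -eq 0) {
    Write-Host 'No indicator from the article was found. Not a clean bill: names change and caches expire.'
} else {
    Write-Host "Indicators found ($($Hits.Count)). Isolate the host before doing anything else."
    foreach ($H in $Hits) { Write-Host " - $H" }
}
```

Run it from an elevated PowerShell session so the HKLM keys, all scheduled tasks and other users’ processes are readable. A clean result is not proof of a clean machine: the loader can be renamed, the DNS cache is flushed on reboot, and none of these checks inspect memory. If anything is reported, disconnect the host from the network before collecting further evidence, and do the credential and session resets from a different, trusted device.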

Tips for Safer Gaming

  • Be skeptical of early access games without a strong development track record
  • Use security software that includes real-time protection
  • Keep your OS and software updated
  • Watch for strange system behavior or browser logouts

This incident is a harsh reminder that even trusted platforms like Steam can be exploited. Early access games, while exciting, are increasingly being used as delivery mechanisms for sophisticated malware campaigns.
