Malware in Steam Game

Cybercriminals exploited Steam’s Early Access program to distribute malware through Chemia, a survival crafting game that served as a trojan horse for multiple information-stealing programs. The attack, coordinated by the EncryptHub group also known as Larva-208, began on July 22, 2025, when malicious binaries were injected directly into the game files hosted on Steam’s platform.

Cybercriminals weaponized Steam’s Early Access program, using the survival game Chemia to deploy sophisticated information-stealing malware targeting unsuspecting gamers.

The operation deployed three distinct malware strains against gamers who downloaded the compromised title. HijackLoader, running as CVKRUTNP.exe, established persistence on infected systems while serving as a dropper for additional payloads. Vidar Stealer, running as v9d9d.exe, specifically targeted cryptocurrency wallets, web browsers, and password managers to extract financial data. The third component, Fickle Stealer, ran through cclib.dll and was deployed via a PowerShell script named worker.ps1, which downloaded its payload from the external domain soft-gets[.]com.

The malware campaign focused on harvesting web browser credentials, autofill information, cookies, and cryptocurrency wallet data from infected machines. Compromised information included Steam accounts, email credentials, and financial service logins, with some strains capable of extracting stored data from password managers and digital wallets. Man-in-the-middle attacks were particularly effective in intercepting sensitive data during transmission between game clients and servers.

The attackers utilized Telegram channels to manage command-and-control infrastructure and facilitate data exfiltration, demonstrating their use of malware-as-a-service approaches to increase scalability. Steam’s massive user base of over 100 million monthly active users makes it an attractive target for cybercriminals seeking widespread distribution of malicious software.

Cybersecurity firm Prodaft detected the attack on July 23-24, 2025, after observing suspicious binaries through threat intelligence monitoring. The incident affected only users who accessed Chemia during the compromised window through Steam’s Early Access program, which requires playtest requests rather than public distribution.

This limited exposure helped contain the attack’s scope but highlighted significant security concerns. The incident represents a growing threat where legitimate gaming platforms are exploited to distribute malware under the guise of game development.

The attack exposed limitations in validation and security controls for Early Access and indie titles on trusted platforms. Security researchers have advised affected users to check for the specific indicators of compromise, and Steam reportedly suspended distribution of the game following the disclosure. Prodaft shared detailed indicators of compromise through their GitHub repository to help security teams identify and mitigate the malware variants.
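The file names and download domain listed earlier are exactly the kind of indicators a security team would sweep a Steam library for. The script below is an added example written for this page; it is not Prodaft's tooling, not the published GitHub indicator set, and not code from the article. It uses only the indicators the article names (CVKRUTNP.exe, v9d9d.exe, cclib.dll, worker.ps1, soft-gets[.]com), assumes the usual steamapps/common library layout, and builds a constructed fake game folder so the sweep can be run offline. Binaries are matched by file name only, because the article gives no hashes.

```python
"""IoC sweep for the Chemia/Steam compromise (added example, not Prodaft's code)."""
import re
import tempfile
from pathlib import Path

# File-name indicators named in the article, mapped to the component the
# article attributes them to. Matched case-insensitively.
IOC_FILENAMES = {
    "cvkrutnp.exe": "HijackLoader (dropper)",
    "v9d9d.exe": "Vidar Stealer",
    "cclib.dll": "Fickle Stealer",
    "worker.ps1": "Fickle Stealer PowerShell loader",
}

# Network indicator from the article. The pattern accepts the defanged form
# soft-gets[.]com as well as the live form, so a script that embeds the real
# domain is still flagged.
IOC_DOMAIN_PATTERN = re.compile(r"soft-gets(?:\[\.\]|\.)com", re.IGNORECASE)

# Only plain-text script types are content-scanned; binaries are matched by
# name alone because the article publishes no hashes or byte patterns.
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".txt"}


def scan_tree(root):
    """Walk `root` recursively and return a list of findings.

    Each finding is a dict with keys: path, indicator ("filename" or
    "domain"), and detail (what matched).
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in IOC_FILENAMES:
            findings.append({
                "path": str(path),
                "indicator": "filename",
                "detail": f"{path.name} ({IOC_FILENAMES[name]})",
            })
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            match = IOC_DOMAIN_PATTERN.search(text)
            if match:
                findings.append({
                    "path": str(path),
                    "indicator": "domain",
                    "detail": match.group(0),
                })
    return findings


def summarize(findings):
    """Count findings per indicator type for a quick triage report."""
    counts = {}
    for finding in findings:
        counts[finding["indicator"]] = counts.get(finding["indicator"], 0) + 1
    return counts


def build_sample_tree():
    """Construct a fake Steam game directory for an offline demonstration.

    Constructed data, not the real game layout: a placeholder game binary,
    one file named like a stealer indicator, a PowerShell script that
    references the download domain, and a benign text file.
    """
    root = Path(tempfile.mkdtemp(prefix="chemia_sweep_"))
    game = root / "steamapps" / "common" / "Chemia"  # assumed library layout
    (game / "tools").mkdir(parents=True)
    (game / "Chemia.exe").write_bytes(b"MZ\x90\x00 placeholder game binary")
    (game / "v9d9d.exe").write_bytes(b"MZ\x90\x00 placeholder, constructed")
    (game / "tools" / "worker.ps1").write_text(
        "# constructed sample script, not the real loader\n"
        "$u = 'https://soft-gets.com/payload'\n",
        encoding="utf-8",
    )
    (game / "readme.txt").write_text("Chemia early access build notes\n",
                                     encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_tree(sample_root)
    for finding in results:
        print(f"{finding['indicator']:8} {finding['path']} -> {finding['detail']}")
    print(summarize(results))
```

Point scan_tree() at a real Steam library root to run the sweep; the sample tree produces three findings (two file-name hits and one domain hit, both from worker.ps1 and v9d9d.exe), while the placeholder Chemia.exe and readme.txt are not flagged.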

The breach signals broader ecosystem risks as cybercriminals increasingly target pre-release gaming content to launder malware through established distribution channels.