Security researchers expose third malware-laced Steam game this year
- Marijan Hassan - Tech Journalist
- Jul 30
According to a new report by cybersecurity firm Prodaft, a threat actor known as EncryptHub has compromised an early access game on Steam to distribute info-stealing malware, exposing players to significant security risks.

The affected game, Chemia, a survival crafting title from indie developer Aether Forge Studios, was modified on July 22 to include malicious binaries.
Double malware deployment
Researchers say EncryptHub, also tracked as Larva-208, injected two separate malware strains into the game within hours of each other.
The first was HijackLoader (CVKRUTNP.exe), a loader that establishes persistence on the victim’s system and downloads the Vidar infostealer (v9d9d.exe). This malware retrieves its command-and-control (C2) address from a Telegram channel, indicating active coordination and dynamic infrastructure use.
Roughly three hours later, a second payload, Fickle Stealer, was added via a DLL file (cclib.dll). This variant uses PowerShell scripts (worker.ps1) to fetch its main payload from soft-gets[.]com.
Fickle Stealer is designed to harvest sensitive data from users’ web browsers, including saved passwords, cookies, autofill data, and cryptocurrency wallet credentials.
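The file names and domain named above can serve as a first-pass triage check over endpoint telemetry. The following is an added example, not code from Prodaft or from this article; the event fields (host, type, path, query), the host names and the paths are constructed for illustration, and because file names are easy to change, a match is a lead to investigate rather than proof of infection.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators named in the article; the labels record the stage each belongs to.
FILE_IOCS = {"cvkrutnp.exe": "HijackLoader", "v9d9d.exe": "Vidar",
             "cclib.dll": "Fickle Stealer DLL", "worker.ps1": "Fickle Stealer script"}
DOMAIN_IOCS = {"soft-gets[.]com": "Fickle Stealer payload host"}


def refang(indicator):
    """Turn a defanged indicator into its matchable, lower-case form."""
    return indicator.replace("[.]", ".").lower()


def match_event(event):
    """Return the stage label for one event, or None if nothing matches."""
    if event["type"] in ("process", "file"):
        # PureWindowsPath parses backslash paths on any OS; Windows names are case-insensitive.
        return FILE_IOCS.get(PureWindowsPath(event["path"]).name.lower())
    if event["type"] == "dns":
        query = event["query"].lower().rstrip(".")
        for ioc, label in DOMAIN_IOCS.items():
            domain = refang(ioc)
            # Match the domain itself or a subdomain, never a bare substring.
            if query == domain or query.endswith("." + domain):
                return label
    return None


def triage(events):
    """Group matched stages per host so partial and full chains stand out."""
    hits = defaultdict(set)
    for event in events:
        label = match_event(event)
        if label:
            hits[event["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


# Constructed sample events (hypothetical hosts, paths and queries).
SAMPLE = [
    {"host": "pc-01", "type": "process", "path": r"D:\SteamLibrary\steamapps\common\Chemia\CVKRUTNP.exe"},
    {"host": "pc-01", "type": "file", "path": r"C:\Users\a\AppData\Local\Temp\v9d9d.exe"},
    {"host": "pc-02", "type": "dns", "query": "cdn.soft-gets.com."},
    {"host": "pc-03", "type": "dns", "query": "notsoft-gets.com"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host showing both the loader and a stealer stage, as pc-01 does in the sample, deserves attention before one with a single hit.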
A familiar adversary
EncryptHub has previously been linked to a massive spear-phishing and social engineering campaign that compromised over 600 organizations globally. The actor is considered unusual in the cybercrime world due to its dual role: exploiting Windows zero-day vulnerabilities while also submitting responsible disclosures to Microsoft.
Because the malware doesn’t affect gameplay performance, users are unlikely to notice they’ve been compromised, a stealthy approach that may extend the reach and duration of the campaign.
Questions remain
It is still unclear how EncryptHub managed to infiltrate the game’s Steam build. Prodaft suggests an insider threat as a possible explanation. As of publication, Aether Forge Studios has not issued any statements on its Steam page or social media.
Worryingly, Chemia remains available on Steam, and there is no confirmation that the current version is malware-free. Users are strongly advised to avoid downloading the game until Steam or the developers provide further clarification.
Broader trend?
This is the third known instance this year of malware being distributed through early access Steam games. Previous incidents include ‘Sniper: Phantom’s Resolution’ in March and ‘PirateFi’ in February. In each case, the titles were unfinished and not subject to the stricter review processes typically applied to full releases.
The pattern suggests Steam’s early access pipeline may be a vulnerable attack vector, allowing malicious actors to exploit lax oversight.













