Opening
Hello, world! I’m Assaf, and as always, I’m here to break down the latest in cybersecurity threats. In this article, we’re diving into a recent case of malware hidden inside a Steam game, how it managed to bypass security checks, and what it means for both gamers and enterprises.
On February 6th 2025, a game was released on Steam by the name of PirateFi. On February 10th the game was removed from sale by Valve, a mere four days later.
What happened?
As reported by multiple tech news sites, the game contained info-stealing malware and infected over a thousand computers. In this article I’ll walk you through the incident, and break down the attack that unfolded. I will also explain the special importance of this event.
Steam
Steam is the go-to game storefront and platform for most PC gamers. Made by Valve, Steam is the undisputed champion of PC gaming. With Steam, players can purchase and download digital video games from a vast library containing hundreds of thousands of titles.
For a small fee, any studio (or individual) can publish a game on Steam, provided it passes Valve’s approval process. While the exact details of how Valve filters out malware remain largely unknown to the public, the system is generally considered reliable. However, as we’ll explore in this article, it isn’t foolproof.
As of February 23 2025, Steam reached an all-time peak of approximately 39.9 million concurrent users, while we can’t say for certain on how many computers Steam is installed, it’s safe to say it’s vastly more than that.
If we’d like to dive into the data a bit deeper we’ll see that Steam has approximately 13.7 million users in the US alone. If we’re looking at age distribution, 39% percent of steam users are in the 20-29 age range, this will be relevant later as we discuss the attack’s effect on company domains.
PirateFi
A seemingly simple game, another piece of shovelware in the vast sea of Steam games, turns out to be scheming to loot innocent players. The pirate metaphor is apt.
The only game published by Seaworth Interactive, whov’e had zero online presence since the news broke, was marketed as a survival game with a pirate theme.
One review on the archived Steam page for the game called it “50% minecraft 50% sea of thieves”, sounds fun.
Like an innocent looking ship that hoists the Jolly Roger the moment another vessel approaches, this game revealed itself as malware once it reached players’ computers.
First discovered by Kaspersky antivirus, hidden inside the game was malicious code, cataloged by Kaspersky as Trojan.Win32.Lazzzy.gen. Malware classification for malware that is designed for data exfiltration and browser tokens theft.
The malicious executables in question are Pirate.exe, the game’s main file, which, upon launch, unpacks a second file – Howard.exe, at runtime. This dropped file is a variant of the Vidar malware and is saved to the user’s /AppData/Temp folder.
This is exactly why I game on Linux, by the way.
By consulting VirusTotal, we can see that 48 out of 72 security vendors have flagged Howard.exe as malicious.
If we scroll down the DETECTION list we can see that most antiviruses classify it as a Trojan. We also notice that this file initiates a network connection to Russian addresses, my malware sense is tingling.
Continuing down this rabbit hole, we see under the RELATIONS tab that the malware connects to two hard-coded URLs. The first is a Telegram link, a popular platform for hackers to operate in, due to its anonymity. The second URL is a Steam user profile. While this link is legitimate and holds nothing malicious on its own, it plays a vital part of the attack vector in quite a creative way.
Checking this user’s profile, we are greeted by a barren profile that hasn’t played a single game. However the user’s name does include an IP address.
Using this method, the attackers can mask their traffic with legitimate Steam traffic and get their C2 address dynamically. The attackers can change their username as often as they like without having to change the link. This technique is actually a hallmark of Vidar malware that often uses user profiles on social platforms as part of its C2 campaign.
Using our OSINT knowledge, we can see that the IP in the URL belongs to the Finnish ISP Hetzner Online GmBH, a legitimate ISP that offers web hosting that our attackers probably used.
Once the executable was properly deployed on the victim’s computer and connected to the remote C2 server, it could easily steal the user’s saved passwords, cookies, and other sensitive data.
AI, Crypto and target audience
The technical overview of this attack vector is only half of the intrigue in this operation, the other half lies in how Seaworth Interactive marketed their game to crypto-interested audiences
One of the attackers’ primary targets was crypto wallets. To achieve this, they needed people with crypto wallets to download their game, they employed several tactics to accomplish it.
Firstly The PirateFi Twitter handle was “PirateFiweb3”. Web3 is a concept for a new internet that uses decentralized blockchain technologies, the same basis for cryptocurrency.
Secondly, and more interestingly, the attackers used AI chatbots to try to convince people on telegram to download the (free) game and be paid 17$ an hour (in crypto) to work as an in-game chat moderator. The position of an in-game chat moderator isn’t new, but it’s never this well-paid.
Below is a screenshot from Telegram showing one of these conversations –
The AI falsely claims that the game has over 7,000 players, when in reality, it has sold no more than 1,500 copies. Additionally, it states that payments are made in Solana, a cryptocurrency platform. This allows the attackers to spread their malware to more computers with saved crypto wallet passwords, which are up for grabs once the malware infiltrates the system
Some of the contacted “job candidates” who chatted with the AI noticed that its responses were always sent 21 seconds after their last message, which was a sign of the artificial nature of the other side of the conversation.
Most people won’t assume they’re chatting with an AI, but the use of AI chatbots on this scale isn’t unheard of, although it’s still relatively new. This highlights the growing danger of more and more AIs online that are almost indistinguishable from real people and are deployed with a clear agenda.
Could my domain have been compromised?
It is entirely possible that some rebellious employee decided to play video games on their company computer and downloaded PirateFi, thus compromising his various company login information.
But even if only their home PC was infected, your domain is still in danger of a possible data breach. This is due to the unfortunate reality that people are likely to reuse the same passwords for different accounts.
A Google poll from 2019 showed that 66 percent of Americans use the same password for multiple accounts, while a Forbes article on the subject claims that 54 percent of Americans reuse the same password across at least three accounts.
The potential threat here is that the hacker group behind PirateFi now possesses login details for hundreds of people, and some of these login credentials probably work for those users’ company accounts, giving the hackers access to the company’s domain.
Cyvore and Data protection
The fallout from a breach isn’t just about stolen credentials, it’s about what attackers do with them next. Cyvore operates where others stop. Using its TIAO engine, Cyvore traces stolen data back to its new owners and dissects its movement in the dark corners of the web.
Cyvore TIAO can illuminate hidden risks before they manifest into full-scale breaches. This approach ensures that enterprises aren’t merely reacting to threats but are forewarned with actionable intelligence.
A strategic safeguard, subtly embedded yet forceful in its impact.
Closing remarks
Cybercriminals are only getting better and more cunning. Nowadays, malware can come from any number of sources, in this case it came from a legitimate application that millions of people use and download software from every day. No one can predict where it will come from next time, it could be a file sent in a Zoom call from a hacker posing as a legitimate client, or it can be more old school and come from a phishy email with a link that includes a misspelled company name.
In any case, your domain needs to be prepared for the next attack and practice data security measures. It’s a dangerous world we live in.
Until next time, thank you for reading and stay safe!
Sources and links
pictures credited to steamdb.info
