A sophisticated malware distribution campaign has been discovered on the Steam gaming platform: the survival game “Chemia” was found to have been injected with malware that steals users’ personal information. What is worrying is that players can barely detect anything unusual, because the malicious code does not disrupt the gaming experience at all.
The hacker group EncryptHub (also known as Larva-208) is believed to be behind the attack. The group is known for large-scale and distinctive scam campaigns, and has a history of both exploiting a Windows zero-day vulnerability and sending security reports to Microsoft, in what has been described as a “half-beneficial” manner.
According to cybersecurity firm Prodaft, on July 22 EncryptHub inserted malicious code into Chemia’s installation files on Steam. The game is being distributed as an “early access” title, has not been officially launched, and is subject to less scrutiny than full releases.
Specifically:
- The first malicious component was HijackLoader (CVKRUTNP.exe), used to establish a foothold on the victim’s machine and download the main payload.
- The second was the Vidar infostealer (v9d9d.exe), which specializes in stealing data such as passwords, browser cookies, and crypto wallets.
- Then, within 3 hours, the group went on to install Fickle Stealer through a DLL (cclib.dll) launched via PowerShell, which connected to a server at soft-gets[.]com.
All of these components run in the background without affecting the game’s performance, so the player has no reason to suspect anything.
Mechanism of action: Sophisticated and difficult to detect
- Vidar and Fickle Stealer are both infostealers that harvest browser data such as saved passwords, autofill form data, cookies, and crypto wallets.
- The malware received its commands via Telegram, giving the operators flexible, real-time control.
- Because the game was downloaded from Steam’s own servers, players trusted it completely and asked no questions, making this a platform-trust scam: no sophisticated trickery, just… players clicking “Install”.
Early Access titles such as Chemia are generally less thoroughly vetted. In 2025 there have been at least three similar incidents on Steam, including Sniper: Phantom’s Resolution and PirateFi. This raises questions about Steam’s content control mechanism, especially for games still in development.
The insertion of the malicious code may also involve an internal leak, or a hijacked developer account.
Recommendations from experts:
- Users: be cautious about installing obscure, little-played games, especially free titles offered for playtesting, and be wary of any unusual behavior after installation.
- Steam and publishers: the vetting process for Early Access titles needs to improve, in particular the checking of executables and the libraries bundled with them.
- Corporate and system administrators: monitor for the campaign-related IOCs, and isolate and examine any computer whose user has Chemia installed or is suspected of being infected.
The Chemia malware campaign is a reminder that not everything free is safe, even when it is distributed through a reputable platform such as Steam. When hackers take advantage of trust and gaps in vetting, ordinary users can easily fall victim without realizing it. Until official announcements from Valve or the developers arrive, it is best not to download or play Chemia for the time being.
