A game that was infected with malware was taken down from Steam by Valve last week.
Security researchers examined the malware after the game, known as PirateFi, was removed and discovered that the person who planted it altered an already-existing video game in an effort to fool players into installing an info-stealer called Vidar.
Marius Genheimer, a researcher at SECUINFRA Falcon Team who examined the malware, told TechCrunch that based on the malware’s configuration and command and control servers, “we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse.”
According to Genheimer, “it is very likely that it was never a legitimate, running game that was changed after first publication.”
In other words, PirateFi was created to distribute malware.

Additionally, Genheimer and associates discovered that PirateFi was built by altering an existing game template known as Easy Survival RPG, which markets itself as a game-making application that “gives you everything you need to develop your own singleplayer or multiplayer” game. Licenses for the application range in price from $399 to $1,099.
This explains how, with no effort, the hackers were able to ship a working video game with their malware.
The Vidar infostealing malware can steal and exfiltrate a variety of data from the computers it infects, including: session cookies that allow one to log in as someone else without using their password, web browser history, cryptocurrency wallet information, screenshots, two-factor codes from specific token generators, and other files on the user’s computer, according to Genheimer.

Vidar has been utilized in a number of hacking activities, such as one that sought to install malicious ads on Google search results, another that attempted to deliver ransomware, and one that attempted to steal hotel credentials from Booking.com. The Health Sector Cybersecurity Coordination Center (HC3) stated in 2024 that Vidar, which was initially identified in 2018, had “developed into one of the most prevalent infostealers.”
Infostealers are a common type of malware made to steal data and information from a victim’s PC. They are frequently offered under the malware-as-a-service business model, which enables even inexperienced hackers to buy and use the software. Because Vidar “is widely adopted by many cybercriminals,” Genheimer added, it is also “very difficult” to identify the person responsible for PirateFi.
According to Genheimer, the researchers examined multiple malware samples that were part of PirateFi. They found one on the online malware repository VirusTotal, reportedly submitted by a Russian gamer, and another via SteamDB, a site that publishes information about games hosted on Steam. They found a third sample in a threat intelligence database they have access to. According to Genheimer, all three malware samples have the same functionality.
PirateFi’s alleged developers, Seaworth Interactive, don’t seem to be active online. The game had an X account until last week, but it has since been deleted. The account included a link to the game on Steam.
A request to chat via Direct Message was not answered by the account owners prior to its deletion.
