A sophisticated cybersecurity incident has compromised the trusted Steam gaming platform, with cybercriminal EncryptHub successfully embedding malicious software into the early access game Chemia. This attack exploits user trust in the official gaming platform to distribute dangerous information-stealing malware, marking a concerning escalation in gaming-focused cyber threats.
Technical Analysis of the Chemia Malware Attack
Cybersecurity researchers at Prodaft documented the compromise of indie game Chemia, developed by Aether Forge Studios, which occurred on July 22, 2025. The attacker, operating under aliases LARVA-208 and Water Gamayun, implemented a sophisticated multi-stage infection process designed to evade detection.
The initial payload consisted of HijackLoader malware (CVKRUTNP.exe), functioning as a first-stage loader for the primary malicious components. This trojan establishes persistence within victim systems and facilitates the deployment of the Vidar infostealer through the secondary executable v9d9d.exe.
Multi-Stage Infection Methodology
Three hours after the initial compromise, the attacker introduced an additional component: a DLL file named cclib.dll containing the Fickle Stealer infostealer. This module leverages a PowerShell script (worker.ps1) to retrieve the main payload from the compromised resource soft-gets[.]com.
The malware employs an innovative command and control infrastructure, obtaining server addresses through Telegram channels. This approach significantly complicates detection and disruption efforts by cybersecurity professionals and law enforcement agencies.
Malware Capabilities and Data Theft Operations
The Fickle Stealer component targets a comprehensive range of sensitive browser data, including:
• Authentication credentials and stored passwords
• Form autofill information and personal data
• Session cookies and authentication tokens
• Cryptocurrency wallet information and keys
The malware operates as a background process without impacting game performance, allowing victims to continue playing while their systems remain compromised. This stealth approach maximizes data collection time and reduces the likelihood of discovery by users.
Social Engineering Tactics and Platform Trust Exploitation
Prodaft researchers emphasize that this attack leverages sophisticated social engineering principles by exploiting user confidence in Steam’s official distribution platform. When gamers click the “Playtest” button for free games, they reasonably expect secure, verified content from the trusted source.
This incident represents a continuation of EncryptHub’s established attack patterns. Previous campaigns by this threat actor resulted in over 600 organizational compromises globally, demonstrating the persistent and evolving nature of this cybercriminal’s operations.
Threat Actor Profile: The Dual Nature of EncryptHub
Research conducted by Outpost24 KrakenLabs reveals EncryptHub’s unusual position within the cybersecurity landscape. This individual maintains simultaneous roles as both cybercriminal and legitimate security researcher, creating a complex threat profile that challenges traditional categorization.
Paradoxically, EncryptHub recently disclosed two zero-day vulnerabilities in Windows to Microsoft through responsible disclosure processes, demonstrating advanced technical capabilities while maintaining criminal activities. This duality highlights the blurred lines between legitimate security research and malicious exploitation.
Gaming Platform Security Trends and Implications
The Chemia incident represents the third confirmed malware distribution case through Steam in the current year. Previous incidents involved the removal of infected games Sniper: Phantom’s Resolution and PirateFi, indicating an emerging trend targeting gaming distribution platforms.
Analysis reveals that all compromised projects maintained early access status, suggesting threat actors deliberately target less scrutinized development phases. This pattern indicates a systematic approach to identifying and exploiting platform security gaps.
This security breach underscores the critical need for enhanced verification protocols across gaming platforms and emphasizes the importance of multi-layered defense strategies. Users should implement comprehensive endpoint protection solutions, maintain updated security software, and exercise caution even when downloading content from trusted platforms. The gaming industry must strengthen verification procedures and continuous monitoring systems to prevent similar incidents and protect the millions of users who rely on these platforms for entertainment and social interaction.
