Steam games abused to deliver malware once again

A cybercriminal known as EncryptHub (aka Larva-208) has reportedly abused the online game platform Steam to distribute information stealers.

EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is a survival adventure game that puts the player in a world ravaged by a catastrophic natural disaster… which is nothing compared to the real-world disasters that can be caused by information stealers.

Chemia has not been publicly released yet, but was available in Early Access on Steam. Steam offers Early Access to certain games primarily as a development model that allows players to purchase and play games while they are still in progress, rather than waiting for a full official release. It helps developers receive direct, ongoing feedback from the community, which they can use to find bugs, balance gameplay, and improve features.

According to security researchers at the Proactive Defense Against Future Threats (PRODAFT), the initial compromise took place on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application.

The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.

Vidar is a Malware-as-a-Service information stealer which uses public networks such as social media, communication platforms—and Steam—as parts of its Command & Control infrastructure.

HijackLoader is a malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.

Fickle Stealer is a relatively new information stealer that uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.

As we have explained many times before, information stealers can turn your life upside down. Depending on what is stored on the infected device, the consequences can range from financial damage to identity theft.

In another case of abuse of the Steam platform, we saw a cybercriminal use a sniper video game to distribute malware to unsuspecting gamers. But that criminal didn’t circulate the malicious demo on Steam directly. Instead, the game’s Steam page featured a link to the developer’s external website promoting a demo that turned out to be malware.

A month before that, a game called PirateFi was released on Steam, but turned out to be circulating malware amongst gamers.

With Steam’s huge userbase (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to get hold of valuable digital assets, direct financial information, and personal information.

How to stay safe

Some tips to help gamers stay clear of downloading malicious software:

  • Do not act on direct messages or other unsolicited invitations to try out a game. Random people asking you to download something should be treated as suspicious.
  • Verify invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. This is because their current account may have been compromised.
  • Make sure to run an up-to-date and active anti-malware solution on your computer.

Malwarebytes blocking the domain hosting the PowerShell script

If you have tried the Chemia game, run a full system anti-malware scan.

Indicators of compromise

Domains:

soft-gets[.]com

reaitek[.]com

safesurf.fastdomain-uoemathhvq.workers[.]dev

Fickle downloader hash:
ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b

Fickle Stealer hash:

6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825

Vidar Stealer hash:

2cd8c0e75cf76381f06dfe465a542e52eefa713b0bea2557763e0c0c45b21481

HijackLoader hashes:

9a733b2de84e2bf466287abd034b04b18c8c269535606e8f6403eee2a3b288c4

12935315254175719cbbaad0b213204ddebd4100ffc551d54f8cf39ced1be227

