Dissecting a GenesisStealer Campaign Hiding Behind Indie Game Branding

Khushal (Thread author)
Apr 4, 2024
Someone is distributing malware disguised as a beta invite for a real indie game. The dropper calls itself CyveraVPN. The package.json buried inside it calls itself a “Beta Of Exonautis.” Exonautis is a legitimate space shooter currently in free demo on Steam, developed by a small studio called BaleYc Studios. The game is real, the studio is real, and neither of them has anything to do with this campaign (afaik).

What they do have is obscurity — real enough to be credible as a beta, unknown enough that a victim can’t easily verify it. That’s the angle.

This post covers the full attack chain: from the fake installer, through two layers of JavaScript obfuscation, to the decrypted GenesisStealer payload underneath. We’ll also look at what makes this campaign trackable — a single builder fingerprint that links several different fake software droppers together. Good for hunting this malware family.
 
This is a good write-up and it highlights a very common (and effective) social-engineering pattern: using a real, obscure indie title as “cover” for a fake beta invite, then delivering an infostealer via a multi-stage script-based dropper.

What stands out in this campaign
  • Legitimacy “borrowed” from a real game/studio: attackers rely on the victim not being able to easily verify a “beta invite” outside official channels.
  • Script-heavy, layered unpacking: multiple stages of JavaScript obfuscation and decryption are typical of commodity stealer delivery, and they slow down casual analysis.
  • Builder/fingerprint reuse: a consistent “builder” artifact is valuable for defenders because it can link otherwise unrelated-looking droppers and help cluster activity for hunting and detections.

Risk and impact (practical takeaway)
If the final payload is an infostealer (as described in the post), the main risk is credential/session theft rather than “traditional” file encryption. That usually means:
  • Browser-stored passwords and cookies (session tokens)
  • Saved autofill data
  • Crypto wallet data (depending on what’s present on the system)
  • App tokens (Discord/Steam/Telegram/etc., depending on the stealer’s modules)

Safety guidance for anyone who may have run this
  • Isolate the machine (disconnect from the network) to limit further data exfiltration.
  • From a known-clean device, change passwords for email first (primary inbox), then banking/crypto, then everything else; revoke active sessions where the service supports it.
  • Enable/verify 2FA and rotate recovery codes if available.
  • Run scans with reputable tools (for example: Microsoft Defender, Malwarebytes, ESET Online Scanner). Be aware that infostealers may leave behind persistence or secondary payloads depending on the case.
  • If high-value accounts were exposed, the most reliable cleanup is often a clean reinstall of the OS and then re-onboarding accounts with new credentials.

Defender / hunting value
The “single builder fingerprint” point is especially useful: even when payloads or filenames rotate, build artifacts and consistent staging logic can provide durable pivots for:
  • EDR hunts (process tree patterns: installer → script host/runtime → decrypt/write → execute)
  • Network detections (initial download infrastructure + any repeatable beacon/exfil patterns, if present)
  • Repository-wide retro-hunts (matching the same builder characteristics across samples)

If anyone on the forum has additional samples/IoCs related to this cluster, sharing them (safely) can help validate how widespread the builder reuse is and whether multiple “fake software” themes are tied to the same operator.

Sources
Executive Summary
This analysis details a GenesisStealer campaign that distributes an 84.6 MB NSIS installer disguised as a VPN or an indie game beta ("Exonautis").

Confirmed Facts
The installer drops a bundled Node.js/Electron application that decrypts a JavaScript payload in memory to harvest browser credentials, Discord tokens, crypto wallets, and AWS keys.

Assessment
The use of an identical Imphash (b34f154ec913d2d2c435cbd644e91687) across multiple distinct lures strongly suggests a single builder or operator is actively targeting gaming and developer communities.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1204.002
User Execution: Malicious File (fake VPN / game-beta installer)

T1027.009
Obfuscated Files or Information: Embedded Payloads (JavaScript stage shipped base64-encoded and AES-256-CBC encrypted, decrypted in memory)

T1555.003
Credentials from Password Stores: Credentials from Web Browsers (targeting SQLite databases and the Chrome DevTools Protocol)

T1552.001
Unsecured Credentials: Credentials In Files (targeting seed.seco for Exodus wallets and ~/.aws/credentials)

T1567
Exfiltration Over Web Service (Cloudflare R2, GoFile, Discord webhooks)

CVE Profile
N/A (social-engineering vector; no software vulnerability is exploited)
CISA KEV Status: N/A (no CVE)

Telemetry

Dropper SHA256

d24dbda069525134f94904f7a16dbf275abcc0c8d7b0b9c065f39d91d3e2dd7a

Payload SHA256
fa83180ee18c87e91ab920252e77692e7849b03d8220ace614bd4620bc559bb8

Imphash
b34f154ec913d2d2c435cbd644e91687

Network IOCs
hxxps://discord[.]com/api/webhooks/1410035164033323029/DlLUhHp0TRyB1xvzeobaPCYP5ehH93734w9AADTDCeazBJ2m-pzJ-1Jb8wLM3BhPT8t1 (exfiltration webhook)
hxxp://ip-api[.]com/json/ (victim geolocation lookup before exfiltration)
tmpfiles[.]org, gofile[.]io (file-upload services used for exfiltration)
Note: ip-api.com, gofile.io and discord.com are legitimate services; detect on the sequence and the specific webhook path rather than blocking the domains outright.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocol for suspected credential compromise; notify Legal and Risk teams if cloud infrastructure (AWS) or customer data is at risk.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM and EDR for PE32 files matching Imphash b34f154ec913d2d2c435cbd644e91687 or anomalous node.exe/electron.exe child processes. Caveat: the Imphash of an NSIS installer is the hash of the NSIS stub's import table, so every installer built with the same NSIS version shares it; treat a match as a triage pivot to combine with the dropper SHA256, the process tree and the network sequence, not as a conviction on its own.

Command
Alert on outbound connections to hxxp://ip-api[.]com/json/ followed by large POST requests to tmpfiles[.]org, gofile[.]io, or Discord webhooks (discord[.]com/api/webhooks/...).

RESPOND (RS) – Mitigation & Containment

Command
Isolate impacted endpoints from the corporate network immediately.

Command
Revoke and rotate all potentially exposed AWS IAM credentials, source code repository tokens, and internal VPN/access keys.

RECOVER (RC) – Restoration & Trust

Command
Reimage affected developer or user machines; do not attempt to clean the infection as Windows DPAPI master keys have been compromised.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict execution of unsigned NSIS installers and enforce AppLocker/WDAC policies to prevent execution from AppData or Downloads directories.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately to disrupt the data packaging and exfiltration process.

Command
Do not log into banking, crypto, or email accounts from the compromised machine until it is verified clean.

Priority 2: Identity

Command
Reset Discord, Steam, and primary email passwords using a known clean device (e.g., your smartphone on a 5G cellular connection).

Command
Move funds from software crypto wallets (like Exodus) to a cold wallet or safe exchange immediately using the clean device.

Priority 3: Persistence

Command
GenesisStealer focuses heavily on immediate data extraction, but to ensure no secondary persistence (like RATs) remains, run a full offline Antivirus scan. If highly sensitive accounts were exposed, a full Windows reinstallation is recommended.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Enforce SmartScreen and restrict execution of unsigned binaries).

Framework
NIST CSF 2.0 / SP 800-61r3.

Style
The malware targets developers and gamers by exploiting trust. Verifying the legitimacy of software via official developer channels (e.g., the official BaleYc Studios Steam page) rather than third-party Discord links is a critical preventative control.

Source

Badrul Munir - Analysing Genesis Stealer