NEWS Steam Serves Gamers Malware Disguised as “Early Access”

This marks the third case of game-based malware on the platform in just six months.


A hacker group known as EncryptHub (aka Larva-208) has injected malicious code into a Steam game, turning it into a vehicle for mass infection of unsuspecting users.


The target of the attack was Chemia, a survival crafting game from Aether Forge Studios, currently in Early Access with no official release date. A few days ago, attackers embedded malicious components into the game files — invisible to players and not interfering with normal gameplay.

According to cybersecurity firm Prodaft, on July 22, a malicious executable named CVKRUTNP.exe was added to the Chemia distribution. This file acts as a HijackLoader dropper, activated when the game launches. It ensures persistent malicious activity and fetches the next stage: the spyware Vidar (v9d9d.exe), known for collecting sensitive data. Commands for the malware come from a remote server, the address of which is distributed via a Telegram channel.


Three hours after the initial infection, another malicious component was added — a DLL file named cclib.dll. This triggers a PowerShell script (worker.ps1), which connects to the domain soft-gets[.]com to download the primary payload: Fickle Stealer. This advanced spyware steals passwords, autofill data, cookies, and cryptocurrency wallets stored in browsers on the infected machine.


EncryptHub previously used the same malware chain in a major social engineering campaign that affected over 600 organizations globally. The group is particularly notable for its dual strategy: exploiting zero-day Windows vulnerabilities while simultaneously engaging in responsible disclosure of critical Microsoft flaws.


Prodaft researchers emphasize that clicking the "Playtest" button — found in Steam's free games section — launches a fully functional trojan disguised as a legitimate game file. Users, trusting the safety of Steam, remain unaware they’re executing malware since the game loads and runs normally.


The injected code does not affect performance and shows no visible signs during gameplay, making the attack especially deceptive. It's still unclear how EncryptHub gained access to Chemia's Steam build — insider involvement is one possibility. Neither the developers of Chemia nor Valve have issued official statements, despite inquiries from journalists.


Chemia remains available for download, and it's unknown whether the latest version has been cleaned of malicious components. Until official confirmation from Valve or the developer, users are strongly advised not to download the game.


This incident marks the third malware injection into an Early Access Steam game in 2025. Previous cases involved “Sniper: Phantom’s Resolution” in March and “PirateFi” in February. All three incidents share one factor: Early Access status, which suggests a less rigorous auditing process for such titles. Users should exercise extreme caution when installing unfinished or free-to-play games.