Hacker embeds infostealer in Chemia game on Steam

29.07.2025 2 minutes Author: Newsman

The Chemia game on Steam was used as a tool to distribute the Vidar and Fickle Stealer infostealers, which steal passwords, cookies, and crypto wallet data. The attacker, who goes by the nickname EncryptHub, placed the malicious code directly into the game files, and unsuspecting users downloaded the Trojans instead of the game.

On July 22, 2025, researchers from Prodaft discovered that HijackLoader (CVKRUTNP.exe) had been added to the Chemia game files on Steam; it ran in the background and downloaded the Vidar infostealer. A few hours later, a second infostealer, Fickle Stealer, was added to the game, packaged in a DLL file called cclib.dll, which used a PowerShell script to download the main payload from a malicious domain.

The attack was particularly inconspicuous for the player. The game worked properly and did not arouse suspicion, and all the malicious activity took place in the background. The command and control servers were hidden in Telegram channels, and the flow itself could be automated with a script that runs in a second.

This is the third time in a year that attackers have distributed malware through early access games on Steam; the previous cases involved “Sniper: Phantom’s Resolution” (March) and “PirateFi” (February). Steam has not yet commented on the situation, and the game is still available for download.

Chemia is a survival crafting game from Aether Forge, currently in early access with no full release date. Because such games are not strictly audited, Steam allows content to be posted with minimal checks, which is what attackers take advantage of. EncryptHub, also known as Larva-208, has a history of spear-phishing attacks, social engineering, and participating in responsible disclosure of Microsoft vulnerabilities.

This case is another alarming sign of the weak security controls on the Steam platform, especially in early access. If even experienced users cannot detect the infection immediately, then beginners are easy prey for attacks. Until there is an official statement from Valve and the developer, downloading Chemia is strongly discouraged.
