Full Report
Cybercriminals are exploiting major e-sports tournaments to target players of the popular video game Counter-Strike 2 (CS2), researchers have found.
Analysis Summary
# Tool/Technique: XMRig Cryptominer
## Overview
XMRig is a publicly available, open-source CPU-based cryptomining software initially created for Monero (XMR). In this context, malicious actors are using modified or compromised versions of popular pirated video games to clandestinely install and execute the XMRig software on victims' devices for the purpose of cryptocurrency mining.
## Technical Details
- Type: Malware (Cryptomining Software utilized via Pirated Software Distribution)
- Platform: Likely Windows (implied by common video game piracy ecosystem), but XMRig supports multiple platforms.
- Capabilities: Stealthily mines cryptocurrency (likely Monero) using the victim's CPU resources.
- First Seen: XMRig itself has been in use for years; the specific distribution method via pirated games mentioned here was discovered in early [Current Year - 1].
## MITRE ATT&CK Mapping
The deployment and execution described map primarily to the Execution and Persistence tactics, with supporting Defense Evasion and Command and Control techniques:
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (Likely persistence mechanism used by embedded malware)
- **TA0005 - Defense Evasion**
  - T1070.004 - File Deletion (To cover tracks)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (For connecting to mining pools)
## Functionality
### Core Capabilities
- Utilizing the victim's CPU cycles to mine specified cryptocurrencies.
- Operating in conjunction with legitimate (but pirated) game executables or being bundled within them.
### Advanced Features
- The threat actor is leveraging the distribution vector of pirated games (e.g., hosting on torrent sites) to achieve widespread, unsuspicious initial deployment.
- Likely configured to run minimized or attempt to avoid detection by common security software.
## Indicators of Compromise
- File Hashes: [Not disclosed in the article]
- File Names: Malicious versions of games such as *BeamNG.drive*, *Garry’s Mod*, *Dyson Sphere Program*, *Universe Sandbox*, and *Plutocracy*.
- Registry Keys: [Not disclosed in the article, but expected for persistence]
- Network Indicators: Connections to cryptocurrency mining pools (defanged example: `pool[.]support[.]org`).
- Behavioral Indicators: High, sustained CPU utilization when no legitimate application (like the pirated game) is actively in the foreground or under heavy load.
## Associated Threat Actors
- Suspected Russian-speaking hackers (as discovered by Kaspersky).
## Detection Methods
- Signature-based detection: Signatures for known XMRig binaries or packers used to conceal them.
- Behavioral detection: Monitoring for processes exhibiting high CPU usage characteristic of known miners, particularly those masquerading as game executables.
- YARA rules: Rules targeting code segments or strings unique to the deployed XMRig payload.
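The behavioral check above (sustained CPU load from a process that is not the foreground window, plus any connection to a mining-pool host), worked as an added example that is not part of the original report. The telemetry records and the pool watchlist are constructed; the watchlist host is the report's own defanged example, re-fanged for matching.

```python
"""Behavioral triage of process telemetry for a miner masquerading as a game executable.

A process is flagged when its CPU stays at or above CPU_THRESHOLD for SUSTAINED_SAMPLES
consecutive samples while it is NOT the foreground window (a game being played is
expected to burn CPU; a "game" doing so in the background is not), or when it opens
a connection to a host on the pool watchlist.
"""
from collections import defaultdict

CPU_THRESHOLD = 80.0      # percent of total CPU
SUSTAINED_SAMPLES = 3     # consecutive samples, e.g. 3 x 60 s
POOL_WATCHLIST = {"pool.support.org"}   # constructed watchlist (report's defanged example)

# Constructed telemetry: (timestamp_s, pid, image, cpu_pct, is_foreground, remote_host)
SAMPLE_TELEMETRY = [
    (0,   4120, "BeamNG.drive.exe", 92.0, True,  None),   # user is actually playing
    (60,  4120, "BeamNG.drive.exe", 95.0, True,  None),
    (120, 4120, "BeamNG.drive.exe", 90.0, True,  None),
    (0,   5133, "GarrysMod.exe",    88.0, False, None),   # "game" burning CPU in background
    (60,  5133, "GarrysMod.exe",    91.0, False, "pool.support.org"),
    (120, 5133, "GarrysMod.exe",    89.0, False, None),
    (0,   6001, "explorer.exe",      3.0, False, None),
]

def triage(records):
    """Return {pid: sorted list of reasons} for processes that look like miners."""
    streak = defaultdict(int)     # consecutive high-CPU background samples per pid
    reasons = defaultdict(set)
    for _ts, pid, image, cpu, foreground, host in sorted(records, key=lambda r: (r[0], r[1])):
        # Sustained background CPU: high load while the user is not using the window.
        if cpu >= CPU_THRESHOLD and not foreground:
            streak[pid] += 1
            if streak[pid] >= SUSTAINED_SAMPLES:
                reasons[pid].add(f"{image}: sustained background CPU >= {CPU_THRESHOLD:.0f}%")
        else:
            streak[pid] = 0
        # Network: any connection to a watchlisted pool host is a reason on its own.
        if host in POOL_WATCHLIST:
            reasons[pid].add(f"{image}: connection to pool host {host}")
    return {pid: sorted(r) for pid, r in reasons.items()}

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_TELEMETRY).items():
        print(pid, why)
```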
## Mitigation Strategies
- Prevention: Never download or execute software, especially games, from untrusted sources such as torrent sites.
- Hardening recommendations: Implement application whitelisting where possible, and ensure comprehensive endpoint detection and response (EDR) solutions are monitoring resource utilization spikes.
## Related Tools/Techniques
- Malware using compromised video games for distribution (similar to the **Wannacry phishing campaign** targeting Enlisted).
- Other resource-abuse malware, such as other cryptominers (e.g., Gh0st Miner).
***
# Tool/Technique: Streamjacking Scams (Impersonation on YouTube)
## Overview
A social engineering technique where attackers compromise legitimate YouTube accounts (usually belonging to professional esports players), rebrand them, and launch fake, looping livestreams to impersonate popular figures (e.g., s1mple, NiKo, donk) during major tournaments (e.g., IEM Katowice 2025). The goal is to defraud viewers by directing them to fraudulent external sites promising cryptocurrency, CS2 skins, or cases.
## Technical Details
- Type: Technique (Social Engineering/Impersonation Scam)
- Platform: YouTube and associated streaming infrastructure.
- Capabilities: Account hijacking, video looping, real-time display of malicious links/QR codes, convincing impersonation leveraging follower trust.
- First Seen: Specific campaigns targeting CS2 tournaments coincide with event dates (e.g., IEM Katowice 2025, PGL Cluj-Napoca 2025).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access** (via compromise of the YouTube account)
- **TA0006 - Credential Access** (to gain control of the account)
- **TA0011 - Command and Control** (via directing users to external malicious sites)
- **TA0009 - Collection** (if user data is exfiltrated from landing pages)
- [T1562.008 - Impersonation: Visual Impersonation] (Video looping and channel branding)
- [T1566.001 - Phishing: Spearphishing Attachment/Link] (Directing users via stream overlay)
## Functionality
### Core Capabilities
- Hiding malicious activity (scam links) within high-traffic live events.
- Exploiting the trust viewers place in established professional gamers.
- Using pre-recorded or old gameplay footage to give the appearance of live interaction.
### Advanced Features
- Targeting viewers during peak viewership times around major esports events to maximize fraudulent click-through rates.
- Utilizing QR codes as an additional vector for mobile users to access malicious landing pages.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Malicious domains/URLs displayed on screen promising free rewards (defanged example: `csgo-giveaway[.]net`, `crypto-claim[.]io`).
- Behavioral Indicators: YouTube channels suddenly changing branding to mimic known high-profile players immediately before or during major tournaments.
## Associated Threat Actors
- Unspecified cybercriminals running impersonation scams.
## Detection Methods
- Signature-based detection: None specific to the stream content, but platform moderation is key.
- Behavioral detection: Monitoring links posted in stream chats or overlays that lead to known high-risk or newly registered domains.
- YARA rules: [N/A]
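The link-monitoring check above (links in chat or overlays that point at high-risk or newly registered domains), worked as an added example that is not part of the original report. The chat lines, the high-risk list and the registration-date table (a stand-in for a WHOIS/RDAP creation-date lookup) are all constructed; the domains are the report's own defanged examples, re-fanged for matching.

```python
"""Triage of links seen in a stream chat or overlay.

A link is flagged if its registrable domain is on the high-risk list, has no
registration record, or was registered within MAX_AGE_DAYS of the stream date.
"""
import re
from datetime import date

MAX_AGE_DAYS = 30
STREAM_DATE = date(2025, 2, 8)   # constructed: a day inside the IEM Katowice 2025 window

# Constructed stand-in for a WHOIS/RDAP "creation date" lookup.
REGISTRATION_DATES = {
    "csgo-giveaway.net": date(2025, 2, 1),
    "crypto-claim.io":   date(2025, 1, 30),
    "hltv.org":          date(2002, 9, 2),
}
HIGH_RISK_DOMAINS = {"crypto-claim.io"}   # constructed

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s]*")

def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Enough for the constructed inputs;
    a real deployment would consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])

def triage_links(chat_lines, today=STREAM_DATE):
    """Return {url: reason} for links that warrant a moderation check."""
    flagged = {}
    for line in chat_lines:
        for m in URL_RE.finditer(line):
            url, domain = m.group(0), registrable_domain(m.group(1))
            if domain in HIGH_RISK_DOMAINS:
                flagged[url] = f"{domain} is on the high-risk list"
                continue
            created = REGISTRATION_DATES.get(domain)
            if created is None:
                flagged[url] = f"{domain} has no registration record"
            elif (today - created).days <= MAX_AGE_DAYS:
                flagged[url] = f"{domain} registered {(today - created).days} days ago"
    return flagged

SAMPLE_CHAT = [  # constructed chat lines
    "s1mple_official: claim your free knife -> https://csgo-giveaway.net/claim",
    "fan123: match stats https://www.hltv.org/matches",
    "NiKo_stream: https://crypto-claim.io/x?ref=qr",
]

if __name__ == "__main__":
    for url, reason in triage_links(SAMPLE_CHAT).items():
        print(url, "->", reason)
```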
## Mitigation Strategies
- Prevention: Users should never trust unsolicited links or QR codes embedded in streams, especially when "too good to be true" offers (free skins/crypto) are presented.
- Hardening recommendations: YouTube account owners should utilize strong MFA and review account access logs frequently.
## Related Tools/Techniques
- General account takeover techniques.
- Traditional phishing/scam campaigns targeting gamers for in-game items.
***
# Tool/Technique: Distributed Denial of Service (DDoS) Attack
## Overview
A large-scale attack aimed at crippling the service availability of major gaming platforms. In one mentioned incident, a DDoS attack targeted Activision Blizzard systems responsible for user authentication and connectivity, preventing users from accessing games like *Diablo IV*, *World of Warcraft*, and *Call of Duty*.
## Technical Details
- Type: Technique (Service Disruption)
- Platform: Game servers and authentication infrastructure (e.g., Activision Blizzard services).
- Capabilities: Overwhelming target servers and network resources with massive traffic volume, leading to denial of service.
- First Seen: The incident mentioned occurred in [Year - 1].
## MITRE ATT&CK Mapping
- **TA0010 - Impact**
  - T1499.001 - Resource Hijacking: Network Service
## Functionality
### Core Capabilities
- Flooding network resources to exhaust bandwidth or processing power.
- Causing widespread service outages for legitimate users.
### Advanced Features
- [N/A: the DDoS described is a blunt-force technique.]
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Spikes in malicious traffic volume directed at game login or service endpoints (defanged example: `auth[.]activisionblizzard[.]com`).
- Behavioral Indicators: Inability to authenticate or connect to online services.
## Associated Threat Actors
- Unspecified actors, though large-scale DDoS attacks targeting gaming companies are common.
## Detection Methods
- Signature-based detection: Rate-limiting, specific flood signatures (SYN floods, UDP floods).
- Behavioral detection: Anomaly detection systems flagging abnormal ingress traffic volumes against established baselines.
- YARA rules: [N/A]
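The baseline check above (flagging abnormal ingress volume against an established baseline), worked as an added example that is not part of the original report. The per-minute request counts for a login endpoint are constructed; the window, sigma and ratio thresholds are assumptions.

```python
"""Flag abnormal ingress volume against a rolling baseline.

A minute is alerted when its request count exceeds the baseline mean by more than
SIGMA_THRESHOLD standard deviations AND by at least MIN_RATIO times the mean. The
ratio guard stops a very stable (tiny-variance) baseline from alerting on trivial
bumps. Alerted minutes are excluded from later baselines so that a flood does not
pull the baseline up and hide its own continuation.
"""
from statistics import mean, pstdev

BASELINE_WINDOW = 10    # minutes of clean history used as the baseline
SIGMA_THRESHOLD = 4.0
MIN_RATIO = 3.0

# Constructed: requests/minute to the login endpoint; the flood begins at minute 12.
SAMPLE_SERIES = [1200, 1180, 1250, 1210, 1190, 1230, 1205, 1215, 1195, 1240,
                 1220, 1210, 48000, 95000, 120000, 1225]

def detect_floods(series, window=BASELINE_WINDOW):
    """Return a list of (minute_index, count, baseline_mean) for breaching minutes."""
    alerts = []
    clean = []   # history with alerted minutes removed
    for i, count in enumerate(series):
        if len(clean) >= window:
            hist = clean[-window:]
            mu, sigma = mean(hist), pstdev(hist)
            if count > mu + SIGMA_THRESHOLD * sigma and count >= MIN_RATIO * mu:
                alerts.append((i, count, mu))
                continue          # do not let the flood contaminate the baseline
        clean.append(count)
    return alerts

if __name__ == "__main__":
    for minute, count, mu in detect_floods(SAMPLE_SERIES):
        print(f"minute {minute}: {count} req/min vs baseline {mu:.0f}")
```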
## Mitigation Strategies
- Prevention: Employing robust DDoS mitigation services (cloud-based protection).
- Hardening recommendations: Traffic shaping, rate limiting, and maintaining geographically distributed infrastructure.
## Related Tools/Techniques
- Other attacks targeting game integrity or availability.