Full Report
A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. [...]
Analysis Summary
# Incident Report: Vidar Stealer Distributed via "PirateFi" Steam Game
## Executive Summary
The free-to-play game "PirateFi" on the Steam platform was found to be distributing the Vidar infostealing malware to users who downloaded it between February 6th and February 12th, 2025. Up to 1,500 users may have installed the malicious software, exposing them to credential and data theft. Removal of the listing stopped further distribution, but it does nothing for machines already infected: those users need immediate triage and system cleanup.
## Incident Details
- Discovery Date: February 14, 2025
- Incident Date: Occurred between February 6, 2025, and February 12, 2025
- Affected Organization: End users who installed the game; the listing was published under the developer name "Seaworth Interactive." No vulnerability in the Steam platform itself is indicated.
- Sector: Gaming/Software Distribution
- Geography: Global (Steam Platform)
## Timeline of Events
### Initial Access
- Date/Time: On or around February 6, 2025 (Release Date)
- Vector: Malicious software uploaded and distributed via the official Steam store platform.
- Details: The game "PirateFi," published by Seaworth Interactive, passed the platform's initial checks and remained available for download from release until its removal.
### Lateral Movement
- (No details explicitly provided regarding internal network lateral movement, as the primary attack vector was end-user infection upon installation.)
### Data Exfiltration/Impact
- Impact: Distribution of Vidar infostealer, designed to harvest sensitive information (credentials, financial data, cryptocurrency wallets) from infected user machines upon execution.
### Detection & Response
- Detection: Malware was reported as detected "during its upload process." The summary does not reconcile that wording with the roughly six-day window in which the game stayed downloadable, so the exact point of detection is unconfirmed.
- Response Actions: The application was removed from the Steam catalog.
## Attack Methodology
- Initial Access: Software Misuse/Distribution via Trusted Vendor (Steam)
- Persistence: N/A (Focus is on immediate data theft via infostealer execution)
- Privilege Escalation: N/A (Primary attack focuses on user-level compromise upon installation)
- Defense Evasion: Not detailed (the Vidar payload evaded the platform's pre-release scanning long enough to be published; the technique is not described).
- Credential Access: Vidar Infostealer capabilities (Targeting stored browser credentials, cookies, etc.)
- Discovery: N/A (Direct payload delivery)
- Lateral Movement: N/A
- Collection: Vidar toolset used to gather PII, financial data, and cryptocurrency details.
- Exfiltration: Standard Vidar exfiltration mechanisms (not detailed in summary).
- Impact: Theft of user credentials and sensitive data from infected endpoints.
## Impact Assessment
- Financial: Unknown; potential for individual user financial loss due to credential theft.
- Data Breach: Unknown volume; sensitive user data (credentials, potentially cryptocurrency keys) compromised on infected machines.
- Operational: Minimal operational impact on the main platform (Steam), but significant cleanup required for affected users.
- Reputational: Negative impact on user trust regarding software distributed via established platforms.
## Indicators of Compromise
- **Network indicators:** None provided in the summary (no C2 domains or IPs to defang).
- **File indicators:** None provided (no hashes or file names for the Vidar sample are given).
- **Behavioral indicators:** Execution of a game installer that subsequently loads and executes the Vidar malware payload; system scans revealing Vidar components in user directories.
## Response Actions
- **Containment measures:** Removal of the "PirateFi" game listing from the Steam store.
- **Eradication steps:** Users advised to run full system antivirus scans.
- **Recovery actions:** Users advised to check for software newly installed during the distribution window and, if scans cannot establish that the system is clean, to reinstall the OS.
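The behavioral indicators and the recovery advice above both come down to the same host triage: did this machine install "PirateFi" from Steam, and what else appeared on it during the distribution window? The following PowerShell script is an added example, not part of the original report or anything published by Valve; it assumes the Steam client path is recorded in `HKCU\Software\Valve\Steam\SteamPath` (falling back to the default install directory), that library locations are listed in `steamapps\libraryfolders.vdf`, and that the game's install folder and `appmanifest_*.acf` entry carry the name "PirateFi". Because the report gives no hashes, file names or C2 indicators, the script only surfaces candidates for a human or an AV engine to examine; it removes nothing.

```powershell
# Added example (not from the original report): triage a Windows host that may
# have installed "PirateFi" from Steam between 2025-02-06 and 2025-02-12.
# ASSUMPTIONS (not stated in the report): Steam path in the registry or the
# default location; libraries listed in libraryfolders.vdf; install folder
# and appmanifest named "PirateFi". Output is a list of items to review.

$WindowStart = Get-Date '2025-02-06'
$WindowEnd   = (Get-Date '2025-02-12').AddDays(1)   # makes Feb 12 inclusive
$Findings    = @()

# 1. Locate Steam and every library folder it knows about.
$SteamPath = (Get-ItemProperty 'HKCU:\Software\Valve\Steam' -ErrorAction SilentlyContinue).SteamPath
if (-not $SteamPath) { $SteamPath = 'C:\Program Files (x86)\Steam' }
$Libraries = @(Join-Path $SteamPath 'steamapps')
$Vdf = Join-Path $SteamPath 'steamapps\libraryfolders.vdf'
if (Test-Path $Vdf) {
    # libraryfolders.vdf lines look like:   "path"    "D:\\SteamLibrary"
    Select-String -Path $Vdf -Pattern '"path"\s+"([^"]+)"' | ForEach-Object {
        $p = $_.Matches[0].Groups[1].Value -replace '\\\\', '\'
        $Libraries += (Join-Path $p 'steamapps')
    }
}
$Libraries = $Libraries | Sort-Object -Unique

# 2. App manifest and install directory for the game in each library.
foreach ($lib in $Libraries) {
    if (-not (Test-Path $lib)) { continue }
    $Findings += Get-ChildItem -Path $lib -Filter 'appmanifest_*.acf' -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'PirateFi' -Quiet } |
        ForEach-Object { [pscustomobject]@{ Type = 'AppManifest'; Path = $_.FullName; When = $_.LastWriteTime } }
    $dir = Join-Path $lib 'common\PirateFi'
    if (Test-Path $dir) {
        $Findings += [pscustomobject]@{ Type = 'InstallDir'; Path = $dir; When = (Get-Item $dir).CreationTime }
    }
}

# 3. Software registered as installed during the window (Uninstall keys).
#    InstallDate, when present, is a yyyyMMdd string; entries without it are skipped.
$UninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
$Findings += Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', [Globalization.CultureInfo]::InvariantCulture)
        if ($d -ge $WindowStart -and $d -lt $WindowEnd) {
            [pscustomobject]@{ Type = 'InstalledSoftware'; Path = $_.DisplayName; When = $d }
        }
    }

# 4. Executables and DLLs created in user-writable locations during the window.
#    A payload dropped by a game installer tends to land here, not in Program Files.
$UserDirs = $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, (Join-Path $env:USERPROFILE 'Downloads')
$Findings += Get-ChildItem -Path $UserDirs -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $WindowStart -and $_.CreationTime -lt $WindowEnd } |
    ForEach-Object { [pscustomobject]@{ Type = 'NewBinary'; Path = $_.FullName; When = $_.CreationTime } }

$Findings | Sort-Object When | Format-Table Type, When, Path -AutoSize
if ($Findings.Count -eq 0) {
    Write-Host 'No PirateFi artifacts or window-dated installs found. This is not proof of a clean host; run a full AV scan regardless.'
}
```

Run it in an elevated PowerShell session on the suspect machine, not from a remote share. An empty result does not clear the host: the report supplies no file indicators, and an infostealer that has already run and exfiltrated may leave little behind, so the full scan and credential resets in the Recommendations still apply.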
## Lessons Learned
- Malicious actors are capable of packaging malware within legitimate-seeming applications distributed via major platforms like Steam.
- Platform scanning mechanisms, while effective at detection, still allow a window of opportunity for distribution.
## Recommendations
- Users who installed "PirateFi" *must* immediately run comprehensive antivirus/anti-malware scans on the affected system.
- Users should assume every credential stored or entered on the compromised machine is exposed and reset them, especially for financial and other sensitive accounts; because Vidar also harvests browser cookies, active sessions should be revoked as well, and resets should be performed from a device known to be clean.
- Implement stronger post-upload verification checks for new software submissions on distribution platforms.