Gamers Warned as BlockBlasters Patch Installs Malicious Software

The popular 2D platformer-shooter BlockBlasters has been removed from Steam following alarming revelations about a late-August patch that contained harmful components capable of compromising players’ sensitive information. Developed by Genesis Interactive, the game initially received positive reviews upon its July release. However, the update rolled out on August 30 (Build 19799326) introduced malware that jeopardized the security of hundreds of users.

Security firm G DATA identified the threat, confirming that the patch was not merely a routine bug fix but rather a sophisticated multi-stage operation aimed at stealing personal information.

Trojan Batch Scripts and Stealer Malware

According to the analysis, the malicious sequence is initiated by a file named game2.bat. This script uses built-in Windows commands to gather data, including the machine's IP-based location, Steam login details (SteamID, AccountName, PersonaName, RememberPassword), and information about installed antivirus software.

The gathered data is subsequently transmitted to a command-and-control (C2) server located at 203[.]188[.]171[.]156:30815/upload. In a clever evasion tactic, the malware checks whether Windows Defender is the only antivirus product present; if so, it unpacks password-protected archives containing additional payloads.

The batch file then executes two Visual Basic scripts, launch1.vbs and test.vbs, which in turn run further payload batch files. These scripts are designed to collect browser extensions and extract data from locally installed cryptocurrency wallets, a growing target for infostealer campaigns. Evidence suggests that the harvested information is sent back to the same C2 server.

The infection escalates when 1.bat alters Microsoft Defender settings to exclude the game’s binary subdirectory from scans, allowing the malicious executables to operate without detection. Once these exclusions are established, the malware launches additional payloads while simultaneously executing the game process to disguise its activities.
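Defender records every configuration change, including a newly added exclusion, as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so the step described above leaves a trace a defender can hunt for. The following script is an added example and not code from the article or from G DATA: it parses lines shaped like the 5007 message text (the sample lines are constructed for this example) and raises the severity when an exclusion lands under a Steam game folder, where content arrives from a third party through the store's update channel.

```python
r"""Flag Microsoft Defender configuration changes that carve out a game folder.

Added example, not from the article or G DATA. Defender logs configuration
changes as event ID 5007; the message names the changed registry value, e.g.
  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\<dir> = 0x0
The SAMPLE_EVENTS lines below are constructed to that shape for this example.
"""
import re
from typing import List, NamedTuple

# Constructed sample lines: "<event id> <message>" in the shape of Defender's 5007 text.
SAMPLE_EVENTS = [
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value: ; New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Steam"
    r"\steamapps\common\BlockBlasters\Binaries = 0x0",
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value: ; New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Dev\build = 0x0",
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0; "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

# An exclusion add shows up as "...\Exclusions\<kind>\<target> = 0x0".
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+?) = 0x0$"
)
# A protection feature being switched off shows up as "...\Disable<Feature> = 0x1".
TAMPER_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(?P<setting>Disable\w+) = 0x1$"
)
# Folders whose contents are written by a third party through a store's update
# channel; an exclusion here lets a malicious patch run unscanned.
THIRD_PARTY_MARKERS = ("\\steamapps\\common\\",)


class Finding(NamedTuple):
    severity: str
    reason: str
    detail: str


def classify_exclusion(kind: str, target: str) -> Finding:
    """Rate an exclusion by how much unscanned third-party content it admits."""
    if kind == "Paths" and any(m in target.lower() for m in THIRD_PARTY_MARKERS):
        return Finding("high", "path exclusion covers a Steam game folder", target)
    if kind == "Processes":
        return Finding("medium", "process exclusion added", target)
    return Finding("low", f"{kind.lower()} exclusion added", target)


def analyze_defender_events(lines) -> List[Finding]:
    """Return one Finding per 5007 line that adds an exclusion or disables protection."""
    findings = []
    for line in lines:
        if not line.startswith("5007 "):
            continue  # only configuration-change events are of interest here
        if m := EXCLUSION_RE.search(line):
            findings.append(classify_exclusion(m["kind"], m["target"]))
        elif m := TAMPER_RE.search(line):
            findings.append(Finding("high", "real-time protection setting disabled", m["setting"]))
    return findings


if __name__ == "__main__":
    for f in analyze_defender_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.detail}")
```

On a real host the lines would come from the Operational log (for example exported with wevtutil or Get-WinEvent) rather than from the constructed list; the parser only needs the message text. An exclusion under steamapps\common is rated high because the folder is exactly where a compromised patch such as the one in this story is written.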

The key binaries involved include Client-built2.exe and Block1.exe. The former serves as a backdoor, written in compiled Python, granting remote operators ongoing access. The latter is a variant of the StealC malware family, crafted in C++, which collects user data from browsers such as Google Chrome, Microsoft Edge, and Brave.

Notably, StealC obscures its strings with RC4, a stream cipher long considered weak, and connects to a secondary C2 server at 45[.]83[.]28[.]99 for data exfiltration.

Steam Removes Game Amid Player Backlash

Telemetry from SteamDB and Gamalytic indicates that over 100 players downloaded the compromised build, with 1–4 players actively engaged at any given time in early September. Reports surfaced of at least one streamer becoming infected during a charity livestream, underscoring the tangible repercussions of such cyber threats.

[Figure: BlockBlasters patch files as listed on SteamDB]

In light of these developments, BlockBlasters has been flagged as “suspicious” and subsequently removed from Steam. This incident reflects a concerning trend of malicious games infiltrating the platform, reminiscent of previous infections from titles like PirateFi and Chemia.

Security experts caution that this trend highlights how threat actors are capitalizing on the trust gamers place in digital distribution platforms. Players are advised to uninstall BlockBlasters from their systems immediately, conduct thorough antivirus scans, and vigilantly monitor their cryptocurrency wallets and accounts for any unusual activity.

Indicators of Compromise

  • [1] Game2.bat
    SHA-256: aa1a1328e0d0042d071bca13ff9a13116d8f3cf77e6e9769293e2b144c9b73b3
    Detection: BAT.Trojan-Stealer.StimBlaster.F
  • [2] Launch1.vbs
    SHA-256: c3404f768f436924e954e48d35c27a9d44c02b7a346096929a1b26a1693b20b3
    Detection: Script.Malware.BatchRunner.A@ioc
  • [3] Test.vbs
    SHA-256: b2f84d595e8abf3b7aa744c737cacc2cc34c9afd6e7167e55369161bc5372a9b
    Detection: Script.Malware.BatchRunner.A@ioc
  • [4] 1.bat
    SHA-256: e4cae16e643a03eec4e68f7d727224e0bbf5415ebb0a831eb72cb7ff31027605
    Detection: BAT.Trojan-Stealer.StimBlaster.I@ioc
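The hashes above are the actionable part of this story for anyone who had the game installed. The script below is an added example (not from the article or G DATA) that walks a directory tree, hashes every file, and reports hash hits against the four published values; it also reports weak name-only hits for the file names mentioned in the article, which are worth a look but not conclusive on their own. The sample directory it builds contains only constructed placeholder files.

```python
"""Scan a directory tree for the BlockBlasters IoC hashes published in the article.

Added example, not code from the article or G DATA. Hash matches are
conclusive; file-name matches are a weak hint (test.vbs is a common name).
"""
import hashlib
import tempfile
from pathlib import Path
from typing import NamedTuple

# SHA-256 values and detection names exactly as published in the article's IoC list.
BLOCKBLASTERS_IOCS = {
    "aa1a1328e0d0042d071bca13ff9a13116d8f3cf77e6e9769293e2b144c9b73b3":
        "Game2.bat (BAT.Trojan-Stealer.StimBlaster.F)",
    "c3404f768f436924e954e48d35c27a9d44c02b7a346096929a1b26a1693b20b3":
        "Launch1.vbs (Script.Malware.BatchRunner.A@ioc)",
    "b2f84d595e8abf3b7aa744c737cacc2cc34c9afd6e7167e55369161bc5372a9b":
        "Test.vbs (Script.Malware.BatchRunner.A@ioc)",
    "e4cae16e643a03eec4e68f7d727224e0bbf5415ebb0a831eb72cb7ff31027605":
        "1.bat (BAT.Trojan-Stealer.StimBlaster.I@ioc)",
}
# File names mentioned in the article; matched case-insensitively.
SUSPICIOUS_NAMES = {"game2.bat", "launch1.vbs", "test.vbs", "1.bat",
                    "client-built2.exe", "block1.exe"}


class Match(NamedTuple):
    path: str
    kind: str    # "hash" (strong) or "name" (weak)
    detail: str


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large game assets are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=BLOCKBLASTERS_IOCS, names=SUSPICIOUS_NAMES):
    """Walk `root` and report files whose hash or name matches the IoC list."""
    matches = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = sha256_of(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if digest in iocs:
            matches.append(Match(str(path), "hash", iocs[digest]))
        elif path.name.lower() in names:
            matches.append(Match(str(path), "name", f"file name matches {path.name.lower()}"))
    return matches


def make_constructed_sample() -> str:
    """Create a throwaway directory of constructed placeholder files (none is malware)."""
    root = tempfile.mkdtemp(prefix="iocscan_")
    Path(root, "readme.txt").write_bytes(b"hello")
    Path(root, "Binaries").mkdir()
    Path(root, "Binaries", "Game2.bat").write_bytes(b"@echo benign placeholder\r\n")
    return root


# SHA-256 of the bytes b"hello"; a constructed IoC used only to exercise the hash path.
CONSTRUCTED_IOCS = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": "constructed test hash",
}

if __name__ == "__main__":
    sample = make_constructed_sample()
    for m in scan_tree(sample):
        print(m.kind, m.path, m.detail)
```

To scan a real install, call scan_tree on the game's folder under steamapps\common, or on the whole Steam library; treat any "hash" match as confirmed and any "name" match as a prompt to inspect the file. Hash matching only finds the exact published samples, so a clean result does not rule out a variant; the antivirus scan the article recommends still applies.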
