Retro gaming fans are the new target for fake GitHub malware

June 18, 2026

Retro gaming enthusiasts are advised to exercise caution when exploring GitHub projects that claim to offer tools or plugins for their beloved consoles. Cybercriminals have been known to mask standard computer malware as homebrew software, a tactic that can affect any retro platform boasting an active modding community, not just a single console.

One notable instance targeted PlayStation Vita owners with a deceptive project masquerading as a free audio tool, which, in reality, unleashed Windows malware onto unsuspecting computers. The project, dubbed EQVita, presents itself as a typical homebrew plugin, complete with a polished README, a prominent download button, engaging screenshots, and an aesthetically pleasing layout. However, the downloaded file contains no Vita-compatible content; instead, it harbors three Windows files, one of which—a seemingly innocuous text file—conceals a hidden script that connects to the attacker’s server upon execution.

This incident is not isolated. Researchers have identified a trend where attackers utilize counterfeit GitHub repositories—often enhanced with AI-generated descriptions—to disseminate a type of malware known as SmartLoader. This malware subsequently retrieves additional malicious software designed to steal passwords and cryptocurrency wallets, including notorious variants like Lumma Stealer. The EQVita download employs a similar strategy, cleverly tailored to attract retro gaming aficionados.

Why this targets the Vita community

For those unfamiliar with retro consoles, the PS Vita may seem inconsequential. Yet, for a vibrant and dedicated community, it holds significant value, making it an appealing target for cybercriminals. Personally, I have a fondness for the Vita; I purchased my own second-hand model a decade ago, and it continues to perform admirably. Its extensive library ensures that there’s always something worth revisiting, a sentiment echoed by many others.

Despite Sony ceasing production of the Vita years ago, fans have breathed new life into the device by developing their own software, including emulators, file managers, and plugins. A modified Vita can seamlessly run its own PSP games and emulate classic systems like the SNES, Game Boy Advance, and Sega Genesis, transforming the handheld into a versatile retro machine. As we approach 2026, the modding scene remains robust, with active developers and even homebrew contests offering cash prizes.

This growing interest is reflected in the resale market, where working Vitas have become coveted retro items. With no new units produced since 2019, prices have surged across major marketplaces, particularly for the older OLED model, which is favored by modders for its firmware. Consequently, more individuals are acquiring Vitas specifically for modification, leading to an increased demand for plugins and tools.

Such enthusiasm is precisely what attackers exploit. Homebrew users are accustomed to downloading files from GitHub, placing them into folders, and executing them. This entire hobby hinges on trusting code from individual developers, making a counterfeit “Vita plugin” an effective means for scammers to trick users into running malicious software.

How the scam works

The download file, EQVitav1.3.zip, contains three files:

  • Launch.bat
  • luajit.exe
  • x64.txt

The clever aspect of this scam lies in the use of luajit.exe, a legitimate program designed to run scripts. The batch file instructs it to open x64.txt. Despite its .txt extension, this file is not a text document; rather, it conceals a hidden script that LuaJIT executes. This deceptive naming convention allows it to appear harmless and easily overlooked. Researchers have noted a similar setup in the SmartLoader campaign, where the only perilous file is the disguised script, while the surrounding files appear legitimate.

Upon execution, the script first determines the computer’s geographical location before quietly contacting an internet server and transmitting data, using an encoded web address. The server then responds. An audio plugin has no legitimate reason to engage in such behavior; this is characteristic of a malware “loader,” which communicates with the attacker’s server to receive further instructions and download additional malicious components. In this case, the subsequent payload typically includes malware that seeks out cryptocurrency wallets, saved browser passwords, and login credentials.

Fortunately, Malwarebytes effectively blocks this threat, preventing protected users from executing the harmful file.

How to spot the fake

Most Vita plugins are installed directly on the device using tools like VitaShell or Autoplugin, and they typically come in the form of Vita files (with extensions such as .skprx or .vpk). Some legitimate tools in the scene do run on a PC, so the presence of a Windows program does not automatically indicate danger, but it is crucial to verify what it is before executing it.

Consider the following checks:

  • Match the file to the device and verify PC tools. Most Vita plugins are designed for the Vita, not Windows. While some legitimate tools run on a PC, ensure that they are well-known and trusted before proceeding.
  • Be wary of “Download Now” polish. Authentic homebrew READMEs are typically crafted for users by developers. In contrast, fake repositories often rely on AI-generated text that resembles marketing material, replete with emojis, friendly language, and prominent download buttons. Projects that rush you to click should raise red flags.
  • Stick to trusted sources. Established community hubs and trusted-source lists exist for a reason; always check before downloading.
  • Add another layer of protection. Utilizing tools like Malwarebytes Browser Guard can help block known malicious pages and downloads before they reach your device.
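The first check can be done on the archive itself before anything is unpacked or run. The following is an added example, not code from the original article or from any tool it mentions: it inspects a zip in memory and flags the layout described under "How the scam works" (no Vita files, Windows executables, a bundled script interpreter, and a batch file that feeds the interpreter a harmless-looking data file). The extension lists beyond .skprx, .vpk and luajit.exe, the finding names, and the contents of the sample Launch.bat are assumptions constructed for illustration.

```python
import io
import re
import zipfile

VITA_EXTS = {".skprx", ".vpk"}            # Vita formats named in the article
WINDOWS_EXTS = {".exe", ".bat", ".cmd", ".dll"}
INTERPRETERS = {"luajit.exe"}             # from the article; extend as needed
DATA_EXTS = {".txt", ".dat", ".log"}      # assumed "harmless-looking" extensions

def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _ext(name):
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def triage_archive(data):
    """Inspect a zip held in memory; nothing is extracted to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = {_base(n): n for n in zf.namelist() if not n.endswith("/")}
        if not any(_ext(b) in VITA_EXTS for b in files):
            findings.append("no-vita-files")
        if any(_ext(b) in WINDOWS_EXTS for b in files):
            findings.append("windows-executables")
        if INTERPRETERS & files.keys():
            findings.append("bundled-interpreter")
        for b, full in files.items():
            if _ext(b) not in {".bat", ".cmd"}:
                continue
            script = zf.read(full).decode("utf-8", "replace")
            for line in script.splitlines():
                toks = [_base(t) for t in re.findall(r'[^\s"]+', line)]
                runs = any(t in INTERPRETERS or t + ".exe" in INTERPRETERS for t in toks)
                fed = [t for t in toks if _ext(t) in DATA_EXTS and t in files]
                if runs and fed:  # interpreter invoked on a file that is not named as a script
                    findings.append("interpreter-runs-data-file:" + fed[0])
    return findings

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: placeholder bytes only, laid out like the archive described above.
SUSPECT = make_zip({"Launch.bat": b"@echo off\r\nstart luajit.exe x64.txt\r\n",
                    "luajit.exe": b"MZ-placeholder", "x64.txt": b"placeholder"})
BENIGN = make_zip({"plugin.skprx": b"placeholder", "README.md": b"# notes"})

if __name__ == "__main__":
    print(triage_archive(SUSPECT))
    print(triage_archive(BENIGN))
```

An empty result does not mean a download is safe; the findings only show that an archive's contents do not match what a Vita plugin should contain.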

What to do if you’ve already run it

If you have inadvertently downloaded and executed EQVitav1.3.zip, it is essential to treat your computer as compromised. Here’s a recommended course of action:

  • Conduct a comprehensive malware scan using up-to-date security software.
  • Since this campaign delivers information-stealing malware, change your important passwords from a different, secure device, and monitor your accounts for any unauthorized access.
  • If you store cryptocurrency on that computer, transfer your funds using a different, clean device, and rotate your keys and seed phrases.
  • Review your two-factor authentication (2FA) settings, as stealers can also target 2FA data.
  • Finally, delete the three files and report the GitHub repository to facilitate its removal.

Why this scam works

This scam succeeds because it does not exhibit the typical hallmarks of a fraudulent scheme. It resides on GitHub, a platform where homebrew users inherently place their trust. By employing a legitimate, harmless tool to execute its malicious intent and concealing the dangerous component within a file that appears to be plain text, it bypasses the cursory checks most individuals perform.

What makes this particular scam noteworthy is its target audience. Retro communities thrive on goodwill, with volunteers dedicated to preserving old hardware, sharing their work freely, and vouching for one another’s tools. This trust is precisely what the campaign exploits, and each counterfeit repository that evades detection makes it increasingly challenging to trust genuine projects.

The most effective defense lies in the very practices that these communities already uphold: maintaining trusted-source lists, establishing comprehensive wikis, and encouraging individuals to test and report back on tools. Always verify the source of a file before executing it, and when discrepancies arise, voice your concerns. Such vigilance is vital for safeguarding the integrity of the scene for all its participants.

Indicators of Compromise (IOCs)

Domains

https://github.com/Voistace/EQVita
https://voistace.github.io

IP

85.137.52.21 C2

