CyberSecurity SEE

Vidar Stealer 2.0 Exploits Phony Game Cheats on GitHub and Reddit

Hundreds of GitHub Repositories Spread Malware Masquerading as Free Game Cheats, Acronis TRU Reports

The Acronis Threat Research Unit (TRU) has found that hundreds of GitHub repositories which appear to offer “free game cheats” are in fact distributing malware. Prominent among the payloads is the Vidar infostealer, a tool built for data theft. The researchers found that the repositories target nearly every major online game title, and they suspect the true number of malicious repositories runs into the thousands.

The report, published on March 17, not only outlines the extensive reach of these malicious repositories but also highlights a related trend: Reddit posts promoting cheats for popular titles such as Counter-Strike 2 that steer users to fake websites offering downloads of the Vidar 2.0 malware. These posts are carefully disguised, drawing the unwary gamer into a trap that compromises their system.

The Acronis TRU researchers explained that the campaigns delivering the infostealer often originate in Discord chat rooms or Reddit communities dedicated to various online games, where cheating is commonplace. “In their simplest form, campaigns take the shape of an offer for a ‘free’ cheating tool,” the researchers elaborated, underscoring the deceptive nature of these propositions.

Gaming enthusiasts seeking cheats might consider themselves “the perfect victims,” as they actively pursue software that operates outside of legitimate platforms. This quest can lead them to ignore security warnings and be less forthcoming about anomalies in their systems, as they may be well aware that their activities are questionable.

Compounding the problem is the technical nature of cheats, which often require deep access to a user’s system. That expectation makes it easier for cybercriminals to lure users into downloading malware that bypasses traditional security measures. Researchers traced the distribution chain of the Vidar 2.0 infostealer and discovered numerous fake GitHub repositories that conceal the malware under the guise of game cheats or hardware ID (HWID) ban bypass software.

One troubling aspect of this malware delivery method involves executing deceptively named files such as TempSpoofer.exe, Monotone.exe, or CFXBypass.exe. These initial payloads are cleverly disguised as legitimate applications but are, in fact, PowerShell scripts compiled into .NET executables. This allows them to evade standard script-based detections, masking their malicious intent.

The infection process is carefully orchestrated and multi-staged. The first stage adds exclusions to Windows Defender, shielding subsequent malicious payloads from scanning. It then retrieves further instructions from hard-coded Pastebin links, which point to secondary payloads hosted as executables on GitHub. The overall architecture of the attack resembles a malicious cascade, ending in the deployment of the Vidar 2.0 payload, which stealthily infiltrates the user’s system.
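Because the first stage described above relies on adding Windows Defender exclusions, a defender’s most direct check is to audit those exclusions and look for recent configuration changes. The following PowerShell script is an added example, not code from Acronis TRU or from this article; it assumes Microsoft Defender Antivirus is the active engine, that it runs elevated, and it uses a heuristic chosen for this example (flagging exclusions under the user profile or at a drive root) rather than any indicator from the report.

```powershell
# Added example (not from the article or Acronis TRU): audit Microsoft Defender
# exclusions and surface recent exclusion changes recorded by Defender itself.
# Assumes Microsoft Defender Antivirus is active and the script runs elevated.

# --- 1. Current exclusions as reported by the Defender preference cmdlet ---
$pref = Get-MpPreference
$exclusions = @{
    Path      = @($pref.ExclusionPath)
    Extension = @($pref.ExclusionExtension)
    Process   = @($pref.ExclusionProcess)
}

# Heuristic for this example: a loader that wants to hide follow-on payloads
# benefits most from excluding user-writable or overly broad locations.
$reviewRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)

foreach ($kind in $exclusions.Keys) {
    foreach ($entry in $exclusions[$kind]) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $flag = ''
        if ($kind -eq 'Path') {
            $isDriveRoot = $entry -match '^[A-Za-z]:\\?$'
            $underRoot = $reviewRoots | Where-Object {
                $_ -and $entry.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }
            if ($isDriveRoot -or $underRoot) {
                $flag = '  <-- review: drive root or user-writable location'
            }
        }
        Write-Output ('{0,-10} {1}{2}' -f $kind, $entry, $flag)
    }
}

# --- 2. Recent configuration changes logged by Defender (event ID 5007) ---
# Event 5007 ("Configuration has changed") is written when exclusions are
# added, whether through Add-MpPreference, the registry, or Group Policy.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -replace '\s+', ' ')
    }
```

Run it on a host you manage after suspected exposure; an exclusion you did not create, or a 5007 event whose timestamp coincides with the execution of an unknown “cheat” binary, is the signal worth escalating. Removing an unwanted entry is done with Remove-MpPreference -ExclusionPath, but capture the evidence first.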

Once the Vidar Stealer 2.0 payload activates, it creates a hidden directory to stage stolen data and exfiltrates sensitive information to command-and-control servers whose addresses it obtains through Telegram bots and Steam profiles. This lets the operators siphon off a wide array of data, including browser credentials, cookies, autofill data, cryptocurrency wallets, FTP/SSH credentials, and data stored in applications such as Discord and Telegram.

Additional campaigns have been observed employing similar tactics through Reddit posts advertising counterfeit game cheats, further amplifying the threat landscape. For example, one such campaign led users to a malicious site that offered an archive titled EzFrags_Private.zip, containing a self-extracting executable with an invalid digital signature. The execution of this file initiated a chain of commands that obscured the malware, complicating analyst efforts to dissect the malware’s behavior.

A noteworthy aspect of the current threat is the enhanced capabilities of Vidar 2.0. Researchers illustrated how the new version has evolved technically, adopting mechanisms like polymorphic builds and advanced obfuscation techniques designed to confound detection and improve execution speed while concealing its activities. Moreover, the infrastructure supporting Vidar 2.0 is adept at utilizing Telegram and Steam as dead-drop resolvers, significantly enhancing its stealth.

In summary, as malicious software like Vidar 2.0 continues to proliferate amid gaming communities, the implications for cybersecurity are dire. The researchers at Acronis TRU emphasized that the enforcement actions against established infostealers, like Lumma and Rhadamanthys, serve to illustrate how criminal behavior adapts in response to law enforcement. This creates a continuous cycle in the threat landscape, necessitating that defenders remain ever-vigilant and informed about emerging risks.
