A recent patch (Build 19799326) for the Steam game BlockBlasters deployed on August 30, 2025, contained multiple malicious files that exfiltrate system and crypto wallet data to remote C2 servers, potentially impacting hundreds of players. The campaign uses batch/VBS loaders, password-protected archives, Defender exclusion, and two payloads (Client-built2.exe backdoor and Block1.exe StealC stealer) communicating with hxxp://203[.]188[.]171[.]156 and hxxp://45[.]83[.]28[.]99. #StealC #Client-built2.exe
Keypoints
- The BlockBlasters patch (Build 19799326) released on August 30, 2025, included files exhibiting malicious behavior flagged by G DATA MXDR.
- A staged infection deploys a trojan stealer batch (game2.bat) that gathers IP/location, detects AV, harvests Steam login data, and uploads to hxxp://203[.]188[.]171[.]156:30815/upload.
- game2.bat executes VBS loaders (launch1.vbs, test.vbs) which run additional batch payloads (1.bat, test.bat) hidden via cmd.exe without a console.
- 1.bat sets a Microsoft Defender exclusion for the game executable directory, unpacks v3.zip, executes payloads, and checks for Steam to mask malicious activity.
- Two final payloads are deployed: Client-built2.exe (Python-based backdoor connecting to hxxp://203[.]188[.]171[.]156) and Block1.exe (StealC stealer contacting hxxp://45[.]83[.]28[.]99 to harvest browser and wallet data).
- Telemetry shows 100+ downloads and active players; SteamDB flagged the game as “suspicious” and the title was removed from Steam after the incident.
- test.bat collects browser extensions and crypto wallet information and sends it to the attacker C2; archives are password-protected with password “121” to avoid detection.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Batch and VBS scripts (game2.bat, launch1.vbs, test.vbs) used to execute payloads and run commands: ‘…unpacks and executes other files… executes the batch files via cmd.exe with the console hidden…’.
- [T1071] Application Layer Protocol – C2 communication over HTTP to exfiltrate collected data: ‘…Uploading the data collected to their C2 server – hxxp://203[.]188[.]171[.]156:30815/upload’.
- [T1027] Obfuscated Files or Information – Password-protected archives (password “121”) used to hide payloads during download: ‘…unpacks the contents of the archive “v1.zip” … password protected to prevent detection of the payloads during download.’
- [T1140] Deobfuscate/Decode Files or Information – StealC uses RC4 encryption to hide APIs and key strings which are decrypted during execution: ‘…uses RC4 encryption … After decryption, we found it connects to a different C2 channel (hxxp://45[.]83[.]28[.]99)’.
- [T1107] File Deletion – (Implied) Scripts run and then continue without waiting, hiding execution and cleanup via hidden cmd execution: ‘…launch the batch files via cmd.exe with the console hidden and immediately continues without waiting for the script to finish.’
- [T1547] Boot or Logon Autostart Execution – Persistence via installation in the game directory and execution when the game runs to mask behavior: ‘…then run the game executable to mask its malicious behavior’; the script also checks for a running Steam process before acting.
- [T1083] File and Directory Discovery – Malware searches for browser and wallet files across known user data paths to harvest credentials: ‘…tries to search for and steal information from: Google Chrome – “Google\Chrome\User Data\Local State” … Brave … Microsoft Edge …’.
- [T1112] Modify Registry (Defender Exclusion) – Adding Defender exclusion for payload directory to evade detection: ‘…adds the destination folder … to the exemption list for Microsoft Defender Antivirus.’
Indicators of Compromise
- [File Hash] Malicious payload hashes – v1.zip: cd817345f9e62fa8e9b66e47b645278e74f2a2cf59b8a81b88d1b2ec54b9933d; v3.zip: 58a97ab524b704172a8f68fda92daa802b706e397adede410b6475a4eb229c9b.
- [File Hash] Malicious binaries and scripts – Client-built2.exe: 17c3d4c216b2cde74b143bfc2f0c73279f2a007f627e3a764036baf272b4971a; Block1.exe: 59f80ca5386ed29eda3efb01a92fa31fb7b73168e84456ac06f88fdb4cd82e9e.
- [File Name] Malicious scripts in patch – game2.bat (aa1a1328e…), launch1.vbs (c3404f76…), test.vbs (b2f84d59…), 1.bat (e4cae16e…), test.bat (3766a865…) used to stage infection and data collection.
- [C2 Domains/IPs] Command-and-control endpoints – hxxp://203[.]188[.]171[.]156 (data upload and backdoor C2), hxxp://45[.]83[.]28[.]99 (StealC stealer C2).
- [File Paths] Targeted browser data locations – Chrome Local State: Google\Chrome\User Data\Local State; Brave: BraveSoftware\Brave-Browser\User Data\Local State (used to harvest browser and wallet data).
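As an added example (not code from the G DATA report or the game), a small Python triage helper that checks a file-hash manifest and network log lines against the indicators listed above; the manifest, log lines and function names are constructed for illustration and are not real telemetry.

```python
import re
from collections import namedtuple

# SHA-256 values quoted in the report, keyed to the file they belong to.
IOC_SHA256 = {
    "cd817345f9e62fa8e9b66e47b645278e74f2a2cf59b8a81b88d1b2ec54b9933d": "v1.zip",
    "58a97ab524b704172a8f68fda92daa802b706e397adede410b6475a4eb229c9b": "v3.zip",
    "17c3d4c216b2cde74b143bfc2f0c73279f2a007f627e3a764036baf272b4971a": "Client-built2.exe",
    "59f80ca5386ed29eda3efb01a92fa31fb7b73168e84456ac06f88fdb4cd82e9e": "Block1.exe",
}
IOC_IPS = {"203.188.171.156", "45.83.28.99"}  # C2 addresses, refanged from 203[.]188[.]171[.]156 etc.
IOC_NAMES = {"game2.bat", "launch1.vbs", "test.vbs", "1.bat", "test.bat"}  # staging scripts

Hit = namedtuple("Hit", "kind value context")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def check_manifest(manifest):
    """(path, sha256) pairs, e.g. from Get-FileHash; names are checked too, since a re-packed script keeps its name."""
    hits = []
    for path, digest in manifest:
        digest = digest.lower()
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if digest in IOC_SHA256:
            hits.append(Hit("hash", digest, f"{path} matches {IOC_SHA256[digest]}"))
        elif name in IOC_NAMES:
            hits.append(Hit("name", name, f"{path} carries a staging-script name"))
    return hits

def check_network_log(lines):
    """Flag proxy/firewall/EDR log lines naming either C2 address; defanged [.]/hxxp notation is normalised first."""
    hits = []
    for line in lines:
        text = line.replace("[.]", ".").replace("hxxp", "http")
        for ip in sorted(set(IP_RE.findall(text))):
            if ip in IOC_IPS:
                hits.append(Hit("c2", ip, line.strip()))
    return hits

# Constructed sample input (not real telemetry): a known-bad hash, a staging-script name, a clean file, two log lines.
SAMPLE_MANIFEST = [
    (r"C:\Games\BlockBlasters\v1.zip", "CD817345F9E62FA8E9B66E47B645278E74F2A2CF59B8A81B88D1B2EC54B9933D"),
    (r"C:\Games\BlockBlasters\game2.bat", "0" * 64),
    (r"C:\Games\BlockBlasters\BlockBlasters.exe", "1" * 64),
]
SAMPLE_LOG = ["2025-08-30T20:11:05Z host01 POST http://203.188.171.156:30815/upload 200",
              "2025-08-30T20:11:07Z host01 GET http://update.example.test/news 200"]

if __name__ == "__main__":
    for hit in check_manifest(SAMPLE_MANIFEST) + check_network_log(SAMPLE_LOG):
        print(hit.kind, hit.value, "-", hit.context)
```

A hash match is strong evidence; a name-only match (for example a game2.bat with an unknown hash) is a lead that should be confirmed by inspecting the script, since legitimate games rarely ship batch or VBS loaders.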
Read more: https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware