Steam game mod delivered malware on Christmas Day – Epsilon Information Stealer was hidden in a Slay the Spire expansion

Over Christmas, attackers gained access to the Downfall developer’s Steam account and compromised game downloads with a piece of malware called Epsilon Information Stealer. Downfall is a free fan-made mod available on Steam for an indie game called Slay the Spire. The malware only infected the prepackaged standalone modified version of Downfall, not the mod installed via Steam Workshop. We also note that the malware-laced download was only available for one hour before being caught.

Epsilon Information Stealer malware can be used to steal the infected user’s passwords from installed internet browsers, cookies, Discord, Steam, and information stored by Telegram. The developer of Downfall told Bleeping Computer “One of our devices was hit with malware that did not get flagged or blocked by the security we had running on it. As far as I currently know, it was not a password-stealing malware as 2FA did not trigger or stop this, and of the accounts compromised, all were under different e-mail addresses (and none of those addresses themselves were stolen),” but quickly added they couldn’t be sure until a professional assessment of the breach has been completed. 

The developer posted an update in Steam about this breach, recommending that if players saw a Unity popup over Christmas, they should change passwords, especially users without two-factor authentification. They added, “Any account that is set up for mobile 2FA should be immune. You should also be sure your live protection is active and run scans. Though, for full peace of mind, I am electing to reset and wipe all of my drives from my affected hardware.” The developer also said they can be contacted via Discord should an affected user need any help. It’s always a good idea to use a two-authentication system for security by default. 

Epsilon Information Stealer is commonly used for attacks via game community mods. Typically gamers on Discord have been tricked into installing this malware a threat actor pretending the download is an add-on or test build of a game, and they want help to find bugs. 

Using standalone and third-party mods to spread information-stealing malware has been on the rise of late. Minecraft mods were previously favored by attackers to deploy Bleeding Pipe malware to unsuspecting users, for example. Steam has required developers to use an SMS-based security verification system since October to prevent compromised files from being uploaded. We are curious to see the eventual “professional assessment,” to find out how this dose of Epsilon Information Stealer got through.