BlockBlasters: When a Steam Game Turns Into a Malware Delivery Vehicle

What began as a promising indie platformer has turned into one of the most alarming cases of malware-laced games on Steam in 2025. According to G DATA Security Lab, the 2D shooter BlockBlasters released a patch on August 30, 2025 (Build 19799326) that introduced malicious files capable of stealing credentials, browser data, and even crypto wallet information.

BlockBlasters launched on July 31, 2025, receiving positive reviews and building a modest player base. But just a month later, the update began siphoning sensitive data from unsuspecting users.

As the report explains, “while the user is playing the game, various bits of information are lifted from the PC the game is running on – including crypto wallet data. Hundreds of users are potentially affected.”

This incident echoes a rising trend of malware hidden in Steam titles, following previous cases like PirateFi and Chemia, where attackers injected malicious binaries into early access or free-to-play games.

The infection chain starts with a suspicious batch file named game2.bat, which performs several malicious functions uncommon for legitimate game processes:

  • Collects IP and geolocation via ipinfo[.]io and ip[.]me.
  • Detects antivirus software processes.
  • Steals Steam login details including SteamID, AccountName, and PersonaName.
  • Uploads stolen data to a C2 server at hxxp://203[.]188[.]171[.]156:30815/upload.
  • Executes hidden VBS launcher scripts (launch1.vbs and test.vbs).

The script then unpacks the password-protected archive (v1.zip) only if Windows Defender is the sole antivirus product found running, an evasion trick designed to avoid detection by other security products.

The VBS scripts function as loaders, running additional batch files (1.bat and test.bat) silently.

The test.bat script harvests browser extensions and crypto wallet information, exfiltrating the data to the attacker’s C2 server.

The main batch file, 1.bat, takes an extra step to disable protections: “It adds the destination folder of the executables found inside the v3.zip archive to the exemption list for Microsoft Defender Antivirus. This will ignore the destination folder during security scans and behavior checks.”

Two critical payloads are then deployed:

  • Client-built2.exe – a Python-based backdoor connecting back to the same C2.
  • Block1.exe – a StealC malware variant, capable of extracting stored data from Chrome, Brave, and Edge browsers.

G DATA observed that “this StealC malware uses RC4 encryption (which has been deprecated years ago) to hide its APIs and key strings… it connects to a different C2 channel hxxp://45[.]83[.]28[.]99.”
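The indicators described above lend themselves to a simple triage check over endpoint telemetry. The following script is an added example written for this summary, not code from G DATA or from the report; it assumes a simplified pipe-delimited event format, and the file paths, the constructed event lines and the PowerShell exclusion command are illustrative assumptions rather than details taken from the analysis.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above (refanged here so they match raw telemetry).
C2_HOSTS = {"203.188.171.156", "45.83.28.99"}
ARTIFACTS = sorted({"game2.bat", "launch1.vbs", "test.vbs", "1.bat", "test.bat",
                    "client-built2.exe", "block1.exe"})

@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str

# Constructed sample events in a simplified pipe-delimited format (not real Sysmon output).
# Paths and the Add-MpPreference line are assumptions for illustration, not from the report.
SAMPLE_EVENTS = r"""
1|ProcessCreate|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "C:\Games\Steam\steamapps\common\BlockBlasters\game2.bat"
2|ProcessCreate|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe //B launch1.vbs
3|NetworkConnect|Image=C:\Windows\System32\curl.exe|DestinationIp=203.188.171.156|DestinationPort=30815
4|ProcessCreate|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Add-MpPreference -ExclusionPath C:\Users\Public\v3
5|ProcessCreate|Image=C:\Users\Public\v3\Block1.exe|CommandLine=Block1.exe
6|ProcessCreate|Image=C:\Program Files\Steam\steam.exe|CommandLine=steam.exe -silent
"""

def scan_events(text: str) -> list[Finding]:
    """Flag known loader/payload names, Defender exclusion tampering and C2 contact."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        line_no, kind = int(parts[0]), parts[1]
        fields = dict(p.split("=", 1) for p in parts[2:])
        image = fields.get("Image", "").lower()
        cmdline = fields.get("CommandLine", "").lower()
        # Split image path and command line into path components / arguments.
        tokens = set(re.split(r'[\s"\\/]+', image + " " + cmdline))
        if kind == "ProcessCreate":
            hit = next((a for a in ARTIFACTS if a in tokens), None)
            if hit:
                findings.append(Finding(line_no, "known_blockblasters_artifact", hit))
            # 1.bat adds the payload folder to Defender's exclusion list; flag any such change.
            if "add-mppreference" in cmdline and "-exclusionpath" in cmdline:
                findings.append(Finding(line_no, "defender_exclusion_added", cmdline))
        elif kind == "NetworkConnect" and fields.get("DestinationIp") in C2_HOSTS:
            findings.append(Finding(line_no, "c2_contact",
                                    f"{fields['DestinationIp']}:{fields.get('DestinationPort', '?')}"))
    return findings
```

A hit on a bare name such as 1.bat or test.bat is noisy on its own, so combine it with the parent path (a Steam game folder) or with the exclusion or C2 rules before escalating.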

Telemetry shows 100+ downloads of BlockBlasters since the infected patch was deployed, with only a handful of active players remaining after the discovery.

The human cost, however, is more sobering. During a charity livestream for cancer treatment, one streamer had their system infected live on-air, as reported by vx-underground.

The BlockBlasters case underscores a critical security challenge: gamers now face supply chain-style threats within entertainment platforms. With malware slipping past Valve’s initial security screening, the trust players place in legitimate game updates is being exploited.

As G DATA concludes, the removal of BlockBlasters from Steam came too late for those already infected—but it is a stark reminder that malware is no longer confined to shady downloads; it’s infiltrating mainstream platforms.
