Steam game mod delivered malware on Christmas Day - Epsilon Information Stealer was hidden in a Slay the Spire expansion

"Downfall" Community mod for Slay the Spire on Steam
(Image credit: Dowfall via Steam)

Over Christmas, attackers gained access to the Downfall developer's Steam account and compromised game downloads with a piece of malware called Epsilon Information Stealer. Downfall is a free fan-made mod available on Steam for an indie game called Slay the Spire. The malware only infected the prepackaged standalone modified version of Downfall, not the mod installed via Steam Workshop. We also note that the malware-laced download was only available for one hour before being caught.

Epsilon Information Stealer malware can be used to steal the infected user's passwords from installed internet browsers, cookies, Discord, Steam, and information stored by Telegram. The developer of Downfall told Bleeping Computer "One of our devices was hit with malware that did not get flagged or blocked by the security we had running on it. As far as I currently know, it was not a password-stealing malware as 2FA did not trigger or stop this, and of the accounts compromised, all were under different e-mail addresses (and none of those addresses themselves were stolen)," but quickly added they couldn't be sure until a professional assessment of the breach has been completed. 

The developer posted an update in Steam about this breach, recommending that if players saw a Unity popup over Christmas, they should change passwords, especially users without two-factor authentification. They added, "Any account that is set up for mobile 2FA should be immune. You should also be sure your live protection is active and run scans. Though, for full peace of mind, I am electing to reset and wipe all of my drives from my affected hardware." The developer also said they can be contacted via Discord should an affected user need any help. It's always a good idea to use a two-authentication system for security by default. 

Epsilon Information Stealer is commonly used for attacks via game community mods. Typically gamers on Discord have been tricked into installing this malware a threat actor pretending the download is an add-on or test build of a game, and they want help to find bugs. 

Using standalone and third-party mods to spread information-stealing malware has been on the rise of late. Minecraft mods were previously favored by attackers to deploy Bleeding Pipe malware to unsuspecting users, for example. Steam has required developers to use an SMS-based security verification system since October to prevent compromised files from being uploaded. We are curious to see the eventual "professional assessment," to find out how this dose of Epsilon Information Stealer got through.

Freelance News Writer
  • ezst036
    Would this affect both Windows and Linux? I honestly do not know.
  • MiniITXEconomy
    "It's always a good idea to use two-factor authentication," especially when Valve doesn't give two figs if your account is compromised, or not, they'll perma-ban it if they catch ANYONE doing shady crap with it. Enabling that should've been something you did, yesterday.

    sigh we give these store fronts entirely too much power.
  • Sleepy_Hollowed
    I don't have a store on their system, but I'm amazed they don't have an option of proactive scanning for malware.

    I'm almost certain they don't because the big 3 of cloud don't have that option on their storage that you can just switch on (they have a tutorial for you deploying your own with ClamAV of all things which is hard to configure).

    I'm guessing that if you use an OS for gaming, you might not want to put valuable data there and treat it as a dumb console, and it's a nice use case for the game wallets using a safe transfer method.
  • USAFRet
    Sleepy_Hollowed said:
    but I'm amazed they don't have an option of proactive scanning for malware.
    They almost certainly do.

    But no identification, detection, eradication, prevention is 100% correct, all the time.
    Unfortunately, things do slip through.
  • z0d
    First time I've heard of this, been gaming in Steam for 15 yrs now.
  • punkncat
    I will happily admit a sense of relief that more downloads weren't compromised. With the sales that Steam and other launchers have been running, I have downloaded more in this December past than many years prior.
  • Heat_Fan89
    This is the reason why I don't save my credit card info with Steam, Epic or with Sony and Nintendo. I also don't use a Microsoft sign in with my gaming rigs.