TechCrunch News, February 19
Hackers planted a Steam game with malware to steal gamers’ passwords

Valve removed a game called PirateFI from the Steam platform because malware had been planted in it. Security researchers who analyzed it found that the malware tried to trick players into installing an info-stealer called Vidar. PirateFI may have been one of several tactics used to distribute Vidar at scale; it was built by modifying an existing game template, Easy Survival RPG, which lowered the effort the hackers needed to plant their malware. Vidar can steal many kinds of data, including passwords, cookies, browser history, cryptocurrency wallet details, screenshots and two-factor codes. Vidar has been used in multiple hacking campaigns and has become one of the most successful infostealers.

⚠️ The game PirateFI was removed because it contained the Vidar malware, which is purpose-built to steal user information.

🔑 The Vidar malware can steal many kinds of sensitive information, including browser passwords, session cookies, browser history, cryptocurrency wallet details, screenshots and two-factor codes, posing a serious threat to users.

🛡️ PirateFI's developers used a game-making app called Easy Survival RPG, which lowered development cost and technical barriers and made it easier for hackers to disguise malware as a normal game for distribution.

🌐 The Vidar infostealer has been widely used in hacking campaigns, including stealing Booking.com hotel credentials, deploying ransomware and planting malicious ads in Google search results, showing its destructive reach.

Last week, Valve removed a game from its online store Steam because the product was laced with malware.

After the removal of the game, which was called PirateFI, security researchers analyzed the malware and found that whoever planted it modified an existing video game in an attempt to trick gamers into installing an info-stealer called Vidar.

Marius Genheimer, a researcher who analyzed the malware and works at Falcon Team, told TechCrunch that judging by the command and control servers associated with the malware and its configuration, “we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse.”

“It is highly likely that it never was a legitimate, running game that was altered after first publication,” said Genheimer. 

In other words, PirateFI was designed to spread malware. 

Genheimer and colleagues also found that PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that “gives you everything you need to develop your own singleplayer or multiplayer” game. The game maker costs between $399 and $1,099 to license. 

This explains how the hackers were able to ship a functioning video game with their malware with little effort. 

According to Genheimer, the Vidar infostealing malware is capable of stealing and exfiltrating several types of data from the computers it infects, including: passwords from the web browser autofill feature, session cookies that can be used to log in as someone without needing their password, web browser history, cryptocurrency wallet details, screenshots, and two-factor codes from certain token generators, as well as other files on the person’s computer. 

Vidar has been used in several hacking campaigns, including one attempting to steal Booking.com’s hotel credentials, others with the goal of deploying ransomware, and another effort to plant malicious advertisements on Google search results. During 2024, the Health Sector Cybersecurity Coordination Center (HC3) reported that Vidar, which was first discovered in 2018, has “grown to be one of the most successful infostealers.”

Infostealers are common types of malware designed to steal information and data from a victim’s computer. Infostealers are often sold in the malware-as-a-service model, meaning the malware can be purchased and used even by hackers with little skill. This also makes identifying who was behind PirateFI “very difficult,” said Genheimer, as Vidar “is widely adopted by many cybercriminals.”

Do you have more information about this malware, or other video games related hacks? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Genheimer said they analyzed several samples of the malware included in PirateFI, one found on the malware online repository VirusTotal, which was apparently uploaded by a gamer in Russia; another one they identified through SteamDB, a website that publishes information about games hosted on Steam. The researchers found another sample in a threat intelligence database they have access to. All three malware samples have the same functionality, according to Genheimer.

Valve did not respond to TechCrunch’s request for comment.

Seaworth Interactive, the purported developers of PirateFI, has no apparent online presence. Until last week, the game had an X account, which has now been removed. The account included a link to the game on Steam.

The owners of the account did not respond to a request to chat via Direct Message before it was removed.
