EncryptHub compromises Chemia survival game on Steam, deploying HijackLoader and Fickle Stealer malware via Telegram C2 to harvest user data.

Continue reading
The notorious cybercriminal group EncryptHub has successfully infiltrated Steam's gaming ecosystem by compromising the early access survival game "Chemia," marking the third malware incident to plague the platform in 2025. This sophisticated attack, discovered by threat intelligence firm Prodaft, represents a significant escalation in the group's tactics as they pivot from targeting traditional enterprises to consumer-facing gaming platforms with millions of active users.
The July 22, 2025 compromise of Chemia—developed by Aether Forge Studios—demonstrates how gaming platforms have become attractive vectors for malware distribution, exploiting the trust users place in legitimate game downloads to deliver dangerous infostealers capable of harvesting sensitive personal and financial data.
The EncryptHub attack unfolded in a carefully orchestrated sequence designed to maximize stealth and data extraction capabilities:
July 22, 2025 - Initial Injection EncryptHub successfully injected HijackLoader malware (CVKRUTNP.exe) into network. This sophisticated loader establishes persistence on victim devices and serves as a conduit for downloading secondary payloads.
Three Hours Later - Second Wave The threat actor deployed Fickle Stealer through a malicious DLL file (cclib.dll), which utilizes PowerShell scripts ('worker.ps1') to retrieve the main payload from the compromised domain soft-gets[.]com.
| Component | Function | Capabilities |
|---|---|---|
| HijackLoader | Initial access & persistence | Downloads Vidar infostealer, establishes C2 communication |
| Vidar Infostealer | Data extraction | Browser credentials, autofill data, cryptocurrency wallets |
| Fickle Stealer | Secondary harvesting | Session cookies, browser data, financial information |
| C2 Infrastructure | Command & control | Telegram channels for instruction delivery |
The malware demonstrates sophisticated anti-detection capabilities that allow it to operate undetected during gameplay:
EncryptHub, also tracked as Larva-208, has emerged as one of the most prolific cybercriminal organizations of 2025, with confirmed compromises exceeding 600 organizations worldwide since initiating operations in June 2024. The group's expansion into gaming platforms represents a strategic shift toward targeting consumer endpoints with valuable personal data.
Key EncryptHub Characteristics:
The Steam compromise follows EncryptHub's established methodology of exploiting trust relationships and legitimate platforms:
The Chemia compromise represents the third malware incident affecting Steam in 2025, highlighting systematic vulnerabilities in the platform's security architecture:
2025 Steam Malware Timeline:
Security researchers have identified concerning patterns in Steam's early access review process:
The concentration of malware incidents in early access titles suggests attackers specifically target this category due to perceived lower security barriers and reduced user suspicion.
HijackLoader, also known as IDAT Loader, represents a sophisticated malware-as-a-service offering that has gained significant traction among cybercriminals:
Core Features:
The Vidar payload retrieved by HijackLoader represents one of the most successful information stealers in the current threat landscape:
Stolen Data Categories:
Fickle Stealer, developed in Rust for enhanced performance and stealth, complements Vidar's capabilities:
The EncryptHub Steam attack has broader implications for the gaming industry's security posture:
Consumer Trust Erosion: Each successful platform compromise reduces user confidence in digital game distribution Developer Liability: Independent developers face increased scrutiny and potential legal exposure Platform Accountability: Distribution platforms must enhance security screening and monitoring capabilities
Gaming platforms represent attractive targets for threat actors due to:
Enhanced Security Controls:
Secure Development Practices:
User Protection Strategies:
The EncryptHub Steam compromise signals a significant shift in threat actor targeting:
Traditional Enterprise Focus → Consumer Platform Exploitation
The gaming industry faces unique supply chain risks:
The EncryptHub compromise of Steam's Chemia game represents more than an isolated incident—it demonstrates the gaming industry's emergence as a primary battleground in the ongoing cybersecurity war. As threat actors like EncryptHub expand their operations from traditional enterprise targets to consumer-facing platforms, the stakes for both individual users and the gaming ecosystem continue to rise.
The sophistication of this attack, combining advanced malware families with legitimate platform exploitation, showcases how cybercriminals are evolving their tactics to capitalize on the trust relationships inherent in gaming ecosystems. The dual-payload approach using both HijackLoader and Fickle Stealer demonstrates a level of operational complexity previously reserved for high-value enterprise targets.
For the gaming industry, this incident serves as a critical wake-up call. Platforms must implement enhanced security measures that balance user experience with comprehensive threat protection. Developers, particularly in the early access space, need robust security practices to protect their accounts and distribution channels from compromise.
As EncryptHub and similar groups continue to evolve their tactics, the gaming community must adapt its defenses accordingly. The future of gaming security depends on collaborative efforts between platforms, developers, security researchers, and users to create resilient ecosystems capable of withstanding these sophisticated threats.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation