Fake itch.io game pages are secretly stealing gamer accounts and planting malware

Malwarebytes has outlined a scam affecting the gaming platform Itch.io that exploits the trust between players and indie developers by impersonating popular games, such as Archimoulin. The scammers begin an attack by sending a direct message from a compromised account on a trusted platform like Discord, which increases the chance that victims will click the link.

The link leads to a lookalike page hosted on a Blogspot subdomain or a cloud file-sharing link, styled to mimic an itch.io game page so that it appears legitimate. Some variants go further and present a fake Discord sign-in page to harvest credentials; the stolen account is then used to send the same lure to the victim's contacts, which is how the campaign spreads.

Once on the fake game page, the victim sees a download button. Instead of delivering the game, it downloads an executable, often named Setup Game.exe, which shows no installer window or progress bar when run. The silence is deliberate: with nothing on screen, there is nothing to prompt the user to question what is happening.

The executable spawns PowerShell with an encoded command, so the malicious script never appears in plain text on the command line, and the decoded inner script runs directly in memory rather than being written to disk. That makes it harder for file-based antivirus to catch, and a .NET call is used to hide the PowerShell window. Defenders should note that the encoding hides nothing from process-creation logging: the full command line is recorded in Sysmon Event ID 1 or Security Event 4688 (with command-line auditing enabled) and can be decoded offline, and PowerShell script block logging (Event ID 4104) captures the decoded script as it executes.

To stop the user from investigating, the script runs taskkill to force-close the major browsers (Chrome, Brave, Firefox, Edge and Opera), so the victim cannot immediately search for what is happening or look up how to halt the installation. Every browser on the machine closing at once is also the one visible symptom the attack leaves, and it is a strong detection signal in its own right.
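As an added illustration of the two behaviours just described (the encoded, hidden, in-memory PowerShell stage and the taskkill against browsers), here is a small triage routine run over constructed process-creation records. This is example code, not Malwarebytes' analysis tooling, and the event records and command lines are made up to resemble Sysmon Event ID 1 / Security 4688 data; the real sample's scripts are not on the page and are not reproduced. The script-level indicators (ShowWindow/GetConsoleWindow, IEX, FromBase64String and similar) are the usual primitives for hiding a window and running a script in memory and are an assumption, since the article only says a .NET trick is used; the scoring weights are likewise this example's own choice.

```python
"""Triage process-creation events for the loader behaviour described above.

Added example; not Malwarebytes' code. Event records are constructed to look
like Sysmon Event ID 1 / Security 4688 data (ParentImage, Image, CommandLine).
The command lines are made up to exhibit the described behaviour; the real
sample's scripts are not on the page and are not reproduced here.
"""
import base64
import re

# Browsers the article says the loader force-closes (lower-cased image names).
BROWSERS = {"chrome.exe", "brave.exe", "firefox.exe", "msedge.exe", "opera.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENCODED_ARG = re.compile(
    r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_ARG = re.compile(r"-(?:windowstyle|w)\s+hidden", re.IGNORECASE)
TASKKILL_IMAGE = re.compile(r"/im\s+([\w.]+)", re.IGNORECASE)

# Script-level indicators. Assumption: the page only says the inner script runs
# in memory and a .NET call hides the window; these are the usual primitives
# for that, not a quote of the sample.
IN_MEMORY = re.compile(
    r"(?:\biex\b|invoke-expression|downloadstring|frombase64string|assembly\]::load)",
    re.IGNORECASE)
HIDE_WINDOW = re.compile(r"\b(?:showwindow|getconsolewindow)\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_indicators(cmdline):
    """Indicators on one powershell.exe command line plus its decoded payload."""
    found = set()
    script = decode_encoded_command(cmdline)
    if script is not None:
        found.add("encoded_command")
    if HIDDEN_ARG.search(cmdline) or HIDE_WINDOW.search(script or ""):
        found.add("hidden_window")
    if IN_MEMORY.search(script or ""):
        found.add("in_memory_execution")
    return found


def taskkill_targets(cmdline):
    """Browser image names force-closed by a taskkill command line."""
    if "taskkill" not in cmdline.lower():
        return set()
    return {n.lower() for n in TASKKILL_IMAGE.findall(cmdline)} & BROWSERS


def triage(events):
    """Group events by parent image and score each process chain.

    Returns {parent_image: {"indicators": set, "browsers_killed": set, "score": int}}.
    """
    chains = {}
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        entry = chains.setdefault(parent, {"indicators": set(), "browsers_killed": set()})
        if image in ("powershell.exe", "pwsh.exe"):
            entry["indicators"] |= powershell_indicators(ev["CommandLine"])
        elif image == "taskkill.exe":
            killed = taskkill_targets(ev["CommandLine"])
            if killed:
                entry["browsers_killed"] |= killed
                entry["indicators"].add("browser_kill")
    for entry in chains.values():
        # Weights are this example's own choice: killing three or more browsers
        # at once is rare in legitimate tooling, so it counts extra.
        bonus = 2 if len(entry["browsers_killed"]) >= 3 else 0
        entry["score"] = len(entry["indicators"]) + bonus
    return chains


def encode_powershell(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage script: hides the console window through a P/Invoked
# ShowWindow, then runs a base64 inner script through IEX. Illustrative only.
CONSTRUCTED_STAGE = (
    "Add-Type -Name W -Namespace N -MemberDefinition '[DllImport(\"user32.dll\")]"
    "public static extern bool ShowWindow(IntPtr h,int c);'; "
    "[N.W]::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0); "
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($inner)))"
)

# Constructed Sysmon-style records: the loader chain plus two benign chains.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\player\Downloads\Setup Game.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ec " + encode_powershell(CONSTRUCTED_STAGE)},
    {"ParentImage": r"C:\Users\player\Downloads\Setup Game.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe /IM brave.exe /IM firefox.exe /IM msedge.exe /IM opera.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /IM notepad.exe"},
]

if __name__ == "__main__":
    for parent, result in triage(SAMPLE_EVENTS).items():
        print(parent, result["score"], sorted(result["indicators"]))
```

The point of grouping by parent image is that neither behaviour is damning on its own: administrators run encoded PowerShell, and scripts kill stray processes. An unsigned executable in Downloads that does both, within the same process tree, and takes out every browser at once is a different picture, and the decoded command line gives the analyst the stage script without needing the sample to run.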

The executable is a stager, or loader, rather than the final payload. It does not phone home immediately; it first fingerprints the host through registry queries and BIOS and network checks to decide whether it is running on a real machine or inside an analysis sandbox. Only when those checks pass does it quietly download the follow-on payload, which Malwarebytes says could be a backdoor, a keylogger or a coinminer. One practical consequence is that a sandbox detonation that fails those checks will show little beyond the browser kills, so the absence of a second-stage download during analysis should not be read as the sample being harmless.

According to Malwarebytes, anyone who ran the executable needs to act fast, and from a clean device rather than the infected PC: change the passwords on Discord, email and Steam and enable two-factor authentication, log out of all active sessions, and revoke authorized apps and tokens. The infected PC itself should be disconnected from the network.

Warning signs include an unexpected direct message carrying a game download link, a "setup" that shows no installer window yet triggers odd behaviour such as every browser closing at once, and unfamiliar folders appearing. Because the loader's follow-on payload is unknown, a complete reinstall of Windows is advised for affected machines rather than an attempt to clean up in place.

Source: Malwarebytes
