EXECUTIVE SUMMARY:
BlockBlasters has been identified as a malware delivery vector following the release of a patch. The game initially received positive reviews and attracted hundreds of players, but the patch introduced malicious functionality that compromises the security and privacy of users' systems. The malware harvests sensitive information, including system details, login credentials, and cryptocurrency wallet data, and potentially affects every user who installed the update. The incident is part of a growing trend of malware distributed inside games on popular platforms and underscores the ongoing risk to gamers worldwide.
The malicious patch contains multiple files that perform information-stealing and backdoor operations. A batch file in the patch collects the victim's IP address and geolocation, enumerates installed antivirus products, and harvests Steam login information. It then unpacks password-protected archives (whose contents cannot be inspected by file scanners until they are extracted), runs additional batch and VBS scripts, and hides its console window while delivering the payloads. The campaign deploys two primary payloads: Client-built2.exe, a Python-based backdoor that connects to a command-and-control (C2) server, and Block1.exe, a stealer that targets browsers and cryptocurrency wallets and uses RC4 to obscure the API names and strings it uses. The malware also tampers with system defenses to evade antivirus detection, launches the legitimate game so that the victim notices nothing unusual, and continuously reports the infected system's status back to the threat actor.
The BlockBlasters case demonstrates the serious risk posed by malware delivered through a legitimate game's update channel. Players who installed the affected patch are exposed to data theft and to unauthorized access to sensitive accounts. The game has been removed from the platform, but the case is a reminder that such campaigns have real-world consequences. Affected users should check their systems for the artifacts described here, rotate the credentials of every account used on the affected machine (Steam, browser-saved logins, and exchange accounts), keep security software up to date, and treat any cryptocurrency wallet whose keys or seed phrase were stored on the machine as compromised: wallet keys cannot be reset, so funds should be moved to a freshly generated wallet.
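The following triage scanner is an added example for this advisory, not tooling from the report's authors or from the campaign. It walks a game install directory and flags the kinds of artifacts the summary describes: the two payload names the report gives (Client-built2.exe and Block1.exe), batch scripts that touch Steam credential files, enumerate antivirus products, look up the machine's IP, extract password-protected archives or launch VBS, and VBS scripts that run a program with a hidden window. The regular expressions are assumed heuristics for how a dropper might implement those behaviours, not strings taken from the sample, and the sample directory it builds is constructed for the demonstration.

```python
"""Directory triage for the behaviours described in the BlockBlasters advisory.

Added example, not the report's own tooling. Only the two payload file names
come from the report; every pattern below is an assumption about how a batch
or VBS dropper might implement the described behaviour.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Payload file names taken from the report.
REPORTED_PAYLOADS = {"client-built2.exe", "block1.exe"}

# Heuristic patterns (assumptions). Each entry is (label, regex) and is applied
# to batch files.
BATCH_PATTERNS = [
    ("steam_credentials", re.compile(r"loginusers\.vdf|config\.vdf|Steam\\config", re.I)),
    ("av_enumeration", re.compile(r"AntiVirusProduct|SecurityCenter2|Get-MpComputerStatus", re.I)),
    ("password_archive", re.compile(r"\b(7z|7za|unrar|rar|winrar)(\.exe)?\b[^\r\n]*\s-p\S+", re.I)),
    ("ip_lookup", re.compile(r"curl[^\r\n]*\b(ip-api|ipinfo|api\.ipify)\b", re.I)),
    ("launch_vbs", re.compile(r"(wscript|cscript)(\.exe)?\s+[^\r\n]*\.vbs", re.I)),
    ("spawn_batch", re.compile(r"\bstart\b[^\r\n]*\.(bat|cmd)\b", re.I)),
]
# Applied to VBS files: WScript.Shell.Run with window style 0 hides the window.
VBS_PATTERNS = [
    ("hidden_window_run", re.compile(r"\.Run\s*\(?[^\r\n,]*,\s*0\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _scan_text(path, patterns):
    """Return one Finding per pattern that matches the file's text."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    return [Finding(path, label) for label, rx in patterns if rx.search(text)]


def scan_game_dir(root):
    """Walk root and return a sorted list of Findings for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in REPORTED_PAYLOADS:
                findings.append(Finding(path, "reported_payload_name"))
            ext = os.path.splitext(lower)[1]
            if ext in (".bat", ".cmd"):
                findings.extend(_scan_text(path, BATCH_PATTERNS))
            elif ext in (".vbs", ".vbe"):
                findings.extend(_scan_text(path, VBS_PATTERNS))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def reasons_by_file(findings):
    """Group findings as {basename: set(reason)} for quick reading."""
    out = {}
    for f in findings:
        out.setdefault(os.path.basename(f.path), set()).add(f.reason)
    return out


# Constructed sample tree (not files from the campaign) used to demonstrate output.
SAMPLE_FILES = {
    "game.exe": b"MZ benign launcher",
    "patch/launch.bat": (
        "@echo off\r\n"
        "curl -s http://ip-api.com/json > %TEMP%\\geo.txt\r\n"
        "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName\r\n"
        "copy \"%ProgramFiles(x86)%\\Steam\\config\\loginusers.vdf\" %TEMP%\\\r\n"
        "7z x -pS3cret payload.zip -o%TEMP%\\stage\r\n"
        "wscript.exe %TEMP%\\stage\\run.vbs\r\n"
    ).encode(),
    "patch/run.vbs": (
        'Set sh = CreateObject("WScript.Shell")\r\n'
        'sh.Run "%TEMP%\\stage\\Block1.exe", 0, False\r\n'
    ).encode(),
    "patch/Block1.exe": b"MZ",
    "patch/Client-built2.exe": b"MZ",
}


def build_sample_dir():
    """Write the constructed sample tree to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="blockblasters_demo_")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for f in scan_game_dir(root):
        print(f"{f.reason:24} {os.path.relpath(f.path, root)}")
```

Point scan_game_dir at the game's install folder (for a Steam game, the steamapps/common subdirectory for that title) rather than at the sample tree; a hit on a reported payload name is strong evidence, while the script heuristics are prompts for manual review and will need tuning against the real dropper.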
MITRE ATT&CK MAPPING:
Tactic | Technique ID | Technique | Sub-technique |
Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
Discovery | T1082 | System Information Discovery | – |
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
Impact | T1486 | Data Encrypted for Impact | – |
MBC MAPPING:
Objective | Behavior ID | Behavior |
Anti-Behavioral Analysis | B0001 | Debugger Detection |
Anti-Static Analysis | B0032 | Executable Code Obfuscation |
Collection | B0028 | Cryptocurrency |
Collection | E1056 | Input Capture |
Collection | E1113 | Screen Capture |
Command and Control | B0030 | C2 Communication |
Command and Control | B0031 | Domain Name Generation |
Credential Access | F0002 | Keylogging |
Defense Evasion | B0025 | Conditional Execution |
Defense Evasion | F0001 | Software Packing |
Defense Evasion | F0004 | Disable or Evade Security Tools |
Defense Evasion | E1027 | Obfuscated Files or Information |
Discovery | B0013 | Analysis Tool Discovery |
Discovery | E1082 | System Information Discovery |
Execution | B0011 | Remote Commands |
Execution | E1059 | Command and Scripting Interpreter |
Exfiltration | E1020 | Automated Exfiltration |
Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: