Popular Slay the Spire mod hacked to deliver malware on Christmas Day

A popular Slay the Spire mod called Downfall was compromised over the holidays, and used to push malware to users via a Steam update. The malware in question is called Epsilon and is used to steal information from infected hardware, and was present in the standalone version of the mod on Steam for around an hour on Christmas Day.

The attackers compromised one of the mod’s developers’ Steam and Discord accounts, allowing access to the mod’s Steam account. The Epsilon malware is frequently used on Discord, often packaged with a game executable, and once installed runs in the background harvesting the hardware’s cookies, and any saved passwords or credit card information on the device or stored by browsers (everything from Google Chrome to Vivaldi).

“Christmas Day, at roughly 12:30 PM Eastern time, we experienced a security breach,” writes developer Michael Mayhem.  “At roughly 1:20 PM, that breach allowed a malicious upload to overtake our game on Steam’s library for a period of roughly one hour. Our Steam and Discord accounts were hijacked, and though the Steam accounts were able to be recovered late in the evening, we were limited in our ability to warn or communicate immediately following the breach. Fortunately, we were able to contain the actual breach much more quickly than the amount of time it took to recover the accounts.”

The breach was contained by roughly 2:30 pm Eastern Time, and only users who launched Downfall within that window were affected (there is a full list of who does and doesn’t need to worry in a Steam update). The main concern is over users who saw a Unity library installer popup

“In your users/[username]/AppData/Local/Temp folder, there will be several files the Trojan creates,” one affected user writes. “One will be called epsilon-[username].zip, which contains everything the Trojan has stolen: Discord info, autocomplete, saved passwords, network info, cookies, saved credit cards, steam info. WARNING: If you go investigating these files for yourself, to do so without being connected to the internet, just in case there is still some possibility of retriggering an event.”

Mayhem says a security professional who’s looked at the breach believes it was a so-called “token hijack” or session hijack, and the damage has been minimal, though added to BleepingComputer that he’s “reluctant to state anything with absolute certainty”.

The mod’s developers have purged all affected hardware on their end, are communicating with users and Valve about the breach, and are putting additional security in place to hopefully prevent something like this happening again.

“I can’t apologize enough to the affected users,” says Mayhem. “The thought that someone would hijack a free passion project for malicious intent is truly vile. If you are an affected user, please contact me and I will do everything I can to help. Downfall is nothing without its players and the joy surrounding it and I am appalled at the attack.”

This follows shortly after Valve announced new security checks on Steam developers pushing any update on their game’s default release branch, after various examples of malicious builds being pushed to players via Steam. At the time Valve told PC Gamer that this “extra friction” for partners is a “necessary tradeoff for keeping Steam users safe and developers aware of any potential compromise to their account”, adding that it has seen “an uptick in sophisticated attacks” targeting dev accounts.

Any users of Downfall are advised to change their passwords, and make sure two-factor authentication is enabled wherever possible.

Leave a Reply

Your email address will not be published. Required fields are marked *