Steam parent Valve deletes this game that was designed to spread malware - The Times of India
Steam-parent Valve has recently removed the game PirateFi from the store. This move came after discovering that the game contained malware. Security researchers analysing the malware found it was designed to distribute an info-stealing program called Vidar. Hackers achieved this by modifying an existing video game to deceive players.
In a statement to TechCrunch, Marius Genheimer, a SecuInfra Falcon Team researcher who analysed the malware, said that based on the command and control servers linked to the malware and its configuration, “we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse.”
“It is highly likely that it never was a legitimate, running game that was altered after first publication,” Genheimer added.
Genheimer and his team also discovered that PirateFi was created by modifying an existing Easy Survival RPG game template. This game-making app, which claims to provide “everything you need to develop your own singleplayer or multiplayer” game, is available for licensing at prices ranging from $399 to $1,099.
The researcher said that PirateFi was used to spread infostealer malware. Infostealers are a common type of malware designed to extract data from victims’ computers. Often sold through a malware-as-a-service model, they can be purchased and used even by inexperienced hackers.
“Vidar is widely adopted by many cybercriminals,” Genheimer noted, making it “very difficult” to determine who was behind the attack. This makes tracking the origins of PirateFi particularly challenging.
The researcher also explained that the Vidar infostealing malware can extract and transmit various types of sensitive data from infected computers. This includes passwords stored in web browser autofill, session cookies that allow attackers to log in without a password, browsing history, cryptocurrency wallet details, screenshots, two-factor authentication codes from specific token generators, and other files stored on the device.
Vidar has been used in multiple hacking campaigns, including an attempt to steal hotel credentials from Booking.com, efforts to deploy ransomware, and a scheme to plant malicious ads in Google search results.
In 2024, the Health Sector Cybersecurity Coordination Center (HC3) reported that Vidar, first discovered in 2018, has “grown to be one of the most successful infostealers.”