Game cheaters getting hacked: dangerous malware controls computer, spies, and syphons crypto


Video game cheaters are being targeted by Blitz, a new Windows malware distributed through backdoored game-cheat packages, warns Unit 42, the threat research arm of Palo Alto Networks. The lure is aimed at players of Android games who run those games on a PC through an emulator in order to gain an unfair advantage.

Blitz malware was first detected in 2024, and campaigns with new versions are ongoing to this day.

The Blitz malware should not be confused with Blitz.gg, a widely used game overlay and companion app that provides players with real-time stats and other recommendations.


Blitz malware is disseminated as part of backdoored video game cheats. It operates in two stages: a downloader first fetches a bot payload, and the bot then gives the attackers extensive remote access to and control over the computer.

Cybercriminals also abuse legitimate hosting services to disseminate their fake cheats. The malware has been hosted on Hugging Face Spaces, a platform for publishing artificial intelligence (AI) applications. The hackers have also been very active on Telegram and other social media.

“The person behind Blitz malware appears to be a Russian speaker who uses the moniker sw1zzx on social media platforms. This malware operator is likely the developer of Blitz. For the initial infection vector, sw1zzx has used Telegram to distribute these backdoored game cheats,” researchers at Unit 42 explained in a report.

At least two campaigns have distributed Blitz malware. The first one disseminated Blitz through software packages pretending to be cracked installers for legitimate programs. Later, the crooks switched to distribution through game cheat packages.

The hackers mostly targeted players of Standoff 2, a popular mobile multiplayer game with over 100 million downloads.


What happens when you run cheats?

If an unsuspecting gamer downloads the zip archive containing the purported game cheat, unpacks it, and runs the .exe file, the Blitz downloader launches behind the scenes.


The package does include a working cheat, either cracked or otherwise obtained by the attackers. The cheats for Standoff 2 are built to run inside BlueStacks, an Android emulator for Windows.

The Blitz downloader evades detection with encryption and an anti-sandbox check. Once those checks pass, it connects to the attackers' infrastructure, retrieves the Blitz bot, and installs it.
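The infection chain above starts with a user double-clicking whatever is inside the downloaded archive. A minimal triage step before running anything is to list every file in the archive, identify Windows executables by their PE headers rather than by file extension, and record a SHA-256 for each so it can be looked up against threat-intelligence feeds. The script below is an added example written for this article, not code from Unit 42 or from the malware; the archive it inspects is constructed in memory (a fake PE stub plus a few text files) purely to exercise the checks, and the file names are invented.

```python
import hashlib
import io
import struct
import zipfile

# Offsets from the PE file format: "MZ" at 0, e_lfanew (DWORD) at 0x3C,
# and the "PE\0\0" signature at the offset e_lfanew points to.
def is_pe(data: bytes) -> bool:
    """True if data carries a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}

def scan_archive(zip_bytes: bytes) -> list:
    """Inventory a zip archive: name, size, SHA-256, PE-or-not, and whether a PE
    is hiding behind a non-executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            pe = is_pe(data)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": pe,
                "disguised": pe and ext not in EXEC_EXTENSIONS,
            })
    return findings

def executables(findings: list) -> list:
    """Names of every PE file found, whatever its extension."""
    return [f["name"] for f in findings if f["is_pe"]]

def disguised(findings: list) -> list:
    """Names of PE files that pretend to be data (config, text, etc.)."""
    return [f["name"] for f in findings if f["disguised"]]

# --- constructed sample input (not a real cheat package) ---
def fake_pe() -> bytes:
    """A minimal stub that satisfies is_pe(): MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Standoff2_cheat/README.txt", "Start BlueStacks, then run cheat.exe\n")
        zf.writestr("Standoff2_cheat/cheat.exe", fake_pe())
        zf.writestr("Standoff2_cheat/config.dat", fake_pe())   # executable hiding as data
        zf.writestr("Standoff2_cheat/settings.ini", "[cheat]\naimbot=1\n")
    return buf.getvalue()

if __name__ == "__main__":
    report = scan_archive(build_sample_archive())
    for f in report:
        flag = "PE (disguised)" if f["disguised"] else ("PE" if f["is_pe"] else "data")
        print(f"{f['name']:<32} {f['size']:>6} {flag:<15} {f['sha256'][:16]}...")
```

The PE check deliberately ignores the extension: a loader that ships as config.dat and is started by a batch file or by the visible cheat.exe is just as executable as one named .exe. Hashes are the cheapest handle for a feed lookup, but absence from a feed proves nothing for a freshly built sample, so any PE in a cheat archive should be treated as untrusted until analysed.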

The Blitz bot completes the infection: it maintains persistent access, allows remote control of the computer, and enables several malicious functions, including:

  • Keylogging: records keystrokes to steal sensitive data like passwords.
  • Screenshots: captures the user’s screen to spy on activities.
  • Cryptomining: secretly mines Monero cryptocurrency using the CPU.
  • DDoS attacks: turns the infected machine into a botnet node for distributed denial-of-service (DDoS) attacks.
  • Remote Command Execution: gives the attacker full control to run commands or download more malware.

The researchers analyzed 289 registered bot infections retrieved from one of the command-and-control servers. Most of the victims who had run the backdoored cheats were in Russia (166), followed by Ukraine (45), Belarus (23), and Kazakhstan (12).

After Unit 42 detected the malicious activity and published its findings, the malware operator posted a farewell message on Telegram together with a removal tool for the Trojan.

“We highly recommend that people avoid downloading and using cracked software, including cracked game cheats. Engaging with such software not only violates legal and ethical standards, but this activity also exposes your system to significant security risks, including malware like Blitz,” Unit 42 warns.
