
Valve approved a free-to-play game on Steam that ended up stealing passwords and browser data and emptied accounts. The malware slipped through the security cracks because Steam only checked games when they were first submitted and not their updates.
- A free-to-play Steam game called Beyond the Dark contained malware that stole passwords, browser data, and cryptocurrency from users.
- The game appears to be a hijacked 2024 title repurposed by scammers to lure victims and target crypto wallet extensions.
- Steam only checks games for malware during initial submission, not updates, creating a vulnerability attackers exploit through compromised developer accounts.
According to cybersecurity researcher Eric Parker, who analyzed the attack in a detailed breakdown video, the malware hides inside a tactical survival title called Beyond the Dark.
Public player warnings left on the game’s review page note that the title appears to be a hijacked 2024 game called Rodent Race, which was modified by scammers to become a free-to-play horror game to attract victims.
The campaign uses a sophisticated injection chain to slip past defenses. Rather than dropping conspicuous scripts, attackers modified the legitimate UnityPlayer.dll file. Parker demonstrated that this allows the program to load the actual game to keep up appearances while covertly targeting Chrome-based crypto wallet extensions such as MetaMask.
It then contacts a command-and-control server to deploy secondary payloads to siphon passwords, browser data, and cryptocurrency, and may even compromise Roblox accounts.
Parker also confirmed that the game successfully evaded a fully enabled, up-to-date instance of Windows Defender during execution.
The update loophole
This incident spotlights an ongoing systemic vulnerability in Valve's digital storefront.
Valve currently only subjects titles to malware checks when developers originally submit their game, while subsequent updates receive far less scrutiny.
After hackers compromised several developer accounts in 2023 and used them to push malware updates to live Steam games, Valve introduced mandatory SMS-based two-factor authentication checks for developers publishing updates to released games. Valve described the added friction as a necessary tradeoff to protect users and alert developers to account compromises.
But the measure never fully solved the problem. SMS-based 2FA remains vulnerable, and researchers have repeatedly shown ways attackers can bypass or hijack the protections.
Unsurprisingly, malware-tainted games continue slipping through. In 2024, Valve removed another compromised title after it allegedly stole more than $150,000 worth of cryptocurrency from players.
While the swift removal of Beyond the Dark may shield players in the short term, the larger operational vulnerability remains unresolved. By focusing security scrutiny primarily on a game's initial submission, Valve has effectively left its update pipeline exposed to abuse by attackers who compromise developer accounts and weaponize trusted titles through later patches.
The latest incident adds to growing pressure on Steam to rethink how it vets post-release updates, and whether every patch pushed through the platform should undergo the same malware screening as a newly submitted game. Until then, players remain one automated update away from a potential infection.
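As an added illustration (not code from Valve, Cybernews, or Eric Parker), the sketch below shows one way an update pipeline could decide which files in a patch need fresh malware screening: it hashes a previously reviewed build and the incoming update, then flags every executable image that is new or whose contents changed, such as a modified UnityPlayer.dll. The directory layout, function names and sample files are constructed for the example; a flagged file is a candidate for rescanning, not proof of tampering, since legitimate engine upgrades also change these files.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to (sha256 hex digest, looks-like-PE flag)."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            # PE images (.exe/.dll) begin with the DOS magic "MZ" whatever the extension.
            is_pe = data[:2] == b"MZ"
            out[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), is_pe)
    return out

def needs_rescan(baseline_dir, update_dir):
    """Return sorted (path, reason) pairs for executables the update adds or changes."""
    old, new = manifest(baseline_dir), manifest(update_dir)
    flagged = []
    for path, (digest, is_pe) in new.items():
        if not is_pe:
            continue  # plain data files are out of scope for this check
        if path not in old:
            flagged.append((path, "new executable"))
        elif old[path][0] != digest:
            flagged.append((path, "executable changed"))
    return sorted(flagged)

def demo():
    """Constructed sample: a reviewed build and an update that alters one DLL."""
    stub = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE header
    with tempfile.TemporaryDirectory() as tmp:
        base, upd = Path(tmp, "reviewed"), Path(tmp, "update")
        for d in (base, upd):
            d.mkdir()
            (d / "Game.exe").write_bytes(stub + b"launcher")
            (d / "level1.dat").write_bytes(b"asset v1")
        (base / "UnityPlayer.dll").write_bytes(stub + b"engine")
        (upd / "UnityPlayer.dll").write_bytes(stub + b"engine, altered")
        (upd / "level1.dat").write_bytes(b"asset v2")      # data change only
        (upd / "helper.bin").write_bytes(stub + b"extra")  # PE under another extension
        return needs_rescan(base, upd)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

The magic-byte test is deliberately coarse; a production gate would parse the PE header and also compare engine files against the engine vendor's published builds.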