
Growing Scam Targeting Itch.io Users
Recent reports from Malwarebytes have brought attention to a disturbing scam affecting the gaming community on the indie platform Itch.io. The perpetrators of this scam are exploiting the trust that exists between fellow gamers and indie developers by pretending to be popular titles, such as the game Archimoulin.
How the Scam Operates
The process begins with the scammers using compromised accounts on trusted communication platforms like Discord. This tactic increases the likelihood that potential victims will trust and click on the provided malicious links.
Upon clicking, users are redirected to a deceptive webpage that mimics Itch.io’s design, often hosted on Blogspot subdomains or cloud link services. In more advanced variations of the scam, victims may be presented with a fake Discord sign-in page to capture their login credentials. This not only compromises the victim’s account but also allows the scammers to send out further malicious messages.
Malicious Downloads and Evasion Tactics
Victims encountering the fraudulent game page will see a download button, but rather than downloading the intended game, they inadvertently receive a file typically named Setup Game.exe. This executable is designed to operate without any visible user interface, such as an installation wizard or progress bar, making it easily overlooked.
This malicious program launches PowerShell and runs an encoded command, concealing the harmful script from immediate inspection. Because the code is executed directly in memory, traditional antivirus software has a harder time identifying the threat. Furthermore, a .NET trick keeps the PowerShell window hidden from the user.
To further impede users’ attempts to intervene, the malware uses a taskkill command to forcibly close popular web browsers such as Chrome, Firefox, Brave, Edge, and Opera. This prevents users from quickly searching for information or halting the installation.
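Detection logic for the behaviour described above (a hidden, encoded PowerShell launch followed by taskkill against several browsers, both spawned by the same parent), as an added Python example that is not part of the Malwarebytes or Neowin reports; the Sysmon-style key=value process-creation log format, its field names and the sample lines are all constructed assumptions.

```python
import base64
import re
from collections import defaultdict
BROWSERS = {"chrome.exe", "firefox.exe", "brave.exe", "msedge.exe", "opera.exe"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value optionally quoted

def parse_event(line):
    """Parse one key=value process-creation line (assumed format) into a dict."""
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (AttributeError, ValueError, UnicodeDecodeError):  # no match / bad base64
        return None

def hidden_encoded_powershell(ev):
    """True for powershell.exe started with a hidden window and an encoded command."""
    cmd = ev.get("CommandLine", "")
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) is not None
    return (ev.get("Image", "").lower().endswith("powershell.exe")
            and hidden and decode_encoded_command(cmd) is not None)

def browsers_killed(ev):
    """Browser image names passed to taskkill /IM in this event."""
    if not ev.get("Image", "").lower().endswith("taskkill.exe"):
        return set()
    cmd = ev.get("CommandLine", "")
    return {b for b in BROWSERS if re.search(r"/im\s+" + re.escape(b), cmd, re.I)}

def flag_parents(lines, min_browsers=2):
    """Parents that spawned hidden encoded PowerShell AND taskkill hitting >= min_browsers."""
    seen = defaultdict(lambda: {"hidden_powershell": False, "browsers_killed": set()})
    for line in lines:
        ev = parse_event(line)
        ppid = ev.get("ParentProcessId")
        if hidden_encoded_powershell(ev):
            seen[ppid]["hidden_powershell"] = True
        seen[ppid]["browsers_killed"] |= browsers_killed(ev)
    return {p: f for p, f in seen.items()
            if f["hidden_powershell"] and len(f["browsers_killed"]) >= min_browsers}

# Constructed sample log; a harmless encoded command stands in for the real payload.
ENC = base64.b64encode("Write-Host 'demo'".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    rf'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentProcessId=4120 CommandLine="powershell.exe -w hidden -nop -enc {ENC}"',
    r'Image=C:\Windows\System32\taskkill.exe ParentProcessId=4120 CommandLine="taskkill /F /IM chrome.exe /IM firefox.exe /IM brave.exe"',
    r'Image=C:\Windows\System32\taskkill.exe ParentProcessId=4120 CommandLine="taskkill /F /IM msedge.exe /IM opera.exe"',
    r'Image=C:\Windows\System32\taskkill.exe ParentProcessId=900 CommandLine="taskkill /IM notepad.exe"',
]
```

Correlating on the parent process rather than on single events keeps a lone `taskkill /IM chrome.exe` from an administrator out of the alert while still catching the dropper's chain.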
The Threat Level and Recommended Actions
This malware acts as a stager or loader that does not immediately communicate with external servers. Instead, it conducts checks, such as examining registry entries and the BIOS or network configurations, to ascertain that it is operating on a legitimate machine, not within a controlled sandbox environment. When the conditions are deemed favorable, this stealthy component will download additional malicious payloads, which could include backdoors, keyloggers, or cryptocurrency miners.
Malwarebytes advises anyone who executes the malicious file to take immediate action. It is crucial to:
- Change passwords for Discord, email, and Steam accounts.
- Enable two-factor authentication from a secure device.
- Log out from all active sessions.
- Revoke any authorized third-party applications or tokens.
- Disconnect the affected machine from the internet.
Stay Vigilant Against Unsolicited Links
If you have concerns about this ongoing threat, remain alert for unexpected direct messages that contain dubious game download links, as well as any strange browser behavior, such as crashes or the sudden appearance of new folders. In the unfortunate event that your system is compromised, a complete Windows reinstall is highly advised.
For further details, visit the complete report on the Neowin website.