
BlockBlasters Steam Game Disguises Malware as Patch for Computer Download

BlockBlasters, a vibrant 2D platformer/shooter from Genesis Interactive, launched on July 31, 2025 to wide acclaim. However, on August 30, 2025, the developers released Build 19799326, ostensibly a routine patch.

Security analysts at G DATA MXDR discovered that this update carries multiple malicious components capable of harvesting sensitive data from players’ PCs—including cryptocurrency wallet credentials—making this one of the most insidious Steam‐based malware campaigns to date.

Historical logs on SteamDB reveal that Build 19799326 installed several new files alongside the game’s legitimate assets.

Within hours, hundreds of BlockBlasters players reported unusual system behavior: unexpected network queries, audio glitches, and spikes in disk activity. G DATA’s analysis determined that “game2.bat,” the batch file at the heart of the patch, initiates an information‐stealing routine as soon as the user launches the game.

Batch runner code found in the VBS files.

The script queries IP information from “ipinfo[.]io” and “ip[.]me,” scans for running antivirus processes beyond Windows Defender, and captures Steam login credentials including SteamID, AccountName, PersonaName, and any stored passwords before uploading them to hxxp://203[.]188[.]171[.]156:30815/upload.

How the Malware Operates

Once “game2.bat” completes its reconnaissance, it executes two Visual Basic Script loaders—“launch1.vbs” and “test.vbs”—which in turn silently invoke additional batch files.

“launch1.vbs” runs “1.bat,” which configures Microsoft Defender exclusions for the game’s installation directory, unpacks a password‐protected archive (v3.zip), and launches the payload executables while masking their activity by starting the legitimate game binary.

Defender exclusion for the execution directory of the payload executables.

Two key payload executables then deploy: Client‐built2.exe, a Python‐based backdoor providing remote control via the RemoteControlClient class, and Block1.exe—a Win64 C++ stealer known as StealC.

After unpacking, StealC decrypts its API calls using outdated RC4 routines and exfiltrates browser data to hxxp://45[.]83[.]28[.]99, including local state files holding autofill data and saved passwords.

Notably, this mirrors earlier Steam malware incidents: the PirateFi infostealer campaign that hit Free-to-Play titles, and the Chemia early access compromise by EncryptHub.

Community Fallout and Response

Telemetry from SteamDB and Gamalytic indicates that BlockBlasters maintains an active player base of 1–4 users at any given moment, with over 100 downloads since the malicious patch went live.

Patch files for Build 19799326 as listed on SteamDB.

Concurrently, “test.vbs” executes “test.bat,” which cripples local defenses further and harvests browser extensions and cryptocurrency wallet information from Chrome, Brave, and Edge user data folders before transmitting it back to the same command‐and‐control server.
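The behaviours described above (a Defender exclusion for the game directory, a batch file handing off to VBS loaders and back, public-IP lookups, and uploads to the two listed servers) map directly onto the process-creation and network telemetry most endpoint agents already collect. The script below is an added example for this article, not code from G DATA, Valve or the article’s author: it runs a small rule set over constructed log lines that mimic the patch’s chain. The pipe-delimited log format, the use of the `Add-MpPreference` cmdlet as the exclusion mechanism, and `curl.exe` as the uploading process are assumptions made for the example; the file names, hosts and addresses are the indicators quoted in the article, written without defanging.

```python
"""Detection rules for the BlockBlasters patch behaviour, run over constructed logs.

Added example, not the article's or G DATA's code. Indicators come from the
article; the log format and the sample records are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Indicators named in the article (defanged there, written plainly here).
C2_ENDPOINTS = {"203.188.171.156:30815", "45.83.28.99"}
IP_LOOKUP_HOSTS = {"ipinfo.io", "ip.me"}
DROPPED_FILES = {"game2.bat", "launch1.vbs", "test.vbs", "1.bat",
                 "test.bat", "v3.zip", "client-built2.exe", "block1.exe"}
# Script hosts that a batch/VBS loader chain bounces between.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry: "<type>|key=value|key=value". Assumptions:
# the exclusion is set via Add-MpPreference, and curl.exe does the uploads.
SAMPLE_LOG = r"""
process|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\wscript.exe|cmd=wscript.exe launch1.vbs
process|parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c 1.bat
process|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Steam\steamapps\common\BlockBlasters"
network|image=C:\Windows\System32\curl.exe|dst=ipinfo.io:443
network|image=C:\Windows\System32\curl.exe|dst=203.188.171.156:30815
process|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe notes.txt
network|image=C:\Program Files\Mozilla Firefox\firefox.exe|dst=example.com:443
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'type|key=value|...' record into a dict (values may contain '=')."""
    kind, *fields = line.split("|")
    rec = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_record(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs that fire for a single record."""
    hits: List[Tuple[str, str]] = []
    if rec["type"] == "process":
        cmd = rec.get("cmd", "")
        parent, image = basename(rec.get("parent", "")), basename(rec.get("image", ""))
        # Defender exclusion being added from the command line (assumed mechanism).
        if re.search(r"add-mppreference\b.*-exclusionpath", cmd, re.I):
            hits.append(("defender_exclusion", cmd))
        # A batch file launching a .vbs host, or a .vbs host launching a batch file.
        if parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS and parent != image:
            hits.append(("script_host_chain", f"{parent} -> {image}"))
        # Any file name the article attributes to the malicious build.
        for token in re.split(r"[\s\"']+", cmd):
            if basename(token) in DROPPED_FILES:
                hits.append(("known_file", basename(token)))
    elif rec["type"] == "network":
        dst = rec.get("dst", "")
        host = dst.rsplit(":", 1)[0]
        if dst in C2_ENDPOINTS or host in C2_ENDPOINTS:
            hits.append(("c2_connection", dst))
        elif host in IP_LOOKUP_HOSTS:
            # Low severity on its own; meaningful alongside the other rules.
            hits.append(("ip_lookup", dst))
    return hits


def scan(log: str) -> List[Tuple[int, str, str]]:
    """Run every rule over every record; returns (line number, rule, detail)."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(log.strip().splitlines(), 1):
        for rule, detail in check_record(parse_line(line)):
            findings.append((n, rule, detail))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

On the constructed sample, the script flags both hops of the loader chain, the two dropped file names, the exclusion command, the public-IP lookup and the upload to the listed server, while the notepad and Firefox records pass untouched. The `ip_lookup` rule is deliberately kept separate from `c2_connection` because legitimate software also queries those services; it is the combination with an exclusion change and a script-host chain on the same host that should raise the alert.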

Valve has since flagged the game as “suspicious” on SteamDB, and removed it from the Steam store just prior to this article’s publication.

Despite these measures, at least one streamer inadvertently infected their PC during a live fundraiser, transmitting the malware live to an audience and underscoring the real‐world consequences of such campaigns.

The emotional response of both the streamer and viewers illustrates the tangible harm inflicted by these attacks and highlights the critical importance of stringent security screening for game updates.

As threat actors continue to evade Valve’s vetting process, this BlockBlasters incident serves as a stark reminder: even well‐regarded indie titles can become vectors for complex malware.

Gamers and developers alike must remain vigilant—verifying patch authenticity, monitoring outbound network connections, and employing robust endpoint protection—to safeguard against the evolving threat landscape.

