December 29, 2023 at 11:09AM
The popular Slay the Spire indie game fan expansion, Downfall, was breached on Christmas Day, distributing the Epsilon information stealer malware via a Steam update. The compromised package was a modified version of the game, not a mod. The attackers hijacked the developer’s Steam and Discord accounts to upload the malicious content. Users are advised to change passwords and take security measures, as the malware targets various credentials. Valve has implemented SMS-based security checks following an increase in compromised Steamworks accounts distributing malware.
Based on the meeting notes, the key takeaways are:
1. The Downfall expansion for the game Slay the Spire was breached on Christmas Day, with the Epsilon information stealer malware being pushed through the Steam update system.
2. Developer Michael Mayhem indicated that the compromised package was a standalone modified version of the original game, not a mod installed via Steam Workshop.
3. It is believed that the attackers compromised one of Downfall’s developers’ Steam and Discord accounts, allowing them to gain control of the mod’s Steam account.
4. The breach window was approximately 1:30 PM-2:30 PM Eastern on 12/25.
5. The Epsilon malware targets and harvests credentials for various web browsers, as well as Steam and Discord information.
6. Downfall users are advised to change all important passwords, particularly for accounts not protected by 2FA.
7. It is noted that the Epsilon Stealer is sold via Telegram and Discord and is commonly used to target gamers by tricking them into installing malware under the guise of testing a new game for payment.
8. Valve has implemented SMS-based security checks in response to compromised Steamworks accounts being used to upload malicious game builds in the past.
These key points provide a clear understanding of the security breach and the implications for the Downfall expansion and its users.