December 28, 2023 at 04:20PM
The popular Slay the Spire fan expansion, Downfall, was breached on Christmas Day, distributing the Epsilon information stealer malware via the Steam update system. The compromised package was a prepackaged standalone modified version of the game and not a mod installed via Steam Workshop. The attackers gained control of the mod’s Steam account and users are advised to change important passwords. Valve recently announced tightened security measures in response to compromised Steamworks accounts being used to upload malicious game builds.
Based on the meeting notes, it appears that the Downfall expansion for Slay the Spire was breached on Christmas Day, and the attackers managed to push the Epsilon information stealer malware through the Steam update system. The compromised package was the prepackaged standalone modified version of the original game, and not a mod installed via Steam Workshop.
Developer Michael Mayhem mentioned that their device was hit with malware that wasn’t detected by their security measures. He indicated that it might have been a token hijack designed to hijack Steam and Discord to prevent warning users, but he noted that this was speculative at that time.
The attackers compromised one of Downfall’s developers’ Steam, Discord, and email accounts, which allowed them to gain control of the mod’s Steam account. The breach window was roughly 1:30 PM-2:30 PM Eastern on 12/25.
The malware, Epsilon Stealer, was found to collect cookies, saved passwords and credit cards from web browsers, as well as Steam and Discord information. It was also reported to target documents containing ‘password’ in the filenames and additional credentials, including local Windows login and Telegram.
As a result, Downfall users were advised to change all important passwords, especially those for accounts not protected by 2FA. Users who received the malicious update reported that the malware would install itself as a Windows Boot Manager application in the AppData folder or as UnityLibManager in the /AppData/Roaming folder.
Further information revealed that Epsilon Stealer is commonly sold via Telegram and Discord to other threat actors and is often utilized to target gamers on Discord by tricking them into installing the malware. It was also mentioned that the threat actor behind this attack may have targeted other games and game developers.
In response to these types of attacks, Steam has announced that it now requires SMS-based security checks from game developers pushing an update on the default release branch on Steam to bolster security measures and prevent such incidents in the future.