• A seemingly innocent patch update for the popular 2D platformer game BlockBlasters has transformed into a sophisticated malware campaign, exposing hundreds of Steam users to data theft and system compromise.

    The malicious patch, deployed on August 30, 2025, demonstrates how threat actors are increasingly exploiting the gaming ecosystem to distribute information-stealing malware while users remain unaware of the ongoing compromise.

    BlockBlasters, developed by Genesis Interactive and initially released on July 31, 2025, had garnered positive reviews from the gaming community before becoming the latest victim in a growing trend of Steam game infections.

    The malicious Build 19799326 patch contains multiple files that exhibit dangerous behaviors, transforming what appeared to be a routine game update into a multistage attack capable of exfiltrating sensitive user data including cryptocurrency wallet information, browser credentials, and Steam login details.

    G Data analysts identified the malware campaign after their MXDR platform flagged the suspicious activities within the game’s patch files.

    The security researchers discovered that the threat actors had successfully bypassed Steam’s initial security screening, allowing the deployment of malicious updates that could potentially affect hundreds of players who had the game installed on their systems.

    This incident follows a concerning pattern of similar attacks on Steam games, including the notable PirateFi and Chemia cases, highlighting the platform’s ongoing vulnerability to such sophisticated infiltration attempts.

    The attack represents a significant escalation in gaming-focused malware campaigns, as threat actors continue to refine their techniques for distributing malicious payloads through legitimate software distribution channels.

    The incident particularly stands out due to its multistage infection process and the range of sensitive data it targets, making it a comprehensive information theft operation rather than a simple malware installation.

    Technical Infection Mechanism and Payload Delivery

    The BlockBlasters malware operates through a sophisticated three-stage infection mechanism that begins with the execution of a seemingly benign batch file named game2.bat.

    This initial payload performs several reconnaissance functions, including collecting IP and location information through queries to legitimate services like “ipinfo[.]io” and “ip[.]me”, while simultaneously detecting installed antivirus products to assess the target environment’s security posture.

    The batch file’s primary function involves collecting Steam login credentials, including SteamID, AccountName, PersonaName, and RememberPassword data, which it then uploads to the command and control server located at hxxp://203[.]188[.]171[.]156:30815/upload.

    The malware employs password-protected ZIP archives with the password “121” to conceal its payloads during download, effectively evading initial detection mechanisms.

    Patch files from SteamDB (Source – G Data)

    Upon successful environment assessment, the malware deploys VBS loader scripts (launch1.vbs and test.vbs) that execute additional batch files while maintaining stealth through hidden console execution.

    The test.bat component specifically targets browser extensions and cryptocurrency wallet data, demonstrating the campaign’s focus on high-value financial information.

    The final stage involves the deployment of two primary payloads: Client-built2.exe, a Python-compiled backdoor that establishes persistent communication with the C2 infrastructure, and Block1.exe, which contains the StealC information stealer.

    The malware strategically adds its execution directory to Microsoft Defender’s exclusion list using the path Drive:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\, ensuring continued operation without triggering security alerts.
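
    A defender can catch this step at the moment it happens rather than after the stealer has run: Microsoft Defender writes Event ID 5007 to its Operational log whenever its configuration changes, including a new exclusion path. The script below is an added example for this article (not G Data's tooling): it parses the "New value:" registry string from 5007 event text and flags path exclusions that land inside a Steam game folder or another user-writable location. The event lines are constructed to mimic the 5007 format (an assumption about the exact wording); the excluded directory is the one reported in the article.

```python
"""Flag Microsoft Defender exclusion changes that land in game or user-writable
directories (BlockBlasters-style).  Example code added for this article; not
G Data's tooling.  Event text is constructed to mimic Defender Operational
log Event ID 5007 (assumed format); the game path comes from the article."""
import re

# Event 5007 reports the registry value that changed; exclusions live under
# the Exclusions key with a Paths / Extensions / Processes subkey.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x",
    re.IGNORECASE,
)

# Locations an administrator rarely excludes on purpose: per-game Steam
# library folders and per-user writable directories.
SUSPICIOUS_PATH_RE = re.compile(
    r"(\\steamapps\\common\\|\\users\\[^\\]+\\appdata\\|\\temp\\|\\downloads\\)",
    re.IGNORECASE,
)


def parse_exclusion_events(lines):
    """Return (kind, value) for every exclusion change found in 5007 event text."""
    found = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            found.append((m.group("kind"), m.group("value")))
    return found


def suspicious_exclusions(lines):
    """Return only path exclusions that point into game or user-writable folders."""
    return [
        value
        for kind, value in parse_exclusion_events(lines)
        if kind.lower() == "paths" and SUSPICIOUS_PATH_RE.search(value)
    ]


# Constructed sample events: a benign backup-tool exclusion, the directory the
# article reports the malware excluding, and an extension exclusion.
SAMPLE_EVENTS = [
    "Event 5007: Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Backups\Veeam = 0x0",
    "Event 5007: ... New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"D:\SteamLibrary\steamapps\common\BlockBlasters\Engine\Binaries\ThirdParty\Ogg\cwe\ = 0x0",
    "Event 5007: ... New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.bak = 0x0",
]

if __name__ == "__main__":
    for path in suspicious_exclusions(SAMPLE_EVENTS):
        print("suspicious Defender exclusion added:", path)
```

    In production the same parser runs over the output of a log forwarder rather than the inline list; the point is that an exclusion under steamapps\common is a strong signal on its own, independent of whether the payload is known to antivirus.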

    Game2.bat unpacking files from password-protected archives and then executing them (Source – G Data)

    The StealC component targets multiple browsers including Google Chrome, Brave Browser, and Microsoft Edge, accessing their respective Local State files to extract stored credentials and sensitive information.

    The malware uses deprecated RC4 encryption to obfuscate its API calls and key strings, connecting to a secondary C2 server at hxxp://45[.]83[.]28[.]99 for data exfiltration operations, demonstrating the campaign’s distributed infrastructure approach to maintaining operational security.


    The post BlockBlasters Steam Game Downloads Malware to Computer Disguised as Patch appeared first on Cyber Security News.


  • In recent weeks, security researchers have observed a surge in attacks exploiting Oracle Database Scheduler’s External Jobs feature to gain a foothold in corporate environments.

    This technique abuses the scheduler’s ability to execute arbitrary commands on Windows-based database servers, allowing adversaries to bypass perimeter defenses.

    Initial intrusion vectors involve probing publicly exposed Oracle listener ports and leveraging misconfigured credentials or default administrative accounts.

    Once connected, attackers can invoke the extjobo.exe component to run commands with the same privileges as the OracleJobScheduler service.

    The impact of this technique has been significant. Organizations that segmented their networks and isolated database servers were still compromised due to the inherent trust placed in the database scheduler process.

    In one incident, threat actors established encrypted tunnels to external Command & Control (C2) servers, created local administrative accounts, and deployed ransomware under the guise of standard database operations.

    Event logs reveal multiple failed login attempts followed by a successful SYSDBA connection, indicating credential harvesting or brute-force tactics preceding command execution.

    extjobo[.]exe execution (Source – Yarix)

    Yarix analysts noted that, following credential acquisition, the adversaries leveraged Oracle DBS External Jobs to spawn encoded PowerShell processes. This behavior highlights a shift towards living-off-the-land techniques that avoid dropping custom executables on disk.

    Instead, the attackers passed Base64-encoded scripts directly to PowerShell via extjobo.exe, which complicates detection and helps evade endpoint defenses.

    In one case, the attacker executed a command to gather system information before payload download. The decoded script is shown below:

    $cpu = Get-CimInstance -ClassName Win32_Processor
    $ram = Get-CimInstance -ClassName Win32_ComputerSystem
    Write-Host $cpu.Name, $cpu.NumberOfLogicalProcessors, [math]::Round($ram.TotalPhysicalMemory/1GB,2)
    Get-PSDrive -PSProvider FileSystem
    Get-WmiObject -Class Win32_OperatingSystem | Select-String 'OS Name'
    Get-ItemProperty -Path HKLM:\Server-Tcp -Name PortNumber

    Infection Mechanism via External Jobs

    The Oracle Database Scheduler’s External Jobs feature was designed to allow database administrators to run operating-system commands for maintenance tasks.

    Content of the ransom note (Source – Yarix)

    However, threat actors have discovered that any user with scheduler privileges can connect to the named pipe used by extjobo.exe and inject malicious commands. In the observed attacks, adversaries first authenticated as SYSDBA, then invoked:

    extjobo.exe -noservice -exec C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JABjAD0AbgBl…

    This invocation bypasses the script execution policy (-ep Bypass) and runs the Base64-decoded payload directly in memory.

    The scheduler listens on a pipe—typically accessible to the ORACLEDBS service account—granting command execution without spawning new processes detectable by conventional monitoring tools.

    Following initial reconnaissance, the attackers used similar commands to download secondary payloads from C2 servers, establish reverse shells, and create a local account named Admine for persistence and lateral movement.

    By abusing legitimate scheduler functionality, the adversaries avoid writing executable artifacts to disk and rely on native Windows tools for reconnaissance, payload staging, and tunneling.

    Logs confirm that after each execution instance, the attackers deleted temporary batch files and scheduler tasks, further hindering forensic analysis.

    This technique underscores the need for tighter access controls on scheduler privileges, vigilant monitoring of named-pipe activity, and anomaly detection for unusual extjobo.exe invocations in Oracle database environments.
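
    The last of those controls can be expressed as a concrete rule over process-creation telemetry: a PowerShell process whose parent is extjobo.exe, carrying an -EncodedCommand argument, is the shape of every invocation described above. The script below is an added example for this article (not Yarix's tooling): it scans simplified process-creation records (field names modelled on Sysmon Event 1 and are an assumption), matches that parent/child pair, and decodes the Base64 UTF-16LE payload so an analyst sees the script rather than the blob. The records are constructed, including the Oracle home path; the reconnaissance one-liner is the first line of the decoded script shown earlier.

```python
"""Hunt process-creation telemetry for extjobo.exe launching PowerShell with an
encoded command, and decode the payload for review.  Example code added for
this article (not Yarix's tooling).  Records are constructed in a simplified
Sysmon Event 1 shape; the field names and the Oracle home path are assumptions."""
import base64
import re

# PowerShell accepts -EncodedCommand and any unambiguous prefix of it (-e, -ec,
# -enc, ...), so the rule must match the prefixes, not only the full name.
ENCODED_ARG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+"
    r"([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded-command payload.
    PowerShell expects the Base64 to wrap UTF-16LE text."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def find_scheduler_abuse(records):
    """Return (pid, decoded_script) for every PowerShell spawned by extjobo.exe.
    decoded_script is None when the child was launched without an encoded command,
    which is still worth a look but is not the pattern in this report."""
    hits = []
    for r in records:
        parent = r.get("ParentImage", "")
        if not parent.lower().endswith("\\extjobo.exe"):
            continue
        if not POWERSHELL_RE.search(r.get("Image", "")):
            continue
        hits.append((r["ProcessId"], decode_encoded_command(r.get("CommandLine", ""))))
    return hits


def encode_for_powershell(script):
    """Build the encoding PowerShell expects; used only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


RECON_SCRIPT = "$cpu = Get-CimInstance -ClassName Win32_Processor"

# Constructed records: one matching the reported pattern, one benign admin
# script from Explorer, one extjobo.exe child that is not PowerShell.
SAMPLE_RECORDS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\oracle\product\19c\dbhome_1\bin\extjobo.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_for_powershell(RECON_SCRIPT)},
    {"ProcessId": 4133,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4140,
     "ParentImage": r"C:\oracle\product\19c\dbhome_1\bin\extjobo.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for pid, script in find_scheduler_abuse(SAMPLE_RECORDS):
        print(f"pid {pid}: extjobo.exe -> powershell, decoded: {script!r}")
```

    Because the scheduler itself is legitimate, the rule keys on the parent/child relationship rather than on extjobo.exe alone; a database server that never runs external jobs can tighten this further and alert on any child process of extjobo.exe.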


    The post Threat Actors Leverage Oracle Database Scheduler to Gain Access to Corporate Environments appeared first on Cyber Security News.


  • A sophisticated Iran-nexus espionage group known as Subtle Snail has emerged as a significant threat to European telecommunications, aerospace, and defense organizations through an elaborate recruitment-themed social engineering campaign.

    The group, also identified as UNC1549 and linked to the broader Unyielding Wasp network, has successfully compromised 34 distinct devices across 11 organizations since June 2022 by masquerading as HR representatives from legitimate companies to engage unsuspecting employees.

    The attackers operate through meticulously crafted LinkedIn profiles, presenting themselves as hiring managers and HR personnel from well-known industry entities.

    Their approach involves extensive reconnaissance to identify high-value targets within organizations, particularly focusing on researchers, developers, and IT administrators with privileged access to critical systems.

    The threat actors create convincing fake job advertisements and establish domains following patterns like telespazio-careers.com and safrangroup-careers.com to impersonate legitimate companies and enhance the credibility of their recruitment schemes.

    Catalyst analysts noted that Subtle Snail deploys a custom variant of the MINIBIKE backdoor, which communicates with Command and Control infrastructure proxied through Azure cloud services to evade detection.

    At the time of initial discovery, the malicious samples exhibited remarkably low detection rates across most antivirus vendors due to sophisticated obfuscation techniques and the abuse of code signing certificates from Insight Digital B.V., a Dutch company, making the malware appear as trusted software.

    Initial access chain (Source – Prodaft)

    The group’s operational methodology extends beyond simple malware deployment, incorporating victim-specific malware development and comprehensive data exfiltration capabilities that enable systematic collection of proprietary technologies, customer databases, and critical network configurations.

    Their sustained campaign demonstrates the evolving sophistication of state-sponsored threat actors targeting critical infrastructure, with particular emphasis on telecommunications entities while maintaining interest in aerospace and defense sectors for strategic espionage purposes.

    DLL Sideloading as Primary Attack Vector

    The core of Subtle Snail’s infection mechanism relies heavily on DLL sideloading, which exploits Windows’ dynamic-link library search order to achieve code execution while evading security controls.

    When victims execute what appears to be a legitimate setup.exe file contained within ZIP archives named Application.zip, TimeTable.zip, or TimeScheduler.zip, the threat actors utilize a malicious MINIBIKE DLL file strategically placed alongside the legitimate executable to perform DLL sideloading.

    The malware leverages Windows’ DLL search order mechanism to load malicious libraries alongside legitimate applications, effectively bypassing security controls on trusted processes.

    Execution chain (Source – Prodaft)

    The group systematically names their malicious DLLs with common system library names such as iumbase.dll, dwrite.dll, or umpdc.dll to masquerade as legitimate Windows components.

    Each DLL is specifically crafted for individual victims and operations, with legitimate DLL files being modified to facilitate seamless execution of the sideloading attack.

    The technical implementation involves substituting function names in the export section with direct string variables, allowing attackers to bypass typical detection mechanisms by manipulating the DLL’s export table while maintaining the appearance of legitimate files.

    All malicious DLLs are developed using Microsoft Visual C/C++ for 64-bit machine architecture, with WinAPI functions resolved dynamically at runtime after their corresponding module names and process names are decrypted using custom string decryption techniques.
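
    The naming trick cuts both ways for a threat hunter: a file called dwrite.dll or umpdc.dll has no business sitting in an unpacked recruitment archive next to setup.exe. The script below is an added example for this article (not Prodaft's tooling): it walks a directory tree, skips the Windows system directories where those names belong, and reports every system-named DLL that sits beside an executable that could load it, together with its SHA-256 for comparison against the genuine copy. The library names come from the article; the folder layout is constructed in a temporary directory so the scan runs offline.

```python
"""Hunt for DLL sideloading candidates: DLLs bearing the names of well-known
system libraries that sit beside an executable outside the Windows system
directories.  Example code added for this article (not Prodaft's tooling).
The DLL names come from the article; the fixture tree is constructed here."""
import hashlib
import os
import tempfile

# Names the article reports Subtle Snail using for its sideloaded DLLs.
SYSTEM_DLL_NAMES = {"iumbase.dll", "dwrite.dll", "umpdc.dll"}
# Directories where a DLL with one of those names is expected to live.
SYSTEM_DIR_MARKERS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def find_sideload_candidates(root):
    """Walk root and return sorted (exe_path, dll_path, sha256) triples for every
    system-named DLL that sits in the same folder as an executable."""
    candidates = []
    for dirpath, _, files in os.walk(root):
        norm = (dirpath.replace("/", "\\") + "\\").lower()
        if any(marker in norm for marker in SYSTEM_DIR_MARKERS):
            continue  # the genuine library belongs there
        lower = {f.lower(): f for f in files}
        exes = [f for f in files if f.lower().endswith(".exe")]
        if not exes:
            continue  # no loader beside it, so no sideload from this folder
        for name in SYSTEM_DLL_NAMES & set(lower):
            dll_path = os.path.join(dirpath, lower[name])
            digest = sha256_of(dll_path)
            for exe in exes:
                candidates.append((os.path.join(dirpath, exe), dll_path, digest))
    return sorted(candidates)


def build_fixture():
    """Constructed layout: an unpacked 'Application' folder holding setup.exe
    with dwrite.dll beside it, and a docs folder with a stray DLL but no exe."""
    root = tempfile.mkdtemp(prefix="sideload_")
    app = os.path.join(root, "Application")
    docs = os.path.join(root, "docs")
    os.makedirs(app)
    os.makedirs(docs)
    for path, content in [
        (os.path.join(app, "setup.exe"), b"MZ placeholder exe"),
        (os.path.join(app, "dwrite.dll"), b"MZ placeholder dll"),
        (os.path.join(app, "readme.txt"), b"hello"),
        (os.path.join(docs, "umpdc.dll"), b"MZ placeholder dll"),
    ]:
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for exe, dll, digest in find_sideload_candidates(build_fixture()):
        print(f"{dll} beside {exe}  sha256={digest}")
```

    The hash is the useful output: a DLL with a system name whose digest does not match the copy in System32, and that was not signed by Microsoft, is the file to pull for analysis. Extending SYSTEM_DLL_NAMES with the rest of the libraries an environment's applications commonly sideload is the obvious next step.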

    The MINIBIKE backdoor gathers unique system identifiers and transmits them to the C2 server in the format {UNIQUE_ID}###{DEVICE_NAME}###{NETWORK_INTERFACE_IPs}, initiating the attack chain.

    Upon successful connection, threat actors begin deploying victim-specific DLLs for various purposes including keylogging, credential stealing, and domain name checking, with each DLL executed through the same DLL sideloading technique to maintain operational stealth and persistence throughout the compromise.


    The post Subtle Snail Mimic as HR Representatives to Engage Employees and Steal Login Credentials appeared first on Cyber Security News.


  • Cybersecurity compliance has become a mission-critical part of modern business operations. With the rise of data privacy laws, global regulations, and increasing cyber threats, organizations need reliable compliance management software to stay secure and audit-ready. The best compliance platforms streamline frameworks like SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and more while automating workflows, […]

    The post Top 10 Best Cybersecurity Compliance Management Software in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at least April 2025. The activity primarily targeted industrial, financial, tourism, biotechnology, research, and trade sectors, cybersecurity company F6 said in an analysis published last week. The attack chain involves


    A sophisticated new ransomware group has emerged from the shadows, targeting multinational organizations across diverse sectors with precision and a systematic approach.

    Kawa4096, first detected in June 2025, has rapidly established itself as a formidable threat to enterprises spanning finance, education, and service industries, particularly focusing on victims in Japan and the United States.

    The group’s operational sophistication suggests well-coordinated cybercriminal activities with potential for widespread impact across multiple countries within a remarkably short timeframe.

    The Kawa4096 ransomware operation demonstrates advanced tactical capabilities through its implementation of double extortion methodologies, combining data encryption with data theft to maximize leverage over victims.

    The group operates a dedicated Tor-based data exfiltration platform where they systematically disclose victim information, creating additional pressure for ransom payment compliance.

    Their operational structure reveals meticulous planning, providing individualized claim URLs for each victim to control data access and maintain organized communication channels throughout the extortion process.

    ASEC analysts noted that the ransomware’s technical implementation incorporates several distinctive characteristics that set it apart from conventional ransomware families.

    The malware automatically re-executes with the -all argument when launched without parameters, ensuring comprehensive file encryption across target systems.

    Additionally, it creates a unique mutex named “SAY_HI_2025” using the CreateMutexA API to prevent duplicate executions and potential system conflicts during the encryption process.

    The ransomware’s configuration management system utilizes embedded resource sections containing 17 distinct fields that control encryption behavior.

    Kawa4096 ransomware data leak site (Source – ASEC)

    These configurations include comprehensive exclusion lists for file extensions, directories, and specific filenames to maintain system stability while maximizing damage.

    Critical system files such as [.]exe, [.]dll, [.]sys, and core Windows components like boot[.]ini and desktop[.]ini are deliberately excluded to preserve system functionality and maintain negotiation capabilities.

    Advanced Encryption Mechanics and Evasion Tactics

    Kawa4096 employs sophisticated partial encryption techniques to optimize speed and efficiency while maintaining destructive impact.

    The malware divides target files into 64KB chunks and encrypts only 25% of each file, significantly reducing encryption time while rendering files completely unusable.

    This selective approach proves particularly effective against databases, documents, and multimedia files, where partial corruption of headers or indexes renders entire files inaccessible.

    The encryption process utilizes the Salsa20 stream cipher algorithm, with encrypted files receiving extensions in the format [original_filename].[extension].[9_random_characters].

    Kawa4096 ransomware ransom note (Source – ASEC)

    For files exceeding 10MB, the ransomware applies strong partial encryption patterns, while smaller files receive full or weak partial encryption treatment.

    This adaptive approach demonstrates the group’s understanding of system performance optimization and victim impact maximization.
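
    Partial encryption leaves a recognisable fingerprint that incident responders can use during triage: some 64 KB chunks of a file read as ciphertext (entropy close to 8 bits per byte) while the rest still look like the original document. The script below is an added example for this article (not ASEC's tooling): it computes the Shannon entropy of each 64 KB chunk, reports what fraction of a file appears encrypted, and checks a filename against the [original_filename].[extension].[9_random_characters] pattern. The sample file is constructed with 2 of 8 chunks randomised (25 %), which is the proportion the article reports; the 7.5-bit threshold and the 10 %–90 % band for "partial" are assumptions.

```python
"""Triage files for partial encryption of the kind the article describes:
score the Shannon entropy of each 64 KB chunk, report the encrypted fraction,
and check for the reported ransom extension pattern.  Example code added for
this article (not ASEC's tooling); the sample file is constructed here."""
import math
import random
import re
from collections import Counter

CHUNK = 64 * 1024
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext and random data sit near 8.0 (assumed cut-off)

# [original_filename].[extension].[9 random characters]
KAWA_EXT_RE = re.compile(r"^.+\.[^./\\]+\.[A-Za-z0-9]{9}$")


def shannon_entropy(buf):
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_profile(data, chunk=CHUNK):
    """Entropy of each chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def encrypted_fraction(data, chunk=CHUNK, threshold=HIGH_ENTROPY):
    """Share of chunks whose entropy reads as ciphertext."""
    profile = chunk_profile(data, chunk)
    if not profile:
        return 0.0
    return sum(e >= threshold for e in profile) / len(profile)


def looks_partially_encrypted(data, low=0.1, high=0.9):
    """True when some but not all chunks read as ciphertext: the signature of
    partial encryption, as opposed to a wholly encrypted or an untouched file."""
    return low <= encrypted_fraction(data) <= high


def matches_kawa_name(filename):
    return bool(KAWA_EXT_RE.match(filename))


def build_sample(chunks=8, encrypted_every=4, seed=1):
    """Constructed 'document': repetitive text with every 4th chunk replaced by
    random bytes, mimicking 25% partial encryption."""
    rng = random.Random(seed)
    plain = (b"quarterly report line\n" * (CHUNK // 22 + 1))[:CHUNK]
    out = bytearray()
    for i in range(chunks):
        out += rng.randbytes(CHUNK) if i % encrypted_every == 0 else plain
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    print("chunk entropies:", [round(e, 2) for e in chunk_profile(sample)])
    print("fraction encrypted:", encrypted_fraction(sample))
    print("partially encrypted:", looks_partially_encrypted(sample))
    print("name matches pattern:", matches_kawa_name("report.docx.a1B2c3D4e"))
```

    Compressed or already-encrypted formats (archives, media, office files with embedded images) have high-entropy regions of their own, so the profile is a triage aid to rank files for inspection, not a verdict; the extension check and the mutex name from the article are the cheaper first filters.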

    The ransomware systematically terminates critical processes, including database servers, office applications, and backup services to unlock files for encryption.

    Target processes include sqlservr[.]exe, excel[.]exe, firefox[.]exe, outlook[.]exe, and numerous other applications that could interfere with the encryption process or provide recovery mechanisms for victims.


    The post Kawa4096 Ransomware Attacking Multinational Organizations to Exfiltrate Sensitive Data appeared first on Cyber Security News.


  • In international waters around Latin America, Trump says he ordered another “lethal kinetic strike” on a boat allegedly “affiliated with [an unnamed] Designated Terrorist Organization conducting narcotrafficking in the USSOUTHCOM area of responsibility,” the president posted online Friday. He did not say when this third lethal strike was carried out. 

    Trump said three “narcoterrorists” were killed in the latest attack, and alleged “Intelligence confirmed the vessel was trafficking illicit narcotics, and was transiting along a known narcotrafficking passage enroute to poison Americans.” To our knowledge, neither Trump nor the Pentagon have shared that evidence with the public. “STOP SELLING FENTANYL, NARCOTICS, AND ILLEGAL DRUGS IN AMERICA, AND COMMITTING VIOLENCE AND TERRORISM AGAINST AMERICANS!!!” the president added in his Friday post. 

    Panning out, “In Venezuela, some are speculating whether the strikes are part of a plan to try to topple President Nicolás Maduro, a notion that the Venezuelan leader has echoed,” the Associated Press reports. 

    Some lingering questions about these operations include: 

    • If these boats are carrying fentanyl as alleged, then why not seize one and show the public?
    • What is the U.S. military’s targeting and attack criteria? 
    • Are the boats being contacted before being destroyed? 
    • What is the intelligence behind the lethal strikes, and what is considered an actionable level of confidence in the intelligence? (Hat tip to Josh Collins and Cheryl Rofer for those suggestions.)

    Legal considerations: “A wide range of specialists in domestic and international law regulating the use of force have argued that Mr. Trump and Pete Hegseth, the secretary of defense, are giving the military illegal orders and causing Special Operations forces to deliberately target civilians—even if they are criminal suspects—in violation of murder laws,” the New York Times reports. However, “A draft bill circulated this week within the executive branch and Congress would provide sweeping legal authorization to Mr. Trump to use military force against people, groups and nations he deems linked to narcoterrorism. It is not clear whether it could pass the Republican-controlled Congress.”

    Historical consideration: “At the Nuremberg trials, Karl Dönitz was convicted of war crimes for the sinking of civilian vessels,” lawyer Max Kennerly wrote on social media Monday. “This is not a complicated question,” he added, “it's been illegal for centuries.”

    Update: The Taliban have rejected Trump’s desire to retake Afghanistan’s Bagram Air Base. The group’s deputy spokesman posted a rebuttal on social media Sunday, reminding White House officials, “It is worth recalling that the Doha Agreement clearly stipulated the United States' commitment ‘to refrain from the use of force or threat against the territorial integrity and political independence of Afghanistan, and non-interference in its internal affairs,’ and therefore, they are obligated to fully adhere to these commitments.”

    Reminder: Trump ordered that agreement signed in Doha, which was finalized in the final year of his first term in office. But the president has so far refused to drop the matter. 

    “If Afghanistan doesn’t give Bagram Airbase back to those that built it, the United States of America, BAD THINGS ARE GOING TO HAPPEN!!!” Trump threatened on social media Sunday. 

    U.S. forces in the Middle East say they killed another “senior ISIS” fighter at an undisclosed location in Syria on Friday. His name was Omar Abdul Qader, and Central Command officials described him as “an ISIS member actively seeking to attack the United States.” 

    Worth noting: Syrian troops participated in that operation, which is at least the third time that’s known to have occurred since July, according to Charles Lister of the Middle East Institute, who said the operation took place near Jarjisah, Hama province. 

    “As I understand, there've been more undeclared operations” bringing U.S. and Syrian troops together to fight terrorism, Lister added. 

    By the way: A Syrian president has visited the U.S. for the first time in almost 60 years. Syria’s President Ahmed al-Sharaa arrived in New York City Monday for this week’s United Nations General Assembly, featuring speeches from top-level officials around the world, including Trump on Tuesday. Reuters has a bit more.


    Welcome to this Monday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston and Thomas Novelly. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1980, Iraq’s Saddam Hussein invaded Iran in an opportunistic attempt to exploit the perceived weakness of its year-old revolutionary government. The ensuing war instead helped Tehran solidify domestic support. 

    Industry

    Shutdown watch: "Last week ended with the House passing a CR (continuing resolution) on a 217-212 vote, but the Senate rejected it on a 44-48 vote. Congress is on recess this week, and we suppose that a rabbit could be pulled out of a hat on Sept. 29-30, but an appropriations lapse looks probable. Our view remains that a shutdown could be immaterial to defense and federal services contractors if a CR can be passed later in October," writes Byron Callan of Capital Alpha.

    F-47's first flight expected in 2028, says Air Force Chief of Staff Gen. David Allvin. That adds specificity to the service's plan for its sixth-gen combat aircraft, which had previously said it would take wing "by decade's end." Manufacturing has begun on the first jet, Allvin said Monday at the Air, Space & Cyber Conference outside Washington, D.C. Defense One’s Thomas Novelly and Lauren C. Williams are at the show this week; watch for their coverage or, if you’re there, reach out to them.

    Lockheed Martin unveils work on a potential CCA competitor. It’s the Vectis drone, which the Skunk Works director says would be stealthy, long-legged enough for Pacific missions, and smaller than an F-16 but larger than a missile. Novelly has a bit more, here.


    Trump 2.0

    The Air Force is operating deportation flights for ICE to Africa with transponders turned off, making them nearly un-trackable, Rolling Stone reported over the weekend. “This includes the third-country removal to Ghana and another secret flight,” investigator Gillian Brockell writes. 

    Trump’s FBI dropped a corruption investigation against Tom Homan. Before he took over as Trump’s “border czar” and prior to the election, FBI agents last year caught Tom Homan accepting a bag containing $50,000 in cash from agents posing as business executives, MSNBC reported this weekend. Homan had promised to help the businessmen win government contracts related to border security should President Trump return to office. 

    One notable hiccup: At the time he accepted the bag of cash, Homan “was not a public official, and Trump was not president at the time he accepted money in the FBI’s undercover sting, so his actions didn’t clearly fit under a standard bribery charge,” Carol Leonnig and Ken Dilanian reported for MSNBC. 

    After Trump took office, the case was dropped by the Justice Department. According to the New York Times, “One person familiar with the case said the evidence gathered had not met all the necessary elements of relevant federal crimes, while another contended that the case was effectively ended prematurely, before such additional evidence could be gathered.”

    Expert reax: “If someone who is not yet a public official, but expects to be, takes bribes in exchange for agreeing to take official acts after they are appointed, they can’t be charged with bribery. But they can be charged with conspiracy to commit bribery. In a conspiracy charge, the crime is the agreement to commit a criminal act in the future,” Randall Eliason, the former chief of public corruption prosecutions in the U.S. Attorney’s Office in D.C., told MSNBC. Story, here

    Pentagon: Journalists who obtain “unauthorized” information will lose their building passes. “[Department of War] information must be approved for public release by an appropriate authorizing official before it is released, even if it is unclassified,” says a document released Friday with a Sept. 18 memo from Pentagon spokesman Seth Parnell. 

    Parnell’s office is requiring Pentagon reporters to sign an agreement to this effect. Washington Post: “The agreement represents a sharp departure from the practice over decades of military and civilian defense leaders who have felt comfortable openly talking to and even going into war zones with the press.” Read on, here, with other coverage from the New York Times and Politico.

    Outgoing GOP Rep. Don Bacon: “This is so dumb that I have a hard time believing it is true,” the retired Air Force one-star wrote on social media Saturday. While occasionally critical of Trump, it’s worth noting that Bacon is not seeking re-election. “We don’t want a bunch of Pravda newspapers only touting the Government’s official position,” he said Saturday, adding, “A free press makes our country better. This sounds like more amateur hour.” 

    The National Press Club: “If the news about our military must first be approved by the government, then the public is no longer getting independent reporting,” NPC President Mike Balsamo said in a statement. “It is getting only what officials want them to see. That should alarm every American.”

    Reminder: “This will be the most transparent administration ever,” Defense Secretary Pete Hegseth vowed in a February social media post. Parnell’s document added, “DoW remains committed to transparency to promote accountability and public trust.” 

    Even the president seemed unenthused about this new idea from Hegseth’s department. “Should the Pentagon be part of deciding what reporters can report on?” a reporter asked Trump on Sunday. “No, I don’t think so. But nothing stops reporters, you know that,” he replied. 


    Etc.

    Three Russian jets entered the airspace of NATO member Estonia on Friday. Italian jets with the alliance’s new Eastern Sentry operation responded and directed the Russians out after a 12-minute incursion. In response, Estonia requested a meeting of NATO members under Article 4, just as Poland did last week after Russian drones and jets entered its airspace.

    Capitol Hill reax: “These are calculated moves intended to normalize aggression, wear down our resolve, and send a signal that Moscow can push boundaries with impunity,” said co-chairs of the Senate's NATO Observer Group Thom Tillis, R-N.C., and Jeanne Shaheen, D-New Hampshire. These provocations also present a real risk of miscalculation that could lead to unforeseen escalation. “Putin has shown us time and again that he is a liar and a murderer with no desire for peace,” they added. 

    Should Russia declare war on NATO, Germany is already planning for as many as 1,000 wounded troops per day, Reuters reported Monday from Berlin. 

    But drones may complicate that process. “The Ukrainians often cannot evacuate their wounded fast enough because drones are buzzing overhead everywhere,” Germany's Surgeon General Ralf Hoffmann told the wire service in an interview. A bit more, here


  • Three of the cybersecurity industry’s most prominent vendors, Microsoft, SentinelOne, and Palo Alto Networks, have announced they will not participate in the 2026 MITRE ATT&CK Evaluations.

    The coordinated withdrawal marks a significant shift in how leading security companies approach independent product validation, with all three citing a strategic reallocation of resources toward internal innovation and customer-focused initiatives.

    The MITRE ATT&CK Evaluations are widely regarded as a crucial industry benchmark, providing transparent and objective assessments of security product capabilities against simulated real-world attack scenarios.

    For years, strong performance in these evaluations has been a key marketing and validation tool for vendors. However, the three giants have independently concluded that their resources are better spent elsewhere this year.

    In its official statement, Microsoft announced that after “extensive deliberation,” it decided to forgo this year’s evaluation to “focus all our resources on the Secure Future Initiative and on delivering product innovation to our customers”.

    Similarly, SentinelOne stated its decision came after a “thorough review internally” and was made to “prioritize our product and engineering resources on customer-focused initiatives while accelerating our platform roadmap”.

    Palo Alto Networks, a consistent participant for six years, echoed this sentiment. The company, which achieved 100% technique-level detections with its Cortex XDR platform in previous evaluations, said it will “adjust the focus of our engineering and testing resources” to “further accelerate critical platform innovations that directly address our customers’ most pressing security challenges”.

    Despite stepping back from the high-profile MITRE evaluations, all three companies reaffirmed their commitment to independent, third-party testing through other avenues.

    Palo Alto Networks highlighted its continued participation in assessments from organizations like SE Labs, where it earned an AAA rating for 100% ransomware prevention, and AV-Comparatives, which awarded its Cortex XDR a unique dual certification.

    This collective move suggests a broader trend where major vendors are diversifying their validation strategies. While they continue to value their relationships with MITRE, the companies are increasingly prioritizing agile development cycles and direct responses to the rapidly evolving threat landscape over participation in standardized annual evaluations.

    The decisions underscore the dynamic nature of the cybersecurity industry, where balancing independent benchmarking with accelerated innovation has become a critical strategic consideration.

    The withdrawals have sparked discussion within the cybersecurity community about the future of standardized testing and whether other vendors will follow suit.


    The post Microsoft, SentinelOne, and Palo Alto Networks Withdraw from 2026 MITRE ATT&CK Evaluations appeared first on Cyber Security News.

¶¶¶¶¶

  • The cybersecurity landscape faces a growing threat from sophisticated Phishing-as-a-Service (PhaaS) platforms that are democratizing cybercrime by lowering technical barriers for fraudsters worldwide.

    Among these emerging threats, the Lucid PhaaS platform has established itself as a formidable force in the underground economy, enabling massive-scale phishing operations across multiple continents and industry sectors.

    Security researchers have uncovered an extensive criminal infrastructure centered around Lucid PhaaS, which has successfully deployed over 17,500 phishing domains targeting 316 prominent brands spanning 74 countries.

    This scale represents one of the largest documented PhaaS operations to date, demonstrating the platform’s sophisticated capabilities and widespread adoption among cybercriminals.

    Lucid Phishing-as-a-Service site impersonating finance company Kuda (Source – Netcraft)

    The operation encompasses diverse industries including financial institutions, government agencies, postal services, and toll companies, indicating the platform’s versatility in mimicking various organizational structures and brand identities.

    The campaign’s geographical reach extends from major financial centers in North America and Europe to emerging markets across Asia, Africa, and Latin America, suggesting a coordinated global operation rather than isolated regional activities.

Netcraft analysts attributed the kit through fingerprinting and correlation analysis that linked Lucid to its companion platform, Lighthouse PhaaS, via shared anti-monitoring infrastructure and identical template systems.

    The investigation revealed that Lucid operates through a subscription-based model where cybercriminals pay monthly fees for access to pre-configured phishing templates and hosting infrastructure.

    Each phishing template within the platform receives a unique identifier, such as the “kuda295” theme discovered during analysis of a financial institution impersonation campaign.

    This naming convention allows operators to efficiently manage multiple concurrent campaigns while maintaining operational security.

    Advanced Evasion and Anti-Monitoring Mechanisms

    Lucid PhaaS employs sophisticated detection evasion techniques that represent a significant evolution in phishing technology.

    The platform implements a multi-layered filtering system that protects malicious content from security researchers and automated detection systems through several technical mechanisms.

    The primary evasion technique requires visitors to access specific URL paths, such as “/servicios,” which are dynamically configured by fraudsters and vary significantly across campaigns targeting identical brands.

This path-based filtering makes automated detection challenging: a crawler that requests the domain root or a guessed path never sees the lure, and the correct path is not predictable from one campaign to the next.

    Additionally, the platform enforces geographical restrictions by requiring connections from specific proxy countries, effectively limiting exposure to security researchers operating from known analysis centers.

    User-Agent filtering represents another critical evasion layer, with Lucid requiring mobile device signatures to display phishing content.

    This restriction aligns with the platform’s targeting strategy, as mobile users often exhibit reduced security awareness and operate on devices with limited security tooling.

    When visitors fail to meet these criteria, Lucid displays convincing fake e-commerce storefronts featuring products like shoes or women’s clothing, complete with professional layouts and product catalogs.

    These anti-monitoring pages serve a dual purpose by maintaining the illusion of legitimate commerce while concealing the underlying criminal infrastructure.

    Security researchers analyzing suspicious domains encounter apparently benign shopping websites, potentially causing them to classify the domains as false positives.

    This deception technique significantly extends the operational lifespan of malicious domains and reduces the likelihood of successful takedown efforts.

Fake storefronts (Source – Netcraft)

The sophisticated fake storefronts demonstrate the platform’s attention to visual authenticity and user experience design, making detection increasingly challenging for both automated systems and human analysts.
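The gating logic described above, and the divergence check that exposes it, as an added Python example that is not Netcraft's tooling or Lucid's own code. A simulated handler stands in for a live domain, the decoy and lure bodies are constructed, and the allowed proxy country "NG" and the candidate paths are assumptions for illustration; only the "/servicios" path and the Kuda brand come from the article.

```python
"""Probe a suspected Lucid-style gated domain from several client profiles.

A single desktop crawl of the root URL sees only the storefront decoy, which is
how such domains get written off as false positives.  Fetching the same path
from several profiles and comparing the bodies surfaces the cloaking.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for a live response; not real Lucid content.
DECOY_HTML = ("<html><head><title>Summer Shoes Outlet</title></head>"
              "<body>Sale: sneakers, boots, sandals</body></html>")
LURE_HTML = ("<html><head><title>Kuda - Sign in</title></head>"
             "<body><form action='/servicios/login' method='post'>"
             "<input name='email'><input name='password' type='password'>"
             "</form></body></html>")

MOBILE_UA = re.compile(r"iPhone|Android|Mobile", re.IGNORECASE)
CRED_FORM = re.compile(r"<input[^>]*type=['\"]password['\"]", re.IGNORECASE)


@dataclass(frozen=True)
class ClientProfile:
    label: str
    user_agent: str
    country: str  # geolocation of the egress IP, as the gate would see it


@dataclass(frozen=True)
class Request:
    path: str
    profile: ClientProfile


Handler = Callable[[Request], str]


def gated_site(lure_path: str, allowed_countries: frozenset) -> Handler:
    """Simulated gate: secret path AND allowed country AND mobile UA, else decoy.

    The ordering of the checks is an assumption; the article only states that
    all three conditions must hold for the phishing page to be served.
    """
    def handle(req: Request) -> str:
        if req.path.rstrip("/") != lure_path:
            return DECOY_HTML
        if req.profile.country not in allowed_countries:
            return DECOY_HTML
        if not MOBILE_UA.search(req.profile.user_agent):
            return DECOY_HTML
        return LURE_HTML
    return handle


# Three probe identities: what a scanner in a US data centre looks like, and
# two mobile profiles (country codes are assumptions for the example).
DESKTOP_US = ClientProfile("desktop-us", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "US")
ANDROID_NG = ClientProfile("android-ng", "Mozilla/5.0 (Linux; Android 13) Mobile Safari/537.36", "NG")
IPHONE_US = ClientProfile("iphone-us", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Mobile/15E148", "US")
PROFILES = [DESKTOP_US, ANDROID_NG, IPHONE_US]


def classify(body: str) -> str:
    """Coarse verdict on one response body."""
    return "credential-form" if CRED_FORM.search(body) else "no-form"


def naive_scan(handle: Handler) -> str:
    """What a one-shot desktop crawl of the root URL concludes."""
    return classify(handle(Request("/", DESKTOP_US)))


def probe(handle: Handler, candidate_paths: List[str]) -> Dict[Tuple[str, str], str]:
    """Fetch every candidate path with every profile, keyed by (path, profile label)."""
    return {(p, prof.label): handle(Request(p, prof))
            for p in candidate_paths for prof in PROFILES}


def cloaking_report(results: Dict[Tuple[str, str], str]) -> Dict[str, Dict[str, str]]:
    """Paths whose body hash differs across profiles are being cloaked."""
    by_path: Dict[str, Dict[str, str]] = {}
    for (path, label), body in results.items():
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        by_path.setdefault(path, {})[label] = digest
    return {p: h for p, h in by_path.items() if len(set(h.values())) > 1}


def find_lure(results: Dict[Tuple[str, str], str]) -> List[str]:
    """Paths on which at least one profile received a credential form."""
    return sorted({path for (path, _), body in results.items()
                   if classify(body) == "credential-form"})


if __name__ == "__main__":
    site = gated_site("/servicios", frozenset({"NG"}))
    print("naive scan verdict:", naive_scan(site))
    res = probe(site, ["/", "/login", "/servicios"])
    print("cloaked paths:", cloaking_report(res))
    print("lure paths:", find_lure(res))
```

The probe only succeeds when the candidate list contains the real path; with `["/", "/login"]` every profile gets the same decoy and nothing is flagged, which is exactly the point of the path gate. In practice the path has to come from a reported URL, a victim's SMS, or a proxy log, and the geo and mobile profiles are what turn that single URL into a confirmed phishing page rather than a shoe shop.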


    The post Lucid PhaaS With 17,500 Phishing Domains Mimics 316 Brands From 74 Countries appeared first on Cyber Security News.

¶¶¶¶¶

  • BlockBlasters, a vibrant 2D platformer/shooter from Genesis Interactive, launched on July 31, 2025 to wide acclaim. However, on August 30, 2025, the developers released Build 19799326, ostensibly a routine patch. Security analysts at G DATA MXDR discovered that this update carries multiple malicious components capable of harvesting sensitive data from players’ PCs—including cryptocurrency wallet credentials—making […]

    The post BlockBlasters Steam Game Disguises Malware as Patch for Computer Download appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

¶¶¶¶¶