The Steam store -- home to millions of gamers and thousands of titles -- has once again found itself at the center of a cybersecurity storm. A free-to-play game named PirateFi managed to slip through the platform’s security measures, distributing the notorious Vidar infostealing malware to unsuspecting players. Up to 1,500 users may have been affected before PirateFi was finally pulled from the store on February 12.
Gaming Platforms as a New Cyber Battleground
While malware distribution through Steam is relatively rare, it’s not unheard of. However, PirateFi's case is particularly alarming because of its stealthy execution. Initially, the game -- developed by a publisher under the alias Seaworth Interactive -- gained positive traction among players. It marketed itself as a survival game with base-building and crafting elements, appealing to fans of the genre. However, behind the scenes, the game was much more sinister.
"For gamers—especially those working from home or with family members using the same network—this is a wake-up call. Check on the apps installed on your household devices. Do some research on them. See if there’s chatter about security concerns, and take action accordingly. Your home network is only as secure as its weakest link, so raising security awareness and controls across all devices is critical," said Randolph Barr, CISO at Cequence.
Vidar Infostealer: A Silent Threat
The malware was identified by security researcher Marius Genheimer of SECUINFRA Falcon Team, who confirmed that PirateFi was embedding Vidar, a known infostealer. The malware was delivered as Howard.exe, hidden inside Pirate.exe, and distributed via an Inno Setup installer. Once activated, Vidar would siphon credentials, browser session cookies, and cryptocurrency wallet information, making it a serious threat to gamers who often store sensitive financial data on their PCs.
"If you are one of the players who downloaded this ‘game’: Consider the credentials, session cookies and secrets saved in your browser, email client, cryptocurrency wallets etc. compromised," warned Genheimer. His advice to affected players? Change all passwords immediately and enable multi-factor authentication (MFA) wherever possible.
Steam’s response has been swift but arguably inadequate. The company notified users who played PirateFi, advising them to run full system scans and, in extreme cases, to reinstall Windows. Yet, for many users, the damage may already be done.
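The delivery chain described above (Howard.exe launched from inside Pirate.exe, dropped by an Inno Setup installer) is something a defender can hunt for in endpoint process-creation telemetry rather than waiting for a platform notification. The script below is an added example, not code from the article, from SECUINFRA or from Valve. It assumes Sysmon-style process-creation events as JSON lines; the host name, user, paths and process ids are constructed, and only the two file names come from the reporting. The `is-XXXXX.tmp` directory follows Inno Setup's convention for its temporary extraction folder.

```python
import json
import ntpath
from collections import defaultdict

# Constructed sample of Sysmon-style process-creation events (JSON lines).
# Host, user, paths and pids are invented; Pirate.exe and Howard.exe are the
# names reported for the PirateFi dropper chain. Backslashes are doubled
# because JSON requires it; the raw string keeps Python from unescaping them.
SAMPLE_EVENTS = r"""
{"ts": "2025-02-10T19:02:11Z", "host": "gaming-pc", "pid": 4120, "ppid": 2200, "image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\PirateFi\\Pirate.exe", "parent_image": "C:\\Program Files (x86)\\Steam\\steam.exe"}
{"ts": "2025-02-10T19:02:14Z", "host": "gaming-pc", "pid": 4388, "ppid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-ABCDE.tmp\\Howard.exe", "parent_image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\PirateFi\\Pirate.exe"}
{"ts": "2025-02-10T19:02:20Z", "host": "gaming-pc", "pid": 4402, "ppid": 4388, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-ABCDE.tmp\\Howard.exe"}
{"ts": "2025-02-10T19:05:00Z", "host": "gaming-pc", "pid": 5011, "ppid": 2200, "image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\OtherGame\\game.exe", "parent_image": "C:\\Program Files (x86)\\Steam\\steam.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Case-folded file name of a Windows path, so matching ignores the directory."""
    return ntpath.basename(path).lower()


def find_dropper_chains(events, parent_name="Pirate.exe", child_name="Howard.exe"):
    """Return process-creation events where child_name was spawned by parent_name.

    Matching on the basename is deliberate: the install directory and Inno
    Setup's random temp folder differ per user, but the reported names do not.
    """
    parent, child = parent_name.lower(), child_name.lower()
    return [e for e in events
            if basename(e["image"]) == child and basename(e["parent_image"]) == parent]


def find_descendants(events, root_pids):
    """Follow ppid links from the flagged dropper to every process it spawned.

    Triage needs this to see what the payload went on to launch, not just
    that it ran. Pid reuse is ignored here; a real pipeline would key on a
    process GUID instead.
    """
    by_ppid = defaultdict(list)
    for e in events:
        by_ppid[e["ppid"]].append(e)
    seen, stack, out = set(), list(root_pids), []
    while stack:
        pid = stack.pop()
        for e in by_ppid.get(pid, []):
            if e["pid"] not in seen:
                seen.add(e["pid"])
                out.append(e)
                stack.append(e["pid"])
    return out


def triage(text):
    """Summarise which hosts show the chain and what the dropper launched."""
    events = parse_events(text)
    hits = find_dropper_chains(events)
    children = find_descendants(events, [h["pid"] for h in hits])
    return {
        "hosts": sorted({h["host"] for h in hits}),
        "dropper_pids": [h["pid"] for h in hits],
        "descendant_images": [basename(c["image"]) for c in children],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed sample this reports one affected host, the Howard.exe process it flagged, and the cmd.exe that process spawned; hosts in the output are the ones where the advice above (rotate credentials, enable MFA, rebuild if warranted) applies.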
Exploiting Gaming Trust
The success of the attack raises questions about the evolving nature of cyber threats targeting gamers. "One thing I didn’t do, looking back, was truly vet what I was downloading. Back then, the risks felt lower. But today, attackers are far more sophisticated, and they have the flexibility and resources to craft highly targeted attack methods," Barr added. "If they know their target is at home, leveraging gaming platforms, family devices, or even home networks becomes an easy and effective way in."
The game’s title, PirateFi, wasn’t chosen at random. Security experts suspect that references to web3, blockchain, and cryptocurrency were deliberate, designed to lure a specific demographic—one that’s both tech-savvy and likely to have digital wallets.
A Pattern of Breaches
While PirateFi is the latest, it’s far from the first security incident on Steam. In February 2023, malicious Dota 2 game modes exploited a Chrome n-day vulnerability to execute remote code on users' machines. More recently, in December 2023, an infected mod for Slay the Spire contained an ‘Epsilon’ infostealer dropper, compromising countless users.
To combat these threats, Steam has implemented security measures like SMS-based verification for developer accounts. However, these safeguards failed to prevent PirateFi from deploying multiple obfuscation techniques to evade detection while swapping command-and-control (C2) servers.
A Call to Action for Gamers and Platforms Alike
The PirateFi incident underscores a growing need for vigilance, both from platforms and users. "Since COVID, the transition from office to remote work -- and now hybrid work -- has changed the attack surface. Companies are doing a great job of securing corporate-issued devices and providing security awareness training, but they’re not securing the personal devices in our homes. That responsibility falls on each of us," Barr noted.
Apple, for instance, recently faced scrutiny for temporarily blocking Mobile Legends -- a game linked to ByteDance -- before reinstating it on February 14. "Apple does a solid job implementing security guardrails and app review processes, but no platform is perfect. Meanwhile, other app stores may not have the same level of scrutiny," Barr explained.
As gaming platforms continue to be prime targets for cybercriminals, players must adopt the same level of skepticism and caution they would with any other digital service. Meanwhile, Steam and other gaming distributors must rethink their security protocols, ensuring that incidents like PirateFi don’t become the norm.