Steam game mod "Downfall" breached, pushed password-stealing malware
Take action: If you use Steam and launched "Downfall" between 1:30 PM and 2:30 PM EST on December 25, change your important passwords IMMEDIATELY, especially for accounts not protected by 2FA. If you are a developer, take better care of your API tokens: for instance, don't commit them to source code repositories.
Learn More
The "Downfall" mod for the game "Slay the Spire" on Steam was breached on Christmas Day to distribute Epsilon information stealer malware via Steam's update system.
This compromised package was a standalone modified version of the game, not a Steam Workshop mod. The breach, believed to be a token hijack, compromised the mod's Steam and Discord accounts, allowing attackers to control uploads and communication.
Token hijacking is a cybersecurity attack in which an unauthorized person gains access to a user's authentication token, a digital key that confirms the user's identity and permissions after they log into a system. These tokens, which are intended to streamline authentication for subsequent interactions with the system, become a liability when hijacked: attackers exploit security flaws to steal them and can then impersonate the user, accessing their accounts and associated privileges without ever knowing the password.
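The developer advice above (keep API tokens out of source repos) and the token hijack described here are the two ends of the same problem, so the following added example (not code from the article or from the Downfall project) shows a small pre-commit style scanner that flags likely Steam Web API keys, Discord bot tokens and hardcoded secret assignments in source text. The token formats are heuristic regexes assumed for illustration, and the sample file contents and credential values are constructed.

```python
import re

# Heuristic patterns (assumptions for this example, not Valve's or Discord's spec):
# Steam Web API keys are commonly 32 uppercase hex characters; Discord bot tokens
# are three dot-separated base64url segments, the first usually starting with M or N.
TOKEN_PATTERNS = {
    "steam_web_api_key": re.compile(r"(?<![0-9A-Fa-f])[0-9A-F]{32}(?![0-9A-Fa-f])"),
    "discord_bot_token": re.compile(r"[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}"),
}
# Variable names that suggest a secret literal is being assigned inline.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

def redact(value):
    """Show only the ends of a value so a report never re-leaks the secret."""
    return value[:4] + "..." + value[-4:]

def scan_source(text):
    """Return (line_no, kind, redacted_value) for each likely credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
        match = SECRET_ASSIGNMENT.search(line)
        # Report a hardcoded assignment only if no token pattern already hit this line.
        if match and not any(f[0] == line_no for f in findings):
            findings.append((line_no, "hardcoded_" + match.group(1).lower(), redact(match.group(2))))
    return findings

# Constructed sample file contents; every credential-looking value below is fabricated.
SAMPLE_SOURCE = """\
import os
STEAM_KEY = "0123456789ABCDEF0123456789ABCDEF"
client.run("MTAxMjM0NTY3ODkwMTIzNDU2Nzg.G1a2b3.c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s")
api_key = "constructed-placeholder-value-01"
safe_key = os.environ["STEAM_WEB_API_KEY"]
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} {value}")
```

Only the three literal secrets are reported; the last line, which reads the key from the environment, is the pattern the scanner is meant to push developers toward.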
The breach occurred between 1:30 PM and 2:30 PM Eastern on December 25.
The malware, installed during this window, collects cookies, saved passwords, and credit card details from browsers and from applications such as Steam and Discord, and searches for documents containing 'password' and other credentials.
Users who launched "Downfall" during the breach are advised to change important passwords, especially for non-2FA protected accounts.
The malware, which was disguised as a Windows Boot Manager application or as "UnityLibManager", is sold on Telegram and Discord and frequently targets gamers.
In response to a rise in Steamworks account compromises, Valve announced SMS-based security checks, effective October 24, 2023, for game developers pushing updates on Steam. An update on December 28, 2023 confirmed that the developer's email account had not been breached.