Hackers Planted Malware in a Steam Game to Steal Gamers’ Passwords—Here’s What Happened

Valve recently removed a game from Steam after discovering it was laced with malware designed to steal gamers’ sensitive data. The game, called PirateFi, was not just an innocent title that had been compromised—it was built from the ground up as a Trojan horse to distribute the powerful Vidar infostealer malware.

Security researchers analyzing PirateFi found that it had been created using a game template called Easy Survival RPG, a tool that allows developers to quickly build and launch their own single-player or multiplayer games. This game-making software, which costs between $399 and $1,099 to license, gave hackers an easy way to deploy their malware within what appeared to be a legitimate product.

According to Marius Genheimer of SECUINFRA Falcon Team, the malware was not an afterthought but the game’s primary purpose. “It is highly likely that it never was a legitimate, running game that was altered after first publication,” Genheimer told TechCrunch. This means PirateFi was never intended to be played—it was simply bait to lure unsuspecting gamers into downloading malicious software.

The Vidar malware is an advanced infostealer capable of exfiltrating vast amounts of data from infected computers. Once installed, it can harvest passwords saved in web browsers, steal session cookies to hijack accounts without needing login credentials, track browsing history, extract cryptocurrency wallet details, take screenshots, and even grab two-factor authentication codes from token generators.

Vidar has been linked to multiple cybercriminal operations in the past, including campaigns targeting hotel booking credentials, deploying ransomware, and injecting malicious advertisements into Google search results. In 2024, the U.S. Health Sector Cybersecurity Coordination Center (HC3) described Vidar as “one of the most successful infostealers,” with its reach growing since its discovery in 2018.

What makes Vidar particularly dangerous is its availability through the malware-as-a-service model, meaning it can be purchased and used by even low-skill cybercriminals. This makes identifying the original perpetrators behind PirateFi extremely difficult. Genheimer noted that Vidar is widely used by many different cybercriminals, making it unclear who was responsible for this specific attack.

Researchers found multiple samples of the malware embedded in PirateFi, including one uploaded to VirusTotal by a gamer in Russia, another identified through SteamDB, and a third located in a threat intelligence database. Each sample exhibited identical functionality, confirming that PirateFi was specifically designed to distribute Vidar.

Valve has not publicly commented on the incident, but its swift removal of PirateFi suggests that the company is actively monitoring for malicious software on its platform. However, the fact that PirateFi was able to make it onto Steam in the first place raises concerns about the potential for similar attacks in the future.

Adding to the mystery, the supposed developers of PirateFi, Seaworth Interactive, appear to have no real online presence. The game’s official X (formerly Twitter) account was deleted shortly after its removal from Steam. Before disappearing, the account linked directly to the game’s Steam page, but its owners did not respond to messages requesting comment.

This incident serves as a stark reminder of the increasing cybersecurity threats facing gamers. While Steam is generally a safe platform, it is not immune to bad actors attempting to exploit its vast player base. Gamers are advised to be cautious when downloading lesser-known titles, keep their systems updated with security patches, and use multi-factor authentication to protect their accounts from potential breaches.

With the rise of malware-as-a-service and increasingly sophisticated cyberattacks, this likely won’t be the last time hackers attempt to use gaming platforms as a distribution method for malware. The best defense remains awareness and vigilance.

Anton Gabriel