Cybercriminals are exploiting the immense popularity of the upcoming game title, “Battlefield 6,” to distribute a range of malicious software. Security researchers from Bitdefender Labs have identified several campaigns that are distributing fake cracked game versions and fraudulent game trainers across torrent websites and underground forums. These malicious applications are designed to steal sensitive data from unsuspecting gamers and potentially compromise their systems.
The sophisticated nature of these attacks, which impersonate well-known game cracking groups, highlights a growing trend of cyber threats leveraging trending topics to ensnare victims. The malware identified by Bitdefender varies in its objectives, from simple information stealing to establishing persistent remote control over infected machines. Importantly, none of the distributed files contain any actual Battlefield 6 gameplay functionality, confirming them as purely malicious lures.
Hackers Exploit Battlefield 6 Hype for Malware Distribution
The initial wave of these malicious campaigns focuses on enticing users with fake “Battlefield 6 Trainer Installer” applications. These are readily discoverable through search engines, often appearing on the second page of search results, making them accessible to a broad audience. Once executed, this type of malware acts as an aggressive information stealer. It systematically scans the victim’s system for sensitive data stored in local directories and browser profiles.
The types of information targeted include cryptocurrency wallet credentials, session cookies from popular browsers like Chrome, Edge, and Firefox, and crucially, Discord session tokens and login details. Furthermore, it specifically seeks out data associated with cryptocurrency wallet extensions in Chrome, such as iWallet and Yoroi. This stolen data is then transmitted over unencrypted HTTP to a specific IP address (198.251.84.9) without any attempt at obfuscation, according to Bitdefender’s analysis.
Advanced Evasion Tactics Used in Second Malware Variant
A more advanced variant, distributed under the guise of “Battlefield 6.GOG-InsaneRamZes,” showcases significantly more sophisticated evasion techniques. This malware employs regional execution blocking as a self-protection mechanism. It is programmed to cease its operations if it detects system settings indicating Russian or Commonwealth of Independent States (CIS) affiliations, a common tactic used by threat actors originating from these regions.
To further conceal its activities, this variant utilizes Windows API hashing, a method that obfuscates its operational calls. It also incorporates anti-sandbox detection checks, employing timing analysis to ascertain the system’s uptime and determine if it is running within a controlled virtual environment. Memory analysis of this malware revealed references to development tools like Postman and BitBucket, suggesting a potential targeting of developer credentials and API keys for further exploitation.
Third Malware Sample Deploys Command-and-Control Agent
The third discovered malware sample, disguised as a Battlefield 6 ISO image, serves a different and potentially more dangerous purpose: deploying a persistent command-and-control (C2) agent. The executable, roughly 25 MB in size, contains compressed data that, when unpacked, creates a file named “2GreenYellow.dat” within the user’s directory. This file is then silently executed using the legitimate Windows tool regsvr32.exe.
The installed DLL component of this malware repeatedly attempts to establish contact with a domain identified as ei-in-f101.1e100.net. Researchers suggest that this domain, which appears to leverage Google’s infrastructure, might be used as a relay or a method to disguise the communication. The observed C2 structure indicates capabilities for remote command execution, suggesting the potential for future data theft or unauthorized system manipulation.
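The indicators reported above (the plaintext HTTP exfiltration to 198.251.84.9 from the trainer stealer, the regsvr32.exe launch of a “.dat” payload from the user’s directory, and the beaconing to ei-in-f101.1e100.net) translate directly into endpoint detection logic. The following is an added example written for this page, not Bitdefender’s code or tooling. It assumes endpoint telemetry can be normalised into a Sysmon-like key=value line format (an assumption; the sample lines are constructed), and the rule names are invented labels. Because 1e100.net is Google’s own reverse-DNS domain, a browser resolving that name is normal, so the last rule only fires when the requesting process is a living-off-the-land binary or runs from a user-writable path.

```python
"""Detection sketch for the Battlefield 6 lure indicators described above.

Added example, not Bitdefender's code.  Log format is a constructed
Sysmon-like key=value line format (assumption), and the rule names are
labels invented for this example.  Indicators come from the article.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators reported by Bitdefender (taken from the article).
STEALER_EXFIL_IP = "198.251.84.9"
C2_DOMAIN = "ei-in-f101.1e100.net"

# Binaries that should not normally be the ones resolving a C2 domain.
LOLBINS = {"regsvr32.exe", "rundll32.exe"}

# Constructed sample telemetry, one event per line (not real logs).
SAMPLE_LOG = """\
type=ProcessCreate image=C:\\Windows\\System32\\regsvr32.exe parent=C:\\Users\\alice\\Downloads\\BF6.exe cmdline="regsvr32.exe /s C:\\Users\\alice\\2GreenYellow.dat"
type=ProcessCreate image=C:\\Windows\\System32\\regsvr32.exe parent=C:\\Windows\\explorer.exe cmdline="regsvr32.exe /s C:\\Program Files\\Vendor\\legit.dll"
type=NetworkConnect image=C:\\Users\\alice\\Downloads\\Battlefield6_Trainer.exe dst=198.251.84.9 port=80 proto=tcp
type=NetworkConnect image=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=142.250.74.78 port=443 proto=tcp
type=DnsQuery image=C:\\Windows\\System32\\regsvr32.exe query=ei-in-f101.1e100.net
type=DnsQuery image=C:\\Program Files\\Google\\Chrome\\chrome.exe query=ei-in-f101.1e100.net
"""


@dataclass
class Finding:
    rule: str
    event: Dict[str, str]


# key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Windows paths inside a command line (stops at whitespace or a quote).
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    return "\\users\\" in path.lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of rule names this single event triggers."""
    hits: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "")

    if kind == "ProcessCreate" and basename(image) == "regsvr32.exe":
        # regsvr32 normally registers a .dll from Program Files or System32;
        # a non-.dll payload under C:\Users matches the ISO-lure behaviour.
        for arg in _WIN_PATH.findall(ev.get("cmdline", "")):
            if in_user_profile(arg) and not arg.lower().endswith(".dll"):
                hits.append("regsvr32_user_profile_payload")
                break

    elif kind == "NetworkConnect":
        if ev.get("dst") == STEALER_EXFIL_IP:
            hits.append("stealer_exfil_ip")
            if ev.get("port") == "80":
                # The article notes the stealer sends data over unencrypted HTTP.
                hits.append("plaintext_http_exfil")

    elif kind == "DnsQuery" and ev.get("query", "").lower() == C2_DOMAIN:
        # 1e100.net belongs to Google; only an unusual requester is suspicious.
        if basename(image) in LOLBINS or in_user_profile(image):
            hits.append("c2_domain_from_suspicious_process")

    return hits


def scan(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line of the log text."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        findings.extend(Finding(rule, ev) for rule in check_event(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule}: {f.event.get('image')}")
```

Run against the constructed sample, the scan flags the regsvr32 launch of 2GreenYellow.dat, the port-80 connection to the stealer’s exfiltration address (twice, once for the IP and once for the cleartext transport), and the DNS lookup made by regsvr32.exe, while the identical lookup from Chrome and the legitimate DLL registration stay silent.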
The varying technical approaches observed across these three distinct malware samples suggest that they likely originate from different threat groups. This diversification in tactics and objectives underscores the opportunistic nature of cybercriminal activity, with actors constantly seeking new avenues to exploit consumer interest. As the official launch of Battlefield 6 approaches, gamers are advised to exercise extreme caution when downloading any game-related files from unofficial sources. Staying vigilant and prioritizing legitimate software sources are crucial steps in protecting against these evolving cyber threats.