When a Steam "Update" Becomes a Wallet Drainer: Inside the BlockBlasters Malware
The timeline
- Jul 31: BlockBlasters launches on Steam with positive reviews.
- Aug 30: A new build ships; this "update" quietly adds the malicious components.
- Sep 21–22: Reports surface that the game is draining crypto; Steam removes the listing.
(Image: the Steam store interface, the platform where BlockBlasters was distributed before removal.)
How the infection chain worked
Stage 1 — Batch dropper & data grab
A batch file (game2.bat) ran when the game was launched. It queried the victim's public IP address and geolocation, enumerated running antivirus processes, read Steam login artifacts (SteamID, AccountName, PersonaName) from the local Steam installation, and uploaded them to a C2 endpoint. It then unpacked password-protected ZIP archives (password 121) to stage the next payloads; the password is what keeps the archive contents opaque to a scanner that does not execute the script.
Stage 2 — VBS launchers
Two VBS scripts (launch1.vbs and test.vbs) ran further batch files with their console windows hidden, continuing the collection of browser-extension and wallet data and keeping in contact with the C2.
Stage 3 — Defender exclusion + payload execution
A batch stage then added the payload directory to Microsoft Defender's exclusion list, so that whatever was unpacked into it would not be scanned, and then unpacked and launched two executables: a backdoor (Client-built2.exe) and a stealer (Block1.exe).
The stealer: StealC
StealC (a Win64 build) targeted Chromium-based browsers (Chrome, Edge, Brave). It collected each profile's "Local State" file, which holds the DPAPI-protected key that encrypts the profile's saved logins and cookies, together with the database files that key protects and the local storage of wallet extensions. It exfiltrated to a C2 separate from the dropper's.
How wallets were drained
Victims with hot wallets (browser extensions or locally stored keys) were especially exposed. Once StealC had exfiltrated extension storage, cookies, and key material, the attackers could immediately:
- Import private keys or seed phrases into attacker-controlled wallets and transfer the funds out.
- Replay live sessions using stolen cookies and tokens to log in to exchanges or dapps and approve transactions.
- Swap clipboard addresses or redirect transactions, if an additional component for that were present; the stages described above do not include one.
Who was hit (known cases)
Coverage to date cites aggregate losses of more than $150,000, including a public case in which streamer Raivo "Rastaland" Plavnieks lost roughly $32,000 while fundraising for cancer treatment.
Indicators of Compromise (IOCs)
| Artifact | Example / Note |
|---|---|
| Batch dropper | game2.bat (SHA256: aa1a1328…b73b3) — collects Steam login fields, queries IP, uploads to C2 hxxp://203[.]188[.]171[.]156:30815/upload |
| VBS launchers | launch1.vbs, test.vbs — silent runners for the subsequent .bat payloads |
| Defender bypass | Directory exclusion added for the payload folder before execution |
| Main payloads | Client-built2.exe (backdoor) and Block1.exe (StealC stealer) |
| Archive trick | Password-protected ZIPs (password 121) to hinder static scanning |
| StealC C2 | Separate exfiltration endpoint (e.g., hxxp://45[.]83[.]28[.]99) |
Defensive takeaways for gamers
- Don't store real money in hot wallets on a gaming PC. Use a hardware wallet for meaningful funds; keep seeds offline.
- Treat "updates" as untrusted. An unknown indie title can ship clean and turn malicious in a later patch, as happened here. Delay playing a freshly updated game until there has been some community scrutiny of the new build.
- Segregate risk. Use a separate Windows profile or a VM for random/indie downloads. Enable Controlled Folder Access and keep Defender tamper protection on.
- Hygiene: Keep browser password storage off; prefer a dedicated manager with a master password. Lock down extension install rights.
- If you played BlockBlasters: Disconnect the machine from the network, change passwords from a known-clean device, revoke active sessions, and move funds to a wallet whose seed was generated on a clean device (a rotated key for a leaked seed is not enough). Run a full scan and check for the IOCs above.
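As an added example, not code from the article or from G DATA's analysis, the PowerShell script below triages a Windows PC for the artifacts in the IOC table and for the protections the takeaways recommend. It assumes the default Steam install location and that Microsoft Defender is the active antivirus; the -Harden switch, the finding labels and the script as a whole are this example's own construction.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not G DATA's or the game's code): triage a Windows PC
# that ran BlockBlasters. File names and C2 addresses come from the IOC table above;
# the Steam install path and the -Harden behaviour are assumptions of this example.
param([switch]$Harden)   # -Harden also removes Steam-library exclusions and enables Controlled Folder Access
$ErrorActionPreference = 'SilentlyContinue'

# Stage 1-3 artifacts. The article only gives a truncated SHA256, so matching is by name.
$ArtifactNames = 'game2.bat', 'launch1.vbs', 'test.vbs', 'Client-built2.exe', 'Block1.exe'

# C2 hosts are published defanged ("[.]"); refang them before comparing with live sockets.
$C2Hosts = '203[.]188[.]171[.]156', '45[.]83[.]28[.]99' | ForEach-Object { $_ -replace '\[\.\]', '.' }

# Search the default Steam library plus any extra libraries registered in libraryfolders.vdf.
$SteamRoot   = Join-Path ${env:ProgramFiles(x86)} 'Steam'          # assumed default install location
$SearchRoots = @(Join-Path $SteamRoot 'steamapps')
$Vdf = Join-Path $SteamRoot 'steamapps\libraryfolders.vdf'
if (Test-Path $Vdf) {
    # Library entries look like:   "path"   "D:\\SteamLibrary"
    Select-String -Path $Vdf -Pattern '"path"\s+"([^"]+)"' | ForEach-Object {
        $SearchRoots += Join-Path ($_.Matches[0].Groups[1].Value -replace '\\\\', '\') 'steamapps'
    }
}
$SearchRoots = $SearchRoots | Select-Object -Unique

$Findings = @()
function Add-Finding($Check, $Detail) { $script:Findings += [pscustomobject]@{ Check = $Check; Detail = $Detail } }

# 1) Dropper, VBS launchers, backdoor and stealer binaries under any Steam library.
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $ArtifactNames |
        ForEach-Object { Add-Finding 'Artifact' $_.FullName }
}

# 2) Defender exclusions. Stage 3 excluded the payload folder; anything under a Steam library is suspect.
$Pref = Get-MpPreference
foreach ($ex in @($Pref.ExclusionPath)) {
    if (-not $ex) { continue }
    $inSteam = [bool]($SearchRoots | Where-Object { $ex -like "$_*" })
    $check = if ($inSteam) { 'Exclusion-SteamLibrary' } else { 'Exclusion' }
    Add-Finding $check $ex
    if ($Harden -and $inSteam) { Remove-MpPreference -ExclusionPath $ex }
}

# 3) Established connections to the published C2 addresses (dropper upload server and StealC exfil host).
#    Only meaningful while the machine is still online, i.e. run this before the disconnect step.
Get-NetTCPConnection | Where-Object { $C2Hosts -contains $_.RemoteAddress } | ForEach-Object {
    Add-Finding 'C2Connection' ('{0}:{1} owned by PID {2}' -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess)
}

# 4) Protections the article recommends. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit.
$Status = Get-MpComputerStatus
Add-Finding 'TamperProtection' "IsTamperProtected=$($Status.IsTamperProtected)"
Add-Finding 'ControlledFolderAccess' "EnableControlledFolderAccess=$($Pref.EnableControlledFolderAccess)"
if ($Harden -and $Pref.EnableControlledFolderAccess -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
}
# Tamper protection has no PowerShell setter; turn it on under Windows Security > Virus & threat protection settings.

$Findings | Format-Table -AutoSize

# Full scan last, after credentials have been rotated from a clean device.
Start-MpScan -ScanType FullScan
```

Run it once without -Harden from an elevated PowerShell to see what it finds, then with -Harden to remove any exclusion that points into a Steam library and switch Controlled Folder Access on. A hit on the file names or the exclusion check is the strongest signal here; the C2 check is only useful while the backdoor is still talking, so it is worth running before pulling the network cable.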
Pattern, not a one-off
This follows earlier Steam incidents (e.g., Chemia) in which info-stealers (Fickle, Vidar) and a loader (HijackLoader) were embedded in the game build, evidence that Steam updates and playtest builds are a growing software-supply-chain target.
Credits & Sources
- Technical teardown of the BlockBlasters patch chain, payloads, C2s, and StealC behaviour (including the password-protected ZIPs and Defender exclusions): G DATA analysis.
- Removal date, total losses (>$150K), the streamer loss (~$32K), patch-date context, and the targeting of streamers: reporting and primary coverage.
- Prior Steam malware case Chemia (Fickle, Vidar, HijackLoader), for pattern context: industry reporting.