Hackers secretly inserted three malicious programs into the Steam Early Access game Chemia; a security firm identified them as crypto-mining tools, data stealers, and a gateway for installing additional malware.
The survival crafting game, Chemia, developed by Aether Forge Studios and available through Steam's Early Access program, was compromised on July 22, 2025. The malicious activity was attributed to the threat actor known as EncryptHub (also known as Larva-208).
The game was found to be hosting multiple malware strains, including HijackLoader, Vidar Stealer, and Fickle Stealer. These programs pose significant risks to players, compromising cryptocurrency wallets and user data from web browsers, password managers, and other applications.
HijackLoader, the initial malware, acts as a loader that maintains persistence on infected systems and downloads the Vidar infostealer. Vidar, in turn, steals sensitive information and communicates with command-and-control (C2) servers via a Telegram channel. Fickle Stealer, introduced three hours later, targets web browser data such as passwords, cookies, autofill data, and cryptocurrency wallets.
The attackers exploited the game's early access status, inserting malware into game files hosted on Steam. As a result, players who downloaded the game unknowingly executed the malicious code.
Security researchers from Prodaft publicised this incident, warning users of the risk and highlighting it as the third Steam game exploited by malware in 2025. However, as of late July 2025, there are no official public reports indicating whether Steam or the developer has removed Chemia from the platform or taken remediation steps.
Key Details:
- Game: Chemia (early access on Steam)
- Developer: Aether Forge Studios
- Incident date: July 22, 2025 (initial malware injection)
- Threat actor: EncryptHub / Larva-208
- Malware involved: HijackLoader (loader), Vidar (info-stealer), Fickle Stealer (info-stealer)
- Attack vectors: Modified game files including executables and DLLs
- Impact: Risk of data theft including passwords, cookies, autofill, crypto wallets
- Current status: Publicly exposed, unknown removal or mitigation status
Players are advised to avoid downloading or running Chemia until the issue is resolved and to scan their systems if exposed to the game during the infection window.
- Chemia, a survival crafting game developed by Aether Forge Studios, was compromised on July 22, 2025, and hosted malware including HijackLoader, Vidar Stealer, and Fickle Stealer.
- Modified game files in Chemia, which is available through Steam's Early Access program, enabled the attackers to execute malicious code, posing significant risks to players' data and cryptocurrency wallets.