Steam Game 'Chemia' Pulled After Malware Discovery

ChainPlay • 20 hours ago

Malware Found in Steam Game ‘Chemia’
The survival crafting game Chemia has been removed from the Steam platform. Cybersecurity researchers discovered that it was spreading malware that steals crypto wallet data and browser information. The malware has been connected to a known group called EncryptHub, also known as Larva-208. Chemia was available on Steam through Early Access, which lets players try games still in development.
According to a report by cybersecurity firm Prodaft, the malware was added to Chemia on July 22. The infected files included three types of malware: HijackLoader, Vidar Stealer, and Fickle Stealer. These are often used to steal sensitive information like saved passwords, cookies, and digital wallet keys.
HijackLoader worked in the background, creating a quiet way for hackers to control the system. Vidar Stealer and Fickle Stealer pulled out user data by scanning browsers and crypto-related files. Since the malware did not slow down the game or crash it, most players didn’t know they had been compromised.
Prodaft found that the malware used Telegram as a way to communicate with the attackers. It allowed remote control of infected systems. Attackers could send commands and download more harmful files. Some of the key files used in the process were named v9d9d.exe, cclib.dll, and a PowerShell script called worker.ps1.
These files are connected to an outside website: soft-gets[.]com. This setup helped attackers keep the malware running and even update it when needed. It also made it harder to detect and remove.
After the malware was confirmed, Valve removed Chemia from Steam. Its page now leads to the platform’s homepage. Valve has not made a public statement. Aether Forge Studios, the developer of Chemia, has also stayed silent. Media outlets tried to contact both, but no replies have been given.
Steam’s Early Access section has drawn criticism in the past. Games in this section are still in development, and the review process is often lighter. This makes it easier for bad actors to sneak in harmful code.
This isn’t the first case of malware in Steam’s Early Access section. Earlier this year, two other games were found to have similar issues. One was called Sniper: Phantom's Resolution, and the other was PirateFi. PirateFi was a web3 game with crypto features. The remaining two, Sniper: Phantom's Resolution and Chemia, were regular PC games with no blockchain tools.
All three were in Early Access, raising serious questions. Many are now asking whether Steam’s current process is doing enough to protect users.
About EncryptHub
EncryptHub is a cybercriminal group known for large phishing attacks. In one campaign, they affected over 600 companies worldwide. Their shift to using Steam shows a change in tactics. Instead of phishing emails, they now use trusted platforms to trick users.
Prodaft explained that the Chemia game file looked normal. It came from Steam, a trusted source, so users didn’t think twice. The group relied on trust, not fake emails. People who try free games or public tests are at greater risk, since they expect bugs or strange behavior anyway.
Malware attacks in gaming are becoming more common. Data from Statista shows malware cases in gaming have grown by 87% over the last ten years. Cybersecurity Ventures says the cost of cybercrime could reach $10.5 trillion by 2025.
Gamers using crypto or web3 apps are a bigger target. A game that quietly takes wallet keys or logins can cause real damage fast. This case shows that stronger checks are needed on platforms like Steam, where tech-focused users often explore new content.
Chemia has been taken off Steam. Still, users who installed the game before its removal may have malware on their systems. Cybersecurity experts recommend running a full antivirus scan and checking crypto wallets and online accounts for suspicious activity.
It’s still not clear how the hackers got into the game’s files. One theory is that someone inside the development team helped, but this hasn’t been confirmed. Aether Forge Studios has not made any announcements or social media posts.
Prodaft has shared technical details, like filenames and domain addresses, on their official GitHub. Users and IT teams are encouraged to review this data. It can help with tracking, detection, and removal.
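As an added example (not from Prodaft or the original article), the Python below checks a directory tree for the three file names listed above and searches DNS or proxy log lines for the domain. The log format, sample lines and function names are assumptions made for illustration; a file-name match is a lead to confirm against Prodaft's published indicators, not a verdict.

```python
import os
import re

# Indicators as named in the article (the domain stays defanged in source).
IOC_FILENAMES = {"v9d9d.exe", "cclib.dll", "worker.ps1"}
IOC_DOMAIN_DEFANGED = "soft-gets[.]com"


def refang(indicator):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return indicator.replace("[.]", ".")


def find_ioc_files(root):
    """Return sorted paths under root whose file name matches an IoC name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive: Windows file systems usually ignore case.
            if name.lower() in IOC_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def domain_pattern(domain):
    """Regex for the domain or any subdomain, but not look-alike hosts."""
    return re.compile(
        r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*" + re.escape(domain)
        + r"(?![A-Za-z0-9-])(?!\.[A-Za-z0-9])",
        re.IGNORECASE,
    )


def find_domain_hits(log_lines, domain=None):
    """Return (line_number, line) for each log line naming the IoC domain."""
    pattern = domain_pattern(domain or refang(IOC_DOMAIN_DEFANGED))
    return [(n, l) for n, l in enumerate(log_lines, 1) if pattern.search(l)]


# Constructed DNS-log lines (not real telemetry); only lines 1 and 3 match.
_D = refang(IOC_DOMAIN_DEFANGED)
SAMPLE_LOG = [
    f"2025-07-23T10:01:02Z client=10.0.0.5 query={_D} type=A",
    f"2025-07-23T10:01:03Z client=10.0.0.5 query=not{_D} type=A",
    f"2025-07-23T10:01:04Z client=10.0.0.7 query=CDN.{_D.upper()}. type=A",
    f"2025-07-23T10:01:05Z client=10.0.0.7 query={_D}.example.org type=A",
]
```

Point `find_ioc_files` at a Steam library folder and feed `find_domain_hits` the lines of a resolver or proxy log exported as text.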