Steam Game “Chemia” promises adventure and innovation, but in the case of the survival game, it delivered something far more sinister.
Security researchers have uncovered a cyberattack campaign using Chemia, an unreleased game on Steam’s platform, to spread malware directly to players. Behind this scheme is a threat actor known as EncryptHub, also identified as Larva-208, who embedded multiple malware strains into the game files.
According to cybersecurity firm PRODAFT, the infection began on July 22, 2025, when EncryptHub injected a Trojan downloader into Chemia’s game files. This downloader quietly installed three separate malware strains, Fickle Stealer, Vidar Stealer, and HijackLoader, alongside the actual game.
Chemia, ironically billed as a survival game in a world devastated by natural disaster, turned out to be a real-world digital disaster in disguise.
Malware Triple Threat
Here’s what these three malware components are designed to do:
- Fickle Stealer: A new and highly evasive info-stealer that abuses PowerShell scripts to bypass Windows security, exfiltrating files, passwords, crypto wallets, and system data.
- Vidar: A seasoned Malware-as-a-Service tool used by cybercriminals to harvest browser data, 2FA tokens, and financial credentials, often communicating through legitimate platforms like Steam and Discord.
- HijackLoader: A flexible malware loader that can deliver additional payloads, such as RedLine Stealer or banking Trojans like DanaBot, to infected systems later on.
This malware trifecta allowed EncryptHub to establish a foothold on victims’ machines, stealing sensitive data immediately and reserving the option to install more malware later.
How Did It Get On Steam?
Chemia was not available to the general public but was instead offered through Steam’s Playtest program, a subset of that allows developers to invite users to test pre-release builds.
While Steam usually vets games before full release, its Playtest program is less tightly regulated than a vulnerability that EncryptHub exploited. The game’s listed developer, Aether Forge Studios, appears to be a fake identity, with no traceable online presence or legitimate studio history.
Despite PRODAFT’s disclosure on July 23, Chemia remained accessible on Steam until July 25, raising concerns about Valve’s response time and malware detection protocols.
A Pattern Of Abuse On Steam
This isn’t the first time hackers have leveraged Steam to deliver malware:
- In a recent sniper game case, attackers linked to a malicious demo hosted on an external site.
- Just last month, a game called PirateFi reportedly spread malware through its Steam listing.
- And now, Chemia takes the threat to the next level by embedding multiple malware payloads directly inside the game files distributed via Steam itself.
With over 100 million monthly active users, Steam has become a high-value target for threat actors seeking to exploit the trust gamers place in the platform.
How to Stay Safe As A Gamer
If you tested Chemia or suspect your system may have been compromised, take the following steps:
✅ Run a full anti-malware scan with an updated security solution
✅ Avoid downloading unofficial demos or game files from external links
✅ Verify any game invites or test offers with the supposed sender via another communication channel
✅ Don’t trust developers or games with zero online presence, even if they’re hosted on Steam
✅ Monitor your crypto wallets, bank accounts, and password managers for unusual activity
Trust, But Verify
Trusted platforms like Steam can still harbor dangerous threats when safeguards fall short. This latest attack is a stark reminder that convenience must not override caution in the world of digital entertainment.
Steam Model is designed to bring players closer to developers. Still, if hackers continue to exploit that closeness, the platform may need to tighten its review policies, even for early-stage titles.
Until then, gamers should treat every download, even from a “trusted” platform, with a healthy dose of skepticism.
