
Sometimes getting more than what you asked for is nice. Finding cash in a jacket you haven’t worn in a while, getting an extra chicken nugget at the drive-thru, discovering a hidden track on an album — those are all pleasant surprises. This one isn’t: A cyber threat intelligence firm called Prodaft revealed that “Chemia,” a game previously available via Steam’s Early Access program, shipped with three strains of malware.

“Chemia” was described on its Steam page as “a gripping survival crafting game set in a world ravaged by a catastrophic natural disaster,” which requires players to “gather resources, craft vital equipment, and navigate this hazardous world if [they] hope to survive.” The game wasn’t publicly available—Steam users had to request access to the playtest—which makes the fact that it contained malware seem even sleazier.

Prodaft said that “Chemia” shipped with the Fickle Stealer, Vidar Stealer, and HijackLoader malware. The first two are infostealers that target cryptocurrency wallets as well as credentials and other data saved by web browsers, password managers, and other apps; the last is a loader that can be used to deliver additional malware to the infected machine later.

“Chemia” was still available on Steam the morning of July 25, two days after Prodaft shared its findings, but it was removed sometime during the process of writing this post. The developer was listed as Aether Forge Studios, but I couldn’t find any websites, social media profiles, or other online references bearing that name with specific references to “Chemia.”

This incident should serve as a reminder not to assume that software is safe simply because it’s distributed through a trusted platform like Steam, especially when it comes from an unknown developer with no verifiable presence outside the store listing, or one whose name is also used by unrelated groups with no clear ties to the game.

Prodaft published indicators of compromise (IOCs) on GitHub for the versions of Fickle Stealer, Vidar Stealer, and HijackLoader that were embedded in “Chemia.” The company included these IOCs as part of a broader collection of materials on a group it tracks as EncryptHub, which has been carrying out “highly sophisticated spear-phishing attacks” since at least June 26, 2024.
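For readers who want to put a published IOC list to use, here is an added example (not Prodaft’s tooling and not code from the article) of a small Python script that hashes every file under a game install directory and flags any whose SHA-256 appears on an IOC list. The IOC entries, the IOC file format (one hex digest per line, optional label, `#` comments), and the throwaway fake install it builds are all constructed for the demo; swap in the real feed before pointing it at an actual Steam library folder.

```python
"""Check a game install directory against a list of SHA-256 indicators.

Added example, not Prodaft's tooling. The IOC entries and the fake install
built by build_demo_install() are constructed for the demo; the IOC file
format handled by parse_ioc_lines() is an assumption, so adapt it to
whatever layout the real feed uses.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_ioc_lines(lines):
    """Turn text lines into {sha256_hex: label}. Skips blank lines and '#'
    comments, normalises case, and drops anything that is not 64 hex chars
    (MD5/SHA-1 entries would need their own handling)."""
    iocs = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        iocs[digest] = parts[1].strip() if len(parts) > 1 else "unlabelled"
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte game assets are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Walk root, hash every regular file, and return sorted (relpath, label, digest) hits."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks could point outside the install; skip them
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file; a real scanner should report these
            if digest in iocs:
                hits.append((p.relative_to(root).as_posix(), iocs[digest], digest))
    return sorted(hits)


def build_demo_install():
    """Create a throwaway fake install with one file whose hash is on the IOC list.
    Everything here is constructed; 'update.dll' is a stand-in, not a real sample."""
    root = Path(tempfile.mkdtemp(prefix="chemia_demo_"))
    (root / "Chemia.exe").write_bytes(b"constructed benign executable")
    plugins = root / "plugins"
    plugins.mkdir()
    payload = b"constructed stand-in for a bundled loader"
    (plugins / "update.dll").write_bytes(payload)
    ioc_text = [
        "# constructed IOC list for the demo, not Prodaft's published hashes",
        hashlib.sha256(payload).hexdigest().upper() + "  loader stand-in",
        "deadbeef  not a valid SHA-256, should be ignored",
        "",
    ]
    return root, parse_ioc_lines(ioc_text)


def run_demo():
    """Build the fake install and scan it; returns the list of hits."""
    root, iocs = build_demo_install()
    return scan_directory(root, iocs)


if __name__ == "__main__":
    for relpath, label, digest in run_demo():
        print(f"HIT {relpath}: {label} ({digest[:16]}...)")
```

Hash matching only catches the exact samples on the list, so a recompiled or repacked dropper will slip past it; treat a clean result as “none of the known files are present,” not as proof the install is safe.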

Follow Tom’s Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.