When a Steam "Update" Becomes a Wallet Drainer: Inside the BlockBlasters Malware

The timeline

• Jul 31: BlockBlasters launches on Steam with positive reviews.
• Aug 30: A new build ships; this "update" quietly adds the malicious components.
• Sep 21–22: Reports surface that the game is draining crypto; Steam removes the listing.

Steam store interface - the platform where BlockBlasters was distributed before removal

How the infection chain worked

Stage 1 — Batch dropper & data grab

A batch file (game2.bat) executed on launch. It queried the victim's IP/geo, enumerated AV processes, grabbed Steam login artifacts (SteamID, AccountName, PersonaName), and uploaded them to a C2 endpoint. It then unpacked password-protected ZIPs (password 121) to stage further payloads.

Stage 2 — VBS launchers

Two VBS scripts (launch1.vbs and test.vbs) invisibly executed additional batch files, continuing collection of browser extension and wallet info, and maintaining contact with the C2.

Stage 3 — Defender exclusion + payload execution

The script added the payload directory to Microsoft Defender's exclusions, then unpacked and launched two executables: a backdoor (Client-built2.exe) and a stealer (Block1.exe).

The stealer: StealC

StealC (Win64) targeted Chromium-based browsers (Chrome, Edge, Brave), extracting "Local State" data and other artifacts used to decrypt stored credentials and wallet extension data. It communicated with a separate C2 for exfiltration.

How wallets were drained

Victims with hot wallets (browser extensions or locally stored keys) were especially exposed. Once StealC exfiltrated extension storage, cookies, and key material, attackers could immediately:

• Import private keys / seed phrases into attacker-controlled wallets, then transfer funds.
• Replay active sessions using stolen cookies/tokens to approve malicious transactions.
• In some cases, perform clipboard address-swap or transaction-redirection tricks if additional components were present.

Who was hit (known cases)

Coverage to date cites aggregate losses of >$150,000, including a public case where streamer Raivo "Rastaland" Plavnieks lost roughly $32,000 while fundraising for cancer treatment.

Indicators of Compromise (IOCs)

Defensive takeaways for gamers

• Don't store real money in hot wallets on a gaming PC. Use a hardware wallet for meaningful funds; keep seeds offline.
• Treat "updates" as untrusted. Unknown indies can ship clean, then go bad via a patch. Delay playing post-update until there's community scrutiny.
• Segregate risk. Use a separate Windows profile or a VM for random/indie downloads. Enable Controlled Folder Access and keep Defender tamper protection on.
• Hygiene: Keep browser password storage off; prefer a dedicated manager with a master password. Lock down extension install rights.
• If you played BlockBlasters: Disconnect from the network, change passwords from a known-clean device, rotate keys, and move funds. Run a full scan and check for the IOCs above.

Pattern, not a one-off

This follows earlier Steam incidents (e.g., Chemia) where info-stealers (Fickle, Vidar) and loaders (HijackLoader) were embedded—evidence that Steam updates and playtest builds are a rising supply-chain target.

Credits & Sources

• Technical teardown of the BlockBlasters patch chain, payloads, C2s, and StealC behavior (incl. password-protected ZIPs and Defender exclusions): G DATA analysis.
• Removal date, total losses (>$150K), and streamer loss (~$32K), plus patch date context and targeting of streamers: reporting and primary coverage.
• Prior Steam malware case Chemia (Fickle, Vidar, HijackLoader) for pattern context: industry reporting.

© Third Degree Media — zero trackers, all signal.