Incident Involving the Slay the Spire Mod Downfall
A popular mod for the game Slay the Spire, known as Downfall, was hacked during the holiday season, resulting in the distribution of malware to its users. The incident occurred through a Steam update, in which the mod was briefly replaced with a compromised version that included the malware, named Epsilon. This malicious software was designed to steal information from infected devices. It was present in the standalone version of the mod on Steam for approximately one hour on Christmas Day.
The malware was spread to users who launched the Downfall mod within the specific timeframe when the compromised update was live. The Epsilon malware is known for its capability to run in the background undetected, harvesting sensitive data such as cookies, saved passwords, and credit card information from various browsers, including Google Chrome and Vivaldi. The main vector for the malware’s spread was through a Unity library installer popup that appeared for users during the affected period.
Developer’s Account Compromise and Malware Details
The attackers gained access to the mod’s developer accounts by compromising the Steam and Discord accounts of one of the developers. This breach allowed them to upload the malicious version of the Downfall mod to Steam’s library, which then became available to users as an update. The malware, identified as Epsilon, is known for its stealth and potency in stealing information.
| Capability | Description |
| --- | --- |
| Information Theft | Harvests cookies, saved passwords, and credit card information. |
| Background Operation | Runs undetected in the background of the infected device. |
| Targeted Browsers | Google Chrome, Vivaldi, and others. |
The Epsilon malware is particularly invasive, as it not only targets browser-stored data but also seeks out other sensitive information such as Discord credentials, network information, and Steam account details. The malware creates files in the user’s AppData/Local/Temp folder, including a zip file named epsilon-[username].zip, which contains the stolen data.
Response to the Security Breach
Following the security breach, developer Michael Mayhem took immediate action to contain the situation and assist affected users. The breach was contained by approximately 2:30 PM Eastern Time on Christmas Day. The compromised hardware on the developer’s end was purged, and communication with both users and Valve, the company behind Steam, was initiated regarding the breach. Additional security measures are being put in place to prevent future incidents.
- Recovery of hijacked Steam and Discord accounts.
- Containment of the breach within roughly two hours.
- Purging of all affected hardware used by the developers.
- Communication with users and Valve about the breach.
- Implementation of additional security measures.
Michael Mayhem has expressed his apologies to the affected users and has offered his assistance to those impacted by the malware. He emphasized the importance of the community and the distress caused by the attack on the free passion project.
Users who believe they may have been affected by the malware are advised to take the following actions:
- Change passwords for all potentially compromised accounts.
- Enable two-factor authentication wherever possible.
- Check the AppData/Local/Temp folder for any suspicious files created by the malware.
- Disconnect from the internet when investigating potentially malicious files to prevent retriggering the malware.
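As an added illustration of the Temp-folder check in the list above, and of the epsilon-[username].zip indicator described earlier, here is a small Python script that is not part of the original article or the mod project. It lists files in the user's Temp folder that match that naming pattern and shows the archive's entry names without extracting anything. The function names, the demo directory and its placeholder contents are constructed for this example; on a Windows machine it defaults to %LOCALAPPDATA%\Temp, elsewhere to the platform temp directory.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Indicator named in the article: a zip called epsilon-<username>.zip
# dropped in AppData/Local/Temp. The regex is this example's own.
EPSILON_NAME = re.compile(r"^epsilon-(?P<user>.+)\.zip$", re.IGNORECASE)


def default_temp_dir() -> Path:
    """Per-user Temp folder named in the article (Windows), falling back
    to the platform temp dir so the script still runs elsewhere."""
    local = os.environ.get("LOCALAPPDATA")
    if local:
        return Path(local) / "Temp"
    return Path(tempfile.gettempdir())


def find_epsilon_indicators(temp_dir, username=None):
    """Scan temp_dir (top level only) for files matching epsilon-<user>.zip.

    Returns a list of (path, user, zip_entry_names) tuples. The archive is
    only listed, never extracted or opened beyond its central directory.
    If username is given, only archives naming that user are reported.
    """
    hits = []
    temp_dir = Path(temp_dir)
    if not temp_dir.is_dir():
        return hits
    for entry in sorted(temp_dir.iterdir()):
        if not entry.is_file():
            continue
        m = EPSILON_NAME.match(entry.name)
        if not m:
            continue
        user = m.group("user")
        if username is not None and user.lower() != username.lower():
            continue
        try:
            with zipfile.ZipFile(entry) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Name matches but content is not a zip: still worth reporting.
            names = ["<not a valid zip archive>"]
        hits.append((entry, user, names))
    return hits


def build_demo_dir() -> Path:
    """Constructed sample Temp folder (hypothetical): one benign file and one
    archive with the indicator name holding placeholder entries only."""
    d = Path(tempfile.mkdtemp(prefix="demo-temp-"))
    (d / "installer.log").write_text("benign\n")
    with zipfile.ZipFile(d / "epsilon-alice.zip", "w") as zf:
        zf.writestr("cookies.txt", "placeholder")
        zf.writestr("passwords.txt", "placeholder")
    return d


if __name__ == "__main__":
    target = default_temp_dir()
    found = find_epsilon_indicators(target)
    if not found:
        print(f"No epsilon-*.zip files in {target}")
    for path, user, names in found:
        print(f"INDICATOR: {path} (user '{user}'), {len(names)} entries")
        for n in names:
            print("   ", n)
```

Run it from an offline session, as the list above advises, and treat any hit as a reason to rotate the credentials the article names (browser passwords, Discord, Steam) rather than as proof of what was taken; the script reads the archive index only and deliberately does not extract or delete anything.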
Aftermath of the Incident and Valve’s New Security Measures
In the aftermath of the Downfall mod incident, Valve has announced new security measures to enhance the safety of Steam users. These measures include additional security checks for Steam developers when pushing updates to their game’s default release branch. This step was taken in response to various instances of malicious builds being distributed to players via Steam. Valve has acknowledged that while these new protocols may create extra friction for partners, they are a necessary tradeoff to ensure the safety of the Steam community and to keep developers informed of any potential compromise to their accounts.
Valve’s initiative comes after recognizing an uptick in sophisticated attacks targeting developer accounts. The goal is to prevent similar incidents from occurring in the future by requiring developers to go through more rigorous checks before their updates can reach players.
For users of the Downfall mod, it is strongly advised to take proactive steps to secure their accounts. This includes changing passwords for any accounts that may have been compromised during the breach. Users should also ensure that two-factor authentication is enabled on all platforms where it is available, providing an additional layer of security against unauthorized access.
By taking these measures, users can help safeguard their personal information and reduce the risk of falling victim to similar cyber attacks in the future.