Cybercriminals Hijack Trust in Itch.io and Patreon with Bogus Game Updates Delivering Lumma Stealer

Cybercriminals are abusing gamer trust on indie platform Itch.io by posting fake “game updates” that secretly deliver the Lumma Stealer information‑stealing malware.

The campaign also leans on Patreon branding as a lure, tricking users into downloading a malicious “Updated Version.zip” archive instead of legitimate content.

Fake Itch.io updates hide a malicious “game.exe”

Attackers create new Itch.io accounts and spam the comment sections of legitimate games with templated messages claiming to host updated builds.

These comments include Patreon URLs that directly download an archive called “Updated Version.zip”. Most files in this archive are harmless, but the primary executable, “game.exe,” is malicious.

Analysis shows that “game.exe” is a Node.js application compiled into a Windows PE executable using the nexe compiler.

This approach is noteworthy because most previous Node.js-based attacks shipped their scripts alongside the standard node.exe runtime rather than bundling runtime and script into a single binary.

Supposed game updates in the comment sections of legitimate Itch.io games.

Researchers used nexeDecompiler to recover an obfuscated JavaScript file named “mains.js” from the executable.

After deobfuscation, the script reveals multiple asynchronous functions that perform extensive anti‑analysis checks before dropping and executing the final Lumma Stealer payload.

The malware performs at least six layers of environment checks to evade sandboxes and researchers.

It reads total system RAM and CPU core count and aborts when the values look like a small virtual machine or sandbox, and it checks the current username against a hardcoded list of names associated with malware analysis environments.

It also scans running processes for debuggers, traffic analyzers, and reverse‑engineering tools such as IDA, x64dbg, Wireshark, Burp Suite, and Process Hacker.

Additional checks query Windows Management Instrumentation (WMI) for video adapter names, refresh rates, and disk drive models.

The malware looks for indicators of virtualization in those strings, such as “VMware”, “virtualbox”, “microsoft basic display adapter”, and generic virtual disk models. If any check fails, execution is aborted before the payload is ever written to disk.

Reflective loading of Lumma Stealer with Node.js internals

If the system passes all checks, the script decodes a Base64 string and writes a DLL named “modules.node” into the user’s %temp% directory.

This DLL exposes the Node.js native-addon exports napi_register_module_v1 and node_api_module_get_api_version_v1. These are the symbols Node resolves when it loads a native addon, so the file can be loaded by the bundled runtime exactly like an ordinary N-API addon and integrates tightly with the JavaScript side.

A second Base64‑encoded blob, identified as a variant of Lumma Stealer, is then decoded and passed into modules.node, which uses Node.js N-API calls such as napi_create_function and napi_set_named_property to reflectively load and execute the stealer in memory. This reduces filesystem artifacts and complicates detection.

Across different Patreon URLs and spam accounts, researchers observed multiple nexe‑compiled variants with altered variable names, encoding methods, and slightly different anti‑analysis techniques (e.g., replacing WMI commands with equivalent PowerShell queries).

These small but consistent changes indicate an active, ongoing campaign by a single threat actor attempting to stay ahead of detection while continuing to target unsuspecting Itch.io gamers.


The post Cybercriminals Hijack Trust in Itch.io and Patreon with Bogus Game Updates Delivering Lumma Stealer appeared first on Cyber Security News.

