Since its release this October, “Battlefield 6” has ignited gaming communities, with millions eagerly jumping into the action-packed experience. However, alongside the excitement comes a darker side – cybercriminals have seized on this popularity to distribute malicious software that targets unsuspecting players and fans looking for game modifications.
This isn’t a new tactic; brand impersonation attacks are becoming increasingly common across industries. In this case, attackers are mimicking legitimate groups like “InsaneRamZes” and “RUNE,” leveraging their established reputation to gain trust and credibility among potential victims. These campaigns have also begun to adopt more sophisticated distribution techniques, making the lures even more convincing.
Bitdefender Labs has identified three distinct types of malware deployed in this campaign, each designed with specific objectives:
Stealing Sensitive Data: The first type is a simple but aggressive information stealer disguised as a “Battlefield 6 Trainer Installer.” The installer ranks high in search results, putting it directly in front of the players it targets. Once executed, the malware scans local directories and browser profiles and steals sensitive data: crypto wallet information, session cookies from popular browsers such as Chrome, Edge, and Firefox, Discord session tokens and credentials, and cryptocurrency wallet extension data from Chrome extensions such as iWallet and Yoroi.
Geographic Manipulation: The second type uses more advanced techniques, employing “regional execution blocking” to abort execution when it detects Russian or CIS regional settings – a common self-protection measure used by groups in those regions. This malware also employs evasion tactics such as Windows API hashing and timing-based anti-sandbox checks, suggesting that the authors are trying to obscure their operations and minimize detection by security software.
C2 Agents and Persistence: The third type delivers a persistent command-and-control agent disguised as a “Battlefield 6 ISO image.” The malware installs an agent on the user’s system that continuously polls a central server for commands. This C2 structure lets attackers remotely execute tasks on infected systems, enabling data theft or further compromise of the device.
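As an added example (not code from Bitdefender Labs or from the article), the following Python snippet shows how a defender might turn the stealer behaviour described above into detection logic: it runs over a small set of constructed file-access telemetry events and flags any process, other than the browser or client that owns a credential store, that reads the Chrome, Edge, or Firefox cookie databases, Discord’s local storage, or Chrome extension storage. The directory patterns, the sample process names, and the severity thresholds are assumptions for illustration; the article does not name specific paths.

```python
"""Flag non-owner processes reading browser, Discord, and wallet-extension stores.

Added example, not from the article. Paths and sample events are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileAccessEvent:
    process: str  # image name of the process that performed the read
    path: str     # file path that was read (Windows-style, as in EDR telemetry)


# Credential stores the stealer targets, keyed by a short label.
# Patterns are assumed for the example; adjust to the EDR's path normalisation.
SENSITIVE_PATHS: Dict[str, str] = {
    "chrome_cookies": r"*\google\chrome\user data\*\network\cookies",
    "edge_cookies": r"*\microsoft\edge\user data\*\network\cookies",
    "firefox_cookies": r"*\mozilla\firefox\profiles\*\cookies.sqlite",
    "discord_tokens": r"*\discord\local storage\leveldb\*.ldb",
    "chrome_extension_storage": r"*\google\chrome\user data\*\local extension settings\*",
}

# Processes legitimately expected to open each store (lower-cased image names).
EXPECTED_OWNERS: Dict[str, set] = {
    "chrome_cookies": {"chrome.exe"},
    "edge_cookies": {"msedge.exe"},
    "firefox_cookies": {"firefox.exe"},
    "discord_tokens": {"discord.exe"},
    "chrome_extension_storage": {"chrome.exe"},
}


def classify(event: FileAccessEvent) -> Optional[str]:
    """Return the store label an event touches, or None if the path is uninteresting."""
    path = event.path.lower()
    for label, pattern in SENSITIVE_PATHS.items():
        if fnmatch.fnmatchcase(path, pattern):
            return label
    return None


def find_suspicious(events: List[FileAccessEvent]) -> List[dict]:
    """Group store reads by non-owner process and rate them.

    A process reading two or more distinct stores shows the breadth typical of
    an information stealer and is rated "high"; a single store is rated "low".
    """
    hits: Dict[str, set] = {}
    for event in events:
        label = classify(event)
        if label is None or event.process.lower() in EXPECTED_OWNERS[label]:
            continue  # uninteresting path, or the store's legitimate owner
        hits.setdefault(event.process, set()).add(label)

    alerts = []
    for process, stores in hits.items():
        alerts.append({
            "process": process,
            "stores": sorted(stores),
            "severity": "high" if len(stores) >= 2 else "low",
        })
    # Highest-breadth process first so it is the first thing an analyst sees.
    alerts.sort(key=lambda a: (-len(a["stores"]), a["process"]))
    return alerts


# Constructed telemetry: one lure-named process sweeping several stores,
# one unrelated process touching a single store, and benign activity.
SAMPLE_EVENTS = [
    FileAccessEvent("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent("bf6_trainer_installer.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent("bf6_trainer_installer.exe", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb"),
    FileAccessEvent("bf6_trainer_installer.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\cookies.sqlite"),
    FileAccessEvent("backup.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\cookies.sqlite"),
    FileAccessEvent("notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(f'{alert["severity"]:5} {alert["process"]}: {", ".join(alert["stores"])}')
```

The breadth threshold is what separates a stealer from a legitimate backup or sync tool: those tend to touch one store as part of a much larger file sweep, whereas the stealer described above goes straight for cookies, Discord tokens, and wallet-extension data in quick succession. In a real deployment the same rule would also consider process signing and parent lineage before raising a high-severity alert.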
This latest example highlights how seemingly harmless trends can turn dangerous when exploited by malicious actors. With cybercriminals exploiting popular games for financial gain, players must stay vigilant and download software only from trusted sources.