Lumma Stealer delivered through fake itch.io update links to Patreon

A technical analysis by G DATA Security Lab reports that spam comments on itch.io pointed users to Patreon download links that delivered a nexe-compiled Windows executable, which unpacks and loads a LummaStealer payload. The sample included six anti-analysis checks and a LummaStealer payload with SHA256 a2bacb00dfdb338b496d3128705f76c8cc935e6bd33e06271fb3e34d769d0a2b.

KEY FACTS

  • Incident: Spam comments on itch.io directed users to Patreon download links labeled as game updates
  • Delivery: A nexe-compiled executable named game.exe dropped an embedded native module and a LummaStealer payload
  • Anti-analysis: The sample used six checks covering VM, username, running processes, GPU, refresh rate and disk model
  • Indicator: LummaStealer payload SHA256 a2bacb00dfdb338b496d3128705f76c8cc935e6bd33e06271fb3e34d769d0a2b

The campaign used newly created itch.io accounts to post templated comments across legitimate game pages. The comments included Patreon links that directly downloaded an archive named “Updated Version.zip” which contained a large executable labeled game.exe.

The executable is a Node.js application compiled with nexe. Decompiling it produced an obfuscated mains.js script that decodes two Base64 payloads: one is written to disk as a native modules.node file, the other is the LummaStealer binary, which is loaded reflectively into the native module.

The malware implements six anti-analysis routines. The checks cover total memory and CPU core count, a list of suspicious usernames, a list of debugging and analysis process names, GPU names queried from WMI, the display refresh rate, and disk drive model strings. The script stops if any check indicates a virtual or analysis environment.

The report notes that some malicious itch.io accounts were removed but new accounts continued to appear. The analysis includes file hashes and detections for the modules.node and LummaStealer samples which defenders can use for detection and response.
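The following hunting script is an added example, not part of the G DATA report or of this article. It walks a directory tree, streams each file through SHA256 (the dropper is a large nexe binary), and flags confirmed matches against the published payload hash separately from weaker file-name matches; the file names are taken from the campaign description above, and SAMPLE_BYTES is a constructed stand-in used only to exercise the hash path.

```python
import hashlib
import os
import sys
from typing import Dict, Iterable, Optional, Set

# SHA256 of the LummaStealer payload, as published in the G DATA report summarised above.
LUMMA_PAYLOAD_SHA256 = "a2bacb00dfdb338b496d3128705f76c8cc935e6bd33e06271fb3e34d769d0a2b"

# File names used in the campaign. A name alone is a weak signal, so it is reported
# separately from a hash match and a legitimate game.exe is not treated as a confirmed hit.
CAMPAIGN_FILE_NAMES = {"game.exe", "updated version.zip", "modules.node"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a very large dropper is never read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, digest: str, bad_hashes: Set[str]) -> Optional[str]:
    """Return 'hash-match' (confirmed IoC), 'name-match' (needs triage) or None."""
    if digest.lower() in bad_hashes:
        return "hash-match"
    if name.lower() in CAMPAIGN_FILE_NAMES:
        return "name-match"
    return None


def hunt(root: str, extra_hashes: Iterable[str] = ()) -> Dict[str, str]:
    """Walk `root` and map every flagged path to the reason it was flagged."""
    bad = {LUMMA_PAYLOAD_SHA256} | {h.lower() for h in extra_hashes}
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                reason = classify(fn, sha256_file(path), bad)
            except OSError:
                continue  # unreadable or vanished file; keep scanning the rest
            if reason:
                hits[path] = reason
    return hits


# Constructed sample used only to demonstrate the hash path; it is not malware.
SAMPLE_BYTES = b"constructed sample content, not a real payload"
SAMPLE_SHA256 = sha256_bytes(SAMPLE_BYTES)

if __name__ == "__main__":
    for path, reason in sorted(hunt(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{reason:10s} {path}")
```

Run it against a user's Downloads folder or an extracted "Updated Version.zip" to separate confirmed payload hits from files that only share the campaign's naming.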

WHY IT MATTERS

Players who follow unofficial update links in comment sections risk installing malware that evades simple sandbox checks. Defenders can use the provided indicators to hunt for infections and hosting platforms should monitor and remove spam that links to external downloads.