Battlefield 6 fans targeted by malware hidden in fake game files
Cybercriminals are targeting fans of Battlefield 6 by distributing malware disguised as pirated game copies and fake game trainers, according to new research from Bitdefender Labs. The malicious software, shared through torrent sites and unofficial download platforms, is designed to steal sensitive information and enable remote access to victim PCs.
Malware campaigns
The campaigns revolve around fake 'cracked' versions of Battlefield 6 and illicit trainers, both appearing in the wake of the official launch of Electronic Arts' popular shooter. These files, while promising gameplay advantages or free access, deliver infostealers, advanced evasion payloads, and command-and-control agents. They operate by exfiltrating data from browsers, crypto wallets, and Discord accounts, while some strains show clear intent to enable persistent remote control over infected devices.
Torrent distribution
Fake Battlefield 6 packages have emerged primarily on torrent portals and underground gaming forums. Notably, attackers misuse the names of established game-cracking groups such as InsaneRamZes and RUNE to lend credibility to their malware-laden uploads. According to Bitdefender analysts, none of the circulating trainers or cracked releases actually provide access to the game or deliver any promised advantages.
Infostealer details
Bitdefender researchers analysed several samples. One such infostealer, masquerading as a Battlefield 6 trainer, was found as a top result through a routine Google search. This malware quickly swept user directories and browser profiles targeting cookies, session tokens, and crypto-wallet data from browsers including Chrome, Edge, Firefox, Opera, Vivaldi, Brave, and WaveBrowser. It also retrieves credentials stored in Discord and specific wallet extension data from Chrome add-ons.
Stolen information is transmitted in plaintext over HTTP, making it visible to anyone monitoring network traffic and highlighting the unsophisticated but effective approach favoured by the attackers.
Evasive techniques
More advanced samples, such as one branded as 'Battlefield 6.GOG-InsaneRamZes', display anti-analysis techniques to avoid detection. The malware checks local system settings and aborts its operation if it detects Russian or Commonwealth of Independent States (CIS) regional configurations, a signature move of malware groups seeking to evade enforcement in those jurisdictions. It obscures its API calls by hashing function names and also performs system timing checks to bypass sandbox analysis. Memory references to developer tools suggest the malware endeavours to steal credentials for services such as CockroachDB, Postman, BitBucket, and FastAPI, as well as browser and Discord data.
Remote control agents
A third variant, associated with the RUNE label, distributes an ISO file that unpacks to a persistent command-and-control agent. Once executed, this malware writes a secondary payload to the device and attempts to trigger DLLs via the regsvr32 mechanism. The agent was observed attempting to contact a domain registered to Google, which may serve as a relay or as a mask for external command instructions. According to Bitdefender, the design of this agent leaves impacted systems vulnerable to remote execution, data theft, or further exploitation.
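As an added illustration, not part of the Bitdefender research, the following detection check flags the regsvr32 pattern described above in process-creation logs: regsvr32 registering a DLL from a non-system drive letter (where a mounted ISO appears) or from a user-writable directory. The log records, paths and drive letters are constructed, and the system drive is assumed to be C:.

```python
import re
import shlex

# Constructed Sysmon-style process-creation records, not from the report:
# (pid, image path, command line, parent image path).
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "E:\bf6_rune\setup.dll"',
     r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    (4301, r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Program Files\Vendor\comsvc.dll"',
     r"C:\Program Files\Vendor\installer.exe"),
    (4410, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s /i C:\Users\alice\Downloads\update.dll",
     r"C:\Windows\explorer.exe"),
    (4502, r"C:\Windows\explorer.exe", r"explorer.exe", r"C:\Windows\userinit.exe"),
]

SYSTEM_DRIVE = "C:"  # assumption: the OS lives on C:, so a DLL on D:..Z: is unusual
REGSVR32_RE = re.compile(r"(^|\\)regsvr32\.exe$", re.IGNORECASE)
DLL_RE = re.compile(r"\.(dll|ocx)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)
# Directories a DLL dropped from a download or a mounted ISO typically lands in.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)

def dll_argument(cmdline):
    """Return the first .dll/.ocx argument on the command line, or None."""
    for tok in shlex.split(cmdline, posix=False):  # posix=False keeps backslashes intact
        tok = tok.strip('"')
        if DLL_RE.search(tok):
            return tok
    return None

def classify(dll_path):
    """Explain why the DLL location is suspicious, or return None if it is not."""
    if DRIVE_RE.match(dll_path) and dll_path[:2].upper() != SYSTEM_DRIVE:
        return "dll_on_non_system_drive"      # e.g. an ISO mounted as a drive letter
    if USER_WRITABLE_RE.search(dll_path):
        return "dll_in_user_writable_path"
    return None

def detect(events):
    """Return one alert dict per regsvr32 launch that registers a DLL from a risky path."""
    alerts = []
    for pid, image, cmdline, parent in events:
        if not REGSVR32_RE.search(image):
            continue
        dll = dll_argument(cmdline)
        reason = classify(dll) if dll else None
        if reason:
            alerts.append({"pid": pid, "dll": dll, "parent": parent, "reason": reason})
    return alerts
```

The parent image is carried in each alert so an analyst can see whether the launch came from an installer or from something dropped under a user's temp directory.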
Victim exposure
Bitdefender researchers observed "hundreds of active seeders and leechers for the torrents," indicating significant potential exposure among users seeking pirated or enhanced content for Battlefield 6. None of the malicious files provide actual gameplay features. Instead, they focus on either mass data collection or enabling persistent control for further cybercriminal activity.
"We have observed three distinct malware campaigns targeting Battlefield 6 enthusiasts. All deliver distinct payloads, but none offer any game-related functionality. The malware ranges from aggressive data stealers to advanced loaders for future attacks," said Bogdan Botezatu, Senior Director, Threat Research and Reporting, Bitdefender.