The highly anticipated October release of EA’s Battlefield 6 has become a digital minefield for gamers. Bitdefender Labs has identified multiple active malware campaigns exploiting the shooter’s popularity to distribute sophisticated infostealers and command-and-control (C2) agents.
Cybercriminals have flooded torrent sites and underground forums with fake “cracked” versions of the game and “trainers” (cheat software). While these files promise free access or gameplay advantages, “none are functional”. Instead, they are aggressive malware loaders designed to strip-mine victim PCs for sensitive data.
To lure victims, attackers are leveraging the reputation of well-known warez groups. The fake installers mimic releases from real cracking groups like InsaneRamZes and RUNE to lend credibility to the infected files.
“In this case, the attackers only use their names to lend credibility, in an effort to convince people that they are getting the real deal.“
Bitdefender Labs analyzed three primary variants of this campaign, each with different capabilities and targets.
1. The Fake Trainer: A “Smash and Grab” Infostealer
This variant, found on the suspicious domain flingtrainer[.]io, poses as a game cheat. It is a straightforward, aggressive stealer that exfiltrates the harvested data over unencrypted HTTP to the IP 198[.]251[.]84[.]9, which makes both the upload and its destination easy to spot in proxy or network logs.
- Targets: Crypto wallets, browser cookies (Chrome, Edge, Firefox, Opera, Brave), and Discord session tokens.
- Impact: Attackers gain immediate access to victim accounts and funds.
2. The “InsaneRamZes” Crack: Evasive & Developer-Focused
Distributed via torrents, this sample is considerably more sophisticated. It resolves Windows API functions by hash rather than by name, which keeps its real imports out of the import table and away from static analysis, and performs timing checks to detect whether it is running in a sandbox.
- Regional Safety Switch: The malware checks the victim’s locale and terminates immediately if it detects Russian or CIS settings (e.g., RU, AM, AZ, BY, KZ). This is a “self-protection measure often used by Russian malware groups to avoid legal exposure”.
- Specific Targets: Unlike generic stealers, this variant scans memory for developer tools, specifically hunting for credentials related to CockroachDB, Postman, BitBucket, and FastAPI.
3. The “RUNE” Crack: A Persistent Backdoor
Disguised as a Battlefield 6 ISO image, this malware drops a persistent C2 agent. It unpacks a ZLIB-compressed object and uses regsvr32.exe, a signed Windows binary that loads whatever DLL it is pointed at, to silently execute a malicious DLL named 2GreenYellow.dat; the .dat extension hides the file's true type from a casual look.
- Capabilities: The agent is designed for remote command execution and persistence.
- Traffic Masking: It attempts to beacon to ei-in-f101[.]1e100[.]net, a Google-owned domain, likely used as a relay to disguise the malicious traffic. Because 1e100.net hostnames serve legitimate Google traffic, blocking the destination outright is impractical; detection has to key on which process is making the connection.
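As an added example (not Bitdefender's tooling or any code from the report), the Python below sweeps log lines for the indicators quoted above across all three variants and flags the regsvr32 pattern from the RUNE sample. The key=value log format, the host names, the answer IPs and every log line are constructed for illustration, as is the heuristic for a "suspicious" regsvr32 launch (non-DLL extension or a target under a user-writable path).

```python
"""IOC sweep for the Battlefield 6 'crack'/'trainer' campaign.

Added example, not Bitdefender's tooling. The indicators are the ones quoted in
the article; the log format and every log line below are constructed for
illustration and are not real telemetry.
"""
import re

# Indicators from the article, kept defanged as published.
IOC_DOMAINS = ("flingtrainer[.]io", "ei-in-f101[.]1e100[.]net")
IOC_IPS = ("198[.]251[.]84[.]9",)
IOC_FILES = ("2GreenYellow.dat",)

# Constructed sample lines (assumed key=value format). Indices 1, 3 and 6 are
# benign look-alikes that must not match. Adjacent string literals are joined.
SAMPLE_LOGS = [
    "dns  host=GAMER-PC query=flingtrainer.io rtype=A answer=198.51.100.10",
    "dns  host=GAMER-PC query=www.ea.com rtype=A answer=198.51.100.20",
    "http host=GAMER-PC method=POST scheme=http dst=198.251.84.9 path=/upload bytes=48213",
    "http host=GAMER-PC method=GET scheme=https dst=198.251.84.90 path=/ bytes=512",
    "dns  host=DEV-LAPTOP query=ei-in-f101.1e100.net rtype=A answer=198.51.100.30",
    r"proc host=DEV-LAPTOP parent=BF6-Setup.exe image=C:\Windows\System32\regsvr32.exe"
    r" cmdline=regsvr32.exe /s C:\Users\dev\AppData\Local\Temp\2GreenYellow.dat",
    r"proc host=DEV-LAPTOP parent=msiexec.exe image=C:\Windows\System32\regsvr32.exe"
    r" cmdline=regsvr32.exe /s C:\Program Files\Vendor\codec.dll",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into the form seen in live logs."""
    return ioc.replace("[.]", ".")


def _ioc_pattern(ioc: str) -> re.Pattern:
    # Bound the match on non-name characters so 198.251.84.9 does not hit on
    # 198.251.84.90, while a domain still matches as a subdomain or inside a URL.
    return re.compile(r"(?<![\w-])" + re.escape(refang(ioc)) + r"(?![\w-])", re.IGNORECASE)


IOC_PATTERNS = [(ioc, _ioc_pattern(ioc)) for ioc in IOC_DOMAINS + IOC_IPS + IOC_FILES]


def ioc_hits(lines):
    """Return (line_index, defanged_indicator) for every line containing a known IOC."""
    hits = []
    for i, line in enumerate(lines):
        for ioc, pattern in IOC_PATTERNS:
            if pattern.search(line):
                hits.append((i, ioc))
    return hits


_CMDLINE = re.compile(r"cmdline=(.*)$")
_REGSVR32 = re.compile(r"\bregsvr32(?:\.exe)?\b", re.IGNORECASE)
_TARGET = re.compile(r"([A-Za-z]:\\.+?)\.(\w+)\s*$")  # trailing drive-letter path and its extension
SAFE_EXTENSIONS = {"dll", "ocx", "ax"}


def suspicious_regsvr32(lines):
    """Flag regsvr32 launches whose target is not a DLL-style extension or lives
    under a user-writable directory, the pattern used by the RUNE loader.
    Returns a list of (line_index, [reasons])."""
    findings = []
    for i, line in enumerate(lines):
        cmd = _CMDLINE.search(line)
        if not cmd or not _REGSVR32.search(cmd.group(1)):
            continue
        target = _TARGET.search(cmd.group(1))
        if not target:
            continue
        path, ext = target.group(1), target.group(2).lower()
        reasons = []
        if ext not in SAFE_EXTENSIONS:
            reasons.append(f"target has non-DLL extension .{ext}")
        lowered = path.lower()
        if "\\users\\" in lowered or "\\temp\\" in lowered:
            reasons.append("target sits under a user-writable path")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for i, ioc in ioc_hits(SAMPLE_LOGS):
        print(f"IOC {ioc} in line {i}: {SAMPLE_LOGS[i]}")
    for i, reasons in suspicious_regsvr32(SAMPLE_LOGS):
        print(f"regsvr32 finding in line {i}: {'; '.join(reasons)}")
```

On the constructed sample the sweep reports the trainer domain, the plaintext-HTTP destination, the 1e100.net beacon and the 2GreenYellow.dat file, and the regsvr32 heuristic fires only on the Temp-directory .dat launch, not on the vendor DLL registered from Program Files. Swap `SAMPLE_LOGS` for real DNS, proxy and Sysmon event-1 exports in the same key=value form to run it against actual telemetry.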
The gaming community is urged to avoid all “cracked” versions of Battlefield 6. Bitdefender researchers noted “hundreds of active seeders and leechers” for these torrents, indicating a massive pool of potential victims.
If you have downloaded a “crack” or “trainer” for Battlefield 6 recently:
- Assume Compromise: From a clean device, change all passwords, especially for email, gaming accounts, and crypto wallets, and sign out of all other sessions so that stolen browser cookies and Discord tokens stop working. Seed phrases and private keys cannot be rotated, so move any funds held in an exposed wallet to a newly created one.
- Scan Immediately: Run a full system scan with reputable antivirus software.
- Check Extensions: Verify no malicious browser extensions were installed.