A sophisticated malware campaign has infiltrated the indie gaming platform Itch.io, using deceptive “game update” lures to distribute the notorious Lumma Stealer. Security researchers at G DATA Security Lab report that threat actors are spamming comment sections with links to fake updates, tricking users into downloading password-stealing malware.
The attack begins with newly created Itch.io accounts flooding the comments of legitimate games. These comments, often templated and generic, claim to offer a “game update” hosted on Patreon.
“The way these comments are written and spammed across multiple games suggests a shotgun approach, where any unsuspecting user unfamiliar with the Itch.io website might confuse the comments as real updates from the game developers,” the report explains.
The links direct users to download an archive named Updated Version.zip. While most files inside are benign decoys, the main executable, game.exe, is a malicious loader.
To evade detection, the attackers employ advanced obfuscation techniques. The game.exe file is a Node.js application compiled into a single executable using nexe. This allows the malware to run JavaScript code directly on the victim’s machine without requiring Node.js to be installed.
Once executed, the malware drops a file named modules.node into the system’s temporary directory. This file acts as a bridge, using Node.js APIs (napi_create_function) to reflectively load the final payload into memory.
“modules.node receives the function containing the LummaStealer payload in the node_api_module_get_api_version_v1 export function… and serves as a reflective loading technique to execute the LummaStealer payload in the system”.
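As an added defensive illustration that is not part of the G DATA report or of this article, the following Python sketch runs a simple detection over constructed Sysmon-style events: it flags a process that writes a `.node` addon into a temp directory and then loads that same file itself, the drop-and-load sequence described above. The event field names, PIDs and paths are assumptions made for the sample, not telemetry from the campaign.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (assumed field names; not real campaign telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\Updated Version\game.exe"},
    {"event": "FileCreate", "pid": 4120,
     "target": r"C:\Users\alice\AppData\Local\Temp\modules.node"},
    {"event": "ImageLoad", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\modules.node"},
    # Benign contrast: a developer's node.exe loading a packaged native addon.
    {"event": "ProcessCreate", "pid": 5001,
     "image": r"C:\Program Files\nodejs\node.exe"},
    {"event": "ImageLoad", "pid": 5001,
     "image": r"C:\proj\node_modules\bcrypt\lib\binding\bcrypt_lib.node"},
]


def is_temp_path(path: str) -> bool:
    """True if any directory component of a Windows path is Temp/tmp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts or "tmp" in parts


def find_temp_node_loads(events):
    """Return (pid, process image, addon path) for every process that first
    creates a .node file in a temp directory and later loads it itself."""
    images = {}    # pid -> process image path
    dropped = {}   # pid -> set of lower-cased .node paths it wrote to temp
    hits = []
    for ev in events:
        pid = ev["pid"]
        if ev["event"] == "ProcessCreate":
            images[pid] = ev["image"]
        elif ev["event"] == "FileCreate":
            target = ev["target"]
            if target.lower().endswith(".node") and is_temp_path(target):
                dropped.setdefault(pid, set()).add(target.lower())
        elif ev["event"] == "ImageLoad":
            loaded = ev["image"]
            # Only the writer loading its own dropped addon is flagged.
            if loaded.lower() in dropped.get(pid, set()):
                hits.append((pid, images.get(pid, "?"), loaded))
    return hits


if __name__ == "__main__":
    for pid, image, addon in find_temp_node_loads(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image} dropped and loaded {addon}")
```

The rule keys on the drop-then-self-load sequence rather than on the file name, so renaming `modules.node` alone would not evade it, while a normal Node.js process loading an addon from its own package tree is left alone.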
The ultimate goal of the campaign is to deploy Lumma Stealer, a potent information theft tool sold on underground forums. Once active, it harvests sensitive data such as:
- Browser cookies and passwords.
- Cryptocurrency wallet details.
- System information.
This data is then exfiltrated to the attacker’s command-and-control (C2) server, leaving victims vulnerable to identity theft and financial loss.
This incident is part of a broader trend of attackers exploiting gaming platforms. Similar tactics have been observed on Steam, where profile images and fake game patches (like the “BlockBlasters” incident) were used to distribute malware.