
“Free Steam games” videos promise much, deliver malware

Gamers are a hot target for scammers, especially in the run-up to Christmas. Major games are released throughout the last few months of any year, and the FOMO (fear of missing out) is strong, especially if said titles offer pre-order exclusive bonuses, or deals and discounts for a few weeks after the game launches.

There are a lot of big titles hitting digital storefronts at the moment. In the last few weeks alone we’ve seen the release of:

  • Skyrim Anniversary Edition
  • Forza Horizon 5
  • Jurassic World Evolution 2
  • Halo Infinite (portions of it, with more to come)
  • Myth of Empires
  • Battlefield 2042

Add other upcoming titles and older ones updated for the festive season into the mix, and it’s fertile ground for people up to no good.

Bogus YouTube videos promise much, deliver little

We’ve seen a lot of activity on YouTube in the last 24 hours in relation to dubious videos. They ride on the coattails of common searches for “free” versions of popular titles like Skyrim, CSGO, PUBG, Cyberpunk, and more. Other videos focus on Call of Duty, GTAV, Fallout 4, and DayZ.

In all cases, “free Steam keys” are the name of the fake out game. No matter which of the many accounts posts these videos, they all typically link to the same download hosting site.

When free games lead to malware

The file offered up for download is SteamKeyGeneration.rar, weighing in at 4.19MB. YouTube pages containing the link offer the following instructions:

“Download the ExLoader, open the RAR file, open the EXE file”

The .RAR is password protected, with the password being supplied in the YouTube description. Once the executable runs on the target system, that system is infected by the owner’s own hand.

We detect the file as Trojan.Malpack. This is a generic name given to files which have been packed suspiciously. The actual payload can be anything at all, but this form of packing files is not typically used for legitimate purposes. We’ve seen similar attacks previously. In 2018, Fortnite gamers were targeted by scammers pushing Trojan.Malpack files as Fortnite freebies. If the files were downloaded and run on the target system, the reward for doing so was data theft.

Part of a bigger campaign, or a standalone?

YouTube has definitely had some trouble along these lines recently. Researchers at Cluster25 spotted similar activity, targeting a multitude of interests including how-to guides, cryptocurrency, VPN software, and more. In those cases, activity seems to be primarily geared towards two infection paths.

Videos with bit(dot)ly links send victims to download sites such as Mega. Unshortened links redirect to taplink(dot)cc to push Raccoon Stealer. Target machines are scanned for card details, passwords, cryptocurrency wallets and other forms of data. This is all harvested and sent on to the attacker.

Although the final destination links are different to those mentioned, there are similarities, such as the password requirement and the overall scam setup. Of course, this isn’t a particularly new or novel tactic for YouTube attacks. Including a link to an off-site compressed file on free file hosting, and disabling comments so nobody can point out they’ve had things stolen, is video portal shenanigans 101.

You also tend to see one major campaign hit and enjoy success, and then lots of smaller would-be scammers jump on the bandwagon, and before long everybody is doing it.

Tips to avoid scams

Whether this is part of the same campaign, a spin-off, or is simply inspired by it, you should avoid any promise of free games deploying these techniques on YouTube. The warning signs are:

  1. Too good to be true claims of Steam (or another platform) being “hacked”, with free games being the end result.
  2. Brand new accounts with no other content than these videos, or much older accounts which have been dormant until now or display a sudden shift in content produced. Were they making videos of their cats until last week and now they’re all about hacked Skyrim downloads? Beware.
  3. Comments disabled. Anybody linking to off-site files and turning off the comments may not have your best interests at heart.
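
For anyone triaging reported videos, the warning signs above and the delivery pattern described earlier (off-site link, password in the description) can be turned into a simple scoring check. This is an added example, not code from the article or from Malwarebytes; the metadata field names, host lists, day thresholds and sample records are all assumptions made for illustration.

```python
import re
from datetime import date

# Assumed host lists, seeded from the services named in the article; extend locally.
SHORTENERS = {"bit.ly"}
FILE_HOSTS = {"mega.nz", "taplink.cc"}
LURE = re.compile(r"\b(free|hacked|keygen|key\s*generat\w+)\b", re.I)
PASSWORD = re.compile(r"\b(pass(word)?|pw)\b\s*[:=-]", re.I)
HOST = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def offsite_hosts(description):
    """Refang '(dot)' / '[.]' notation and return dotted names found in the text."""
    text = re.sub(r"\(dot\)|\[\.\]", ".", description, flags=re.I)
    return {h.lower().removeprefix("www.") for h in HOST.findall(text)}

def score_video(v, today):
    """Return (score, reasons) for one video-metadata dict; higher is more suspect."""
    reasons = []
    hosts = offsite_hosts(v["description"]) & (SHORTENERS | FILE_HOSTS)
    if LURE.search(v["title"]):
        reasons.append("too-good-to-be-true free/hacked claim")
    age = (today - v["channel_created"]).days
    gap = (v["uploaded"] - v["previous_upload"]).days if v["previous_upload"] else None
    if age < 30 or (gap is not None and gap > 365):  # assumed thresholds
        reasons.append("new or long-dormant account")
    if hosts:
        reasons.append("off-site link: " + ", ".join(sorted(hosts)))
    if hosts and v["comments_disabled"]:
        reasons.append("comments disabled on a video linking off-site")
    if PASSWORD.search(v["description"]):
        reasons.append("archive password supplied in description")
    return len(reasons), reasons

TODAY = date(2021, 11, 22)  # constructed "now" for the sample data
SAMPLES = [  # constructed records, not real videos
    {"title": "FREE Steam keys 2021 - Skyrim, CSGO, PUBG",
     "description": "Download: bit(dot)ly/xxxx  password: 1234",
     "channel_created": date(2015, 3, 1), "previous_upload": date(2019, 6, 1),
     "uploaded": date(2021, 11, 20), "comments_disabled": True},
    {"title": "Forza Horizon 5 review",
     "description": "Thanks for watching! Store page on steampowered.com",
     "channel_created": date(2016, 1, 1), "previous_upload": date(2021, 11, 10),
     "uploaded": date(2021, 11, 21), "comments_disabled": False},
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v["title"], "->", score_video(v, TODAY))
```

A high score is a prompt for manual review, not a verdict; legitimate videos can trip individual signals.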

Getting your hands on a cool new game at a discount is always good news, but sometimes the hidden cost is just too high.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.