The survival game Chemia has been removed from Steam after researchers uncovered malware targeting crypto wallets and browser data. The attack has been linked to hacker group EncryptHub.
The survival crafting game Chemia has been taken down from the Steam platform after cybersecurity researchers discovered that it was distributing malware designed to steal crypto wallet information and browser data. The malware has been linked to a known cybercriminal group called EncryptHub, also referred to as Larva-208. The game had been available on Steam through its Early Access program, which allows users to play games that are still in development.
Steam Removes Chemia After Hack
According to a report published by cybersecurity firm Prodaft, the Chemia game files were modified on July 22 to include three different types of malware: HijackLoader, Vidar Stealer, and Fickle Stealer. These types of malware are commonly used to steal sensitive information from users, including credentials stored in browsers, cookies, and digital wallet keys.
HijackLoader allowed attackers to gain a foothold in the infected system by operating silently in the background. Vidar Stealer and Fickle Stealer further extracted personal data by targeting browser-based storage and crypto-related files. Because these tools did not significantly affect the performance of the game, most users remained unaware of the compromise.
Prodaft’s analysis showed that the malware used Telegram as a command-and-control channel. Through this setup, attackers were able to remotely send instructions and control infected machines. Additional malicious files were downloaded through specific executables and scripts, including a file named v9d9d.exe used by Vidar Stealer and a combination of a dynamic-link library named cclib.dll and a PowerShell script called worker.ps1, used by Fickle Stealer.
These files pulled code from an external website identified as soft-gets[.]com. This remote infrastructure allowed the malware to remain active and adaptable. It also provided attackers with the ability to update the malicious components at any time, further complicating detection and removal efforts.
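As an added illustration (not code from Prodaft's report or from this article), the following Python example checks endpoint or DNS log lines for the file names and domain named above. The log format, host names, paths and timestamps are constructed for the example; file names are easy to change, so a hit is a reason to inspect the machine, not proof of infection.

```python
import re

# Indicators named in the article; the domain is refanged for matching only.
IOC_FILES = {
    "v9d9d.exe": "Vidar Stealer",
    "cclib.dll": "Fickle Stealer",
    "worker.ps1": "Fickle Stealer",
}
IOC_DOMAIN = "soft-gets[.]com".replace("[.]", ".")
FILE_TOKEN = re.compile(r"[\w.-]+\.(?:exe|dll|ps1)\b", re.I)
HOST_TOKEN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def scan_line(line):
    """Return sorted (indicator, label) hits for one log line."""
    hits = set()
    # Compare whole basenames so 'myworker.ps1' does not match 'worker.ps1'.
    for name in FILE_TOKEN.findall(line):
        if name.lower() in IOC_FILES:
            hits.add((name.lower(), IOC_FILES[name.lower()]))
    # Accept the domain and its subdomains, plain or defanged, but not
    # look-alikes such as '<domain>.example.org'.
    for host in HOST_TOKEN.findall(line.replace("[.]", ".")):
        host = host.lower()
        if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
            hits.add((IOC_DOMAIN, "remote code host"))
    return sorted(hits)

def triage(lines):
    """Group hits by the 'host=' field: {host: sorted list of indicators}."""
    found = {}
    for line in lines:
        m = re.search(r"\bhost=(\S+)", line)
        for indicator, _label in scan_line(line):
            found.setdefault(m.group(1) if m else "?", set()).add(indicator)
    return {h: sorted(v) for h, v in found.items()}

# Constructed sample events; domains are kept defanged on purpose.
SAMPLE_LOG = [
    r'2025-07-23T10:02:11Z proc host=PC-01 image="C:\Program Files (x86)\Steam\steamapps\common\Chemia\Chemia.exe"',
    r'2025-07-23T10:02:40Z proc host=PC-01 image="C:\Users\a\AppData\Local\Temp\V9D9D.EXE"',
    r'2025-07-23T10:02:41Z dns host=PC-01 query=cdn.soft-gets[.]com',
    r'2025-07-23T10:03:00Z proc host=PC-01 cmd="powershell -File C:\Users\a\worker.ps1"',
    r'2025-07-23T10:03:05Z dns host=PC-02 query=soft-gets[.]com.example.org',
    r'2025-07-23T10:03:07Z proc host=PC-02 cmd="powershell -File C:\Tools\myworker.ps1"',
]

if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_LOG).items():
        print(host, indicators)
```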
Following the discovery, Valve removed Chemia from the Steam store. As of now, the game's store page no longer exists and redirects users to the platform’s homepage. Valve has not released a public statement regarding the removal, and no comments have been issued by Aether Forge Studios, the developers of Chemia. Both parties were contacted by media outlets, including BleepingComputer, but have not responded to requests for information.
The game was distributed through Steam’s Early Access program, which has previously faced criticism for less rigorous safety and content checks. Because games in this section are still in development, they may be more vulnerable to unauthorized code changes or insufficient review processes.
Steam’s Early Access Program
This incident is not isolated. Earlier in the year, two other Early Access games on Steam (Sniper: Phantom's Resolution and PirateFi) were discovered to contain harmful software. While PirateFi was described as a web3-based game with built-in crypto functionality, Chemia and Sniper: Phantom's Resolution were standard PC games without blockchain elements. All three titles were available as Early Access releases, raising concerns about whether Steam’s current system provides sufficient safeguards to prevent the distribution of malware through unverified or developing titles.
Sniper: Phantom's Resolution
EncryptHub, the group tied to the Chemia incident, has previously launched large-scale phishing campaigns using similar malware combinations. In one documented case, their efforts affected over 600 organizations globally. According to Prodaft, the group’s recent use of Steam as a distribution platform is an evolution of their earlier techniques, focusing on exploiting users’ trust in reputable services.
The Prodaft report noted that the game executable appeared legitimate to users downloading it directly from Steam. This approach bypassed traditional phishing methods and relied instead on social engineering through trusted digital storefronts. Researchers emphasized that users accessing free games or public playtests were particularly at risk, as they might download and install malware believing it to be part of a harmless game.
EncryptHub
Cybersecurity threats targeting video games are on the rise. Data from Statista shows that malware infections have increased by 87% over the past decade. Additionally, Cybersecurity Ventures estimates that the global cost of cybercrime will reach $10.5 trillion by 2025, more than triple the figure from 2015. Digital platforms with large user bases, such as Steam, are becoming frequent targets due to the high level of trust users place in them.
Users who are involved with digital currencies or web3 services are especially vulnerable in such cases. When a game silently extracts wallet keys or login credentials, the financial impact can be immediate and severe. The Chemia case underscores the need for stronger verification processes on platforms that serve both gaming and tech-savvy audiences.
Hacks in Web3 Data from DappRadar
At present, Chemia is no longer available for download on Steam. However, cybersecurity experts warn that users who installed the game before its removal could still have infected systems. It is recommended that these users scan their computers using updated antivirus tools and monitor their crypto wallets and personal accounts for any unusual activity.
It remains unclear how EncryptHub gained access to the game files. One possibility being investigated is insider assistance, though this has not been confirmed. Aether Forge Studios has not released any updates or responses through official channels or social media.
Full technical indicators related to the malware, including filenames, domains, and file behaviors, have been published by Prodaft on its official GitHub page. Users and system administrators who may have encountered the game are encouraged to consult this resource for detailed analysis and detection support.
About the author
Eliza Crichton-Stuart
Head of Operations
Updated: July 29th 2025
Posted: July 29th 2025