Valve Removes PirateFi Game from Steam After Malware Discovery

Author: Ze Research Writer
Read time: 11 min

Valve removed the free-to-play game PirateFi from Steam after discovering it contained Windows malware designed to steal browser cookies and hijack user accounts, with the company recommending affected users fully reformat their operating systems.

Valve Corporation removed a free-to-play game called PirateFi from its Steam platform after discovering the title contained Windows malware. The company sent notifications to affected users recommending they fully reformat their operating systems to ensure complete removal of the infection. According to SteamDB estimates, the malicious game may have reached over 800 users before its removal.

What Happened

The timeline of events began on Thursday, February 6, 2025, when PirateFi appeared on Steam as a free-to-play beta release. The game's store page presented it as a survival title with low-poly graphics, and it quickly accumulated positive reviews from users who had not yet detected the malicious payload.

Within days of the release, users began reporting problems. One user on the Steam forums noticed their antivirus software prevented the game from running, flagging it as carrying "Trojan.Win32.Lazzzy.gen," according to PCMag. The user documented the malware's behavior: "When you launch the 'game,' the virus unpacks into /AppData/Temp/****/ and looks like Howard.exe."

By Tuesday, February 11, 2025, multiple users reported account compromises. One affected user wrote on the Steam community forums: "Most of my stuff has either been hacked and passwords changed or being signed in using cookies that've been stolen!" Another user reported: "My Microsoft account got stolen from this trojan. They blocked Microsoft support from my emails and swiped it. Went in my Roblox and stole $20 and messaged all my friends scam links while taking all my Steam points to buy awards for bot accounts."

Valve removed PirateFi from Steam by February 12, 2025, and began sending notifications to users who had downloaded the game. The company did not publicly disclose the specific type of malware found or how the game passed initial review.

An additional distribution vector emerged on February 13, 2025. According to PCMag, the game was also circulated through Telegram using fake job offers. A reader reported: "Somebody in the channel that I was in sent a message that they had a in-game chat moderator vacancy that would pay 17$ an hour." The reader investigated and discovered evidence that a bot was operating the Telegram account, noting: "I've noticed that the speed of his replies were very consistent, almost always 21 seconds. I was messaging with an AI that was trying to get people to download the game on their devices to infect their computers."

Key Claims and Evidence

The malware has been identified by antivirus software as Trojan.Win32.Lazzzy.gen, a classification indicating an infostealer variant. According to user reports documented by PCMag, the malicious executable unpacks to the Windows AppData/Temp directory and runs as "Howard.exe."

The primary attack vector involves browser cookie theft. Cookies stored by web browsers often contain session tokens that allow users to remain logged into websites without re-entering credentials. By stealing these cookies, attackers can hijack active sessions and gain access to accounts without knowing the actual passwords.

User reports confirm the malware's effectiveness. Multiple Steam community members documented having accounts across various services compromised, including Microsoft accounts, Roblox accounts, and Steam itself. The attackers used stolen access to send scam links to victims' contacts and make unauthorized purchases.

SteamDB, a third-party service that tracks Steam statistics, estimated the game reached over 800 users before removal. The actual number of infected systems may be lower, as not all users who added the game to their library necessarily downloaded and executed it.

Evidence suggests the game's Steam listing used copied screenshots from another title called Easy Survival RPG, according to user observations documented by PCMag. The use of stolen assets may indicate the game was created solely as a malware delivery mechanism rather than a legitimate development project.

Pros / Opportunities

Valve's rapid response and direct communication with affected users demonstrates the platform's ability to address security incidents once detected. The recommendation to fully reformat affected systems, while disruptive, represents sound security advice for dealing with infostealer malware that may have established persistence mechanisms.

The incident provides an opportunity for Steam to strengthen its game submission review process. Enhanced automated scanning for known malware signatures and behavioral analysis during the review period could catch similar threats before they reach users.

For the broader gaming community, the incident serves as a reminder about the risks of downloading software from any source, even established platforms. Users who maintained updated antivirus software were able to detect and block the malware before it executed.

Security researchers gain valuable intelligence from incidents like this. The identification of the specific malware variant (Trojan.Win32.Lazzzy.gen) and its behavioral patterns (unpacking to AppData/Temp, executing as Howard.exe) helps improve detection capabilities across the security industry.
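As an added illustration (not from the article, Valve, or any vendor tooling), a small Python triage rule that encodes the behavioral pattern just described, an executable launched from a user's AppData Temp directory by a Steam game process, and runs it over constructed Sysmon-style process-creation events; the event fields, usernames and paths are assumptions.

```python
import re

# Constructed process-creation events for illustration only; not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice",
     "parent": r"C:\Program Files (x86)\Steam\steamapps\common\PirateFi\PirateFi.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\a1b2c3\Howard.exe"},
    {"user": "alice", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"user": "bob", "parent": r"C:\Users\bob\Downloads\vendor-setup.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\is-ABCD.tmp\installer.exe"},
    {"user": "carol",
     "parent": r"C:\Program Files (x86)\Steam\steamapps\common\PirateFi\PirateFi.exe",
     "image": r"C:\Users\carol\AppData\Roaming\Temp\x9\Howard.exe"},
]

# Executable started from a per-user Temp directory (the unpack location users reported).
TEMP_EXEC = re.compile(r"\\AppData\\(Local|Roaming)\\Temp\\.*\.exe$", re.IGNORECASE)
# Parent lives in a Steam game install; games normally do not spawn executables from Temp.
STEAM_GAME_PARENT = re.compile(r"\\steamapps\\common\\", re.IGNORECASE)
# File name reported by affected users; weak on its own because it is trivially renamed.
KNOWN_NAME = "howard.exe"

def classify(event: dict) -> tuple:
    """Return (severity, reasons) for one process-creation event."""
    reasons = []
    if TEMP_EXEC.search(event["image"]):
        reasons.append("exec-from-user-temp")
        if STEAM_GAME_PARENT.search(event["parent"]):
            reasons.append("spawned-by-steam-game")
    if event["image"].lower().endswith("\\" + KNOWN_NAME):
        reasons.append("name-matches-reported-sample")
    if "spawned-by-steam-game" in reasons:
        return "high", reasons
    return ("medium", reasons) if reasons else ("none", reasons)

def triage(events) -> dict:
    """Group hits by severity; high-severity users are the hosts to reimage, per Valve's advice."""
    result = {"high": [], "medium": [], "users_to_reimage": set()}
    for ev in events:
        sev, reasons = classify(ev)
        if sev == "none":
            continue
        result[sev].append((ev["user"], ev["image"], reasons))
        if sev == "high":
            result["users_to_reimage"].add(ev["user"])
    result["users_to_reimage"] = sorted(result["users_to_reimage"])
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The installer launched from Downloads lands as medium only, which is the usual false-positive shape for a Temp-execution rule; the parent-process condition is what makes the game case stand out.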

Cons / Risks / Limitations

The incident exposes limitations in Steam's game review process. Despite being the largest PC gaming platform with established submission guidelines, a malware-laden game was able to pass review and remain available for several days. Valve has not disclosed what review procedures failed or what changes will be implemented.

Users who downloaded PirateFi face significant remediation challenges. The recommendation to fully reformat the operating system represents a substantial time investment and potential data loss for users without recent backups. Many users may opt for less thorough cleanup methods that could leave malware components intact.

The cookie-stealing attack vector is particularly concerning because it bypasses traditional password-based security. Even users with strong, unique passwords and two-factor authentication can have their accounts compromised if session cookies are stolen. The only reliable defense is to invalidate all active sessions after a potential compromise.

The Telegram distribution channel indicates a coordinated campaign with multiple attack vectors. The use of AI-powered bots to engage potential victims and offer fake job opportunities suggests a level of sophistication beyond opportunistic malware distribution.

At the time of reporting, Valve had not disclosed how the malicious game passed initial review, leaving questions about whether similar threats might already exist on the platform undetected.

How the Technology Works

Infostealer malware operates by targeting data stored locally on infected systems. Browser cookies represent a particularly valuable target because they often contain authentication tokens that websites use to maintain user sessions.

When a user logs into a website, the server typically issues a session cookie that the browser stores locally. On subsequent visits, the browser sends this cookie to prove the user's identity without requiring re-authentication. By stealing these cookies, attackers can impersonate the legitimate user to any service where an active session exists.

The PirateFi malware followed a common infostealer pattern. Upon execution, it unpacked itself to the Windows temporary directory (AppData/Temp) and launched a secondary executable (Howard.exe). From this location, the malware could access browser data stores where cookies are kept.

Modern browsers store cookies in SQLite databases or similar structured formats. Chrome, Firefox, and Edge each use different storage locations and formats, but all are accessible to any process running with the user's permissions. The malware likely enumerated installed browsers and extracted cookie data from each.

Once collected, the stolen cookies would be transmitted to attacker-controlled servers. The attackers could then import these cookies into their own browsers, effectively cloning the victim's authenticated sessions. Services that rely solely on cookies for session management would be unable to distinguish between the legitimate user and the attacker.
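An added example, not from the article or any named service, of the server-side countermeasure the passage implies: an in-memory session store that binds each token to the client it was issued to and can revoke every session of a user at once, so a copied cookie replayed from another machine, or any cookie after revocation, is rejected. The store, its field names and the sample client values are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Per-process secret for the client fingerprint; a real service would load it from a KMS.
SERVER_KEY = secrets.token_bytes(32)

class SessionStore:
    def __init__(self, max_age: int = 3600):
        self.sessions = {}         # token -> record
        self.user_generation = {}  # user -> counter; bumping it revokes all of that user's sessions
        self.max_age = max_age

    def _fingerprint(self, client_ip: str, user_agent: str) -> str:
        # Coarse binding of the cookie to the client that received it. A cloned cookie
        # presented from a different network and browser yields a different fingerprint.
        data = f"{client_ip}|{user_agent}".encode()
        return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "issued": time.time(),
                                "fp": self._fingerprint(client_ip, user_agent),
                                "gen": self.user_generation.get(user, 0)}
        return token

    def validate(self, token: str, client_ip: str, user_agent: str):
        """Return the user for a valid session, or None if expired, revoked, or replayed."""
        rec = self.sessions.get(token)
        if rec is None or time.time() - rec["issued"] > self.max_age:
            return None
        if rec["gen"] != self.user_generation.get(rec["user"], 0):
            return None  # revoked by revoke_all after a suspected compromise
        if not hmac.compare_digest(rec["fp"], self._fingerprint(client_ip, user_agent)):
            return None  # cookie presented from a different client: treat as a stolen cookie
        return rec["user"]

    def revoke_all(self, user: str) -> None:
        self.user_generation[user] = self.user_generation.get(user, 0) + 1

def demo() -> tuple:
    """Legitimate use, replay from another client, and use after revocation."""
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0)"
    tok = store.issue("victim", "203.0.113.10", ua)
    ok = store.validate(tok, "203.0.113.10", ua)
    replay = store.validate(tok, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)")
    store.revoke_all("victim")
    after = store.validate(tok, "203.0.113.10", ua)
    return ok, replay, after
```

Binding to the source IP is deliberately coarse and will log out users behind changing NAT or mobile networks; the revocation generation is the part that directly implements the "invalidate all sessions" advice, and it works regardless of how the fingerprint is chosen.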

Technical context: The Trojan.Win32.Lazzzy.gen classification suggests this malware belongs to a known family of infostealers. The "Lazzzy" designation is the vendor's family name for a set of behavioral characteristics or code signatures used for identification. The ".gen" suffix typically indicates a generic detection based on heuristics rather than an exact signature match.

Why It Matters Beyond the Company or Product

The PirateFi incident highlights a systemic challenge facing digital distribution platforms. Steam, the Epic Games Store, mobile app stores, and browser extension marketplaces all face the same fundamental problem: how to verify that submitted software is safe without access to source code or the ability to observe all possible runtime behaviors.

Malware authors increasingly target gaming platforms because they offer access to users who are accustomed to downloading and running executable software. Unlike web applications that run in sandboxed browser environments, games run as native executables with the launching user's full privileges, making them ideal vehicles for malicious payloads.

The use of AI-powered bots for social engineering represents an evolution in malware distribution tactics. Automated systems can engage potential victims at scale, maintaining conversations and building trust in ways that would be impractical for human operators. The 21-second response time noted by the Telegram user suggests a system optimized for appearing human while processing many conversations simultaneously.

For platform operators, the incident underscores the limitations of pre-publication review. Even thorough manual review cannot catch all malicious software, particularly when attackers use techniques like delayed payload activation or server-side triggering. Post-publication monitoring and rapid response capabilities become essential complements to upfront review.

The cookie-theft attack vector also highlights ongoing weaknesses in web authentication. Despite years of security improvements, session cookies remain a single point of failure for many online services. More robust authentication mechanisms, such as hardware security keys or continuous authentication, could reduce the impact of cookie theft but remain uncommon outside high-security environments.

What's Confirmed vs. What Remains Unclear

Confirmed:

  • Valve removed PirateFi from Steam after discovering it contained malware
  • The malware is classified as Trojan.Win32.Lazzzy.gen by antivirus software
  • The malware unpacks to AppData/Temp and executes as Howard.exe
  • Multiple users reported account compromises affecting Microsoft, Roblox, and Steam accounts
  • Valve recommended affected users fully reformat their operating systems
  • SteamDB estimates the game reached over 800 users
  • The game was also distributed via Telegram using fake job offers
  • An AI-powered bot was used to engage potential victims on Telegram

Unclear:

  • How the malicious game passed Steam's review process
  • The exact number of users who were infected (vs. those who only added the game to their library)
  • The identity of the attackers or their geographic location
  • Whether other malicious games remain undetected on Steam
  • What specific changes Valve will implement to prevent similar incidents
  • The full scope of data stolen beyond browser cookies
  • Whether the malware established any persistence mechanisms beyond the initial executable

What to Watch Next

Steam's response to this incident will likely include enhanced security measures, though the company has not announced specific changes. Observers should monitor for updates to Steam's developer submission guidelines or new automated scanning requirements.

The security research community may publish more detailed analysis of the Trojan.Win32.Lazzzy.gen variant as samples become available. Such analysis could reveal additional capabilities or connections to known threat actors.

Users who downloaded PirateFi should monitor their accounts for unauthorized activity even after remediation. Attackers who obtained session cookies may have also captured other credentials or personal information that could be used in future attacks.

The Telegram distribution channel suggests a broader campaign that may target other platforms or use different lures. Security teams should watch for similar fake job offers or gaming-related social engineering attempts.

Platform operators across the industry will likely review their own submission processes in light of this incident. Any announcements of enhanced security measures from Steam, Epic Games Store, or other platforms would indicate lessons learned from the PirateFi case.

Sources

  1. TechCrunch - "Valve removes Steam game that contained malware" (February 13, 2025) https://techcrunch.com/2025/02/13/valve-removes-steam-game-that-contained-malware/

  2. PCMag - "Did You Download This Steam Game? Sorry, It's Windows Malware" (February 12, 2025, updated February 13, 2025) https://www.pcmag.com/news/did-you-download-this-steam-game-sorry-its-windows-malware

  3. The Gamer - "PirateFi Steam Malware Game Taken Down, Valve Warns Players to Reset PC" (February 2025) https://www.thegamer.com/piratefi-steam-malware-game-taken-down-valve-warns-players-reset-pc/