From Headshots to Infostealers

Measuring Malware Prevalence in Gaming Cheats

Odin Midtgard | Bachelor in Cyber Security
Noroff University College | Supervisor: Barry Irwin

Research Context

The Problem

  • $187B+ gaming industry with competitive ecosystems
  • Cheats increasingly weaponized for malware distribution
  • Users disable AV & grant admin privileges willingly

Research Gap

  • Lack of systematic measurement in free, public CS2 cheats
  • Limited academic focus on cheat-to-malware pipeline
  • Need for reproducible static analysis methodology

Research Question: To what extent does freely distributed cheating software contain malicious components?

Research Methodology

Mixed empirical design with static analysis pipeline

Operational Security

Sample Handling

  • Immediate SHA-256 hashing
  • Stored on external USB storage
  • Filename is the SHA-256 hash

Isolated Lab Environment

  • Dedicated laptop
  • FlareVM
  • ProtonVPN

Safety Protocol

Zero Local Execution

Static analysis only
No dynamic detonation, except a few detonations in ANY.RUN

Data Collection & Processing

From raw collection to analysis-ready corpus

Data Collection Strategy

Collection Sources

YouTube: Video descriptions & links

Discord: Public cheat-sharing servers

GitHub: Repositories tagged as cheats

Telegram: Public channels

Target Specifications

Games: CS2, Valorant, Apex Legends, Fortnite, and others

Formats: .exe, .dll, .sys, .zip archives

Target Size: 80-120 unique samples

Exclusion: Paid, subscription, or invite-only cheats

distribution data

Candidate File Breakdown

File Type Composition (n=554)

Game Targeting (n=554)

The 73% script share reflects GitHub cheat repos shipping Python source alongside compiled binaries

Results

Multi-engine validation & static indicator analysis

Dataset Composition

Raw Collection

18,907

files from GitHub, forums, searches

After Triage

554

PE files & scripts

Stage                            Count   Percentage  Note
Raw Files                        18,907  100%        GitHub repos, forum threads, YouTube downloads
Candidate Files (PE + Scripts)      554  2.9%        Filtered by extension & header signatures
Unique SHA-256 Hashes               293  1.6%        Deduplicated corpus for analysis

73.1% of candidates were scripts (.py, .js, .bat); 26.2% were compiled PE files
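The three corpus stages above (raw files, candidates filtered by extension and header signature, unique SHA-256 hashes) can be reproduced with a short pipeline. The following is an added example, not code from the thesis; it keeps the study's conventions (hash immediately, store under the hash as filename) and assumes the candidate extension sets shown on the slides. The mini-corpus in demo() is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Candidate formats from the slides; everything else is dropped at triage.
PE_EXTENSIONS = {".exe", ".dll", ".sys"}
SCRIPT_EXTENSIONS = {".py", ".js", ".bat"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so an 800 MB padded sample never has to sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def header_matches(path: Path) -> bool:
    """Header-signature check: a file claiming to be a PE must start with the 'MZ' magic.
    Scripts are kept by extension alone (they have no magic bytes to check)."""
    ext = path.suffix.lower()
    if ext in SCRIPT_EXTENSIONS:
        return True
    if ext in PE_EXTENSIONS:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    return False


def triage(raw_dir: Path, store_dir: Path) -> dict:
    """raw files -> candidates -> unique hashes. Candidates are copied into store_dir under
    their SHA-256 as filename, which deduplicates byte-identical samples automatically."""
    store_dir.mkdir(parents=True, exist_ok=True)
    raw = [p for p in raw_dir.rglob("*") if p.is_file()]
    candidates = [p for p in raw if header_matches(p)]
    for p in candidates:
        target = store_dir / sha256_of(p)          # filename is the SHA-256 hash
        if not target.exists():
            target.write_bytes(p.read_bytes())
    unique = sum(1 for p in store_dir.iterdir() if p.is_file())
    return {"raw": len(raw), "candidates": len(candidates), "unique": unique}


def demo() -> dict:
    """Constructed mini-corpus: the same cheat under two names, a text file renamed to .exe,
    a Python script and a README. Expected stages: 5 raw -> 3 candidates -> 2 unique."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = Path(tmp) / "raw"
        raw.mkdir()
        pe = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100   # constructed stand-in PE bytes
        (raw / "cheat_v1.exe").write_bytes(pe)
        (raw / "cheat_v2.exe").write_bytes(pe)                 # same bytes -> deduplicated
        (raw / "loader.exe").write_bytes(b"not a pe")          # fails the MZ check -> dropped
        (raw / "aimbot.py").write_text("print('hi')")
        (raw / "README.md").write_text("Disable Windows Defender before running")
        return triage(raw, Path(tmp) / "store")


if __name__ == "__main__":
    print(demo())
```

The hash-as-filename convention is what makes stage three free: a second copy of an already-stored sample simply collides with an existing path and is skipped.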

Multi-Engine Validation

All 293 unique hashes cross-referenced with VirusTotal and MalwareBazaar

VirusTotal Coverage

81.6%

239 of 293 hashes indexed

MalwareBazaar Matches

0.3%

1 hash (curated repository)

Classification Threshold: >=5 distinct AV engine detections = "Confirmed Malicious" (Microsoft, Bitdefender, Kaspersky, etc.)

detection data

Detection Rates: All 19 Malicious Hashes

Infostealer / High-risk Kernel Injector Cheat Framework / Generic Script / Low detection

Analysis

Social engineering, code reuse & greyware

Confirmed Malicious Samples

File                 Detections    Target Game  Classification
Swift.exe            51/76 (67%)   Roblox       Dropper -> Loader
Fortnite.exe         50/76 (66%)   Fortnite     Generic Malware
DragonBurn.exe       44/76 (58%)   CS2          Generic Malware
undetek-v10.12.exe   41/76 (54%)   CS2          Generic Malware
BlackBoneDrv10.sys   40/76 (53%)   Multi-game   Kernel Injector
Cs2Hack.exe          36/71 (51%)   CS2          Custom Loader
Set-Up.exe*          17/72 (24%)   Multi-game   Vidar/Stealc

*YouTube collection | 802MB padded with null bytes -> stripped to 2.28MB

Collection

19

total malicious hashes

forensic evidence

Static Chain Recovered from Swift.exe

Stage 1: Dropper (confirmed)

Swift.exe - Go dropper behavior

SHA-256:
165c77e0cb3fc6551babc2de99e0c5182fb86e20ac3354da7ae980b580721049

Hardcoded staging URL:
https://pastebin.com/raw/QKQwYyHd

Recovered behavior:
- fake "Checking for updates..." popup
- fetches Pastebin staging text
- drops %APPDATA%\<random>.exe
- launches second stage

Classification:
Downloader / dropper
                

Stage 2: Loader / Injector (confirmed)

4J8576A0E8V3.exe - masquerading loader

Masquerades as:
- dllhost.exe / COM Surrogate
- Microsoft Corporation
- unsigned, checksum mismatch

Embedded payload carrier:
- .text  = 16 KB
- .rsrc  = 2.66 MB
- RCDATA = encrypted embedded blob

Injection-capable APIs:
CreateProcessA
VirtualAllocEx
WriteProcessMemory
GetThreadContext / SetThreadContext
ResumeThread

Classification:
Loader / injector with encrypted PE payload
                

Supported by static analysis: this is a two-stage malware chain.

Malware Category Mapping

Category              Files                               Observed Behaviour
Infostealer / Loader  Swift.exe, Set-Up.exe               Swift: staged dropper -> loader. Set-Up.exe: credential theft, browser exfiltration, C2.
Kernel Injector       BlackBoneDrv*.sys (x4)              Ring-0 process injection bypassing user-mode protections
Multi-stage Loader    Cs2Hack.exe                         Custom Go loader with PE parsing plus transformed PE-like companion payload blobs
Cheat Framework       silky.dll, dll.dll, Cheat-Base.dll  Process memory manipulation, game overlay injection
Unclassified          undetek, codexsoftwares             High detection rates without clear family attribution

category breakdown

Category Distribution & API Indicators

Malware Categories (n=19)

Suspicious API Imports: Malicious vs Benign

API Function         Malicious  Benign
CreateRemoteThread   Present    Absent
WriteProcessMemory   Present    Absent
VirtualAllocEx       Present    Absent
InternetOpenW        Present    Absent
SuspendThread        Present    Absent
ShellExecuteW        Present    Present
ReadProcessMemory    Present    Present

The injection triad (CreateRemoteThread + WriteProcessMemory + VirtualAllocEx) appeared exclusively in confirmed malicious samples.
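The indicator table can be turned into a static check that runs over a sample's bytes. The following is an added example, not the study's own tooling: it extracts printable-ASCII runs the way `strings -n 4` does and applies the slide's exclusive/shared split and the triad rule. The fake_import_names() helper and the two sample byte strings are constructed stand-ins for an import hint/name table; a real workflow would walk the import directory (for instance with the pefile library) rather than rely on strings.

```python
import re

# Indicator table from the slides: APIs seen only in confirmed-malicious samples vs.
# APIs shared with benign cheats (ReadProcessMemory is expected in any memory-reading cheat).
EXCLUSIVE_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                  "InternetOpenW", "SuspendThread"}
SHARED_APIS = {"ShellExecuteW", "ReadProcessMemory"}
INJECTION_TRIAD = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, equivalent to `strings -n 4`. Import names live in the PE
    hint/name table as NUL-terminated ASCII, so each name surfaces as its own run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def api_indicators(data: bytes) -> dict:
    """Apply the indicator table to one sample. endswith() tolerates the 2-byte hint that
    precedes each import name when those hint bytes happen to be printable."""
    runs = extract_strings(data)
    present = {api for api in EXCLUSIVE_APIS | SHARED_APIS
               if any(run.endswith(api) for run in runs)}
    return {
        "exclusive": sorted(present & EXCLUSIVE_APIS),   # discriminating indicators
        "shared": sorted(present & SHARED_APIS),         # present in benign cheats too
        "injection_triad": INJECTION_TRIAD <= present,   # the slide's strongest signal
    }


def fake_import_names(apis) -> bytes:
    """Constructed stand-in for an import hint/name table: 2-byte hint, ASCII name, NUL."""
    return b"".join(b"\x00\x00" + api.encode("ascii") + b"\x00" for api in apis)


# Constructed samples: one mimicking an injector, one mimicking a plain memory-reading cheat.
INJECTOR_SAMPLE = b"MZ" + bytes(62) + fake_import_names(
    ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenW"])
CHEAT_SAMPLE = b"MZ" + bytes(62) + fake_import_names(
    ["OpenProcess", "ReadProcessMemory", "ShellExecuteW"])


if __name__ == "__main__":
    print("injector:", api_indicators(INJECTOR_SAMPLE))
    print("cheat:   ", api_indicators(CHEAT_SAMPLE))
```

Note that the shared APIs contribute nothing to the verdict: a cheat that only reads game memory legitimately imports ReadProcessMemory, which is exactly why the table marks it present on both sides.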

Swift.exe: Proven Loader Chain, Cautious Attribution

mugiwaraDr

GitHub username. Account ID 141640030. Created Aug 2023.

Swift-Executor

40-star repo used as a Roblox executor lure.

Best-supported finding

Stage 1 Go dropper -> fake dllhost.exe loader -> encrypted embedded payload.

Pastebin stage -> second-stage EXE -> fake dllhost.exe / COM Surrogate

Recovered chain evidence:

  • Hardcoded staging URL: pastebin.com/raw/QKQwYyHd
  • Detection: 51/76 engines (67.1%)
  • Malicious chain proven

kernel evidence

BlackBone.sys: Kernel-Level Injection

Kernel API Surface (98 imports)

BlackBoneDrv10.sys imports

// Memory manipulation
ZwAllocateVirtualMemory
ZwProtectVirtualMemory
MmCopyVirtualMemory
MmMapLockedPagesSpecifyCache

// Process injection
KeInitializeApc
KeInsertQueueApc
PsCreateSystemThread

// Internal routines (strings)
BBInjectDll
BBApcInject
BBMapUserImage
BBExecuteInNewThread
BBAllocateFreeMemory
                

Set-Up.exe: 800MB Null-Byte Padding

hex analysis

File size:     841,247,745 bytes (802 MB)
PE content:    2,386,944 bytes  (2.28 MB)
Overlay:       838,860,801 bytes (800 MB)
Overlay data:  0x00 0x00 0x00 ... (null)

# Purpose: evade sandbox upload limits
# After stripping: 17/72 detections
# ANY.RUN: Vidar/Stealc stealer
# Original PE name: encouraging.exe
# Branding: fake Steam client
                

Dynamic analysis on ANY.RUN confirmed C2 POST requests with Stealc/Vidar headers and Chrome credential harvesting across 40 spawned processes.
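The null-byte overlay is measurable from the PE headers alone: the section table tells you where the last section's raw data ends, and everything past that offset is overlay. The following is an added example, not the study's tooling. It parses only the fields needed (e_lfanew, NumberOfSections, SizeOfOptionalHeader, each section's SizeOfRawData and PointerToRawData), reports whether the overlay is nothing but zeros, and strips it so the sample fits upload limits for a rescan. build_sample_pe() is a constructed minimal PE32+ image used as input; the real Set-Up.exe is not reproduced here.

```python
import struct


def pe_content_end(data: bytes) -> int:
    """Offset just past the last section's raw data. Anything after it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections                  # at minimum the headers themselves
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def analyse_overlay(data: bytes) -> dict:
    """Measure the overlay and flag an all-zero one. A legitimate overlay (Authenticode
    signature, installer archive) has structure; padding to beat upload limits does not."""
    end = pe_content_end(data)
    overlay = data[end:]
    is_null = len(overlay) > 0 and overlay.count(0) == len(overlay)
    return {"file_size": len(data), "pe_content": end,
            "overlay": len(overlay), "null_padding": is_null}


def strip_null_padding(data: bytes) -> bytes:
    """Return the image without a null-only overlay; real overlays are left untouched."""
    info = analyse_overlay(data)
    return data[:info["pe_content"]] if info["null_padding"] else data


def build_sample_pe(padding: int) -> bytes:
    """Constructed minimal PE32+ image: one 0x200-byte .text section, then `padding` nulls."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after DOS header
    opt_size = 0xF0                                         # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    raw_ptr = (64 + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF  # first 0x200-aligned slot after headers
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * 0x200 + bytes(padding)


if __name__ == "__main__":
    sample = build_sample_pe(4096)
    print(analyse_overlay(sample))
    print("stripped to", len(strip_null_padding(sample)), "bytes")
```

For a real 800 MB file, read the overlay in chunks (or via mmap) instead of slicing it into memory; the header parsing itself only needs the first few kilobytes.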

loader analysis

Cs2Hack.exe: Custom Loader Package

Loader Logic Exposed by Symbols

go tool nm / strings

main.parsePE
main.resolveImports
main.processRelocations
main.Virtual_Alloc
main.getExportByOrdinal
main.Trick

# Static imports:
VirtualAlloc
LoadLibraryExW
GetProcAddress
                

Transformed PE-Like Companion Payloads

companion file triage

Cs2Hack/
  Cs2Hack.exe          # Go custom loader
  AcXtrnal.dll         # MZ + DOS stub + Rich
  libavif-16.dll       # MZ + DOS stub + Rich
  vstdlib_s.dll        # shifted PE-like blob
  i2j9S2Mrl3BV         # duplicated 50 MB blob

Interpretation:
transformed PE-like payload containers
for manual in-memory loading
                

Best claim: a custom Go loader package paired with intentionally transformed PE-like payload blobs.
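The companion-file triage above rests on header landmarks: an intact MZ/PE pair, an MZ header and DOS stub (with a Rich marker) whose NT headers are missing or unreachable, or PE landmarks that only appear at a non-zero offset because bytes were prepended. The following is an added example, not the study's tooling, that assigns those labels and flags byte-identical duplicates within a package. The package built by build_demo_package() is constructed; the file names are generic stand-ins, not the Cs2Hack files.

```python
import hashlib
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def classify_header(data: bytes) -> str:
    """Labels: 'pe' (MZ + valid PE signature), 'mz-dos-stub-rich' (MZ and DOS stub present,
    Rich marker seen, NT headers unreachable), 'mz-no-pe', 'shifted-pe-like' (PE landmarks
    found at a non-zero offset, i.e. bytes prepended), or 'opaque' (no landmarks at all)."""
    if data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
        if 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        if b"Rich" in data[:0x400]:          # Rich header sits between the DOS stub and NT headers
            return "mz-dos-stub-rich"
        return "mz-no-pe"
    for landmark in (DOS_STUB_MSG, b"PE\0\0"):
        if data.find(landmark) > 0:
            return "shifted-pe-like"
    return "opaque"


def triage_package(files: dict) -> dict:
    """Label every companion file and mark byte-identical duplicates by SHA-256."""
    seen, out = {}, {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        label = classify_header(data)
        if digest in seen:
            label += " (duplicate of %s)" % seen[digest]
        else:
            seen[digest] = name
        out[name] = label
    return out


def build_demo_package() -> dict:
    """Constructed package: a valid loader, a stub-only DLL, the same stub shifted by 16
    prepended bytes, and a duplicated opaque blob."""
    mz = bytearray(0x80)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x80)
    loader = bytes(mz) + b"PE\0\0" + bytes(0x100)
    stub_only = bytearray(0x200)
    stub_only[:2] = b"MZ"
    struct.pack_into("<I", stub_only, 0x3C, 0x100)        # e_lfanew points at zeros, no PE sig
    stub_only[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    stub_only[0x90:0x94] = b"Rich"
    blob = b"\xAA\x55" * 32
    return {
        "loader.exe": loader,
        "companion_a.dll": bytes(stub_only),
        "companion_b.dll": bytes(16) + bytes(stub_only),
        "blob_a": blob,
        "blob_b": blob,
    }


if __name__ == "__main__":
    for name, label in triage_package(build_demo_package()).items():
        print(f"{name:16} {label}")
```

A "shifted-pe-like" or "mz-dos-stub-rich" label is the cue to hand the file to a loader-aware analyst rather than a signature scanner, since nothing about it will parse as a PE until the loader's own transformation is reversed.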

Conclusions

Implications & future work

Key Findings Summary

RQ1: Prevalence

6.5% of samples contained confirmed malware. 13.5% showed threat intelligence signals when including suspicious detections. Infostealers were the dominant threat category identified.

RQ2: Categories

Four malware categories identified: infostealer / loader chains, kernel injectors, custom multi-stage loaders, and cheat framework DLLs with memory manipulation.

RQ3: Social Engineering

Accompanying content instructed users to disable security controls and grant administrator privileges. YouTube distribution used sophisticated evasion techniques including null-byte padding and content lockers. Discord servers enabled secondary payload delivery.

final data

Final Classification Outcomes (n=554)

1 in 5

source packages contained at least one flagged file

13.54%

total TI signal (malicious + suspicious combined)

13.18%

unseen by any TI platform (classification blind spot)

Classification: Malicious (5+ engines) | Suspicious (1-4 engines) | Benign (0 detections, VT indexed) | Unknown (not in VT or MB)
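The four-way classification above, and the package-level and corpus-level percentages derived from it, can be written as a small scoring function. The following is an added example, not the study's code. The record shape (vt_indexed, detections as a count of distinct engines, mb_match, package) is this example's own assumption and does not model VirusTotal's real response schema; treating a MalwareBazaar hit as Malicious is also an assumption, since the slide only defines the threshold in terms of AV engines. The records are constructed.

```python
MALICIOUS_THRESHOLD = 5   # >= 5 distinct engines, per the slide's classification threshold


def classify(rec: dict) -> str:
    """Assumed record fields: vt_indexed (bool), detections (int), mb_match (bool)."""
    if rec.get("mb_match"):
        return "Malicious"       # assumption: a curated-repository hit counts as confirmed
    if not rec.get("vt_indexed"):
        return "Unknown"         # not in VT or MB: the classification blind spot
    if rec["detections"] >= MALICIOUS_THRESHOLD:
        return "Malicious"
    if rec["detections"] >= 1:
        return "Suspicious"
    return "Benign"


def summarize(records: list) -> dict:
    """Corpus counts, total TI signal (malicious + suspicious), blind spot, and the share of
    source packages with at least one flagged file."""
    n = len(records)
    counts = {"Malicious": 0, "Suspicious": 0, "Benign": 0, "Unknown": 0}
    flagged, packages = set(), set()
    for rec in records:
        label = classify(rec)
        counts[label] += 1
        packages.add(rec["package"])
        if label in ("Malicious", "Suspicious"):
            flagged.add(rec["package"])
    pct = lambda k, total: round(100.0 * k / total, 2)
    return {
        "counts": counts,
        "ti_signal_pct": pct(counts["Malicious"] + counts["Suspicious"], n),
        "blind_spot_pct": pct(counts["Unknown"], n),
        "packages_with_flag_pct": pct(len(flagged), len(packages)),
    }


def rec(package, vt_indexed, detections, mb_match=False) -> dict:
    return {"package": package, "vt_indexed": vt_indexed,
            "detections": detections, "mb_match": mb_match}


# Constructed lookup results for ten hashes across five source packages.
SAMPLE_RECORDS = [
    rec("pkg-A", True, 51), rec("pkg-A", True, 0),
    rec("pkg-B", True, 2),  rec("pkg-B", False, 0),
    rec("pkg-C", True, 0),  rec("pkg-C", True, 0),
    rec("pkg-D", False, 0, mb_match=True),
    rec("pkg-E", True, 0),  rec("pkg-E", True, 4), rec("pkg-E", False, 0),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

The package-level figure matters because a user downloads a whole repository or archive, not one hash: a single flagged file in a package is enough to compromise anyone who installs it.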

social engineering

Social Engineering Indicators

Security Control Bypass Patterns

README.md / installation guides

# Common instructions found in packages:

"Disable Windows Defender before running"
"Add exception to antivirus folder"
"Run as Administrator"
"Turn off Real-Time Protection"
"Allow through Windows Firewall"

# Trust signals:
"Verified by VirusTotal" (false claim)
"Open source and safe"
"Used by 10,000+ players"
                

Risk Level Distribution

Critical: contains confirmed infostealer + AV bypass instructions + secondary delivery channel (Discord/Telegram)
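The bypass instructions and false trust signals listed above are text patterns, so they can be scanned for in a package's README before anyone reads it. The following is an added example, not the study's code: it matches those instruction classes with regular expressions, detects a secondary delivery channel (Discord or Telegram invite link), and applies the Critical definition from the slide. The tiers below Critical are this example's own assumption. The two README texts are constructed; the invite link is a placeholder.

```python
import re

# Instruction classes taken from the slide's README / installation guide findings.
BYPASS_PATTERNS = {
    "disable_av": re.compile(r"\b(disable|turn off)\b.*\b(defender|antivirus|anti-virus|real-?time protection)\b", re.I),
    "av_exclusion": re.compile(r"\b(add|whitelist)\b.*\b(exception|exclusion)\b", re.I),
    "run_as_admin": re.compile(r"\brun as administrator\b", re.I),
    "firewall_allow": re.compile(r"\ballow\b.*\bfirewall\b", re.I),
}
TRUST_PATTERNS = {
    "false_vt_claim": re.compile(r"verified by virustotal", re.I),
    "safe_claim": re.compile(r"\b(open source and safe|100% safe|undetected)\b", re.I),
    "popularity_claim": re.compile(r"\bused by \d[\d,]*\+? players\b", re.I),
}
SECONDARY_CHANNEL = re.compile(r"(discord\.gg/|discord\.com/invite/|t\.me/)\S+", re.I)


def scan_readme(text: str) -> dict:
    """Which bypass instructions, trust signals and delivery channels a README contains."""
    return {
        "bypass": [k for k, p in BYPASS_PATTERNS.items() if p.search(text)],
        "trust_signals": [k for k, p in TRUST_PATTERNS.items() if p.search(text)],
        "secondary_channel": bool(SECONDARY_CHANNEL.search(text)),
    }


def risk_level(readme: dict, confirmed_infostealer: bool) -> str:
    """Critical as defined on the slide: confirmed infostealer + AV bypass instructions +
    secondary delivery channel. Lower tiers are this example's own ordering (assumption)."""
    if confirmed_infostealer and readme["bypass"] and readme["secondary_channel"]:
        return "Critical"
    if confirmed_infostealer:
        return "High"
    if readme["bypass"]:
        return "Medium"
    return "Low"


# Constructed README texts; the Discord link is a placeholder, not a real invite.
SAMPLE_README = """# Example Executor
1. Disable Windows Defender before running (false positive!)
2. Run as Administrator
Verified by VirusTotal - 100% safe
Join our Discord for updates: https://discord.gg/EXAMPLE-INVITE
"""
BENIGN_README = "Build with cmake and run the tests. Report bugs on the issue tracker.\n"


if __name__ == "__main__":
    findings = scan_readme(SAMPLE_README)
    print(findings, risk_level(findings, confirmed_infostealer=True))
```

Pairing the README scan with the multi-engine verdict is what separates a merely pushy cheat from a Critical package: the instructions alone are common in the greyware population, but together with a confirmed stealer and an off-platform channel they describe the full cheat-to-malware pipeline.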

Thank You

odimid01218@stud.noroff.no

Bachelor in Cyber Security | Noroff University College

Supervisor: Barry Irwin | May 2026