
Cybercriminals are exploiting the recent launch of Battlefield 6, distributing info-stealers and command-and-control (C2) agents via fake cracked versions and bogus game trainers.
These files are circulating across torrent sites and sketchy download portals, masquerading as legitimate software to deceive unsuspecting users.
Bitdefender Labs identified three distinct malware samples weaponizing the popularity of Battlefield 6, a major title released by Electronic Arts (EA) in October 2025. Known for its high-stakes multiplayer gameplay and strong fanbase, the game has quickly become a lucrative bait for cybercriminals seeking to exploit the gaming community's interest.
Attackers have mimicked well-known warez groups like RUNE and InsaneRamZes, both respected names in game-cracking circles, to lend legitimacy to the malicious downloads. These impersonated releases are especially convincing to users who may not know the status of actual cracks for multiplayer-heavy games like Battlefield 6, which are typically difficult to bypass due to anti-piracy mechanisms.
Bitdefender analyzed three different samples, each employing distinct tactics:
- Fake trainer info-stealer (flingtrainer[.]io)
One of the samples pretends to be a Battlefield 6 game trainer, a type of utility that alters in-game parameters, often sought out by players looking for advantages like infinite ammo or invincibility. This malware, promoted through the site flingtrainer[.]io, uses the name “FLiNG,” which has been stolen from a legitimate trainer developer to increase credibility.
Despite its basic structure and lack of obfuscation, the executable aggressively targets browser-stored credentials, crypto-wallet data, and Discord session tokens. Affected browsers include Chrome, Edge, Firefox, Opera, Brave, and even lesser-known ones like WaveBrowser. The stolen data is exfiltrated over plaintext HTTP to IP address 198[.]251[.]84[.]9, making no attempt to encrypt or hide traffic, suggesting a wide-net, mass-harvesting approach.
- “Battlefield 6.GOG-InsaneRamZes”
Another sample, distributed under the name “Battlefield 6.GOG-InsaneRamZes,” demonstrates a more advanced and stealth-oriented design. The malware avoids execution on systems using Russian or CIS (Commonwealth of Independent States) locales, a tactic often used by threat actors based in those regions to avoid legal repercussions.
Technically, the malware includes API call obfuscation using hashed strings and anti-sandbox techniques like GetTickCount() timing checks to detect virtualized analysis environments. Additionally, embedded references to developer tools like CockroachDB, Postman, and BitBucket suggest it may be targeting software developers specifically, likely in search of API keys or database credentials.
- “Battlefield 6 V4.8.8 DLCs”
The third sample comes packaged as an ISO file containing a large executable with a compressed DLL payload. Upon execution, the malware drops and silently runs a DLL via regsvr32.exe using the /i flag to invoke the DllInstall function. The DLL attempts to reach out to ei-in-f101[.]1e100[.]net, a domain associated with Google, likely used as a smokescreen for its command-and-control traffic.
Though the C2 server did not respond during analysis, the architecture clearly supports remote command execution and persistent control of infected systems, making it the most potent of the three samples.
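A defender-side sketch of how the third sample's regsvr32 behaviour could be hunted in process-creation logs, added here as an example and not taken from Bitdefender's report. It flags regsvr32 runs that use /i against a DLL in a user-writable directory. The event records, file names and directory list are constructed assumptions, and /s is assumed to be the switch behind the "silent" execution, since the article names only /i.

```python
import re

# Locations a dropper can write to without admin rights (assumed list; tune per environment).
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
TRUSTED_PARENT = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # keeps "quoted paths" as one token

def parse_regsvr32(cmdline):
    """Return (switches, dll_paths) for a regsvr32 command line, else None."""
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    if not tokens or not re.search(r"(^|\\)regsvr32(\.exe)?$", tokens[0], re.I):
        return None
    switches, dlls = set(), []
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            switches.add(tok[1:].split(":", 1)[0].lower())  # "/i:args" -> "i"
        else:
            dlls.append(tok)
    return switches, dlls

def detect(events):
    """Flag regsvr32 runs that call DllInstall (/i) on a DLL in a user-writable path."""
    hits = []
    for ev in events:
        parsed = parse_regsvr32(ev["cmdline"])
        if parsed is None:
            continue
        switches, dlls = parsed
        if "i" not in switches or not any(USER_WRITABLE.search(d) for d in dlls):
            continue
        reasons = ["/i on DLL in user-writable path"]
        if "s" in switches:
            reasons.append("/s silent")
        if not TRUSTED_PARENT.search(ev["parent"]):
            reasons.append("parent outside Windows/Program Files")
        hits.append((ev["pid"], reasons))
    return hits

# Constructed process-creation events (shape loosely follows Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"pid": 4312, "parent": r"D:\setup.exe",
     "cmdline": r'regsvr32.exe /s /i "C:\Users\alice\AppData\Local\Temp\payload.dll"'},
    {"pid": 5120, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\scrrun.dll'},
    {"pid": 5188, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /n /i:user "C:\Program Files\Vendor\shellext.dll"'},
    {"pid": 6001, "parent": r"C:\Windows\explorer.exe", "cmdline": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The two installer-driven registrations in the sample data are not flagged, which is why the rule requires /i together with a user-writable DLL path, not either signal on its own.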
Bitdefender noted that the malicious trainer appeared on the second page of Google search results for “Battlefield 6 trainer,” making it easily accessible to curious gamers. Meanwhile, torrent distributions have hundreds of active seeders and leechers, indicating a significant number of potential victims.
Users should avoid downloading pirated games, mods, or trainers from unofficial sources, particularly during high-profile game launches. Even if the file appears to come from a well-known cracking group or trainer developer, its authenticity cannot be guaranteed.






