The developer behind the popular EvolvedAim cheat for the game “Escape From Tarkov” has been exposed for embedding an information stealer in his product, harvesting sensitive data from the very users who paid for it. The damage reaches well beyond the cheating community, since the stolen credentials and cookies belong to whatever accounts those users held.
Escape From Tarkov is a realistic hardcore military simulator game that has gained significant popularity since its release, attracting an estimated player base of around 14.7 million.
Discovery and analysis
The discovery was initiated by EDP, owner of a major forum dedicated to Tarkov cheats and bots, who noticed suspicious activity on his accounts. The developer of EvolvedAim, known as Mythical, had been selling the cheat on EDP's forum, with the two sharing profits for nearly a year. A dispute over profit shares led EDP to look more closely at the product and uncover its malicious behaviour, prompting a deeper investigation.
CyberArk researchers conducted a technical analysis of EvolvedAim, revealing that it was written in Python 3.10 and packaged as an executable with PyInstaller. Using pyinstxtractor to unpack the bundle and pycdc and pycdas to decompile and disassemble the embedded bytecode, they managed to recover the program logic despite the difficulties that newer Python versions pose for decompilers.
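The first triage step in an analysis like this is confirming that a suspicious executable is a PyInstaller bundle and which Python version built it, because that decides which decompiler can handle the bytecode (uncompyle6 and decompyle3 stop at 3.8; 3.10 needs pycdc). PyInstaller's bootloader appends a fixed 88-byte cookie to the executable that carries exactly this information. The following is an added example, not code from the CyberArk report or from pyinstxtractor: it decodes that cookie from a constructed stand-in for a bundled EXE (the fake PE stub, overlay and `python310.dll` name are all made up here; the cookie layout is the bootloader's own struct).

```python
import struct

# PyInstaller CArchive cookie written by the bootloader (PyInstaller 2.1 and later):
#   char magic[8]; uint32 len; uint32 TOC; uint32 TOClen; int pyvers; char pylibname[64];
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIIi64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Locate and decode the CArchive cookie in an executable image.

    Returns None when no PyInstaller magic is present. The cookie normally sits at
    the very end of the file, but a code signature or other trailing data may follow
    it, so the magic is searched for from the end rather than assumed at a fixed offset.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Newer bootloaders encode the version as major*100+minor (310 for 3.10);
    # older ones used major*10+minor (27 for 2.7).
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyver: int = 310, libname: bytes = b"python310.dll") -> bytes:
    """Constructed stand-in for a PyInstaller-built EXE: a fake PE stub, a fake
    overlay, then a genuine-format cookie. Only the cookie layout is real."""
    stub = b"MZ" + b"\x00" * 62 + b"fake PE image for illustration"
    overlay = b"\x00" * 200
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(overlay) + COOKIE_SIZE,
                         150, 40, pyver, libname)
    return stub + overlay + cookie


if __name__ == "__main__":
    info = find_pyinstaller_cookie(build_sample())
    print(info)  # python_version '3.10' -> use pycdc/pycdas, not uncompyle6
```

On a real sample you would read the file bytes in place of `build_sample()`; a `python_version` of 3.9 or above is the signal that the classic decompilers will fail and a bytecode-level tool such as pycdc/pycdas is needed, which is the situation CyberArk describes for this 3.10 bundle.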
The analysis revealed four concurrent threads running within the cheat, two of them benign and two malicious. The malicious threads, given innocuous-looking names, were responsible for collecting user information and exfiltrating it.
Upon execution, EvolvedAim began stealing information immediately, before the user had even entered a license key. The threads named “discord_to_bot” and “run_antivm” carried out the bulk of the malicious activity.
Sensitive information belonging to Escape From Tarkov players, including passwords, browser cookies, crypto wallet files, Discord data, and screenshots, was collected and uploaded to Mega.nz, a file hosting service. The malware also used Discord webhooks to notify the attacker once an upload had completed.
Additionally, EvolvedAim had a rudimentary command-and-control channel that let the attacker stop the game process, delete or retrieve files, and establish persistence on infected machines.
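The exfiltration pattern described in the two paragraphs above (bulk uploads to Mega.nz followed by a Discord webhook notification, all from a process that is not the Discord client) is easy to spot in outbound proxy or firewall logs once you look for it. The following is an added triage example, not code or data from the CyberArk analysis: the log lines are constructed for illustration, in an assumed `<timestamp> <process> <method> <url> <bytes_out>` format, and the process name, webhook ID and token are invented. The URL shapes themselves are real: Discord webhooks always live under `/api/webhooks/<numeric id>/<token>`, and Mega's API and upload hosts sit under `mega.co.nz`.

```python
import re

# Constructed proxy log excerpt for illustration (not real traffic).
# Assumed format: "<timestamp> <process> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2023-07-01T20:11:02Z EscapeFromTarkov.exe GET https://launcher.escapefromtarkov.com/launcher/GetLauncherDistrib 512
2023-07-01T20:11:05Z EvolvedAim.exe POST https://g.api.mega.co.nz/cs 1840
2023-07-01T20:11:06Z EvolvedAim.exe POST https://gfs302n121.userstorage.mega.co.nz/ul/AbC123xyz 4193304
2023-07-01T20:11:09Z EvolvedAim.exe POST https://discord.com/api/webhooks/1122334455667788990/hypothetical-token_value 640
2023-07-01T20:12:00Z Discord.exe GET https://discord.com/api/v9/users/@me 300
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
# Discord webhook URLs: /api/webhooks/<numeric id>/<token> on any Discord front end
WEBHOOK_RE = re.compile(
    r"https://(?:(?:ptb\.|canary\.)?discord\.com|discordapp\.com)/api/webhooks/(\d+)/([\w-]+)"
)
# Mega.nz API (g.api.mega.co.nz) and per-upload storage hosts (*.userstorage.mega.co.nz)
MEGA_RE = re.compile(r"https://[^/\s]*mega\.(?:nz|co\.nz)/")


def parse_line(line: str):
    """Split one log line into fields; return None for lines not in the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, proc, method, url, out = m.groups()
    return {"ts": ts, "process": proc, "method": method, "url": url, "bytes_out": int(out)}


def triage(log_text: str, upload_threshold: int = 1_000_000):
    """Flag exfiltration-style traffic.

    Rules: any POST to a Discord webhook (webhooks are a bot/server feature; an
    end-user desktop process posting to one is a strong signal), and any Mega.nz
    traffic, escalated to 'mega_upload' when bytes_out exceeds the threshold.
    The webhook token is deliberately not stored in the finding, only its ID.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        base = {"ts": rec["ts"], "process": rec["process"], "url": rec["url"]}
        wh = WEBHOOK_RE.search(rec["url"])
        if wh and rec["method"] == "POST":
            findings.append({**base, "rule": "discord_webhook_post", "webhook_id": wh.group(1)})
        if MEGA_RE.match(rec["url"]):
            rule = "mega_upload" if rec["bytes_out"] >= upload_threshold else "mega_api"
            findings.append({**base, "rule": rule, "bytes_out": rec["bytes_out"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["process"], f["rule"], f["url"])
```

The sequence the rules surface here (a small Mega API call, a multi-megabyte upload to a storage host, then a webhook POST a few seconds later, all from the same non-Discord process) is the exact upload-then-notify flow the analysis describes. A practical follow-up: because a Discord webhook URL embeds its own token, whoever captures that URL can delete the webhook with an unauthenticated HTTP DELETE to the same URL, cutting off the attacker's notifications.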
Impact and recommendations
Given the size of the game's player base, EvolvedAim's users, primarily young adults, represent a significant pool of stolen data. The theft poses not only a personal risk to the affected individuals but also a potential threat to their employers if the same machines were also used for work, since the harvested passwords and browser cookies would include any corporate accounts used on them.
Following the exposure, EDP and other forum owners warned users about EvolvedAim and banned Mythical from their platforms. The EvolvedAim service has since been shut down, with its Discord server closed and operations ceased.
This incident serves as a stark reminder of the risks associated with using cheats and cracked software.
Escape From Tarkov players are advised to:
- Avoid using cheats, cracked software, and anything not digitally signed by a reputable publisher.
- Use security software to scan their systems and remove any threats found.
- Change passwords, particularly those saved in the browser, and enable two-factor authentication. Note that stolen session cookies let an attacker into an account without either the password or the second factor, so active sessions should be revoked as well.
- Be cautious about entering sensitive information on devices used for gaming.