Cheaters never win: large-scale campaign targets gamers who cheat with StealC and cryptojacking

September 4, 2025 Ari Novick


A sprawling cyber campaign is turning gamers’ hunger to gain an edge into a massive payday for threat actors who are leveraging over 250 malware samples to steal credentials and cryptocurrencies. The operation has already netted wallets containing more than US$135,000.

In this blog post, we delve into a specific infection instance, explore its mechanisms, and share indicators of compromise (IoCs).

Introduction – an unusual campaign

The StealC group is a malware as a service (MaaS) group that provides access to their infostealer malware for various periods of time at varying prices. From what we’ve observed, most of the StealC group’s customers buy access for a month and only create a small handful of samples. In contrast, the threat actors from this campaign seem to have purchased longer access of at least three months. Additionally, we’ve observed significantly more builds being created in this campaign compared to others. Not everything they do is unusual, though. Like other threat actors, they are targeting gamers and more specifically, gamers who cheat.

Another unusual thing about this campaign is the use of StealC’s loader capabilities. StealC can be configured to double as a loader-type malware and download secondary payloads from a C2 server (doesn’t have to be the same as the first server). Once again, it appears that not many threat actors use this feature. Still, the ones running the current campaign do use the loader capability to download what appears to be a custom lightweight cryptojacker, which is meant to steal cryptocurrencies from users on infected machines.

Infection chain

As stated, there seem to be multiple infection chains targeting gamers in this campaign. Previous reports have linked the website entrarium[.]live to malware distribution, and it appears to serve as one of the starting points in this campaign as well. The Entrarium site promotes various tools for modding and hacking different games, but in at least some cases it has been used as a malware distribution vector. Attempting to download one of these tools redirects the user to mega[.]nz, a file-sharing service that has been widely used by threat actors in previous malware distribution campaigns. Once on mega[.]nz, the victim has to manually download an archive called entrarium.zip containing the malware.


Figure 1 Infection Chain

Figure 2 Entrarium website

The image shown above is a screenshot captured from the publicly accessible Entrarium website (entrarium[.]live) at the time of research. It is used strictly for educational, security research, and informational purposes.

After downloading and unzipping the archive, the victim ends up with several different files. Notably, in our case, the single exe file — setup.exe — was, in fact, StealC wrapped in a packer. Since we first saw the archive on VirusTotal, we can’t be sure which specific tool led to the infection. However, the attached PDB file provides a clue. A (now deleted) GitHub repository is linked to in the PDB: https://raw.githubusercontent.com/Riz-ve/Xeno/87ae4f96f8a0927052c1120167982fb069afd1b4/*

This alone wouldn’t be enough, but some quick Googling turned up a Reddit thread in which someone forked the repository referenced in the PDB file and re-uploaded it after the original was deleted. The subreddit’s name, “r/robloxhackers”, suggests that the threat actors might be spreading StealC specifically through the “Roblox Executor” seen on the right in Figure 2.


Figure 3 Unzipped Entrarium folder

As a quick side note, we assume this infection chain likely starts with the Entrarium website because of the name of the zip file, which is consistent with the names of zip files downloaded through Entrarium. Still, looking at other archives that contain StealC samples using the same C2 server, we see names like Fortnite Hack.zip, Mod Menu V5.80.rar, and even a Roblox Executor.zip. These file names are inconsistent with how Entrarium names its zips, which is why we believe there are also other infection chains.

Plenty of other researchers have analyzed the StealC malware itself, so we’ll skip the analysis. Basically, it’s an infostealer targeting various browsers and applications. The main thing to mention is that the C2 server used for exfiltrating the stolen data is:

45[.]141[.]233[.]187

For some reason, this C2 uses two endpoints: /38a5d6b24dac26be.php and /7d1ca61c169b4862.php

The C2 is the original reason we looked at this campaign. Just by looking at one of the endpoints, we already had more than 250 communicating files on VirusTotal (see Figure 4). By reviewing the behavior of some of the samples, we observed another unusual thing about the campaign: the loader capabilities. Once StealC finishes stealing data from an infected machine, it asks the C2 server whether there is any loader functionality; the server responds with a second C2 server and two new binaries:

66[.]63[.]187[.]190/work/addon[.]exe

66[.]63[.]187[.]190/work/addon2[.]exe
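The two-stage traffic pattern described above (exfiltration to the first C2, then retrieval of the loader payloads from the second host) is something a defender can look for in proxy or DNS logs. The following is an added example, not code from the original post or from CyberArk Labs: it refangs the published network IoCs, matches them against a constructed proxy log (the log lines and their format are invented for the example), and summarises how far each client got. The stage names and the host-to-stage mapping are assumptions based on the post's description.

```python
import re
from typing import Dict, List, Set

# Network IoCs exactly as published, in defanged "[.]" notation.
DEFANGED_IOCS = [
    "45[.]141[.]233[.]187/38a5d6b24dac26be.php",   # StealC exfiltration C2
    "45[.]141[.]233[.]187/7d1ca61c169b4862.php",   # StealC exfiltration C2
    "66[.]63[.]187[.]190/work/addon[.]exe",        # loader stage: Defender exclusions
    "66[.]63[.]187[.]190/work/addon2[.]exe",       # loader stage: cryptojacker
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its literal form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def build_watchlist(defanged: List[str]) -> Dict[str, Set[str]]:
    """Map each C2 host to the set of URL paths published for it."""
    watch: Dict[str, Set[str]] = {}
    for ioc in defanged:
        host, _, path = refang(ioc).partition("/")
        watch.setdefault(host, set()).add("/" + path)
    return watch


# Constructed proxy log (not real traffic) in a simple space-separated format:
# <timestamp> <client-ip> <method> <host> <path> <status>
SAMPLE_LOG = """\
2025-08-19T10:01:02Z 10.0.0.5 GET www.example.com /index.html 200
2025-08-19T10:01:09Z 10.0.0.7 POST 45.141.233.187 /38a5d6b24dac26be.php 200
2025-08-19T10:01:40Z 10.0.0.7 GET 66.63.187.190 /work/addon.exe 200
2025-08-19T10:01:41Z 10.0.0.7 GET 66.63.187.190 /work/addon2.exe 200
2025-08-19T10:02:00Z 10.0.0.9 GET 66.63.187.190 /status 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$"
)

# Assumed mapping of C2 host to campaign stage, taken from the post's description.
STAGE_OF_HOST = {"45.141.233.187": "stealer", "66.63.187.190": "loader"}


def scan_log(text: str, watch: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per log line that touches a watched host.

    A request for a published C2 URL is rated "high"; any other request to a
    watched host is rated "medium", since the host itself is still hostile.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"] not in watch:
            continue
        exact = m["path"] in watch[m["host"]]
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": m["host"],
            "url": m["host"] + m["path"],
            "severity": "high" if exact else "medium",
        })
    return hits


def stage_by_client(hits: List[dict]) -> Dict[str, str]:
    """For each client with a high-confidence hit, report the furthest stage reached:
    'stealer' if only the exfiltration C2 was contacted, 'loader' if the
    secondary payload host was contacted as well."""
    stages: Dict[str, str] = {}
    for h in hits:
        if h["severity"] != "high":
            continue
        stage = STAGE_OF_HOST[h["host"]]
        if stage == "loader" or h["client"] not in stages:
            stages[h["client"]] = stage
    return stages


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS))
    for hit in found:
        print(hit)
    print(stage_by_client(found))
```

A client that reaches the "loader" stage has, per the post, already finished exfiltration and is about to receive the Defender-exclusion and cryptojacker payloads, so it deserves priority over a client that only touched the first C2.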


Figure 4 VirusTotal communicating files to C2

Figure 5 Decrypted C2 loader response

The first binary, addon, is packed with Themida, a popular packer used both legitimately and maliciously. The main functionality of the unpacked binary appears to be adding exclusions to Windows Defender. Notably, the excluded folders include Users, Windows, and ProgramData, which together cover a significant share of the file system locations in Windows. Excluding them is not that different from disabling Defender outright, without having to run a far more suspicious command that actually turns Defender off.
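Because the exclusions are broad rather than targeted, the defensive check is simple: flag any Defender path exclusion that equals, or is an ancestor of, a sensitive root. The following is an added example written for this post, not code from the original article or from CyberArk Labs. It assesses a list of exclusion strings in the form that `(Get-MpPreference).ExclusionPath` returns; the sample list is constructed, and the policy list of sensitive roots (the three folders named above plus the drive root) is my own assumption.

```python
from pathlib import PureWindowsPath
from typing import List, Tuple

# Locations a path exclusion should essentially never cover. This policy list is
# an assumption built from the folders named in the post plus the drive root.
SENSITIVE_ROOTS = ["C:\\", "C:\\Users", "C:\\Windows", "C:\\ProgramData"]

# Constructed sample of what (Get-MpPreference).ExclusionPath might return on a
# machine where the addon stage has run (first three entries), alongside a
# narrow, legitimate-looking exclusion and a wildcard form.
SAMPLE_EXCLUSIONS = [
    "C:\\Users",
    "C:\\Windows",
    "C:\\ProgramData",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\build",
    "C:\\Users\\*",
]


def normalize(path: str) -> PureWindowsPath:
    """Strip quotes/whitespace and a trailing '*' wildcard, so 'C:\\Users\\*' is judged as 'C:\\Users'."""
    p = PureWindowsPath(path.strip().strip('"'))
    if p.name == "*":
        p = p.parent
    return p


def covers(exclusion: str, root: str) -> bool:
    """True if the exclusion equals the root or is one of its ancestors.

    PureWindowsPath compares case-insensitively, matching NTFS semantics.
    """
    e, r = normalize(exclusion), normalize(root)
    return e == r or e in r.parents


def assess_exclusions(exclusions: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (exclusion, [sensitive roots it covers]) for every over-broad entry."""
    findings = []
    for ex in exclusions:
        covered = [root for root in SENSITIVE_ROOTS if covers(ex, root)]
        if covered:
            findings.append((ex, covered))
    return findings


if __name__ == "__main__":
    for exclusion, roots in assess_exclusions(SAMPLE_EXCLUSIONS):
        print(f"over-broad exclusion {exclusion!r} covers {roots}")
```

On a live host the same list can be pulled with `(Get-MpPreference).ExclusionPath`, and each change to the exclusion list is also recorded as Event ID 5007 ("antimalware platform configuration changed") in the Microsoft-Windows-Windows Defender/Operational log, which gives a timestamp to pivot from when one of these over-broad entries turns up.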

The second binary, addon2, is the cryptojacker. It’s a lightweight .NET binary likely obfuscated with some version of ConfuserEx. Luckily, using de4dot, we were able to quickly deobfuscate it.

The binary itself isn’t especially exciting. However, one thing of interest is that it copies itself to a secondary location, where it masquerades as a legitimate Windows binary known as UserOOBEBroker.exe and places itself specifically in a folder called “oobe.{D20EA4E1-3957-11D2-A40B-0C5020524153}”. At first glance this might seem like nothing special, but this specific GUID has an interesting effect. Opening the folder in File Explorer shows the contents of the “Windows Tools” folder from the Control Panel, whereas the dir command in cmd (or ls in PowerShell) shows the UserOOBEBroker file (see Figure 6). This is rather unexpected behavior and a clever way to have the system itself hide the malicious file. As far as we can tell, it is a feature of Windows known as virtual folders or shell folders: appending a specific CLSID to a folder name makes Explorer treat the folder as that shell namespace object and open it instead of the real directory, while command-line tools that go through the plain file system API still see the actual contents. Another GUID with a similar effect is {2227A280-3AEA-1069-A2DE-08002B30309D}, which redirects to the printer settings.


Figure 6 oobe.{D20EA4E1-3957-11D2-A40B-0C5020524153} contents in file explorer (right) compared with cmd (left)
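Since the trick only fools Explorer and not the file system API, a hunt can simply walk the disk for directories whose name ends in ".{CLSID}" and list the executables inside them. The following is an added example, not code from the original post or from CyberArk Labs. It builds a throwaway directory tree that mimics the layout described (the tree, its location and the placeholder file contents are constructed; the post does not give the real drop path) and scans it; only the two CLSIDs named in the post are labelled, anything else is reported as unknown.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List

# A folder name ending in ".{CLSID}" is what makes Explorer open a shell
# namespace object instead of the directory itself.
CLSID_SUFFIX = re.compile(r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")

# The two CLSIDs named in the post; anything else is reported as "unknown".
KNOWN_CLSIDS = {
    "{D20EA4E1-3957-11D2-A40B-0C5020524153}": "Windows Tools (Administrative Tools)",
    "{2227A280-3AEA-1069-A2DE-08002B30309D}": "Printers",
}

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def find_clsid_folders(root: str) -> List[dict]:
    """Walk `root` and report every CLSID-suffixed directory with the executables it hides."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            m = CLSID_SUFFIX.search(name)
            if not m:
                continue
            folder = Path(dirpath) / name
            clsid = m.group(1).upper()
            # os.listdir goes through the file system API, so, like `dir`, it sees
            # the real contents rather than the shell folder Explorer would show.
            executables = sorted(
                f for f in os.listdir(folder) if Path(f).suffix.lower() in EXEC_EXTENSIONS
            )
            findings.append({
                "path": str(folder),
                "clsid": clsid,
                "resolves_to": KNOWN_CLSIDS.get(clsid, "unknown"),
                "executables": executables,
            })
    return findings


def build_sample_tree() -> str:
    """Create a constructed, throwaway tree with one hidden-by-CLSID folder and one normal folder."""
    base = tempfile.mkdtemp(prefix="clsid-demo-")
    hidden = Path(base) / "profile" / "oobe.{D20EA4E1-3957-11D2-A40B-0C5020524153}"
    hidden.mkdir(parents=True)
    # Placeholder bytes standing in for the copied cryptojacker; not a real binary.
    (hidden / "UserOOBEBroker.exe").write_bytes(b"MZ placeholder, not a real binary")
    normal = Path(base) / "profile" / "Documents"
    normal.mkdir(parents=True)
    (normal / "notes.txt").write_text("nothing to see here")
    return base


if __name__ == "__main__":
    for finding in find_clsid_folders(build_sample_tree()):
        print(finding)
```

Run against user profile roots on a Windows host, the scan surfaces exactly the folders that Explorer would render as Windows Tools or Printers; a hit whose CLSID is unknown, or whose contents include an executable named after a system binary, is worth pulling for analysis.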

That neat trick aside, once de4dot had deobfuscated the cryptojacker, it took us no time at all to find the cryptojacking functionality and the wallet addresses used. The threat actors don’t use many addresses, but they seem to have a decent success rate. As of August 19, 2025, the wallets held a total value of around US$139,405 (not quite as much as MassJacker, but still significant). However, we couldn’t access all the wallets, so the actual amount may be higher.


Figure 7 Cryptojacker wallets

Summary

This threat actor first caught our attention because of the large number of samples tied to a single C2, which also remained active for an unusually long time. From there, simply looking around on VirusTotal led to a lot of interesting findings. Still, not everything here is new. Targeting gamers, and more specifically those who cheat, is a common practice among threat actors. It’s like the old saying, “Cheaters never win, and winners never cheat.”

IoCs:

URLs:

45[.]141[.]233[.]187/38a5d6b24dac26be.php

45[.]141[.]233[.]187/7d1ca61c169b4862.php

66[.]63[.]187[.]190/work/addon[.]exe

66[.]63[.]187[.]190/work/addon2[.]exe

Hashes:

Entrarium.zip: D5C5D400B35DB2351856143ED7A1900E797F7037

Setup.exe: 1DED712E0BEA7AC58C8A7C27EFA88B443A165033

Addon.exe: D8C48A3206A61A1FDEAE9E2DA4306A4B94460C88

Addon2.exe: E23197A43C6C765882ABFDA0087464C7CE2223BC

StealC build IDs (partial list):

kenkaneki, fltlzt, pohuy, fuckluck, tigar, Banned, fuxwdx, witted, LJAGYX, MAMANKUNE, work13, porsche, MacTraxer, Alexxxx, bestworker7520654805, nootropum, temp_7745454979_1747924890

Wallets:

BTC1 – 1BwnGUw7gupnSkGW5h7PkGdoU3ueGx6dDU

BTC3 – 3LhTNWq4Nrox7jxMen68X4oKQ49wW7DmCK

BTCBC1 – bc1qc2fcu2dd56t4953t5tuxfjvmqlctek654hc3yw

ETH – 0x4B9804DE72bA9bbF54C146aa87e3198C31307a63

XMR4 – 48EzR9SzuqGf2S1gXVTkpEDrEhZ6WpJX3KKsG6ZxMi447nkY7LQeN4p7Ye13tkw7G3KGDKp5Q3C47ZUsQpsSXzA27tT3z82

XMR8 – 84v6huEzx6M11z8KGXSTsmW7yVNoPAPzXdqGZSXh41XbdNdggQANGrKRfgrvsPkPSjgdXtwuSx6hvZFSMRNuTfukKukSet4

XLM – GBE4NODBNW2X2EDIQ7633TJEWIOUPB4G57QCKCZQMVYFH5GXY57UEVVV

XLM-M – GBE4NODBNW2X2EDIQ7633TJEWIOUPB4G57QCKCZQMVYFH5GXY57UEVVV

XRP – rLqN1Qs3j3yRTcFBE9JzFa7S3jBiG7SmN5

LTC1 – ltc1q44zt4zy36hn0pj6m5zdq6vn2kjraj3nz4dp5lt

LTCLM – LdgrTc6D1fhwq9FJRjMEYhanFr7xNCSaaR

ADA – addr1q9zcu74fn3z6edylep0ny0twmc4cxvhnkynsmlz00rntfdf57s4k9n8hcaxmkvfr29l7d77t39jdevnehucv89um3l5qsv9qyp

ADA-Icarus – addr1q9zcu74fn3z6edylep0ny0twmc4cxvhnkynsmlz00rntfdf57s4k9n8hcaxmkvfr29l7d77t39jdevnehucv89um3l5qsv9qyp

ADA-Daedalus – addr1q9zcu74fn3z6edylep0ny0twmc4cxvhnkynsmlz00rntfdf57s4k9n8hcaxmkvfr29l7d77t39jdevnehucv89um3l5qsv9qyp

ZEC1 – t1LUZo1nwusdAiS4TobzmWUtJSUDBaPg67H

ZEC2 – t1LUZo1nwusdAiS4TobzmWUtJSUDBaPg67H

ZEC3 – t1LUZo1nwusdAiS4TobzmWUtJSUDBaPg67H

DOGE – DK6q4Jgad9g8NTMKuWJaovRBCxvKXMYzta

DASH – XdsJ9kCXdwZVHv87Xa9prVAZMpvq5TjtSM

TRON – TQETHLJsLwbRHLu7eezG3EybjmSq5vCfJt

COSMOS – cosmos13ynxkeafn4qj7cteaxf0y23pqcl0mc69w60t2j

BCH1 – bitcoincash:qqeyxy4qa6fkggnlrp5gwk3wjkk0gkqs8un44xn9ek

BCH2 – qqeyxy4qa6fkggnlrp5gwk3wjkk0gkqs8un44xn9ek

RONIN – ronin:4B9804DE72bA9bbF54C146aa87e3198C31307a63

TON – UQBOgUi5olEtv0tkYWIoqOKLbQn6GADh2HgnRtf_c3kBa4dM

TERRA – terra1me3jggucey2uf7u83rg9mlpxdyulh7m8tg8cl2

RVN – RAXhzSsZaeEXYNuvMRCj9nwmR8m4LCcDKm

XTZ – tz1WmfxpJgiTwxpmKNuHKr4Uq5J4tqKyYWR1

NANO – nano_1ssnfxr3yojd91habnabrrw366x6cian4ygfg783eemwkekb6aaawcgkmd1k

ZIL – zil1jqm0843n3c8p2x745tp3u8mpwdd78e8tmt3wrc

ALGO – 7SFOR4ZW5H5S275O2WNNLC3WEM4R6P74OK3FALSDLVA3WZX7UBVVJSR2QA

SOLANA – DGviuAtXwkNhoZJp2zVewVfh5DpMjucQVKm1dL5csisv

POLKADOT – 14G7JgNRdxiAxrVnR7MrqRPDuT76Jr6Q7uvgSYJZHE7LGRfS

– Ari Novick is a malware researcher at CyberArk Labs.
