
Hackers have created a fake 'Cthulhu World' play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware to unsuspecting victims.

As play-to-earn games rise in popularity, scammers and threat actors increasingly target these new platforms for malicious activities.

Such is the case with a new malware distribution campaign discovered by cybersecurity researcher iamdeadlyz, where threat actors created a whole project to promote a fake play-to-earn game called Cthulhu World.

To promote the "project", threat actors are sending direct messages to users on Twitter asking if they would like to perform a test of their new game. In return for testing and promoting the game, iamdeadlyz says that the threat actors promise a reward in Ethereum.

Twitter DMs promoting the fake P2E game (Source: iamdeadlyz)

When visiting the cthulhu-world.com site, which is now down, users are greeted with a well-designed website, containing information about the project and an interactive map of the game's environments.

Cthulhu World website

However, this site appears to be a clone of the legitimate Alchemic World project, which has been warning users to stay away from the fake project.

The Cthulhu World website has one big difference, however: clicking the arrow in the upper right-hand corner of the site brings the visitor to a webpage asking for a code to download the "alpha" test of the project.

The threat actors share these codes with prospective victims as part of their DM conversations on Twitter. A list of the access codes is also found in the site's source code, as shown below.

Access codes for the various downloads (Source: BleepingComputer)

Depending on the code entered, one of three files will be downloaded from Dropbox.

Download links embedded in the site source code (Source: BleepingComputer)

Each of the three files installs a different malware family, likely allowing the threat actors to pick and choose how they wish to target a particular user. The three malware families identified by AnyRun are AsyncRAT, RedLine Stealer, and Raccoon Stealer.

The website for Cthulhu World is currently down, but their Discord remains active. It is unclear who on this Discord is aware that the site is distributing malware, but some users clearly believe this is a legitimate project.

As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to find that some victims have already had their wallets cleaned out by this scam.

Victim's tweet

If you have visited Cthulhu-world.com and downloaded any of their software, you should immediately run an antivirus scan on your computer and remove anything detected.

Furthermore, as these malware infections steal your saved passwords, cookies, and crypto wallets, you should reset all passwords and create new wallets, then move your cryptocurrency into them.

Ultimately, though, the wisest course of action is to reinstall your operating system from scratch, as these malware infections provide full access to an infected computer, and other undetected malware may still be installed.
