Cybercriminals target Battlefield 6 players

By CybersecAsia editors | Thursday, November 27, 2025, 12:04 PM Asia/Singapore

Bitdefender Labs has identified malware campaigns exploiting the popularity of EA’s Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers, and fake game trainers across torrent websites and other easily found websites.

Battlefield 6, developed by DICE and published by Electronic Arts (EA), was released in October 2025, and it’s likely one of the largest game launches of the year.

Cybercriminals take advantage of major events to push their malware, and the release of a critically acclaimed title is a certain attack vector.

As soon as the game became available for download, criminals began spreading fake cracked versions of Battlefield 6 on torrent sites and underground forums.

These fake cracked games are actually infected installers and apps delivering stealers, advanced evasion payloads, and even command-and-control (C2) agents.

As a side note, there are real groups that routinely crack newly released games and their names are well known within the online community.

InsaneRamZes and RUNE are just two of the more popular ones right now, which is exactly why cybercriminals used their names in the fake releases, just like it could happen with legit brands.

However, users who search for pirated versions of Battlefield are not the only targets. Battlefield 6 players might look for something to give them an advantage, and attackers know this all too well. So, cybercriminals built game ‘trainers’ that promise to do just that, only they are designed to steal information.

Bitdefender’s analysis of three such samples has revealed attacks weaponizing the game’s popularity to compromise PCs and extract sensitive data.

Key findings

  • Multiple Battlefield 6 ‘cracks’ and ‘trainers’ circulate online, but none are functional.
  • The fake trainer is an aggressive infostealer, targeting browsers and crypto-wallets.
  • The InsaneRamZes pirated version shows advanced anti-analysis and regional evasion techniques.
  • The RUNE pirated version deploys a C2 agent capable of persistence and remote control.
  • The malware samples have no real Battlefield-related functionality and they are very likely from different groups.

Pirated versions of games have been around for years. Depending on the type of game and the protection used by the publishers, it’s not uncommon to see a pirated version of a title pop up online on the same day as the official release.

Games that integrate advanced protection and have a very heavy multiplayer component, such as Battlefield 6, take a longer time to pirate. But not everyone knows this and there will always be potential victims who believe they are actually downloading the pirated version of Battlefield 6.

Users might also notice that the pirated games are also accompanied by two names, InsaneRamZes and Rune. These are real groups that crack new games, but in this case the attackers only use their names to lend credibility, leading people to believe they are getting the real deal.

As for game trainers, these are applications – often legitimate – that allow players to make changes to games, such as giving themselves more gold coins, other in-game resources, or even gaining immortality in first-person shooters.

These trainers are usually designed for single-player titles and don’t work in multiplayer mode. Sometimes, players get banned for using such software in multiplayer mode.

It’s worth noting that security solutions may detect some game trainers as potentially dangerous due to how they work. In some situations, certain types of malware exhibit the same behavior.

Fake Battlefield 6 Trainer (Infostealer)
The first sample poses as a ‘Battlefield 6 Trainer Installer’. The malware can be found with a cursory Google search for Battlefield 6 trainers. Despite its small size and lack of obfuscation, it quickly steals data once executed.

The website is full of ‘trainers’ that only push similar stealers. The name FLiNG is also stolen from a real game trainer developer who is well-known for his apps.

Behavior Overview
The executable goes through local user directories and Internet browser profiles, retrieving data such as:

  • Crypto Wallets and Cookie Sessions from Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and WaveBrowser.
  • Session tokens and credentials from Discord.
  • Crypto-wallet extension data from Chrome add-ons like iWallet and Yoroi.

The stolen information is exfiltrated over plaintext HTTP, with no attempt to hide the traffic.

The malware’s simplicity makes it highly effective, even if it lacks anti-analysis measures and even runs inside virtual machines.

Sample ‘Battlefield 6.GOG-InsaneRamZes’ (Evasive Malware)
The second sample, distributed as Battlefield 6.GOG-InsaneRamZes via torrent websites, uses an entirely different strategy that includes stealth and environmental awareness.

Regional Execution Blocking
Before deploying its payload, the malware builds an array of locale identifiers and stops execution if it detects Russian or CIS regional settings.

Disassembly showing locale comparison with codes such as RU, AM, AZ, BY, KZ, KG, LT, and UZ, leading to immediate termination on matching systems.

This is a self-protection measure often used by Russian malware groups to avoid legal exposure in certain jurisdictions.

Windows API Hashing
To obscure the way it works, the malware hides API calls behind hashed strings. When it runs, it computes the hash of each API name exported by system DLLs. When a hash matches one of the values it is looking for, it saves the resolved API for later use.

Decompiled code demonstrating API hashing to obscure calls to GetSystemDefaultLCID, GetLocaleInfoW, and GetUserGeoID.
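How an analyst typically reverses this kind of API hashing, as an added example that is not code from the sample or from Bitdefender: hash a list of known export names and look up the constants seen in the disassembly. The article does not say which hash function the sample uses, so the ROR13 additive hash here is an assumption, and the candidate list and "observed" constants are constructed.

```python
def ror13_hash(name: str) -> int:
    """ROR13 additive hash over an ASCII name (assumed algorithm, see lead-in)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h

# Constructed candidate list. In practice this is every export name dumped
# from the system DLLs the sample walks (kernel32.dll and friends).
CANDIDATE_EXPORTS = [
    "GetSystemDefaultLCID", "GetLocaleInfoW", "GetUserGeoID",
    "GetTickCount", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "CreateFileW",
]

def build_lookup(names, hash_fn=ror13_hash):
    """Map hash value -> list of names (a list, because collisions can occur)."""
    table = {}
    for name in names:
        table.setdefault(hash_fn(name), []).append(name)
    return table

def annotate(constants, table):
    """Resolve 32-bit constants from the disassembly to candidate API names."""
    return {c: table.get(c, []) for c in constants}

# Stand-ins for constants copied out of the decompiled resolver. The real
# values are not published, so they are derived from the APIs the article
# names, plus one constant that matches nothing.
OBSERVED = [ror13_hash(n) for n in
            ("GetSystemDefaultLCID", "GetLocaleInfoW", "GetUserGeoID")]
OBSERVED.append(0xDEADBEEF)

if __name__ == "__main__":
    for value, names in annotate(OBSERVED, build_lookup(CANDIDATE_EXPORTS)).items():
        print(f"0x{value:08X} -> {names or 'unresolved'}")
```

If the constants do not resolve, swap `hash_fn` for another candidate algorithm and rebuild the table; the lookup logic stays the same.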

Anti-Sandbox Timing Check
The malware also performs a GetTickCount() test, a technique used to detect whether it’s running in a sandbox. Basically, it tries to determine the system’s uptime to figure out how long the machine has been running. This is a fairly common technique among attackers.

Developer Tool Targeting
The analysis of memory strings revealed references to software such as CockroachDB, Postman, BitBucket, and FastAPI, which suggests the stealer is targeting API keys or exfiltrating database credentials.

While the sample crashed before completing the full payload execution, the evidence suggests an intent to harvest other types of credentials, not just the regular ones from browsers, Discord, etc.

Sample 3: Battlefield 6 V4.8.8 DLCs – Bonuses -RUNE (C2 Agent)
The third sample, disguised as a Battlefield 6 ISO image, delivers a persistent Command-and-Control agent. Inside the ISO is a 25MB MZ executable containing a ZLIB-compressed object. Upon execution:

  1. The binary unpacks the ZLIB content.
  2. It writes a file named 2GreenYellow.dat to the current user’s directory.
  3. It silently executes it using: regsvr32.exe /s /i "C:\Users\<User>\2GreenYellow.dat"
  4. The /i flag triggers the DLL’s DllInstall export function.
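A detection sketch for the execution chain in the steps above, added here as an example and not taken from Bitdefender's tooling: it scores process-creation command lines for regsvr32 being pointed at a non-DLL file in a user profile with /s and /i. The sample events, the user name and the two-reason threshold are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

IMAGES = ("regsvr32", "regsvr32.exe")
EXPECTED_EXT = {".dll", ".ocx"}  # what regsvr32 normally registers
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

def parse_regsvr32(cmdline):
    """Return (switches, target) for a regsvr32 command line, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens or PureWindowsPath(tokens[0].strip('"')).name.lower() not in IMAGES:
        return None
    switches, target = set(), None
    for tok in tokens[1:]:
        if tok[0] in "/-":
            switches.add(tok[1:].split(":", 1)[0].lower())  # "/i:args" -> "i"
        else:
            target = tok.strip('"')
    return switches, target

def score(cmdline):
    """List the reasons a command line resembles the chain described above."""
    parsed = parse_regsvr32(cmdline)
    if parsed is None or not parsed[1]:
        return []
    switches, target = parsed
    reasons = []
    suffix = PureWindowsPath(target).suffix.lower()
    if suffix not in EXPECTED_EXT:
        reasons.append("non-DLL extension " + (suffix or "(none)"))
    if USER_PROFILE.match(target):
        reasons.append("target in user profile")
    if {"s", "i"} <= switches:
        reasons.append("silent DllInstall (/s /i)")
    return reasons

def detect(cmdlines, threshold=2):
    # A lone /s /i on a real DLL is common installer behaviour, so require
    # at least `threshold` independent reasons before alerting.
    return [(c, r) for c in cmdlines if len(r := score(c)) >= threshold]

# Constructed sample events (user name "alice" is made up).
SAMPLE_EVENTS = [
    r'regsvr32.exe /s /i "C:\Users\alice\2GreenYellow.dat"',
    r'C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\scrrun.dll',
    r'"C:\Windows\System32\regsvr32.exe" /s /i "C:\Program Files\Vendor\shellext.dll"',
    r'notepad.exe C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only the first constructed event is flagged; the legitimate shell-extension install matches a single reason and stays below the threshold.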

The DLL includes three standard exports:

  • DllRegisterServer
  • DllInstall
  • DllUnRegisterServer

Once initialized, the DLL repeatedly tries to contact ei-in-f101.1e100.net, which is on a domain belonging to Google. It’s possible that the domain is being used as a relay or to disguise the C2 communications.

Although the C2 beaconing failed during testing, the code structure indicates it’s designed for remote command execution or data exfiltration. Because this is a C2 agent, the number of attack vectors is countless.

Recommendations
The discovery of these malicious Battlefield 6 pirated versions and trainers underlines a very real, incredibly active threat model in the gaming landscape – attackers are exploiting players’ curiosity and impatience for newly launched titles.

While it’s impossible to tell how many people downloaded the malware, we observed hundreds of active seeders and leechers for the torrents, which means they’re all potential victims.

The Battlefield 6 trainer showed up on page 2 of a simple Google search, indicating numerous possible victims.

None of the files analysed offer any kind of functionality.

  • Unsophisticated stealers for mass harvesting of browser and wallet data.
  • Evasive payloads designed to avoid detection and focus on developer credentials.
  • Modular loaders for remote control and future exploitation.

Bitdefender strongly recommends users:

  • Download Battlefield 6 and other games only from official platforms (EA App, Steam, Epic Games Store, Uplay, GOG, etc).
  • Avoid torrents, third-party ‘trainer’ utilities, and unknown executables.
  • Employ real-time behavioural protection to block malicious payloads before they execute.
