Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
The cyber incident that is too “isolated” to accentuate to mass media...
Sparsa AI Launches Sovereign Enterprise AI Platform with Global Deploy...
Conifers AI Opens Singapore Data Region, Bringing Local Data Residency...
Finally taken down: Residential proxy network of at least 2m smart dev...
DXC Opens Flagship AI-first Customer Experience Center in Bengaluru
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      S E Asia governments targeted by cyber-espionage group

      S E Asia governments targeted by cyber-espionage group

      Tuesday, June 23, 2026, 8:00 AM Asia/Singapore | Features
    • Featured

      Rethinking network and infrastructure design for resilience

      Rethinking network and infrastructure design for resilience

      Thursday, June 18, 2026, 2:17 PM Asia/Singapore | Features
    • Featured

      Bringing cybercriminals to justice in APAC

      Bringing cybercriminals to justice in APAC

      Thursday, June 11, 2026, 10:30 AM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • AWARDS 2026
  • Directory
  • E-Learning

Select Page

News

Cybercriminals target Battlefield 6 players

By CybersecAsia editors | Thursday, November 27, 2025, 12:04 PM Asia/Singapore

Cybercriminals target Battlefield 6 players

Bitdefender Labs has identified malware campaigns exploiting the popularity of EA’s Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers, and fake game trainers across torrent websites and other easily found websites.

Electronic Arts’ Battlefield 6, developed by DICE and published by Electronic Arts (EA), was released in October 2025, and it’s likely one of the largest game launches of the year.

Cybercriminals take advantage of major events to push their malware, and the release of a critically acclaimed title is a certain attack vector.

As soon as the game became available for download, criminals began spreading fake cracked versionsof Battlefield 6 on torrent sites and underground forums. 

These fake cracked games are actuallyinfected installers and apps delivering stealers, advanced evasion payloads, and even command-and-control (C2) agents.

As a side note, there are real groups that routinely crack newly released games and their names are well known within the online community. 

InsaneRamZesandRUNE are just two of the more popular ones right now, which is exactly why cybercriminals used their names in the fake releases, just like it could happen with legit brands.

However, users who search for pirated versions of Battlefield are not the only targets. Battlefield 6 players might look for something to give them an advantage, and attackers know this all too well. So, cybercriminals built game ‘trainers’ that promise to do just that, only they are designed to steal information.

Bitdefender’s analysis of three such samples has revealed attacks weaponizing the game’s popularity to compromise PCs and extract sensitive data.

Key findings

  • Multiple Battlefield 6 ‘cracks’ and ‘trainers’ circulate online, but none are functional.
  • The fake trainer is as an aggressive infostealer, targeting browsers and crypto-wallets.
  • The InsaneRamZes pirated version shows advanced anti-analysis and regional evasion techniques.
  • The RUNE pirated version deploys a C2 agent capable of persistence and remote control.
  • The malware samples have no real Battlefield-related functionality and they are very likely from different groups.

Pirated versions of games have been around for years. Depending on the type of game and the protection used by the publishers, it’s not uncommon to see a pirated version of a title pop up online on the same day as the official release.

Games that integrate advanced protection and have a very heavy multiplayer component, such as Battlefield 6, take a longer time to pirate. But not everyone knows this and there will always be potential victims who believe they are actually downloading the pirated version of Battlefield 6.

Users might also notice that the pirated games are also accompanied by two names, InsaneRamZes and Rune.These are real groups that crack new games, but in this case the attackers only use their names to lend credibility, leading people to believe they are getting the real deal.

As for game trainers, these are applications – often legitimate – that allow players to make changes to games, such as giving themselves more gold coins, other in-game resources, or even gaining immortality in first-person shooters.

These trainers are usually designed for single-player titles and don’t work in multiplayer mode. Sometimes, players get banned for using such software in multiplayer mode.

It’s worth noting that security solutions may detect some game trainers as potentially dangerous due to how they work. In some situations, certain types of malware exhibit the same behavior

Fake Battlefield 6 Trainer (Infostealer)
The first sample poses as a ‘Battlefield 6 Trainer Installer’. The malware can be found by a summary Google search for Battlefield 6 trainers. Despite its small size and lack of obfuscation, it quickly steals data once executed.

The website is full of ‘trainers’ that only push similar stealers. The name FLiNG is also stolen from a real game trainer developer who is well-known for his apps.

Behavior Overview
The executable goes through local user directories and Internet browser profiles, retrieving data such as:

  • Crypto Wallets and Cookie Sessions from Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and WaveBrowser.
  • Session tokens and credentials from Discord.
  • Crypto-wallet extension data from Chrome add-ons like iWallet and Yoroi.

The stolen information is exfiltrated over plaintext HTTP, with no attempt to hide the traffic.

The malware’s simplicity makes it highly effective, even if it lacks anti-analysis measures and even runs inside virtual machines.

Sample ‘Battlefield 6.GOG-InsaneRamZes’ (Evasive Malware)
The second sample, distributed as Battlefield 6.GOG-InsaneRamZesvia torrent websites, uses an entirely different strategy that includes stealth and environmental awareness.

Regional Execution Blocking
Before deploying its payload, the malware builds an array of locale identifiers and stops execution if it detects Russian or CIS regional settings.

Disassembly showing locale comparison with codes such as RU, AM, AZ, BY, KZ, KG, LT, and UZ, leading to immediate termination on matching systems.

 This is a self-protection measure often used by Russian malware groups to avoid legal exposure in certain jurisdictions.

Windows API Hashing
To obscure the way it works, the malware hides API calls behind hashed strings. When it runs, it tries to determine the hash of each target API (from system DLLs). When the hash matches, it will save it for later use.

Decompiled code demonstrating API hashing to obscure calls to GetSystemDefaultLCID, GetLocaleInfoW, and GetUserGeoID.

Anti-Sandbox Timing Check
The malware also performs a GetTickCount()test, a technique used to detect whether it’s running in a sandbox. Basically, it tries to determine the system’s uptime to figure out how long the machine has been running. This is a fairly common technique among attackers.

Developer Tool Targeting
The analysis of memory strings revealed references to software such as CockroachDB, Postman, BitBucket, and FastAPI, which suggests the stealer is targeting API keys or exfiltrating database credentials.

While the sample crashed before completing the full payload execution, the evidence suggests an intent to harvest other types of credentials, not just the regular ones from browsers, Discord, etc.

Sample 3: Battlefield 6 V4.8.8 DLCs – Bonuses -RUNE (C2 Agent)
The third sample, disguised as a Battlefield 6 ISO image, delivers a persistent Command-and-Control agent. Inside the ISO is a 25MB MZ executable containing a ZLIB-compressed object. Upon execution:

  1. The binary unpacks the ZLIB content.
  2. It writes a file named 2GreenYellow.dat to the current user’s directory.
  3. It silently executes it using: regsvr32.exe /s /i “C:\Users\<User>\2GreenYellow.dat“
  4. The /i flag triggers the DLL’s DllInstall export function.

The DLL includes three standard exports:

  • DllRegisterServer
  • DllInstall
  • DllUnRegisterServer

Once initialized, the DLL repeatedly tries to contact ei-in-f101.1e100.net, which is on a domain belonging to Google. It’s possible that the domain is being used as a relay or to disguise the C2 communications.

Although the C2 beaconing failed during testing, the code structure indicates it’s designed for remote command execution or data exfiltration. Because this is a C2 agent, the number of attack vectors is countless.

Recommendations
The discovery of these malicious Battlefield 6 pirated versions and trainers underline a very real, incredibly active threat model in the gaming landscape – attackers are exploiting players’curiosity and impatience for newly launched titles.

While it’s impossible to tell how many people downloaded the malware, we observed hundreds of active seeders and leechers for the torrents, which means they’re all potential victims.

The Battlefield 6 trainer showed up on page 2 of a simple Google search, indicating numerous possible victims.

None of the files analysed offer any kind of functionality.

  • Unsophisticated stealers for mass harvesting of browser and wallet data.
  • Evasive payloads designed to avoid detection and focus on developer credentials.
  • Modular loaders for remote control and future exploitation.

Bitdefender strongly recommends users:

  • Download Battlefield 6 and other games only from official platforms (EA App, Steam, Epic Games Store, Uplay, GOG, etc).
  • Avoid torrents, third-party ‘trainer’ utilities, and unknown executables.
  • Employ real-time behavioural protection to block malicious payloads before they execute.

Share:

PreviousAI coding assistant reveals security vulnerabilities linked to politically-sensitive prompts
NextSEHMUA Launches Its First 2K Solar Security Camera System with Homebase

Related Posts

When warning users of risk, timing and personalization is everything: report

When warning users of risk, timing and personalization is everything

Friday, April 30, 2021

Is the APJ region’s level of API security up to par in 2024?

Is the APJ region’s level of API security up to par in 2024?

Thursday, March 7, 2024

How India is learning from Israel’s lead in cybersecurity and tech development

How India is learning from Israel’s lead in cybersecurity and tech development

Thursday, February 25, 2021

Ignoring deepfakes – a risky gamble for CXOs

Ignoring deepfakes – a risky gamble for CXOs

Tuesday, November 12, 2024

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Cyber threats have become more frequent and sophisticated, targeting organizations of all sizes across all …Download Whitepaper
  • Zero Trust Made Simple: Why it matters and how to get started

    Zero Trust Made Simple: Why it matters and how to get started

    Data breaches and cyberattacks are no longer limited to large, high-profile organizations.Download Whitepaper
  • Cloud Secure Edge: Remote access, better security

    Cloud Secure Edge: Remote access, better security

    ​SonicWall Cloud Secure Edge™ is a modern, cloud-native Security Service Edge (SSE) solution that addresses …Download Whitepaper
  • Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • How a Vietnamese D2C retailer built its own secure digital infrastructure

    How a Vietnamese D2C retailer built its own secure digital infrastructure

    Would your organization build your own digital infrastructure – including AI governance and cybersecurity – …Read more
  • Cyber protection for medical clinics in Singapore

    Cyber protection for medical clinics in Singapore

    As Singapore’s healthcare sector becomes increasingly digital and interconnected, clinics are facing heightened cyber risks, …Read more
  • India’s WazirX strengthens governance and digital asset security

    India’s WazirX strengthens governance and digital asset security

    Revamping its custody infrastructure using multi‑party computation tools has improved operational resilience and institutional‑grade safeguardsRead more
  • Bangladesh LGED modernizes communication while addressing data security concerns

    Bangladesh LGED modernizes communication while addressing data security concerns

    To meet emerging data localization/privacy regulations, the government engineering agency deploys a secure, unified digital …Read more

Bottom sidebar

Other News

  • Sparsa AI Launches Sovereign Enterprise AI Platform with Global Deployment at QNET

    Wednesday, July 8, 2026
    The Sparsa AI Enterprise Operating …Read More »
  • Conifers AI Opens Singapore Data Region, Bringing Local Data Residency to Asia-Pacific Security Teams

    Wednesday, July 8, 2026
    With data regions now spanning …Read More »
  • DXC Opens Flagship AI-first Customer Experience Center in Bengaluru

    Tuesday, July 7, 2026
    Strengthens DXC’s India presence with …Read More »
  • D-Link Brings Advanced AI Fall Detection and Privacy Protection to Home Elderly Care with the New DCS-8610 Wi-Fi Camera

    Monday, July 6, 2026
    Advanced technologies traditionally found in …Read More »
  • ICAC Commissioner attends first IAACA European regional anti-corruption conference in Hungary

    Friday, July 3, 2026
    BUDAPEST, Hungary, July 2, 2026 …Read More »
  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2026 CybersecAsia All Rights Reserved.