Developer Michael Mayhem revealed that the corrupted package is not a mod installed through Steam Workshop, but rather the packed standalone modified version of the original game.
Hackers breached Discord
The hackers took over the Discord and Steam accounts of one of the Downfall devs, giving them access to the mod’s Steam account.
Once installed on a compromised system, the malware will gather information from Steam and Discord as well as cookies, saved passwords, and credit card numbers from web browsers (Yandex, Microsoft Edge, Mozilla Firefox, Brave, and Vivaldi).
Additionally, it will search for documents with the phrase “password” in the filenames and for additional credentials, such as Telegram and the local Windows login.
It is recommended that users of Downfall change all significant passwords, particularly those associated with accounts that are not secured by two-factor authentication (2FA).
According to users who received the malicious update, the virus installs itself as UnityLibManager in the /AppData/Roaming folder or as a Windows Boot Manager application in the AppData folder.
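A triage check for the two install names reported above, as an added example (not code from the article or from the Downfall developers). The article does not give exact file names or extensions, so the substring matching, the depth limit, and the function names `scan_appdata` and `default_roots` are assumptions.

```python
import os
from pathlib import Path

# Names reported in the article; exact file names and extensions are not
# given there, so matching is by normalised substring (an assumption).
INDICATORS = ("unitylibmanager", "windowsbootmanager")


def _normalise(name):
    """Lowercase and drop spaces/punctuation so 'Windows Boot Manager.exe' matches."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def scan_appdata(root, max_depth=3):
    """Return sorted paths under root whose file or directory name contains an indicator."""
    root = Path(root)
    hits = []
    # Unreadable directories are skipped rather than aborting the scan.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in dirnames + filenames:
            norm = _normalise(name)
            if any(ind in norm for ind in INDICATORS):
                hits.append(str(Path(dirpath) / name))
        # Prune after inspecting this level so entries at the limit are still checked.
        if len(Path(dirpath).relative_to(root).parts) >= max_depth:
            dirnames[:] = []
    return sorted(hits)


def default_roots():
    """Per-user AppData roots on Windows (Roaming and Local), when defined."""
    return [os.environ[v] for v in ("APPDATA", "LOCALAPPDATA") if v in os.environ]


if __name__ == "__main__":
    for appdata_root in default_roots():
        for hit in scan_appdata(appdata_root):
            print("review:", hit)
```

A match is a lead for manual review, not a verdict: the names are matched loosely, and an empty result does not clear a machine that ran the malicious update.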