December 11, 2023

Researchers have discovered the activities of  threat actors involving uploading several modifications “mods” containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Users with mods installation ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability CVE-2021-38003 in the V8 open-source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.


Researchers reported the  issue to Valve, the developer of the game. Valve immediately updated the game’s code to a new version of V8 and took down the rogue game mods from its Steam online store.

Value is also owning Counter-Strike, left 4 Dead, and Day of Defeat  also notified the small handful of users who downloaded the backdoor about the issue and implemented measures to reduce Dota 2’s attack surface.

This attack is same alike where a threat actor has uploaded malicious applications to Google Play and Apple’s App Store, or malicious code blocks to repositories like npm or PyPI.

Dota’s game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes or new games. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use.


This cyber incident is the latest in a string of attacks that have targeted online gaming companies and players in recent years involving Riot Games and Rockstar Games The attacks have put growing pressure on gaming companies to ramp up their security processes.

This research was documented by researchers from Avast

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.