Gamers Targeted with Lua-Based Malware Disguised as Cheating Script Engines

Published on October 9, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor
Created using Copilot | Powered by DALL.E 3

Users seeking game cheats have become targets of a sophisticated malware campaign. The attackers are enticing gamers to download a Lua-based malware by masquerading it as legitimate cheating script engines, according to a new Morphisec security report.

This malware, which has been detected globally, leverages the popularity of Lua gaming engine extensions among student gamers.

Originally documented by OALabs in March 2024, the campaign uses a Lua-written malware loader. The attackers exploit quirks in GitHub's platform to host and distribute malicious payloads through booby-trapped ZIP archives.

Technical Working of the Lua Compiler | Source: Morphisec

GitHub has actively disabled user accounts and content that violate its Acceptable Use Policies, prohibiting hosting content supporting unlawful activities, including malware distribution.

The recent analysis highlights a shift in the malware's delivery mechanism, as threat actors are now deploying obfuscated Lua scripts rather than compiled Lua bytecode to reduce detection risks. The infection vector remains unchanged, with users directed to fake websites hosting malicious archives.

Google Ads as Solara, a popular cheating script engine | Source: Morphisec 

The ZIP archive typically includes a Lua compiler, a runtime interpreter DLL, an obfuscated Lua script, and a batch file to execute the script. The malicious Lua script establishes a connection with a command and control (C2) server, facilitating persistent system compromise or the deployment of additional payloads like the Redone Stealer.

Infostealers continue to rise in prominence, with harvested credentials often sold on the Dark Web. The RedLine information stealer, in particular, has a significant market presence.

Recent reports from Kaspersky reveal parallel campaigns targeting users searching for pirated software, distributing the SilentCryptoMiner via AutoIt compiled binaries. These attacks have predominantly targeted regions, including Russia, Belarus, and India.

The cybersecurity landscape indicates a growing trend of malware distributed through unconventional channels, such as encrypted messaging apps and video platforms, often masked as cryptocurrency-related content.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: