Fake P2E Project ‘Cthulhu World’ Used to Power Information-Stealing Malware

World of Cthulhu header image

Hackers have created a fake ‘Cthulhu World’ game-to-win community, including websites, Discord groups, social accounts, and a midsize developer site, to distribute Raccoon Stealer password-stealing malware infections, AsyncRAT and RedLine on unsuspecting victims.

As play-to-win games grow in popularity, scammers and threat actors are increasingly targeting these new platforms for malicious activity.

Such is the case with a new malware distribution campaign uncovered by cybersecurity researcher iamdeadlyz, where threat actors created an entire project to promote a fake game called Cthulhu World.

To promote the “project,” threat actors are direct messaging users on Twitter asking if they’d like to test their new game. In exchange for testing and promoting the game, iamdeadlyz says that threat actors promise a reward in Ethereum.

Twitter Direct Messages Promoting Fake P2E Game
Twitter Direct Messages Promoting Fake P2E Game
Source: iamdeadlyz

Visiting the now-defunct cthulhu-world.com site, users are greeted with a well-designed website containing information about the project and an interactive map of the game’s environments.

World of Cthulhu website
World of Cthulhu website

However, this site appears to be a clone of the legitimate Alchemical World Projectwhich has been warn users stay away from fake project.

The Cthulhu World website also has a big difference; when a user clicks the arrow in the top right corner of the site, the visitor will be taken to a web page that will ask for a code to download the “alpha” test of the project.

Threat actors share these codes with potential victims as part of their DM conversations on Twitter. A list of the access codes is also found in the source code of the site, as shown below.

Access codes to the different downloads
Access codes to the different downloads
Source: BleepingComputer

Depending on the code entered, one of three files will be downloaded from DropBox.

Download links embedded in the site's source code
Download links embedded in the site’s source code
Source: BleepingComputer

Each of the three files installs different malware, likely allowing threat actors to choose how they want to attack a particular user. The three malware identified by AnyRun installations are AsyncRAT, RedLine Stealer, and Raccoon Stealer.

The Cthulhu World website is currently down, but their Discord remains active. It’s unclear who on this Discord knows the site is distributing malware, but some users clearly believe it’s a legitimate project.

As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to discover that some victims have already cleaned out their wallets with this scam.

victim's tweet

If you visited Cthulhu-world.com and downloaded any of their programs, you should immediately run an antivirus scan on your computer and remove anything detected.

Also, as these malware infections steal your saved passwords, cookies and crypto wallets, you need to reset all passwords and create new wallets to import your cryptocurrency.

Ultimately though, the smartest course of action is to reinstall your computer from scratch, as these malware infections give full access to an infected computer and other undetected malware can still be installed.

Leave a Comment