{"id":7964,"date":"2025-09-05T12:50:05","date_gmt":"2025-09-05T17:50:05","guid":{"rendered":"https:\/\/www.threatstop.com\/blog\/fake-dota-2-skin-changer-malware"},"modified":"2025-09-05T12:50:05","modified_gmt":"2025-09-05T17:50:05","slug":"skin-in-the-game-how-a-fake-dota-2-mod-stole-more-than-cosmetics","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/05\/skin-in-the-game-how-a-fake-dota-2-mod-stole-more-than-cosmetics\/","title":{"rendered":"Skin in the Game: How a Fake Dota 2 Mod Stole More Than Cosmetics"},"content":{"rendered":"
<\/div>\n

We recently observed a sudden 165% spike in DNS requests<\/strong><\/span> to the domain posholnahuy[.]ru<\/strong><\/span>, primarily from Spain, Portugal, Ukraine, Russia, and Kyrgyzstan. This unusual traffic led us to investigate the domain\u2019s activity, uncovering an ongoing malware campaign. The domain was registered in February 2025<\/a> and is fronted by Cloudflare\u2019s infrastructure. By tracing the DNS queries back to their source processes, we discovered a suspicious executable<\/strong><\/span> named \u201cdotaskinchanger.exe\u201d.<\/strong><\/span> This file claimed to be a \u201cDota 2 Skin Changer\u201d<\/i> tool but was in fact malware. The surge in traffic corresponded with infections by this fake skin changer, as infected machines attempted to beacon out to the posholnahuy[.]ru C2.  <\/p>\n

<\/p>\n

They say never to publish a blog post on a Friday, but we figured this was interesting enough to send out!<\/p>\n

The Lure: Dota 2 and \u201cSkin Changer\u201d Mods<\/strong><\/h3>\n

Dota 2<\/strong><\/span> is a hugely popular online game (a MOBA by Valve, released in 2013) with millions of players worldwide. While the game itself is free-to-play, Valve monetizes it by selling cosmetic items and skins that alter hero appearances. These cosmetic skins can be quite valuable, driving some players to seek unofficial methods to unlock them for free. A \u201cskin changer\u201d for Dota 2 is basically an unofficial mod or tool that lets players tweak the look of in-game items or heroes, unlocking skins they don\u2019t actually own. But here\u2019s the catch: downloading these from sketchy places is super risky. These programs are known for hiding malware or snatching your login info. It\u2019s like stepping back in time to the \u201cwarez\u201d days, where malware was a common thing in \u201ccracked\u201d software. Every time I see my kids trying to download something like this, I have to have a chat with them. How do you even explain malware to kids? Anyway.<\/p>\n

In this case, the attackers took advantage of that temptation. They packaged their malware as a fake \u201cDota2 skinchanger\u201d <\/i>tool. The malicious file, dotaskinchanger.exe<\/strong><\/span>, was found inside a ZIP archive named dota_skinchanger.zip<\/strong><\/span> (SHA-256: caa8ffe9723…e940a3)<\/a>. The archive was distributed with a text file containing a password (file named \u201cPASSWORD_0208\u201d, SHA-256: 62e2d97974…e6abe<\/a>) needed to extract the main EXE. This password-protected ZIP tactic<\/strong><\/span> is deliberate, requiring a user to manually enter a password (in this case \u201c0208\u201d), the malware can evade some automated scanners and sandboxes that don\u2019t unpack archives. Both the ZIP and the EXE within it have been observed in the wild across the same regions mentioned above, and in fact have been uploaded to VirusTotal hundreds of times<\/span> indicating widespread distribution.<\/p>\n

Unpacking the Trojan: \u201cKepavll\u201d aka Salat Stealer<\/strong><\/h3>\n

Once extracted and run, the dotaskinchanger.exe<\/strong><\/span> does not<\/i> grant any new skins, instead, it deploys a multi-purpose malware. Microsoft Defender detects this file with the generic signature Trojan:Win32\/Kepavll!rfn. <\/strong><\/span>Multiple antivirus engines concur: the sample we analyzed was detected by 53 out of 72 AV scanners on VirusTotal.<\/span> The malware has been identified by the community as part of the \u201cSalat Stealer\u201d<\/strong><\/span> family, a name derived from the \/sa1at\/<\/span> path seen in its network traffic (more on that shortly). A behavioral analysis showed Yara rules triggering on \u201cSalatStealer\u201d<\/i> and even an embedded XMRig cryptominer<\/strong><\/span> payload. <\/p>\n

Once running, the malware exhibits typical info-stealer behavior: it attempts to exfiltrate sensitive data<\/strong><\/span> such as saved credentials, browser cookies, and even searches for cryptocurrency wallet strings on the victim\u2019s system. We aren’t going to do the typical malware breakdown blog post, instead we’ll link to one by DeXpose<\/a>. One analysis<\/a> noted \u201cfound many strings related to crypto-wallets (likely being stolen)\u201d<\/i>, indicating the stealer is hunting for keys or addresses for theft. In our case, the victim whose machine triggered the alert had their Steam session compromised within minutes of running the fake skin changer, the user\u2019s Steam account was hijacked and valuable Dota 2 cosmetic items were stolen. Clearly, the malware operators are aiming to steal any profitable assets (gaming items, cryptocurrency, credentials) and possibly monetize further by mining cryptocurrency in the background.<\/p>\n

C2 Infrastructure: posholnahuy[.]ru, pidorasina[.]ru and Cloudflare Evasion<\/strong><\/h3>\n

After infecting a system, the malware establishes contact with its Command-and-Control servers<\/span>. In our case, it reached out to URLs under the path \/sa1at\/<\/strong><\/span> on the domain posholnahuy[.]ru<\/strong><\/span>, and we also observed traffic to a second domain pidorasina[.]ru<\/strong><\/span> with the same \/sa1at\/<\/span> path. Both domain names are crude Russian phrases (roughly translated, \u201cgo f<\/i>** yourself\u201d* and a slur, respectively). These domains are part of a broader cluster of malicious infrastructure attributed to a Russian-speaking group known as NyashTeam<\/strong><\/span>, which is known for spreading malware via fake game cheats and cracks. In fact, security researchers recently reported<\/a> that NyashTeam maintained an extensive network of hundreds of .ru domains for malware distribution and C2.<\/p>\n

Crucially, both posholnahuy[.]ru and pidorasina[.]ru are proxied through Cloudflare<\/span> name servers. This means the malware\u2019s traffic is going to Cloudflare\u2019s servers (IP addresses in Cloudflare\u2019s ranges) which then forward it to the attacker\u2019s hidden backend. Using Cloudflare can help threat actors in several ways: it masks the true origin server\u2019s IP, provides SSL certificates (the traffic is HTTPS), and can blend malicious traffic with legitimate Cloudflare CDN traffic. In our analysis, the malware made HTTPS requests<\/span> to https:\/\/posholnahuy[.]ru\/sa1at\/<random> URLs, which resolved to Cloudflare IPs. These domains and URLs have been explicitly flagged as malicious C2 by threat intelligence sources. For example, Abuse.ch\u2019s ThreatFox lists https:\/\/posholnahuy[.]ru\/sa1at\/<\/i> as a botnet C2 URL<\/span> associated with an \u201cUnknown Stealer\u201d (SalatStealer)<\/a>. Correspondingly, community IDS rules<\/a> were created to detect any HTTP traffic containing Host: posholnahuy[.]ru and the \/sa1at\/ path, as well as DNS queries<\/a> for pidorasina[.]ru.  While the rules are not from Cisco Talos, and therefore not part of the official ruleset, we still recommend deploying at least the first one if you have Snort 3 or above.<\/p>\n

It\u2019s worth noting that the attackers attempted a further trick: DNS over HTTPS. We observed the malware querying Cloudflare\u2019s DNS resolver (1.1.1.1) via HTTPS for certain domains like websalat[.]top<\/span> and sa1at[.]ru<\/span>. The presence of such behavior underscores the malware\u2019s design to hide its network footprint<\/span> within normal-looking Cloudflare traffic.<\/p>\n

Detection Shortfalls: AV vs. Network Monitoring<\/strong><\/h3>\n

While many antivirus vendors detected this file, it appears that network-based detection was lagging<\/span>. At the time of our investigation, we found no official rules in public IDS\/IPS databases (like Snort or Suricata community rulesets)<\/i> specifically flagging this malware\u2019s traffic. In other words, an organization that relied solely on IDS\/IPS or network firewall signatures might not have caught the C2 traffic<\/strong><\/span> to posholnahuy[.]ru or recognized dotaskinchanger.exe as malicious. The use of Cloudflare further complicated detection, an analyst watching network logs might just see TLS connections to Cloudflare IPs, which by itself is not suspicious, and the domain name might be encrypted (if DNS over HTTPS is used or if SNI is not inspected). Only with full DNS logging or decrypted TLS inspection would the malicious domain be visible. Indeed, the first alerts for this incident came from DNS telemetry,<\/span> not from any perimeter IDS.  Relying on IP blocking would not have helped at all.<\/p>\n

This highlights a common scenario: endpoint protection did its job on many machines (quarantining the Trojan on execution), but if an endpoint was unprotected or the malware evaded it, the network monitoring layers <\/span>needed to pick up the slack<\/span>. <\/p>\n

Layered Defense: How Protective DNS Foiled the Attack<\/strong><\/h3>\n

Thankfully, our Protective DNS service acted as a crucial safety net. It detected unusual DNS activity to posholnahuy[.]ru and blocked it at the DNS layer for all customers, preventing the infection from downloading anything else. Protective DNS blocks domain resolutions for known malicious domains, similar to how a web filter blocks URLs. posholnahuy[.]ru was identified as a C2, and any device protected by our DNS service was prevented from resolving that domain, cutting off the malware\u2019s communication channel. We confirmed that several customers had machines attempting to phone home to posholnahuy[.]ru and pidorasina[.]ru, but those DNS queries were blocked in real time, preventing the C2 connection. As a result, the Trojan\u2019s commands and data exfiltration failed, and the infected hosts could be identified and remediated.<\/p>\n

Just a friendly reminder that if these organizations had only relied on endpoint or IDS alerts, the C2 traffic might have slipped through the cracks. The malware\u2019s clever use of Cloudflare and its absence of an IPS signature allowed it to quietly lurk in the background. By using a layered defense strategy, like combining endpoint AV, network IDS, and Protective DNS, our customers had several opportunities to spot the threat. In this case, DNS-based blocking was the ultimate safeguard once other defenses were bypassed. Even the malware\u2019s attempt to hide DNS lookups through Cloudflare\u2019s resolver was spotted by our DNS monitoring. Our solution gives us that visibility, which an organization without DNS logging might have missed.<\/p>\n

Conclusion: Lessons Learned<\/strong><\/h3>\n

This incident serves as a reminder that attackers will leverage any popular trend \u2013 even game mods \u2013 to distribute malware.<\/span> The fake Dota 2 skin changer Trojan spread by enticing gamers with free cosmetics, only to steal their data and digital goods. For defenders, several takeaways are clear:<\/p>\n