PWS:Win32/Onlinegames is a highly specialized family of Password Stealers (PWS) engineered specifically to harvest credentials, session tokens, and valuable virtual assets from massively multiplayer online role-playing games (MMORPGs).
Understanding Onlinegames Stealers
To the victim, this malware results in the devastating loss of high-level gaming accounts and the theft of virtual currency that is often sold for real-world money on black markets. For threat intelligence analysts, Onlinegames stealers represent a highly targeted, lucrative cybercrime niche (particularly prevalent in Asian markets targeting titles like Lineage, World of Warcraft, or local MMORPGs).
Execution and Evasion Strategies
These stealers are frequently distributed via malicious links within the games themselves, phishing emails masquerading as official game administrators, or bundled with fake 'auto-leveling' bot software. Upon execution, the malware actively hunts for running instances of the target game client. It utilizes sophisticated API hooking, screen scraping, and memory reading techniques to capture the user's password as it is typed into the login prompt. Modern variants also attempt to steal the game's session tokens stored on disk to bypass two-factor authentication (2FA).
Indicators of Compromise & Impact
The primary impact is the loss of account control and financial theft. Incident responders should analyze the system for unauthorized DLLs injected into the game client's process space (e.g., wow.exe). Threat hunters will often find dropped configuration files or encrypted log files (.dat) in the %AppData% directory containing the stolen keystrokes. Network logs will reveal outbound SMTP or HTTP POST traffic transmitting the stolen credentials back to the attacker's drop zone.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1056.001 | Input Capture: Keylogging | Collection |
T1555 | Credentials from Password Stores | Credential Access |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_ONLINEGAMES {
meta:
description = "Detects Onlinegames (infostealer)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "onlinegames" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Onlinegames Activity
id: f6d5a6fd717ac157773be30d7983ed80
status: experimental
description: Detects generic indicators of the onlinegames malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*onlinegames*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/onlinegames.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.