Onlinegames

Category: infostealer · Aliases: None known · Sample count (EMBER 2018): 243 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

PWS:Win32/Onlinegames is a highly specialized family of Password Stealers (PWS) engineered specifically to harvest credentials, session tokens, and valuable virtual assets from massively multiplayer online role-playing games (MMORPGs).

Understanding Onlinegames Stealers
To the victim, this malware results in the devastating loss of high-level gaming accounts and the theft of virtual currency that is often sold for real-world money on black markets. For threat intelligence analysts, Onlinegames stealers represent a highly targeted, lucrative cybercrime niche (particularly prevalent in Asian markets targeting titles like Lineage, World of Warcraft, or local MMORPGs).

Execution and Evasion Strategies
These stealers are frequently distributed via malicious links within the games themselves, phishing emails masquerading as official game administrators, or bundled with fake 'auto-leveling' bot software. Upon execution, the malware actively hunts for running instances of the target game client. It utilizes sophisticated API hooking, screen scraping, and memory reading techniques to capture the user's password as it is typed into the login prompt. Modern variants also attempt to steal the game's session tokens stored on disk to bypass two-factor authentication (2FA).

Indicators of Compromise & Impact
The primary impact is the loss of account control and financial theft. Incident responders should analyze the system for unauthorized DLLs injected into the game client's process space (e.g., wow.exe). Threat hunters will often find dropped configuration files or encrypted log files (.dat) in the %AppData% directory containing the stolen keystrokes. Network logs will reveal outbound SMTP or HTTP POST traffic transmitting the stolen credentials back to the attacker's drop zone.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1056.001Input Capture: KeyloggingCollection
T1555Credentials from Password StoresCredential Access
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1048Exfiltration Over Alternative ProtocolExfiltration
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ONLINEGAMES {
    meta:
        description = "Detects Onlinegames (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "onlinegames" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Onlinegames Activity
id: f6d5a6fd717ac157773be30d7983ed80
status: experimental
description: Detects generic indicators of the onlinegames malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*onlinegames*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint to prevent the active exfiltration of captured gaming credentials and session tokens.
  2. Assist the user in immediately recovering their gaming accounts from a known-clean device and forcing a password reset.
  3. Utilize EDR or memory forensics to locate and terminate the keylogging modules injected into the game client or <code>explorer.exe</code>.
  4. Perform a full system sweep to eradicate the dropped executables and delete any temporary log files containing stolen data.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the user to type any passwords or access sensitive portals while the machine is infected, as the keylogger captures all input.
  2. Avoid ignoring the infection as 'just a game stealer'; compromised accounts are often heavily linked to the user's primary email and financial accounts.

References & External Analysis

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/onlinegames.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.