Traffic Breach Statement - Paradox Interactive

Submitted by Style Pass, 2024-11-11 20:00:16

The analysis shows that the threat is specifically a DLL hijacking attack aimed at stealing Exodus cryptocurrency wallet information. The actor placed a malicious DLL file (fastmath.dll) in the Traffic mod directory, which gets loaded by the game executable when the game is launched on the target machine. The malicious DLL is the first stage of the malware chain.

Once the DLL is loaded by the game executable, the second stage of the malware activity begins: the DLL searches the AppData Local folder on the computer for Exodus crypto wallets.

If users do not have any Exodus cryptocurrency wallets on their devices, they are not impacted by the second phase of the attack.

Only the “Traffic” mod was affected. We have confirmed that the account of the “Traffic” mod’s author was compromised, and the malicious upload originated from an unauthorized location. The account has now been secured, and no further tampering with their work is expected.

If you didn’t start the game with the version of the Traffic mod containing the DLL downloaded and installed, you are entirely unaffected. If you do not have an Exodus cryptocurrency wallet on your computer, the malware should not have been harmful.
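A triage sketch for the two conditions the statement describes (the DLL inside the mod folder, and an Exodus wallet under AppData), added here as an example and not Paradox's own tooling. The directory arguments, the `Exodus` folder name and the search depth are assumptions; the page gives no file hash, so the script only reports the hash of what it finds.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SUSPECT_NAME = "fastmath.dll"  # file name given in the statement
WALLET_DIR_NAME = "exodus"     # assumption: wallet data is in a folder named Exodus


def find_suspect_dlls(mods_root):
    """Return sorted (path, sha256) pairs for files named fastmath.dll under mods_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(mods_root):
        for name in files:
            if name.lower() == SUSPECT_NAME:  # Windows file names are case-insensitive
                path = Path(dirpath) / name
                hits.append((str(path), hashlib.sha256(path.read_bytes()).hexdigest()))
    return sorted(hits)


def has_exodus_data(appdata_root, max_depth=2):
    """True if a directory named Exodus sits within max_depth levels of appdata_root."""
    root = Path(appdata_root)
    for dirpath, dirs, _files in os.walk(root):
        if any(d.lower() == WALLET_DIR_NAME for d in dirs):
            return True
        if len(Path(dirpath).parts) - len(root.parts) + 1 >= max_depth:
            dirs[:] = []  # stop descending past the depth limit
    return False


def triage(mods_root, appdata_root):
    """Combine both checks; it cannot tell whether the game was launched with the mod."""
    dlls = find_suspect_dlls(mods_root)
    if not dlls:
        return "no-dll", dlls
    if has_exodus_data(appdata_root):
        return "dll-and-wallet", dlls
    return "dll-only", dlls


if __name__ == "__main__":
    # Constructed directory tree standing in for a real mods folder and AppData.
    with tempfile.TemporaryDirectory() as tmp:
        mod_dir = Path(tmp, "mods", "Traffic")
        mod_dir.mkdir(parents=True)
        (mod_dir / "fastmath.dll").write_bytes(b"constructed sample, not malware")
        Path(tmp, "AppData", "Local", "Exodus").mkdir(parents=True)
        print(triage(Path(tmp, "mods"), Path(tmp, "AppData")))
```

A `dll-and-wallet` result means both conditions from the statement hold on that machine and the wallet should be treated as exposed; any hit is a file to review, since the name alone does not prove the file is the malicious one.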
