Bitdefender Labs has uncovered a wave of malware campaigns taking advantage of interest in Battlefield 6, the latest release in Electronic Arts’ long-running first-person shooter series. The game, developed by DICE and launched in October, has been one of the year’s biggest releases, drawing attention from both gamers and threat actors.
As soon as the game became available, cybercriminals began circulating fake pirated versions across torrent websites and underground forums. These downloads were not functional game files. Instead, they delivered a mix of information stealers, evasion-focused payloads, and command-and-control agents. The attackers also used well-known cracking group names, such as InsaneRamZes and RUNE, to make the files appear credible to users searching for illegal copies.
Bitdefender’s analysis shows that the malware was not limited to fake game installers. Attackers also created fraudulent Battlefield 6 trainers, which appeared to offer gameplay enhancements but instead acted as information-stealing tools. Trainers are typically used to modify single-player titles, although they are often ineffective or unsafe in multiplayer environments. In this case, the so-called trainers had no legitimate features and were built to harvest sensitive data from infected systems.
Infostealers posing as Battlefield 6 trainers
One of the samples examined by Bitdefender posed as a Battlefield 6 Trainer Installer. It was easy to find through a simple online search and appeared to come from a website offering multiple trainers, all of which pushed similar malware.
Although the file was small and not heavily obfuscated, it acted quickly once executed. It scanned user directories and browser profiles from Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and WaveBrowser, collecting information such as session cookies and cryptocurrency wallet data. It also extracted session tokens and credentials from Discord, along with details from Chrome-based crypto wallet extensions like iWallet and Yoroi.
The stolen data was transmitted over plain HTTP without any attempt to conceal the traffic, showing that the attackers prioritised speed and scale over stealth. Despite its simplicity, the malware proved effective; it performed no anti-VM checks and ran normally inside virtualised environments.
Evasive malware linked to fake cracked versions
A second sample, distributed under the name Battlefield 6.GOG-InsaneRamZes, used a more sophisticated approach. The malware closely examined the host system before activating its payload.
It checked the device's regional settings and terminated itself on systems configured for Russia or CIS countries. This form of regional blocking is common among threat groups aiming to avoid legal consequences in their own jurisdictions. The file also used Windows API hashing: instead of importing system functions by name, it resolved them at runtime from precomputed hash values, so the libraries and functions it calls do not appear in its import table or as readable strings, making static analysis more difficult.
The malware conducted an anti-sandbox timing check by reviewing system uptime, a tactic used to detect automated analysis environments. Strings found in memory referenced developer tools such as CockroachDB, Postman, BitBucket, and FastAPI, suggesting that the malware was designed to search for API keys and development-related credentials in addition to standard browser data.
Although the sample crashed before completing its full behaviour, Bitdefender believes the malware was built to steal a broader range of sensitive information, extending beyond typical targets.
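API hashing of the kind described above is usually undone by hashing every export name of the relevant DLLs with the same algorithm and looking up the constants found in the binary. The script below is an added example for this article, not Bitdefender's tooling or code from the sample; it assumes the common ROR-13 algorithm (the one used by Metasploit-style shellcode) purely for illustration, since the article does not say which hash the sample used, and the export list is a constructed subset rather than a real DLL's export table.

```python
"""Rebuild an API-hash lookup table so hashed imports can be named (added example)."""

# ROR-13 is assumed here as an illustrative algorithm; the actual sample's
# hash function is not stated in the article.


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Hash an ASCII export name: rotate the accumulator right by 13, add each byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed subset of export names; a real run would parse the export
# tables of the DLLs on a Windows system (e.g. with pefile).
SAMPLE_EXPORTS = {
    "kernel32.dll": [
        "GetTickCount",
        "GetUserDefaultUILanguage",
        "IsDebuggerPresent",
        "LoadLibraryA",
        "GetProcAddress",
        "ExitProcess",
    ],
    "advapi32.dll": ["RegOpenKeyExA", "CryptUnprotectData"],
}


def build_lookup(exports: dict[str, list[str]]) -> dict[int, list[tuple[str, str]]]:
    """Map hash -> [(dll, export), ...]; a list keeps collisions visible."""
    table: dict[int, list[tuple[str, str]]] = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(ror13_hash(name), []).append((dll, name))
    return table


def resolve_hashes(hashes, exports=SAMPLE_EXPORTS):
    """Return {hash: [(dll, export), ...] or None} for each constant seen in a binary."""
    table = build_lookup(exports)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constants an analyst might pull from the binary's resolver loop.
    seen = [ror13_hash("GetTickCount"), ror13_hash("GetUserDefaultUILanguage"), 0xDEADBEEF]
    for h, hit in resolve_hashes(seen).items():
        print(f"{h:#010x} -> {hit if hit else 'unknown (not in export list)'}")
```

Unknown constants are reported as such rather than guessed, and collisions are kept as a list so an analyst sees when two exports share a hash. If the constants do not resolve, the sample uses a different algorithm (or a seed, or a DLL-name prefix), and only the `ror13_hash` function needs swapping.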
Command-and-control agent hidden in fake Battlefield 6 ISO files
The third sample analysed was disguised as a Battlefield 6 ISO image and contained a persistent command-and-control agent. Inside the ISO was a 25MB executable that unpacked compressed content before writing a file named 2GreenYellow.dat to the user's directory. The malware then loaded this file through regsvr32.exe, a legitimate signed Windows utility, triggering its DllInstall function; despite the .dat extension, the file is therefore a DLL.
Once running, the DLL repeatedly attempted to contact a server hosted on a Google-owned domain, likely using it as a relay or masking mechanism. Although these attempts failed during testing, the structure of the code indicated that it was designed to support remote command execution and data exfiltration. Bitdefender warns that the modular design allows for many potential attack scenarios.
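The regsvr32.exe loading step is the most detectable part of this chain, because regsvr32 is a signed Windows binary that normally registers DLLs from system or program directories, not .dat files from a user profile. The script below is an added example for this article, not Bitdefender's detection logic; it runs a simple rule over constructed Sysmon-style process-creation records (not real telemetry) and assumes the sample invoked regsvr32 with the /i switch, which is how regsvr32 calls a library's DllInstall export.

```python
"""Flag suspicious regsvr32.exe invocations in process-creation telemetry (added example)."""

import re

# Constructed records shaped like Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {   # Modelled on the chain described in the article (the /i switch is assumed).
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s /i "C:\Users\alice\2GreenYellow.dat"',
        "ParentImage": r"C:\Users\alice\Downloads\Battlefield6-Setup.exe",
    },
    {   # Benign: an installer registering a DLL from System32.
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # Unrelated process; must be ignored.
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def is_suspicious_regsvr32(event: dict) -> list[str]:
    """Return the list of reasons an event is suspicious (empty list = not flagged)."""
    reasons: list[str] = []
    if not event.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return reasons

    # Split the command line, honouring quoted paths; drop argv[0].
    args = [t.strip('"') for t in TOKEN.findall(event.get("CommandLine", ""))][1:]
    switches = [a.lower() for a in args if a.startswith("/")]
    modules = [a for a in args if not a.startswith("/")]

    for module in modules:
        if not module.lower().endswith(".dll"):
            reasons.append(f"module without .dll extension: {module}")
        if USER_PROFILE.search(module):
            reasons.append(f"module loaded from a user profile: {module}")
    if any(s == "/i" or s.startswith("/i:") for s in switches):
        reasons.append("DllInstall requested via /i")
    if USER_PROFILE.search(event.get("ParentImage", "")):
        reasons.append("parent process runs from a user profile")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the rule over a batch of records and return (index, reasons) for each hit."""
    hits = []
    for i, event in enumerate(events):
        reasons = is_suspicious_regsvr32(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']}")
        for reason in reasons:
            print(f"  - {reason}")
```

The same conditions translate directly into a SIEM query: process name regsvr32.exe, and either a module path that is not a .dll, a module path or parent image under \Users\, or the /i switch. Tuning is mostly a matter of allow-listing installers that legitimately call DllInstall.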
The findings highlight that none of the analysed files had any real connection to Battlefield 6. Instead, they were created solely for credential theft, stealthy exploitation, and long-term control of victim systems.
The appearance of hundreds of active seeders and leechers for these torrents suggests a sizeable pool of potential victims. Fake trainers also appeared on early pages of search results, increasing the likelihood that users downloaded them without realising the risks.
Bitdefender recommends that players obtain Battlefield 6 only from official platforms such as EA App, Steam, Epic Games Store, Uplay, and GOG, and avoid torrents, unauthorised tools, and unknown executables. The company also advises the use of real-time behavioural protection to detect malicious activity before it can compromise a device.