Malware Incident Summary
Summary of Incident Analysis:
The analysis shows that the threat is specifically a DLL hijacking attack aimed at stealing Exodus cryptocurrency wallet information. The actor placed a malicious DLL file (fastmath.dll) in the Traffic mod directory, which gets loaded by the game executable when the game is launched on the target machine. The malicious DLL is the first stage of the malware chain.
Once loaded by the game executable, the second stage of the malware activity begins,
where the DLL searches for Exodus crypto wallets on the computer inside the AppData local
Folder.
If users do not have any Exodus cryptocurrency wallets on their devices, they are not impacted by the second phase of the attack.
Only the “Traffic” mod was affected. We have confirmed that the account of the “Traffic” mod’s author was compromised, and the malicious upload originated from an unauthorized location. The account has now been secured, and no further tampering with their work is expected.
If you didn’t start the game with the version of the Traffic mod containing the DLL downloaded and installed, you are entirely unaffected. If you do not have an Exodus cryptocurrency wallet on your computer the malware should not have been harmful.
If you have Exodus crypto wallet on your computer:
We recommend manually deleting the secondary DLL file located in the following path: C:\Users\<Username>\AppData\Local\exodus\app-<VersionNumber>\profapi.dll
For more information if your Exodus wallet has been compromised we refer you to their
FAQ.
For general security measures related to Exodus, please refer to their official guide:
Exodus Security Practices.
General information for those who use Code Mods:
While we work hard to minimize risks, there is always an inherent risk in downloading a mod that changes the contents of a program, no matter what platform is used for distribution. We cannot guarantee that malware incidents won’t occur, as malware is constantly evolving and can adapt faster than detection tools. Fully preventing such incidents would require prohibiting and removing code mods altogether—a step we’d prefer to avoid. We know that our players are sharing creative, wonderful work with us and with our community, and we intend to support that.
Every mod uploaded to Paradox Mods undergoes scanning, but it’s important to note that these tools, while thorough, cannot offer complete protection due to the rapid evolution of malware. We are actively looking into how we can further implement security measures around mod publishing to strike the right balance between security and usability.
We encourage users to exercise caution when using code mods. We deeply appreciate those who report any suspicious activity or updates on mods; if you notice anything unusual, please press report on the mod in question on the Paradox Mods platform.
Additionally, always keep your firewall and antivirus software installed and updated.
