Important Update Regarding Traffic Mod
Update 2024-11-07
Update on malware incident - Final determination
Summary of Incident Analysis
The analysis shows that the threat is specifically a DLL hijacking attack aimed at stealing Exodus cryptocurrency wallet information. The actor placed a malicious DLL file (fastmath.dll) in the Traffic mod directory, which gets loaded by the game executable when the game is launched on the target machine. The malicious DLL is the first stage of the malware chain.
Once loaded by the game executable, the second stage of the malware activity begins: the DLL searches the computer for Exodus crypto wallets inside the local AppData folder.
If users do not have any Exodus cryptocurrency wallets on their devices, they are not impacted by the second phase of the attack.
Only the “Traffic” mod was affected. We have confirmed that the account of the “Traffic” mod’s author was compromised, and the malicious upload originated from an unauthorized location. The account has now been secured, and no further tampering with their work is expected.
If you never launched the game with the version of the Traffic mod that contained the DLL downloaded and installed, you are entirely unaffected. If you do not have an Exodus cryptocurrency wallet on your computer, the malware should not have been harmful.
If you have an Exodus crypto wallet on your computer
We recommend manually deleting the secondary DLL file located in the following path: C:\Users\<Username>\AppData\Local\exodus\app-<VersionNumber>\profapi.dll
If you believe your Exodus wallet has been compromised, we refer you to their FAQ for more information. For general security measures related to Exodus, please refer to their official guide: Exodus Security Practices.
General information for those who use Code Mods:
While we work hard to minimize risks, there is always an inherent risk in downloading a mod that changes the contents of a program, no matter what platform is used for distribution. We cannot guarantee that malware incidents won’t occur, as malware is constantly evolving and can adapt faster than detection tools. Fully preventing such incidents would require prohibiting and removing code mods altogether—a step we’d prefer to avoid. We know that our players are sharing creative, wonderful work with us and with our community, and we intend to support that.
Every mod uploaded to Paradox Mods undergoes scanning, but it’s important to note that these tools, while thorough, cannot offer complete protection due to the rapid evolution of malware. We are actively looking into how we can further implement security measures around mod publishing to strike the right balance between security and usability.
We encourage users to exercise caution when using code mods. We deeply appreciate those who report any suspicious activity or updates on mods; if you notice anything unusual, please use the Report button on the mod in question on the Paradox Mods platform.
Additionally, always keep your firewall and antivirus software installed and updated.
2024-11-04
Update 2024-11-04
Additional information regarding malware suspicion on the Mod “Traffic” on Cities: Skylines II.
Over the weekend, we have had our experts - along with other DFIR teams - investigating the file, and we believe our initial suspicion of malware was accurate. While we cannot 100% confirm its purpose as of yet, our current belief is that it is a file designed to target crypto wallets on exposed systems, specifically the Exodus crypto wallet. Regardless of whether this is ultimately confirmed, the file shows enough suspicious activity that it should still be considered harmful.
Since our initial identification of the .dll file, 30 out of 72 security vendors now flag it as malware in their scans. Please update your antivirus/antimalware software as a general preventative measure. All mods uploaded to Paradox Mods always get run through a virus scan as a general precaution.
We will continue to share updates as we receive them, and we thank you for your cooperation.
2024-11-01
Update 2024-11-01
We are still working to determine the nature of the malicious file that was added to the “Traffic” mod. As a rule, all mods uploaded to Paradox Mods have always been run through a virus scan as a general precaution. We are hard at work to secure our platform against further issues. Since our original alert, we have taken the following steps to ensure the safety of our community:
We have conducted a specific, thorough scan of other files on the Paradox Mods platform for this malicious file, and no other mods appear to have it.
We have worked in close cooperation with the author of the affected Mod “Traffic” to ensure their account is secure and no further tampering should occur with their work.
We have engaged a team of IT experts to analyze the malicious file and better understand any current and subsequent risks it may pose.
As of now, the precautions we suggested in our original statement are still recommended in order to protect your system. Cities: Skylines II should be perfectly safe to play, and will not put you at further risk. We will issue further updates when our security experts have finished their thorough analysis.
2024-10-31
Important update for all Cities: Skylines II Players
There is a potential security issue that has affected the “Traffic” mod for Cities: Skylines II. Late Monday evening, an outside actor pushed an update to the mod that includes a .dll file we believe is malicious. We have already removed it, and the current version as of 2024-10-31 15:35 CET is safe to download and use, but if your mod synced and you played the game using the mod between Monday and then, there is a possibility that you may have the malicious file.
We are working to determine the nature of this .dll, and we will update you as soon as possible. In the meantime, please take the following steps as soon as possible to secure your system:
If you have not played with the Traffic mod and have not subscribed nor downloaded it, there should be no risk to your system and nothing you need to do.
If you have the Traffic mod and have not played Cities: Skylines II between Monday and today, let the mod sync as normal, and the malicious file should be deleted automatically. Please still scan your system with an anti-malware program like Windows Defender.
If you have played using the affected version, please check your local files. If you have any malicious files installed, you will find them here: %localappdata%low\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\ inside the folder 80095_13
Note that it is only specifically the 80095_13 folder that will contain malicious files; if you do not see this folder, you do not have the compromised version of the mod.
If you do locate this folder, use an antivirus or antimalware program to quarantine it and/or remove it from your system, and run a thorough scan of your drives.
As a precaution, we recommend changing your passwords.
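The two checks the updates describe (the 80095_13 mod folder with its fastmath.dll, and a profapi.dll dropped next to the Exodus wallet app) can be run in one pass. The following PowerShell script is an added example, not a tool from Paradox or the mod author; it only tests for the presence of the paths and filenames given on this page (no hashes are published here, so none are checked) and removes nothing.

```powershell
# Added example: presence check for the indicators named in the Paradox advisory.
# Assumes the paths exactly as the advisory gives them; it does not delete files.

$findings = @()

# 1) The compromised mod package. The advisory writes the path as
#    %localappdata%low\..., which expands to ...\AppData\LocalLow\...
$localLow = $env:LOCALAPPDATA + 'Low'
$modDir = Join-Path $localLow 'Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13'
if (Test-Path -LiteralPath $modDir) {
    $findings += "Compromised mod folder present: $modDir"
    # fastmath.dll is the first-stage DLL named in the final determination.
    foreach ($f in Get-ChildItem -LiteralPath $modDir -Recurse -File -Filter 'fastmath.dll' -ErrorAction SilentlyContinue) {
        $findings += "First-stage DLL present: $($f.FullName)"
    }
}

# 2) The second-stage DLL placed in the Exodus app directory
#    (C:\Users\<Username>\AppData\Local\exodus\app-<VersionNumber>\profapi.dll).
#    Only a copy in the app folder is an indicator; Windows ships a legitimate
#    profapi.dll in System32, which is not what the advisory refers to.
$exodusRoot = Join-Path $env:LOCALAPPDATA 'exodus'
if (Test-Path -LiteralPath $exodusRoot) {
    foreach ($appDir in Get-ChildItem -LiteralPath $exodusRoot -Directory -Filter 'app-*' -ErrorAction SilentlyContinue) {
        $dll = Join-Path $appDir.FullName 'profapi.dll'
        if (Test-Path -LiteralPath $dll) {
            $findings += "Second-stage DLL present: $dll"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the advisory were found at the listed paths.'
} else {
    foreach ($line in $findings) { Write-Output $line }
    Write-Output 'Quarantine the listed items with your antivirus and run a full scan, as the advisory recommends.'
}
```

A clean result from this script only means the named files are absent from the named paths; it does not replace the full antivirus scan the advisory asks for.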
We are working on the following steps to ensure you can enjoy our mods safely and securely:
We will be going through all files uploaded to Paradox Mods to see whether any other mods have had unexpected updates.
We have contacted the modder whose mod was compromised and discussed our recommended steps to secure their account. They have updated Traffic to a safe version, so anyone playing with version v.0.2.4 is playing with a safe version.
Paradox Mods will receive an update that notifies modders when their mods have been updated so that creators are quickly alerted to changes they have not personally made.
Sharing creative game content is at the heart of our community at Paradox, and we will continue to ensure you can explore mods safely.
As an important reminder, do not share your account information or passwords with anyone; we will never directly ask for your password or personal information.