Valheim
This topic has been locked
Munin 29 Jan. 2024 at 10:14
PSA: Valheim Discord Got Hacked
Time of incident: The breach began on 29th Jan. around 18:58 / 6:58pm CET and was stopped 10 minutes after.

What happened: Multiple Discord accounts with admin permissions were hijacked. A phishing link was spammed containing an infected file. Additionally, an attempt was made to delete all channels and ban users.

Current status: Iron Gate restored the Discord. The messages, however, are lost. Users who were falsely banned by the hijackers are unbanned. Thank you for your patience and understanding.

What is important for me?
There is no longer any danger, you can join the Discord again using the old invite url .gg/valheim.
Last edited by Munin; 10 Feb. 2024 at 8:03
Showing comments 181 to 195 of 272
I saw no intrusion either for at least 12 hours, and then I noticed a Windows service with a Chinese-glyph name sending data out over the firewall and realised it had just been in deep sleep to let me think it had gone. Neither Malwarebytes nor Avast detected it. Avast's firewall is next to useless as it doesn't prevent network egress by default (I mean, seriously).

Used Windows Recovery to reinstall, which in hindsight, was not wise at all. I've now migrated wholly to Mint installed from an iso on a fresh USB stick. Might go back to Windows one day, gonna see how it works out as an experiment.

To anyone blaming victims for being pwned by this attack - don't, it's not helpful. That's like blaming rape victims for trusting Uncle Alan.
Elias wrote:
Gisbert wrote:

You did everything right, I wouldn't have done any more myself. Maybe additional reinstalling the BIOS.

In the past, we were also full of viruses on LAN after we loaded the pron and then we reset the computer and didn't worry about anything else.

Thanks, it feels reassuring.

I also never allow network media sharing between me and my sister's PC (only 2 PCs present at home connected to the same network).

Just in case I also ran WS and Malwarebytes in there too, no threats found.
I checked my social medias activity logs after I changed passwords, I didn't find anything unusual.

Maybe I'll consider reinstalling the BIOS at this point, it's the only thing left for me to do...

BTW when I was infected, I repeat: you could clearly see WindowsBootManager.exe (I should have screenshotted it) and other obviously affiliated parasites running; opening the file folder and trying to manually remove them was useless - they had probably already blended with the Windows registry.

@cprince is saying that the trojan "came back", but my processes after fresh-reinstalling are clean and I see no intruder.

Cprince, can you tell me if you fresh installed via Windows Recovery Tool or you flashed a fresh install via USB drive?

Cause I'm pretty sure that Windows Recovery Tool is useless when your OS drive is infected...
Be especially aware and sceptical the next few days/weeks.
If there are no abnormalities, you should be fine.

There is no 100% guarantee - never.
Or have you ever not given a friend a WLAN login from you because his cell phone could be infected? Nobody checks new hardware or when a friend brings a USB stick with pictures.

You have already taken your own best precaution by not saving passwords. Pure common sense. You can pat yourself on the back.

I just wouldn't save anything in the cache in future (in general btw.), even if it's convenient and 98%+ of people do it.

PS: If it does come back, check BIOS flash, keyboard and mouse, replace if necessary, in the worst case replace router and motherboard... perhaps ask a specialist and compare the costs with the hardware costs you would have, and decide which makes more sense.

And yes, the characteristics of the program have deep sleep. Is not recognized as long as it is inactive, so be careful.
But as long as it doesn't come back and you don't save any passwords anyway, why go crazy now.
Last edited by Gisbert; 30 Jan. 2024 at 8:23
cprince wrote:
Used Windows Recovery to reinstall, which in hindsight, was not wise at all.

This is easily why the trojan persisted.

It sheds a bit of light to those who actually proceeded with a complete flash drive re-install using Windows Media Tool externally; I made sure to literally NUKE every drive I had using the Media Tool, leaving nothing behind; this reinforces my sense of safety, for now.

Nevertheless, thanks for your testing, @cprince.
This thread is literal GOLD for whoever was a nutjob like me to run the .exe.

cprince wrote:
To anyone blaming victims for being pwned by this attack - don't, it's not helpful. That's like blaming rape victims for trusting Uncle Alan.

I have no excuses, I feel embarrassed, humiliated and frustrated, aside from suffering from anxiety for the past 24hrs lol

The thing is that I'm no novice when it comes to PCs (which makes it worse), and I was distracted by 10 more things I was doing all at the same time, added up to talking to my GF on Discord about our day, and I just proceeded with downloading the malware and running the .exe.

The reason why I did it so nonchalantly is probably because my brain was set on "Deltarune" mode: I remember when part1 was released to the public, Toby Fox just gave a link to the site to download and run the .exe through folder (no installation whatsoever).

But in hindsight indeed, comparing Toby Fox to Irongate makes no sense whatsoever.
I'm sorry for myself going through this and sorry for every poor soul affected.
Elias wrote:
The thing is that I'm no novice when it comes to PCs (which makes it worse), and I was distracted by 10 more things I was doing all at the same time, added up to talking to my GF on Discord about our day, and I just proceeded with downloading the malware and running the .exe.

The reason why I did it so nonchalantly is probably because my brain was set on "Deltarune" mode: I remember when part1 was released to the public, Toby Fox just gave a link to the site to download and run the .exe through folder (no installation whatsoever).

But in hindsight indeed, comparing Toby Fox to Irongate makes no sense whatsoever.
I'm sorry for myself going through this and sorry for every poor soul affected.
If it helps you to feel better, I have also fallen for phishing before. And I'm really not a stupid person and certainly not inexperienced. Fortunately, I only lost one password/account. But interesting to see how they tried to crack all the accounts by randomly simply trying ALL websites/launchers/everything with this email and that password.

I would have been f**ked if I had one password for everything.

cprince wrote:
To anyone blaming victims for being pwned by this attack - don't, it's not helpful. That's like blaming rape victims for trusting Uncle Alan.
On the other hand - something like this should not happen to a company with this budget size. I don't blame the person at IG who falls for phishing. I blame that it's possible to open an external file without double checking.

Seems like pure carelessness on the part of Iron Gate security standards in a Discord of this size, towards all members/customers. Absolutely irresponsible.

I mean... damn, when you're that big, you have to expect attacks, right? If I know I'm going to be shot at, then I have a bulletproof vest, don't I?
Last edited by Gisbert; 30 Jan. 2024 at 8:43
I fully expected attacks. One of my friends fell for this exact same attack a few months ago. What happened? I let my guard down for just 2 minutes. I was busy, distracted, trying to get some work done at midnight, someone was hassling me to try their game out, I "gave the kid a break" and tried to give them some feedback. It can happen to anyone at any time. Imagine having to be so constantly vigilant you're going to be murdered every time you leave the house that you wear armour and keep spinning around to look behind you. It's exhausting and irritating at best.

The fault lies here with Discord and their appalling practices. Their 2FA is utterly broken. They know it's been broken for years. They refused to do anything about it when I first reported it when we got hacked. They eventually replied over a day later to tell us they'd reinstated the hacker's account! And now they refuse to reply at all.

Discord should be on fire at the moment. They deserve it.

On the other hand several other sites claiming to implement 2FA are broken similarly - one successful sign in and you're in, they do no further 2FA checking, so every single one of those sites is vulnerable to session hijacking exploits.
Gisbert wrote:
On the other hand - something like this should not happen to a company with this budget size.

What I find most disappointing is the complete lack of responsibility on Irongate's end: they literally did not care one bit about whoever fell victim to the phishing.

They gave no instructions whatsoever, they didn't care about minimally studying the malware or grant just a tiny mote of light for those affected because of them.

They could've done better tbh.
Gisbert wrote:
Seems like pure carelessness on the part of Iron Gate security standards in a Discord of this size, towards all members/customers. Absolutely irresponsible.

What I find much worse is that the only information I see about how serious this is, is coming from you. The only official word I see from ig is 'don't click links' which isn't really helpful for those that clicked the links. Never been on their discord so not affected, but can understand the pain of those that are.
exoLL 30 Jan. 2024 at 9:02
seven wrote:
Gisbert wrote:
Seems like pure carelessness on the part of Iron Gate security standards in a Discord of this size, towards all members/customers. Absolutely irresponsible.

What I find much worse is that the only information I see about how serious this is, is coming from you. The only official word I see from ig is 'don't click links' which isn't really helpful for those that clicked the links. Never been on their discord so not affected, but can understand the pain of those that are.

Exactly what I said.
To think there are no instructions or help anywhere, one has to dig Steam's thread for this.

I am trying to post everywhere on the Reddit's megathread to make people aware of this issue, people who fell victims of this.

Hopefully it's of any help, but IronGate should take responsibility.
seven wrote:
What I find much worse is that the only information I see about how serious this is, is coming from you. The only official word I see from ig is 'don't click links' which isn't really helpful for those that clicked the links. Never been on their discord so not affected, but can understand the pain of those that are.
Please don't give me too much credit.
I'm not the one who uploaded the file to VirusTotal, and without cprince's post I would never have clicked on it. If anyone, you can leave cprince a big thank you, he has revealed his path of suffering. I just had a quick look at the virus behaviour.

Elias wrote:
seven wrote:

What I find much worse is that the only information I see about how serious this is, is coming from you. The only official word I see from ig is 'don't click links' which isn't really helpful for those that clicked the links. Never been on their discord so not affected, but can understand the pain of those that are.

Exactly what I said.
To think there are no instructions or help anywhere, one has to dig Steam's thread for this.

I am trying to post everywhere on the Reddit's megathread to make people aware of this issue, people who fell victims of this.

Hopefully it's of any help, but IronGate should take responsibility.
Either IronGate simply didn't expect this and is completely up in the air right now / which would be fatal not to have any security protocol or fallback plan in place - no emergency route, no worst-case scenario, or they have such huge problems themselves - who knows, maybe Unity logins were leaked/game leaks or something else, that they are simply preoccupied with themselves.

But yeah it's true. When Sony was hacked for example, there was instant support from the manufacturer. Accounts were temporarily blocked, instructions were made public, so that user damage was kept to a minimum.
In this case you have the feeling of being alone after almost 24? hours.

In any case, there will be a huge internal debate and safety briefings at IG.
Last edited by Gisbert; 30 Jan. 2024 at 9:46
cprince wrote:
I fully expected attacks. One of my friends fell for this exact same attack a few months ago. What happened? I let my guard down for just 2 minutes. I was busy, distracted, trying to get some work done at midnight, someone was hassling me to try their game out, I "gave the kid a break" and tried to give them some feedback. It can happen to anyone at any time. Imagine having to be so constantly vigilant you're going to be murdered every time you leave the house that you wear armour and keep spinning around to look behind you. It's exhausting and irritating at best.

The fault lies here with Discord and their appalling practices. Their 2FA is utterly broken. They know it's been broken for years. They refused to do anything about it when I first reported it when we got hacked. They eventually replied over a day later to tell us they'd reinstated the hacker's account! And now they refuse to reply at all.

Discord should be on fire at the moment. They deserve it.

On the other hand several other sites claiming to implement 2FA are broken similarly - one successful sign in and you're in, they do no further 2FA checking, so every single one of those sites is vulnerable to session hijacking exploits.

Reading over all of the stuff posted here. Laptop got infected by this, ran for about 40 seconds while it was currently being remoted into, and was hard powered off after that 40 seconds. Network it was on was very high security, and network-wide firewall and security successfully blocked the RAT portion of the attack.
Removed the laptops access to the internet, and moved it away from any wifi it could go onto, and put it in airplane mode. dug through to find the log files and epsilon stealer file that had been created. Epsilon stealer file was incomplete, having my browser data / auto fill passwords, but missing entire sections such as almost no system data, literally no network data. I've reset my password on every account I can think of on a separate device, and managed to secure even my discord account. I've re-flashed my wifi card drivers, completely wiped and formatted all drives on the laptop, and any peripherals connected at the time are currently quarantined. I'm holding off on connecting this laptop back up to anything, but it seems I interrupted the virus part way through the data collection process.
Not really sure what else I can do here. I've had no attempted logins, or uses of any of my accounts that I've secured. I haven't seen a single account that was flagged, or that I couldn't get into, and it's hard to tell how safe further use of the laptop is. Any way for me to check, and see if any of my firmware is infected? I don't currently see any more signs of the trojan, but it's painfully hard to tell sometimes.
Reading over the VirusTotal file I don't see anything in there about firmware encoding, but that certainly doesn't mean it doesn't. I'm progressively checking the places I know it placed hooks on the initial infection, and I know that viruses injecting into the BIOS is stupidly rare to see, but I'm trying to take every precaution I can, considering how freaking brain dead I was when I ran the file.
Do not click the discord link on store page or Google, they have taken over it
cprince wrote:
I saw no intrusion either for at least 12 hours, and then I noticed a Windows service with a chinese-glyph name sending data out over the firewall and realised it had just been in deep sleep to let me think it had gone. Neither Malwarebytes nor Avast detected it. Avast's firewall is next to useless as it doesn't prevent network egress by default (I mean, seriously).

Used Windows Recovery to reinstall, which in hindsight, was not wise at all. I've now migrated wholly to Mint installed from an iso on a fresh USB stick. Might go back to Windows one day, gonna see how it works out as an experiment.

To anyone blaming victims for being pwned by this attack - don't, it's not helpful. That's like blaming rape victims for trusting Uncle Alan.


also this, but man is it hard to not beat myself up for making such an idiotic rookie mistake. I'm mad because I know I'm better than this, and it honestly baffles me that I fell for this attack at all.
Either way getting upset at myself won't help my predicament. I just want to see if I can fully save my 2k$ laptop :/
For those who had the virus and did a cleanup of their system but are still doubtful: you could open Task Manager and click on the Performance tab, then click on the Resource Monitor. There you will see all the processes that are running, and see their CPU and network usage in real time with detailed information. For example you can see where and to whom you are sending your data. If you spot suspicious activity there it may be good to do some research as to what is causing it. However don't go deleting anything you see up there as there are some executables that are vital too. I don't know how the virus works so maybe it'll be useless to do that if it just did what it had to do upon first launching it, but it could still be worth the try. Just sit and watch what your computer is doing once in a while. IMO you should do that even when you don't think you have a virus, just a good habit to see what your computer is up to.

Another thing you could do would be to use Event Manager and go back to the date and time you got the virus and read the reports from there up until now. Your computer logs a lot of data in there. Errors, crashes, authentication attempts, software conflicts and hardware issues, etc. However, once again, you need to figure out what's what, and don't act impulsively if you see something odd. You can use the web to identify the meaning of those reports. (Just a heads up: launching this software can freeze your PC for a few seconds, that's normal, it's just gathering a lot of data, and also don't be surprised to see a ton of errors, that's also normal. You should mainly focus on the red icon ones.)

It's a good idea to learn how your computer works to prevent stress when this stuff happens. It's a bit like car mechanics. You don't need to know everything but it's always handy to know a little beyond the basics, that'll make you more at ease if something bad happens.

If you are still haunted by doubt it's best to find a professional and tell them exactly what happened. Professional PC experts from renowned computer repair shops know how to wipe a virus out of a computer. It will cost you some money but it's a good investment if you want to rid yourself of stress.
Last edited by The Flaming Pike; 30 Jan. 2024 at 12:03
Dawnthief wrote:
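The two checks The Flaming Pike describes above (watch which process is sending data to whom, then read the event logs from the infection time forward) can be scripted so the result is a list you can review calmly rather than a live dashboard. The script below is an added example and is not from anyone in this thread; it is read-only (it lists, it does not kill or delete anything, for the same reason the post gives). It assumes an elevated Windows PowerShell 5.1 or later session on the affected machine, and `$InfectionTime` is a placeholder you set to the time you ran the file.

```powershell
# Added example, not from the thread. Read-only triage on a Windows machine.
# Assumptions: elevated PowerShell 5.1+, $InfectionTime set by you (placeholder default).
param(
    [datetime]$InfectionTime = (Get-Date).AddDays(-2)   # placeholder: when you ran the file
)

# 1. Established TCP connections with the owning process and its image path.
#    Review for processes you cannot account for, image paths under %TEMP% or
#    a user profile, and remote hosts/ports you do not recognise.
$connections = Get-NetTCPConnection -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = $proc.ProcessName
            PID        = $_.OwningProcess
            Path       = $proc.Path
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
        }
    } |
    Where-Object { $_.RemoteAddr -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }   # drop loopback

"=== Established connections by process ==="
$connections | Sort-Object Process | Format-Table -AutoSize

# 2. Security log since the infection: logons (4624) and process creations (4688).
#    4688 entries exist only if process-creation auditing was enabled beforehand.
"=== Security: logons and process creations since $InfectionTime ==="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4688
    StartTime = $InfectionTime
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize -Wrap

# 3. The "red icon" entries: Critical (1) and Error (2) in System and Application.
"=== System/Application: critical and error events since $InfectionTime ==="
Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2
    StartTime = $InfectionTime
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize -Wrap
```

Run it as `.\triage.ps1 -InfectionTime '2024-01-29 19:00'` (your own time, not this one) and save the output to a file on a clean machine before acting on anything. The connection listing only catches the implant while it is actually talking, which is exactly the "deep sleep" caveat raised earlier in the thread, so repeating it over a few days is more useful than one run; and none of this inspects firmware, which is a separate question.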
Do not click the discord link on store page or Google, they have taken over it

I've already told the devs to remove the embedded link on store page. But they don't care.

Or steam is being slow to make the change. I don't know.
They removed the link on the Twitter/X account as soon as I brought it up. I don't see why they wouldn't do the same for the Steam page. I don't know how Steam manages things so there could be some process that is delaying the change.

Posted on 29 Jan. 2024 at 10:14
Messages: 272