The investigation indicates that the identified threat is a DLL hijacking attack specifically targeting the Exodus cryptocurrency wallet data. The attacker introduced a harmful DLL file (fastmath.dll) within the Traffic mod directory, which the game executable inadvertently loads upon launch on the affected system. This malicious DLL acts as the initial stage in the malware’s operation.
After being activated by the game executable, the subsequent stage of the malware initiates, wherein the DLL attempts to locate Exodus crypto wallets stored within the AppData local directory of the computer.
If there are no Exodus cryptocurrency wallets present on a user’s device, the second phase of this attack does not proceed.
Only the “Traffic” mod was compromised. It has been verified that the author’s account for the “Traffic” mod was breached, after which the malicious content was uploaded from an unauthorized location. The account has since been secured, and no further interference with their work is anticipated.
If you have not launched the game using the version of the Traffic mod with the infected DLL downloaded and installed, you remain unaffected. Similarly, if your system lacks an Exodus cryptocurrency wallet, the malware should not have caused any harm.
We advise manually removing the secondary DLL file found at this location: C:\Users\\AppData\Local\exodus\app-\profapi.dll
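As an added check that is not part of this advisory, the script below looks for the two files named above: profapi.dll inside an Exodus app directory (a Windows system DLL has no business sitting next to the wallet binary) and fastmath.dll anywhere under a mods folder. It records a SHA-256 for each hit so the finding can be kept before the file is deleted. The exodus\app-<version>\ layout is assumed, since the path above elides the username and version.

```python
import hashlib
import os
import sys
from pathlib import Path

# Indicator file names come from the advisory; the directory layout below the
# profile root (exodus\app-<version>\) is an assumption, since the advisory
# elides the username and version segments of the path.
EXODUS_STAGE2 = "profapi.dll"   # second-stage DLL dropped into the Exodus app dir
MOD_STAGE1 = "fastmath.dll"     # first-stage DLL placed in the Traffic mod dir


def sha256_of(path: Path) -> str:
    """Hash the file so a finding can be recorded before the file is deleted."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_exodus_profapi(local_appdata: Path) -> list[Path]:
    """profapi.dll is a Windows system DLL (System32); a copy sitting next to
    the Exodus binary is the hijack payload the advisory says to remove."""
    return sorted(Path(local_appdata).glob(f"exodus/app-*/{EXODUS_STAGE2}"))


def find_mod_fastmath(mods_root: Path) -> list[Path]:
    """Walk the mods tree for fastmath.dll; compare case-insensitively as NTFS does."""
    hits = []
    for dirpath, _dirs, files in os.walk(mods_root):
        hits.extend(Path(dirpath) / n for n in files if n.lower() == MOD_STAGE1)
    return sorted(hits)


def triage(local_appdata, mods_root) -> dict[str, list[tuple[str, str]]]:
    """Map each indicator to [(path, sha256)] for every match; empty lists mean clean."""
    return {
        "exodus_profapi": [(str(p), sha256_of(p)) for p in find_exodus_profapi(Path(local_appdata))],
        "mod_fastmath": [(str(p), sha256_of(p)) for p in find_mod_fastmath(Path(mods_root))],
    }


if __name__ == "__main__":
    # Usage: python check.py <mods folder> [LOCALAPPDATA]; defaults to %LOCALAPPDATA%.
    mods = sys.argv[1] if len(sys.argv) > 1 else "."
    local = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("LOCALAPPDATA", "")
    for label, hits in triage(local, mods).items():
        print(label, "CLEAN" if not hits else "")
        for path, digest in hits:
            print("  FOUND", path, digest)
```

The scan only reports; removal stays a manual step as the advisory describes, and a clean result does not rule out other changes made by the second stage.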
For more information on actions to take if your Exodus wallet has been breached, please consult their FAQ.
For general security guidelines concerning Exodus, refer to their official guide: Exodus Security Practices.
While we strive diligently to reduce risks, there remains a fundamental risk when downloading mods that alter a program’s content, regardless of the platform it’s distributed on. We cannot completely eliminate the possibility of malware incidents because malware evolves quickly and can outpace detection methods. Fully preventing these incidents would require banning and eliminating code mods altogether, a measure we are reluctant to take. We understand that our players contribute exceptional, innovative work to our community, and we are committed to supporting this.
Every mod submitted to Paradox Mods undergoes scanning, but it’s vital to appreciate that these tools, despite their thoroughness, cannot guarantee total defense against malware due to its rapid advancement. We are actively seeking additional ways to enhance security around mod publishing in order to balance safety with functionality.
We urge users to exercise vigilance when utilizing code mods. Your reports on anomalies or updates within mods are invaluable; if you encounter anything suspicious, please report the mod in question on the Paradox Mods platform.
Moreover, consistently maintain and update your firewall and antivirus software.