Cities: Skylines II players who have played with mods recently may want to run some scans on their computers, according to Paradox Interactive, the game's publisher. A popular mod on the game's built-in modding platform, Paradox Mods, has seemingly been updated to include an unauthorized .dll outside of the mod author's control, and Paradox believes this file to be malicious.
The mod "Traffic" seems to be the sole affected custom content available on the platform, and the company says that the version with the rogue .dll has already been removed. However, anyone who played Cities: Skylines II with the Traffic mod between Monday, October 28, and Thursday, October 31, may have this file on their computers.
Here's what Paradox recommends players do, depending on whether they are affected:
- If you have not played with the Traffic mod and have not subscribed nor downloaded it, there should be no risk to your system and nothing you need to do.
- If you have the Traffic mod and have not played Cities: Skylines 2 between Monday and today, let the mod sync as normal, and the malicious file should be deleted automatically. Please still scan your system with an anti-malware program like Windows Defender.
- If you have played using the affected version, please check your local files. If you have any malicious files installed, you will find them here: %localappdata%low\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\ inside the folder 80095_13
- Note that it is only specifically the 80095_13 folder that will contain malicious files; if you do not see this folder, you do not have the compromised version of the mod.
- If you do locate this folder, use an antivirus or antimalware program to quarantine it and/or remove it from your system, and run a thorough scan of your drives.
- As a precaution, we recommend changing your passwords.
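
The folder check and scan from the steps above can be scripted. The following PowerShell is an added example, not part of Paradox's statement; it assumes a Windows system where the Microsoft Defender cmdlets (Start-MpScan, Get-MpThreatDetection) are available, and it only inspects the profile of the user who runs it.

```powershell
# Added example: look for the folder named in Paradox's advisory and scan it.
# "%localappdata%low" resolves to the current user's AppData\LocalLow directory.
$modsRoot = Join-Path "${env:LOCALAPPDATA}Low" 'Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed'
$target   = Join-Path $modsRoot '80095_13'   # folder name taken from the advisory

if (-not (Test-Path -LiteralPath $modsRoot -PathType Container)) {
    Write-Output "No mod cache at '$modsRoot' for this user."
}
elseif (-not (Test-Path -LiteralPath $target -PathType Container)) {
    Write-Output "Folder 80095_13 is not present under '$modsRoot'."
}
else {
    Write-Warning "Found '$target'. Quarantine or remove it as the advisory describes."

    # Inventory every file (hidden ones included) with size, timestamp and
    # SHA-256, so there is a record of what was there before removal.
    Get-ChildItem -LiteralPath $target -Recurse -File -Force |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'SHA256'
               Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-List

    # Targeted Defender scan of the folder, if the Defender module is present.
    if (Get-Command -Name Start-MpScan -ErrorAction SilentlyContinue) {
        Start-MpScan -ScanType CustomScan -ScanPath $target

        # Show detections whose affected resources point into the folder.
        Get-MpThreatDetection |
            Where-Object { $_.Resources -like '*80095_13*' } |
            Select-Object InitialDetectionTime, ThreatID, Resources |
            Format-List
    }
    else {
        Write-Output 'Defender cmdlets not available; scan the folder with your installed anti-malware product.'
    }
}
```

A targeted scan of this one folder does not replace the thorough scan of all drives that the advisory asks for.
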
An update to the breach announcement blog post today says that Paradox is engaging with a "team of IT experts" to scan the .dll file and assess its risks. It has also scanned through all the mods available via Paradox Mods and made sure no other content is affected. The Traffic mod's author account is also said to be secure again, with the company saying that "no further tampering should occur with their work."
The company says that more information about the breach and the file will be shared later once the security team is finished scanning the data. "Cities: Skylines II should be perfectly safe to play, and will not put you at further risk," it adds.
UPDATE: Paradox Interactive has updated the official statement with details on the file that was spread to players via the Paradox Mods platform:
Over the weekend, we have had our experts - along with other DFIR teams - investigating the file, and we believe our initial suspicion of malware was accurate. While we cannot 100% confirm its purpose as of yet, our current belief is that it is a file designed to target Crypto Wallets on exposed systems, specifically Exodus crypto wallet. Regardless of whether this turns out to be confirmed or not, the file has enough suspicious activity that it should still be considered harmful.
The company adds that numerous antivirus vendors are now detecting this file and alerting users that it is malicious if it is found on a system.