Growtopia
⚠️ Overview
Growtopia is not a standalone malware family but a social-engineering-driven threat ecosystem that uses the popular sandbox MMO Growtopia as a lure and infection vector. First documented by Malwarebytes researchers in 2021, the category covers info-stealers, RATs, and downloaders aimed at players of the game, mostly run by opportunistic cybercriminal groups active on Discord and gaming forums. The payloads are most commonly classified as stealers and downloaders and are delivered through fake "Growtopia mods", "autofarm scripts", or "free gems" scams.
🔧 Technical Capabilities
These threats spread through social engineering: attackers distribute ZIP archives containing a malicious executable disguised as a Growtopia cheat tool. On execution the dropper unpacks a .NET-based loader that establishes persistence in two places, a scheduled task named "GrowtopiaUpdate" and a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The payload talks to its C2 servers over HTTP/HTTPS, often with a custom User-Agent such as "Mozilla/5.0 (Growtopia; Win64)"; the string is presumably meant to pass as game traffic, but since no mainstream browser sends it, it is a reliable network indicator rather than an evasion. Many variants steal browser-stored credentials, cookies, cryptocurrency wallets, and Discord tokens, and some capture screenshots or log keystrokes. Certain samples use process hollowing: they start a suspended instance of the legitimate Growtopia.exe and replace its image in memory, so the malicious code runs under a trusted process name and is less likely to be flagged by antivirus. MITRE ATT&CK techniques observed include T1059 (Command and Scripting Interpreter), T1055.012 (Process Injection: Process Hollowing), T1053.005 (Scheduled Task/Job: Scheduled Task), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), T1552.001 (Unsecured Credentials: Credentials In Files) for the Discord token theft, T1113 (Screen Capture), and T1056.001 (Input Capture: Keylogging).
📜 History & Notable Incidents
The first major campaign was reported in June 2021 by Malwarebytes Labs: a fake "Growtopia AutoFarm" tool, promoted through YouTube tutorials, dropped the AgentTesla info-stealer. In October 2022, Fortinet researchers described a variant posing as "Growtopia Hack v2.0" that delivered the CryptoBot trojan through a malicious .docx exploiting CVE-2022-30190 (the "Follina" vulnerability in the Windows Support Diagnostic Tool, MSDT). In March 2023, fake Growtopia giveaway links on Discord were used to distribute Lumma Stealer, reportedly affecting over 10,000 players within a week. No CVEs are associated with Growtopia itself; the delivery chains instead exploit CVE-2022-30190 and CVE-2021-40444 (the MSHTML remote code execution flaw), both of which are patched and only succeed on systems that have not applied the fixes. Law enforcement has taken no specific action against these groups, which are typically small-scale and geographically dispersed.
🔍 Detection Indicators
Known file hashes from recent campaigns include SHA256 f6c9e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0 (Lumma variant) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (AgentTesla variant). Note that the second value as published is 60 hexadecimal characters, not the 64 of a SHA-256 digest, so it cannot be used as-is; verify both against the original reports before loading them into a blocklist. Behavioral signatures include creation of a scheduled task named "GrowtopiaUpdate", a value named "GrowtopiaUpdate" under HKCU\...\Run, and network connections to 45.33.32.0/20 and 104.16.0.0/12 carrying decoy HTTP headers that mimic Growtopia API calls. Both prefixes are large shared allocations (104.16.0.0/12 belongs to Cloudflare), so treat them as hunting context rather than block-worthy indicators; blocking them wholesale would disrupt a great deal of legitimate traffic. The mutex name Global\GrowtopiaMutex_xyz is observed in some samples. The User-Agent string "Mozilla/5.0 (Growtopia; Win64; rv:91.0)" is a strong indicator.
☠️ Risk & Impact
The primary damage is credential theft and takeover of Growtopia accounts, leading to loss of in-game items and virtual currency that resells for thousands of USD on black markets. Beyond gaming, the malware often steals cryptocurrency wallets and Discord tokens; when the victim's machine is also used for work, the same stolen browser sessions and tokens can give the attacker a foothold in corporate accounts. The affected sectors are predominantly gaming and social media, but secondary impact on individuals' financial accounts has been documented in Malwarebytes' 2022 report.
🛡️ Mitigation
Defenders should block execution of unsigned executables from untrusted locations (user profile, Downloads, Temp), deploy YARA rules keyed on the mutex and User-Agent strings, and use application allowlisting so that only the signed game client, not a cheat tool dropped beside it, can run. The persistence mechanism is visible in Sysmon: event ID 1 (process creation) catches schtasks.exe /create with /tn "GrowtopiaUpdate", and event ID 13 (registry value set) catches the "GrowtopiaUpdate" value written under the Run key. For the process-hollowing variants, event ID 1 showing Growtopia.exe launched by an unexpected parent (the dropped loader rather than Explorer or the game's own launcher) is the most useful signal. Refer to Malwarebytes' report "Growtopia Malware Campaign: Fake Mods Deliver Info-Stealers" (2021) and Fortinet's analysis of the CryptoBot variant (2022) for detailed IOCs.
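The following hunting script is an added example for this page, not code from Malwarebytes, Fortinet, or the Boteraser catalog. It runs the Sysmon detections just described (event ID 1 for the schtasks.exe task creation, event ID 13 for the Run value) and the User-Agent check over constructed sample records. Field names follow Sysmon's EventData (EventID, Image, ParentImage, CommandLine, TargetObject, Details); Sysmon writes per-user keys as HKU followed by the user's SID rather than HKCU, so the sample TargetObject uses that form. Every event, path, SID and log line below is constructed for the demonstration, not captured from a real infection.

```python
"""Hunt constructed Sysmon-style events and proxy lines for the Growtopia
persistence and network indicators.  Added example; the events, paths, SID
and log lines are constructed, not captured from a real infection."""
import re
from typing import Dict, Iterable, List

TASK_NAME = "GrowtopiaUpdate"

# Sysmon EID 1: schtasks.exe creating the persistence task (T1053.005).
SCHTASKS_CREATE_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?' + re.escape(TASK_NAME) + r'"?',
    re.IGNORECASE,
)
# Sysmon EID 13: value named GrowtopiaUpdate set under the per-user Run key (T1547.001).
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(TASK_NAME) + r"$",
    re.IGNORECASE,
)
# Network indicator: the C2 User-Agent quoted in the Detection Indicators section.
GROWTOPIA_UA_RE = re.compile(r"Mozilla/5\.0 \(Growtopia; Win64")

# Constructed Sysmon events: two malicious (task creation and Run value written by
# a loader in %APPDATA%) and two benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Growtopia_AutoFarm.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "GrowtopiaUpdate" '
                    r'/tr "C:\Users\alice\AppData\Roaming\gt\loader.exe" /f'},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\gt\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software"
                     r"\Microsoft\Windows\CurrentVersion\Run\GrowtopiaUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\gt\loader.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks.exe /query /tn "GrowtopiaUpdate"'},  # query, not create
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software"
                     r"\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# Constructed proxy log lines: client, method, URL, User-Agent.
SAMPLE_PROXY_LINES = [
    '10.0.0.5 GET http://c2.example.invalid/api/v1/ping "Mozilla/5.0 (Growtopia; Win64; rv:91.0)"',
    '10.0.0.5 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"',
]


def hunt_sysmon(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a persistence indicator."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and SCHTASKS_CREATE_RE.search(str(ev.get("CommandLine", ""))):
            findings.append({
                "technique": "T1053.005",
                "rule": "schtasks_create_GrowtopiaUpdate",
                "actor": str(ev.get("ParentImage", "")),  # process that launched schtasks
                "evidence": str(ev["CommandLine"]),
            })
        elif eid == 13 and RUN_VALUE_RE.search(str(ev.get("TargetObject", ""))):
            findings.append({
                "technique": "T1547.001",
                "rule": "run_value_GrowtopiaUpdate",
                "actor": str(ev.get("Image", "")),  # process that wrote the value
                "evidence": str(ev["TargetObject"]),
            })
    return findings


def hunt_proxy(lines: Iterable[str]) -> List[str]:
    """Return proxy log lines carrying the Growtopia C2 User-Agent."""
    return [line for line in lines if GROWTOPIA_UA_RE.search(line)]


if __name__ == "__main__":
    for f in hunt_sysmon(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['actor']} -> {f['evidence']}")
    for line in hunt_proxy(SAMPLE_PROXY_LINES):
        print("[C2 User-Agent]", line)
```

The "actor" field is what makes the finding actionable: for the task it is the parent that invoked schtasks.exe (the dropped cheat tool), for the Run value it is the writing process (the loader in %APPDATA%), and either path is the file to pull for triage. On a real host, feed the function the EventData of Sysmon events exported from the Microsoft-Windows-Sysmon/Operational log instead of SAMPLE_EVENTS.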
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.