{
	"id": "8652013f-6e8c-4e80-af52-2853b6ac00c7",
	"created_at": "2026-04-06T00:08:47.359974Z",
	"updated_at": "2026-04-10T03:24:29.539124Z",
	"deleted_at": null,
	"sha1_hash": "cf73a77539cdc5a4e7eef62a86c42b1dbd65e0ef",
	"title": "Gamescom 2017: It’s all fun and games until black hats step in",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2796687,
	"plain_text": "Gamescom 2017: It’s all fun and games until black hats step in\r\nBy Tomáš Gardoň\r\nArchived: 2026-04-05 21:03:59 UTC\r\nESET Research\r\nESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide.\r\n22 Aug 2017  •  , 6 min. read\r\nESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide. Spread\r\nvia hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually\r\nany other malicious code on the victim’s computer.\r\nTo spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games\r\n(MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was\r\nbeing distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.\r\nhttps://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/\r\nPage 1 of 8\n\nOur research has shown that several other Aeria games have been misused in the same way in the past, however,\r\ntheir corresponding unofficial websites have either gone inactive or had the malicious downloads removed in the\r\nmeantime.\r\nESET blocks the website serving Joao malware and has informed Aeria Games about the matter.\r\nFigure 1: Infected version of Grand Fantasia as distributed via gf.ignitgames[.]to\r\nHow does it work?\r\nThe affected games have been modified to run Joao’s main component – a malicious library mskdbe.dll, detected\r\nby ESET's systems as Win32/Joao.A. 
When users run the game launcher, Joao is launched along with it.\r\nUpon launching, the Joao downloader first sends basic information about the infected computer – device name,\r\nOS version and information on user privileges – to the attacker’s server. Because the malware keeps its operations\r\n“silent” and since the game works as expected, there’s nothing suspicious about the whole infection process from\r\nthe user’s point of view.\r\nCompared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in\r\nthe game’s installation folder.\r\nFigure 2: Joao downloader in the game’s installation folder\r\nAfter the communication with the server has been established, server-side logic decides whether and which\r\ncomponents will be sent to the victim’s computer. The Joao components we discovered during our research had\r\nbackdoor, spying, and DDoS capabilities.\r\nHas my computer been infected? How do I clean it?\r\nDownloading lots of games from different sources and unsure if any of this applies to you? For a quick check of\r\nJoao’s presence on your computer, you can try running a search for “mskdbe.dll” – if the search returns a result,\r\nyour computer has most likely been infected with the Joao malware. If no such file is found, it doesn’t\r\nautomatically mean you haven’t crossed paths with the malware – the crooks can rename the file at any moment.\r\nTherefore, it’s best to use a reliable security solution to detect the threat and remove it for you – you can also use\r\nESET’s Free Online Scanner.\r\nHow to stay safe?\r\nWith the gamescom fair underway, let’s take a look at how you can enjoy gaming without being faced with\r\nthreats.\r\nFavor official sources whenever possible. 
The MMORPGs targeted by these particular attackers are just a\r\nfraction of what might be lurking under download links on thousands of other unofficial websites and\r\nforums distributing games.\r\nKeep your games updated. Games, too, have vulnerabilities that can be exploited by malicious actors.\r\nMake sure you have all available patches applied.\r\nUse a reliable security solution and keep it turned on while gaming. At any point of your gaming\r\nexperience, things might take a wrong turn – and you want to be prepared for that. Many security solutions\r\ntoday have a gamer mode option that lets you enjoy your games without interruptions while also keeping\r\nyour computer protected.\r\nKeep in mind that there are other threats targeting gamers. Check out ESET’s further security tips for\r\ngamers.\r\nAdditional information\r\nESET’s systems have detected Joao all around the world. The following map shows which countries have been\r\nmost affected:\r\nFigure 3: Joao detections distribution based on ESET’s detection systems\r\nIoCs\r\nJoao downloader: mskdbe.dll – Win32/Joao.A\r\nComponents:\r\nJoaoShepherd.dll – Win32/Joao.B\r\njoaoDLL.dll – Win32/Joao.C\r\njoaoInstaller.exe – Win32/Joao.D\r\nJoaoShepherd.dll (x64) – Win64/Joao.B\r\njoaoInstaller.exe (x64) – Win64/Joao.D\r\nSource: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
	],
	"report_names": [
		"gamescom-2017-fun-blackhats"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf73a77539cdc5a4e7eef62a86c42b1dbd65e0ef.pdf",
		"text": "https://archive.orkl.eu/cf73a77539cdc5a4e7eef62a86c42b1dbd65e0ef.txt",
		"img": "https://archive.orkl.eu/cf73a77539cdc5a4e7eef62a86c42b1dbd65e0ef.jpg"
	}
}