Bitdefender warns of fake GTA VI beta ads spreading malware

New research from cybersecurity firm Bitdefender has revealed a malicious campaign exploiting the anticipation surrounding the release of Grand Theft Auto VI (GTA VI). The latest release from US-based publisher Rockstar Games is among the most awaited titles in the gaming community. It is scheduled for release on PS5 and Xbox Series in Autumn 2025, with PC versions expected later.

Bitdefender researchers have detected suspicious Facebook ads promoting fake "GTA VI beta versions" for free download on PC. These ads, running between 16 and 18 July, were featured on a Facebook page claiming early access to the GTA VI beta for the first 100 people. Although none of these ads are currently active, they potentially reached hundreds of users across several European countries, including France, Poland, Romania, Germany, Spain, Hungary, Italy, Greece, the Netherlands, and Sweden, among others.

The ads lured gamers to join the supposed beta release and download the version onto their devices. Clicking the "Download" button redirected users to a malicious webpage where a fake download counter appeared before downloading a harmful file from Dropbox. This domain, created on 27 June 2024, appears to be hosting an Ethereum scam on its index page.

Andrei Mogage, a security researcher, provided an analysis of the malicious file downloaded through the Facebook ad. According to Mogage, the MSI file impersonates a legitimate GTA VI installer, but it is actually malware similar to the FakeBat loader. The malware uses an MSI file pretending to be genuine software to distribute malicious payloads created by other entities alongside PowerShell scripts.

“The MSI file downloaded through the Facebook ad impersonates a legitimate installer for GTA VI and mimics an installation process. The file itself is malicious, with many similarities with FakeBat loader malware,” Mogage explained. He further stated that recent versions of FakeBat typically include MSIX instead of MSI, although operators can choose to pay for the MSI format.

Mogage added that FakeBat loader malware has been commonly spread via fraudulent websites and ads. This malware supports the download of secondary malware, such as info-stealers and Remote Access Trojans (RATs), which can extract credentials and financial information from compromised systems or even unleash ransomware.

Bitdefender noted that the three harmful samples available for download from the ads are incomplete and cannot finish their execution to deploy further payloads on users' devices or begin data exfiltration. Nevertheless, the researchers warned that the threat actors behind the campaign might update their malicious software to exploit the user base more effectively.

Bitdefender’s Ionut Baltariu, an avid gamer, urged users to be cautious and avoid posts, ads, or messages claiming early access to the eagerly awaited GTA VI game. He provided several safety tips for gamers to protect themselves from such scams:

"Never download executables or files for games, especially exciting upcoming releases, from ads or posts on social media. Scammers and cybercriminals will also exploit news and hot topics to defraud internet users or conduct malware attacks," said Baltariu. He also recommended being wary of any downloadable files available via platforms like Dropbox, Discord, Trello, Google Drive, and Microsoft OneDrive.

Baltariu advised verifying information on the official game developer’s website before engaging with any ads or messages on social media platforms. He also emphasised the importance of staying informed about the latest scams and sharing this knowledge within the gaming community to enhance collective safety.

To bolster cybersecurity, Baltariu recommended using security solutions, such as those offered by Bitdefender, which block new and existing threats. These solutions can also provide tailored user profiles to reduce system workload and interruptions for a smoother gaming experience.