Paradox recently confirmed that the popular Cities Skylines 2 'Traffic' mod had been updated with a malicious file. This file was not added to the mod by the mod's creator, and the CS2 publisher quickly pushed a new, safe version that removed the suspect file. Now, Paradox provides a new statement, explaining that the file may have targeted the cryptocurrency wallets of any exposed Cities Skylines 2 players. The publisher reiterates that the file should be considered harmful and removed from your PC if it is present.
'Traffic' is a Cities Skylines 2 mod that adds new tools for managing vehicle flow in the city-building game. Paradox reported that on Monday October 28, an "outside actor" pushed an update for the mod that added what was believed to be a malicious file. That file was removed by Paradox, working in conjunction with Traffic's creator, and a new version of the mod was added to the official Paradox Mods platform. However, if any Cities Skylines 2 players used the version of the mod that contained the malicious file - i.e., if they had their mods set to update automatically, and then played CS2 between October 28 and Friday October 31 while using the Traffic mod - it is possible that they have been exposed to the malicious file.
Paradox advises players to run antivirus and malware detection programs, and to search a specific folder - %AppData%\LocalLow\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13 - for any suspect .dll files.
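One way to carry out that folder check in PowerShell is sketched below. This is an added example, not a tool from Paradox or the mod's creator; the function name Get-ModCacheDllReport and its parameters are hypothetical, and it assumes LocalLow sits under the user profile's AppData folder.

```powershell
# Added example: inventory .dll files in the Traffic mod cache folder named in
# Paradox's advice, with the details needed to judge each one.
# Assumption: LocalLow is resolved as %USERPROFILE%\AppData\LocalLow.
function Get-ModCacheDllReport {
    [CmdletBinding()]
    param(
        [string]$ModPath = (Join-Path $env:USERPROFILE `
            'AppData\LocalLow\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13'),
        # Optional exposure window; supply the dates that apply to your system.
        [Nullable[datetime]]$WindowStart,
        [Nullable[datetime]]$WindowEnd
    )

    if (-not (Test-Path -LiteralPath $ModPath -PathType Container)) {
        Write-Warning "Folder not found: $ModPath"
        return
    }

    Get-ChildItem -LiteralPath $ModPath -Filter '*.dll' -File -Recurse -Force |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Only evaluated when both ends of the window were supplied.
            $inWindow = $null
            if ($null -ne $WindowStart -and $null -ne $WindowEnd) {
                $inWindow = ($_.LastWriteTime -ge $WindowStart -and
                             $_.LastWriteTime -le $WindowEnd)
            }

            [pscustomobject]@{
                Name            = $_.Name
                SizeBytes       = $_.Length
                LastWriteTime   = $_.LastWriteTime
                WrittenInWindow = $inWindow
                Signature       = $sig.Status
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                FullName        = $_.FullName
            }
        } | Sort-Object LastWriteTime -Descending
}

# Run with defaults; pass -WindowStart / -WindowEnd to flag files written in that range.
Get-ModCacheDllReport | Format-List
```

The SHA-256 value can be looked up with a multi-engine scanning service without uploading the file itself. A NotSigned result is common for community mods and is not by itself a sign of tampering.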
Now, the publisher explains that it believes the malicious file may have targeted players who use the crypto wallet platform Exodus, and says that it is working with digital forensics and incident response (DFIR) teams to collect more information.
"Over the weekend, we have had our experts - along with other DFIR teams - investigating the file, and we believe our initial suspicion of malware was accurate," Paradox says. "While we cannot 100% confirm its purpose as of yet, our current belief is that it is a file designed to target crypto wallets on exposed systems, specifically Exodus crypto wallet.
"Regardless of whether this turns out to be confirmed or not, the file has enough suspicious activity that it should still be considered harmful. Since our initial identification of the .dll file, 30 out of 72 security vendors now flag it as malware in their scans. Please update your antivirus/antimalware software as a general preventative measure. All mods uploaded to Paradox mods always get run through a virus scan as a general precaution."
The publisher says that it has "conducted a specific, thorough scan" of other files on the Paradox Mods platform and that no other mods appear to contain the malicious .dll file. Paradox has also worked with the creator of Traffic to ensure that their account is secure and that "no further tampering should occur with their work."