Beyond The Dark malware: Valve removes free horror game

Beyond The Dark malware ran on Steam for roughly ten days before Valve pulled it around May 17–18, 2026. The free horror game crashed on launch every time — while a malicious DLL quietly stripped cryptocurrency wallet credentials and browser passwords in the background. YouTuber Eric Parker published the breakdown. His video hit 130,000 views before Valve acted.

TL;DR: Beyond The Dark (app ID 3393800) was a hijacked Steam listing. The original game, Rodent Race, was uploaded in December 2024. Someone took over the developer's account in early May 2026 and replaced it with a fake horror title that crashed on launch while a malicious DLL ran in the background stealing browser passwords and crypto wallet data. Peak concurrent players: five. Valve removed it, said nothing publicly. If you launched it, assume your credentials are compromised.

Beyond The Dark malware — what it was (quick answer)

The game crashed every time you tried to play it. While the crash screen showed, a file called UnityPlayer.dll was active in memory, scanning your browser extensions for cryptocurrency wallets — MetaMask specifically — and phoning home to a remote server. From there it pulled down additional payloads capable of harvesting stored passwords and wallet credentials.

The crash-on-launch behavior was deliberate. A player who saw an error screen had no reason to open task manager.

Key takeaways

• Beyond The Dark was originally Rodent Race (app ID 3393800), listed on Steam in December 2024
• Attackers hijacked the developer's account and pushed a malicious update in early May 2026
• The malware hid in UnityPlayer.dll — game crashed on launch while the DLL ran silently
• Targets: MetaMask and other crypto wallet extensions, Chrome browser passwords, stored credentials
• Peak concurrent players during the active window: five
• Eric Parker (200k+ subscribers) exposed the malware; his video reached 130k+ views before removal
• Valve removed the game with no public statement and no confirmed user notification

What happened — the account hijack

This wasn't a new submission that slipped past Valve's review. The listing that carried the malware had been on Steam since December 2024 as Rodent Race — a completely different game. Around two weeks before removal, someone hijacked the original developer's account and used Steam's standard update pipeline to overwrite everything: new name, new screenshots, new description, malicious build.

Steam's update review for accounts with established standing is lighter than the process for brand-new submissions. An account that's been on the platform for over a year pushing a game update doesn't get the same scrutiny as a first-time publisher. The attackers knew this. The malicious build ran for roughly ten days before community reports triggered removal.

What the malware did

The UnityPlayer.dll payload was a dropper. After the game crashed, the DLL ran a checklist: profile the system, collect the MAC address, enumerate installed Chrome extensions, and flag any cryptocurrency wallet extensions. Once it found what it was looking for, it connected to a command-and-control server and downloaded zip archives containing secondary payloads. Those secondary tools handled the actual credential extraction — browser-stored passwords, active sessions, wallet data.

The pattern here is standard infostealer methodology. Nothing novel technically. What's notable is the delivery vector: a free game on a trusted platform, carrying a year of legitimate account history.

What to do if you launched it

If you installed and ran Beyond The Dark before it was removed around May 17–18, 2026:

1. Uninstall the game and delete remaining files
2. Run a full antivirus scan with updated definitions
3. Change all browser-stored passwords — from a different, clean device
4. Revoke active sessions for financial services, email, and any account that matters
5. If you held funds in MetaMask or another browser wallet: move everything to a fresh wallet on a clean device, now — assume the old wallet address is known
6. Re-enable two-factor authentication everywhere you have it

Peak concurrent was five players during the infected window. If you were one of them, the above isn't optional.

Why Steam's update pipeline missed this

Valve's submission process is most rigorous for new accounts and first-time uploads. Accounts with history — especially those that have been on the platform for over a year without problems — get through updates faster. That gap is a known attack surface, and it's been used before.

Valve hasn't publicly addressed the account hijacking vector or committed to tighter update review for established accounts. Eric Parker's investigation circulated for at least a day before removal. The community found this faster than Valve did.

There's a related piece worth reading if you're thinking about Steam accountability more broadly: the Subnautica 2 EULA breakdown covers what players actually agree to when they buy through the platform — not malware, but Krafton's corporate terms with arbitration clauses and fan art licensing that most people skip past.

Related Reading

• Subnautica 2 EULA Explained — What Krafton's Terms Mean — Krafton's corporate EULA applied to an indie-developed game: arbitration clauses, fan art licensing, and the VPN prohibition.
• Best Bullet Heaven Games 2026 — five verified Steam picks with 25k+ reviews each and clean histories, all under $15.
• Subnautica 2 Early Access — Tips for New Players — what a legitimate early access Steam game looks like in practice.

References

• Steam removes Beyond The Dark over malware reports — CyberInsider
• Valve removes free horror game — Insider Gaming
• Beyond The Dark removal analysis — Spilled.gg
• Eric Parker malware investigation (YouTube)

Frequently asked questions

What was Beyond The Dark on Steam? Beyond The Dark (app ID 3393800) was a free horror game on Steam that turned out to be malware. The listing was a hijacked version of an earlier game called Rodent Race. Someone took over the developer's account in early May 2026 and replaced the game with a malicious build targeting crypto wallets and browser credentials.

Did Beyond The Dark steal data? Yes. It contained a malicious UnityPlayer.dll that ran while the game crashed on launch, scanning for MetaMask and other crypto wallet extensions, then connecting to remote servers to download additional payloads for stealing passwords and wallet credentials.

Has Valve commented on Beyond The Dark? No. The game was removed around May 17–18, 2026 following community reports, but Valve issued no public statement about the incident or notified affected users.

How did it get through Steam's review? The attacker hijacked an existing developer account with over a year of Steam history. Update review for established accounts is less strict than new submission review — the malicious build went through as a normal game update.

What should I do if I installed it? Uninstall, run antivirus, change all browser-stored passwords from a clean device, revoke active financial sessions, and move any cryptocurrency to a fresh wallet on a different device immediately.

How many people were exposed? Peak concurrent players during the active window was five. Limited reach, but anyone who launched it before removal was directly exposed to the infostealer payload.