Security researchers have discovered four malicious Dota 2 game modes that a threat actor used to backdoor players’ systems. Avast Threat Labs researchers found that the unidentified attacker built four game modes for the widely played Dota 2 multiplayer online battle arena video game and released them on the Steam store to target the game’s fans.
The three newer game modes were Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339), according to Jan Vojtek, an Avast malware researcher. Additionally, the attacker included a new file called evil.lua, which was used to check whether server-side Lua execution was viable. This malicious code fragment could be used to log, run arbitrary system commands, create coroutines, and send HTTP GET requests.
The twenty lines of malicious code included with the three newer game modes were far harder to spot than the bundled backdoor the threat actor inserted in the initial game mode published on the Steam Store. The backdoor gave the threat actor remote access to compromised devices, potentially enabling the installation of more malware.
A #dota2 exploit discovered in the wild! Like #gta5, #dota2 was also recently afflicted by a remote code execution exploit. Read our latest research blog to learn how a V8 bug from 2021 was exploited in the game to attack custom game mode players. https://t.co/Vacm98Yu0e
— Avast Threat Labs (@AvastThreatLabs) February 8, 2023
Dota 2: How V8 Bug was exploited in the Game
Complex browser zero-day exploit chains are frequently linked to V8 attacks. Although the browser may be V8’s most intriguing attack vector, it’s important to remember that Google’s open-source JavaScript engine is also embedded in numerous other projects. Security problems can occur whenever a JavaScript engine is used to run potentially malicious code across a security boundary.

One such problem affects the hugely popular computer game Dota 2. Dota used a version of “v8.dll” that was compiled in December of last year. This shouldn’t come as a surprise: that build was susceptible to a number of CVEs, several of which have publicly available proof-of-concept (PoC) exploits. We found evidence of four published custom game modes in the wild using one of these vulnerabilities, CVE-2021-38003. The exploit alone allows remote code execution against other Dota players because V8 was not sandboxed in Dota.
We informed Dota 2’s developer, Valve, of our findings. In response, Valve updated the outdated and insecure version of V8 in Dota on January 12. Since Dota must be up to date for players to participate in online games, the update took effect immediately. Valve also removed the problematic custom game modes, alerted affected players, and added new mitigations to reduce the game’s attack surface.
On Dota 2 Game Servers, Backdoor Lua Code Was Executed (Avast)
The backdoor was also used to download a Chrome exploit that had been exploited in the wild onto players’ compromised systems. The vulnerability being exploited is CVE-2021-38003, a high-severity security weakness in Google’s V8 JavaScript and WebAssembly engine that was discovered as a zero-day in October 2021 and patched.
Vojtek continued, “Because V8 was not sandboxed in Dota, the attack on its own permitted remote code execution against other Dota players.” The CVE-2021-38003 JavaScript exploit was placed inside a legitimate file that adds scoreboard features to the game, making it harder to find.
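The two hiding places described above (server-side Lua with shell and HTTP capability, and a client-side scoreboard script carrying an embedded exploit) suggest a simple review step before hosting an unfamiliar custom game mode. The scanner below is an added example, not Avast’s or Valve’s tooling; the indicator patterns, the `CreateHTTPRequest*` API name and the sample addon files are constructed assumptions for illustration.

```python
import re

# Heuristic indicators for reviewing a Dota 2 custom game mode before hosting it.
# Constructed for this example; not Avast's or Valve's detection logic.
# Dota's Lua scripts run on the game server, so shell execution and dynamic code
# loading there matter most; Panorama UI JavaScript runs in the client's V8.
LUA_PATTERNS = {
    "shell command execution": r"\bos\.execute\s*\(|\bio\.popen\s*\(",
    "dynamic code loading": r"\b(?:loadstring|load|dofile)\s*\(",
    # CreateHTTPRequest* is assumed to be the engine's HTTP API name.
    "outbound HTTP request": r"\bCreateHTTPRequest\w*\s*\(",
}
JS_PATTERNS = {
    "dynamic code evaluation": r"\beval\s*\(|\bnew\s+Function\s*\(",
    # 64+ consecutive hex literals in one array: an embedded binary blob,
    # unusual for a scoreboard UI script.
    "large embedded hex blob": r"\[(?:\s*0x[0-9a-fA-F]+\s*,){64,}",
}


def scan_addon_files(files):
    """Map each file path to the list of indicator names found in its text.

    `files` is {relative_path: source_text}; only .lua and .js files are scanned.
    Matches are heuristics for manual review, not proof of malice.
    """
    findings = {}
    for path, text in files.items():
        if path.endswith(".lua"):
            patterns = LUA_PATTERNS
        elif path.endswith(".js"):
            patterns = JS_PATTERNS
        else:
            continue
        hits = [name for name, rx in patterns.items() if re.search(rx, text)]
        if hits:
            findings[path] = hits
    return findings


# Constructed sample addon: one benign game-mode script, one backdoor-style
# script (GetCommandFromServer is a hypothetical helper), and a UI script
# carrying an embedded blob plus eval.
SAMPLE_ADDON = {
    "scripts/vscripts/addon_game_mode.lua":
        "function Activate()\n  GameRules:SetHeroSelectionTime(30)\nend\n",
    "scripts/vscripts/evil.lua":
        "local cmd = GetCommandFromServer()\nos.execute(cmd)\n",
    "panorama/scripts/custom_game/scoreboard.js":
        "var blob = [" + ", ".join(["0x00"] * 70) + "];\n"
        "eval(decode(blob));\n",
}

if __name__ == "__main__":
    for path, hits in scan_addon_files(SAMPLE_ADDON).items():
        print(path, "->", ", ".join(hits))
```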
Valve, the developer of the Dota 2 MOBA, upgraded the vulnerable V8 version on January 12, 2023, as a result of Avast’s findings. Previously, Dota 2 used a version of v8.dll that was built in December 2018.
Additionally, Valve disabled the malicious game modes and informed every player who had been a victim of the attack. “We may agree that this attack was not very large-scale in any case. Valve claims that fewer than 200 gamers were impacted,” Vojtek added.
The creator of the North GTA hack also made use of a Grand Theft Auto Online remote code execution vulnerability in January, integrating features that could ban and alter players’ accounts in a version released on January 20, 2023.
On January 21, the cheat’s developer deleted the features in a fresh version and issued an apology for the mayhem the cheat’s users had caused.
On February 2, Rockstar Games, the company that created Grand Theft Auto, released a security update to fix the Grand Theft Auto Online problem.
Conclusion
According to Avast security analysts, the video game Dota 2, by developer Valve, had a remote code execution vulnerability. The Avast team informed Valve of their findings, and in response Valve updated Dota on January 12 to patch the V8 vulnerability. Valve also announced the issue to players and added new mitigations to reduce the game’s attack surface. Since Dota must be up to date for players to participate in online games, the update took effect immediately.
Dota made use of a version of “v8.dll” that was compiled in December of last year. This build was susceptible to a number of CVEs, several of which have publicly available proof of concept (PoC) exploits. We found evidence of four published custom game modes in the wild using one of these vulnerabilities, CVE-2021-38003. The exploit alone allows for remote code execution against other Dota players because V8 was not sandboxed in Dota.