Over the weekend, our experts, along with other DFIR teams, have been investigating the file, and we believe our initial suspicion of malware was accurate. While we cannot yet 100% confirm its purpose, our current belief is that it is a file designed to target crypto wallets on exposed systems, specifically the Exodus crypto wallet. Regardless of whether this is confirmed, the file shows enough suspicious activity that it should still be considered harmful.
Since our initial identification of the .dll file, 30 out of 72 security vendors now flag it as malware in their scans. Please update your antivirus/antimalware software as a general preventative measure. All mods uploaded to Paradox Mods are always run through a virus scan as a general precaution.
If you have not read the original alert, you can find it below, together with the additional update listing the precautions put in place since 24-11-01:
- We have conducted a specific, thorough scan of other files on the Paradox Mods platform for this malicious file, and no other mods appear to have it.
- We have worked in close cooperation with the author of the affected Mod “Traffic” to ensure their account is secure and no further tampering should occur with their work.
We will continue to share updates as we receive them, and we thank you for your cooperation.
-----------------------------------------------------------------------------------------------------
Original statement shared on 2024-10-31:
Important update for all Cities: Skylines II Players:
There is a potential security issue that has affected the “Traffic” mod for Cities: Skylines II. Late Monday evening, an outside actor pushed an update to the mod that includes a .dll file we believe is malicious. We have already removed it, and the current version as of 2024-10-31 15:35 CET is safe to download and use, but if the mod synced and you played the game using it between Monday and that time, you may have the malicious file on your system.
We are working to determine the nature of this .dll, and we will update you as soon as possible. In the meantime, please take the following steps as soon as possible to secure your system:
- If you have not played with the Traffic mod and have not subscribed nor downloaded it, there should be no risk to your system and nothing you need to do.
- If you have the Traffic mod and have not played Cities: Skylines 2 between Monday and today, let the mod sync as normal, and the malicious file should be deleted automatically. Please still scan your system with an anti-malware program like Windows Defender.
- If you have played using the affected version, please check your local files. If you have any malicious files installed, you will find them here: %AppData%\LocalLow\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13
- Note that it is only specifically the 80095_13 folder that will contain malicious files; if you do not see this folder, you do not have the compromised version of the mod.
- If you do locate this folder, use an antivirus or antimalware program to quarantine it and/or remove it from your system, and run a thorough scan of your drives.
- As a precaution, we recommend changing your passwords.
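The folder check in the steps above, written out as an added PowerShell example; this is not Paradox's own tooling. It resolves the 80095_13 mod folder named in the advisory, lists and SHA-256-hashes every file inside it so you have a record to compare with your antivirus or VirusTotal results, and, only when run with -Quarantine, moves the folder out of the game's mod cache so the game can no longer load it. The folder id and relative path come from the advisory; the quarantine location on the Desktop is an assumption. Because %AppData% normally expands to the AppData\Roaming folder while LocalLow is its sibling under AppData, the script checks both possible resolutions of the advisory's path.

```powershell
param(
    # Move the folder out of the mod cache instead of only reporting it.
    [switch]$Quarantine
)

# Relative path of the compromised mod folder, as given in the advisory.
$ModRelativePath = 'Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13'

# The advisory writes the path as %AppData%\LocalLow\...; on a default Windows
# install %AppData% expands to AppData\Roaming and LocalLow sits beside it,
# so both candidate locations are checked.
$Candidates = @(
    (Join-Path $env:APPDATA "LocalLow\$ModRelativePath"),
    (Join-Path $env:USERPROFILE "AppData\LocalLow\$ModRelativePath")
)

$Found = $Candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Container }

if (-not $Found) {
    Write-Host 'Folder 80095_13 not found: the compromised version of Traffic is not on this system.'
    return
}

foreach ($Folder in $Found) {
    Write-Warning "Compromised mod folder present: $Folder"

    # Inventory every file (the .dll included) with size, timestamp and SHA-256
    # so the evidence is recorded before anything is quarantined or deleted.
    Get-ChildItem -LiteralPath $Folder -Recurse -File | ForEach-Object {
        [PSCustomObject]@{
            Path    = $_.FullName
            SizeKB  = [math]::Round($_.Length / 1KB, 1)
            Written = $_.LastWriteTimeUtc
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

    if ($Quarantine) {
        # Assumed quarantine location; the game will not load mods from here.
        $QuarantineDir = Join-Path $env:USERPROFILE 'Desktop\traffic_mod_quarantine'
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        Move-Item -LiteralPath $Folder -Destination $QuarantineDir -Force
        Write-Host "Moved $Folder to $QuarantineDir"
    }
}
```

Run it once without -Quarantine to confirm the finding and keep the hash listing, then with -Quarantine if you prefer moving the folder yourself; the full antivirus scan the advisory asks for should still be run afterwards, since the hashes only tell you which files were present, not what else they may have done.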
We are working on the following steps to ensure you can enjoy our mods safely and securely:
- We will be going through all files uploaded to Paradox Mods and see if any other mods have had unexpected updates.
- We have contacted the modder whose mod was compromised and discussed our recommended steps to secure their account. They have updated Traffic to a safe version, so anyone playing with version v.0.2.4 is playing with a safe version.
- Paradox Mods will receive an update that notifies modders when their mods have been updated so that creators are quickly alerted to changes they have not personally made.
Sharing creative game content is at the heart of our community at Paradox, and we will continue to ensure you can explore mods safely.
As an important reminder, do not share your account information or passwords with anyone; we will never directly ask for your password or personal information.
-----------------------------------------------------------------------------------------------------
Update added on 2024-11-01:
We are still working to determine the nature of the malicious file that was added to the “Traffic” mod. As a rule, all mods uploaded to Paradox Mods have always been run through a virus scan as a general precaution. We are hard at work securing our platform against further issues.
Since our original alert, we have taken the following steps to ensure the safety of our community:
- We have conducted a specific, thorough scan of other files on the Paradox Mods platform for this malicious file, and no other mods appear to have it.
- We have worked in close cooperation with the author of the affected Mod “Traffic” to ensure their account is secure and no further tampering should occur with their work.
- We have engaged a team of IT experts to analyze the malicious file and better understand any current and subsequent risks it may pose.
As of now, the precautions we suggested in our original statement still apply and should be followed to protect your system. Cities: Skylines II itself should be perfectly safe to play and will not put you at further risk. We will issue further updates when our security experts have finished their thorough analysis.