Blitz Malware A Tale of Game Cheats and Code Repositories

In 2024, we discovered new Windows-based malware called Blitz. This article provides an in-depth analysis of the malware, examines its distribution, and reviews Blitz malware’s command and control (C2) infrastructure. We found a new version of Blitz in early 2025, which indicates this malware has been in active development.

The most recent version of Blitz was spread through backdoored game cheats. Blitz malware consists of two stages: a downloader and a bot payload. The developer of Blitz has abused the artificial intelligence (AI) code repository Hugging Face Spaces to host files and components of its C2 infrastructure. Our analysis also uncovered a Monero cryptocurrency miner as follow-up malware.

The malware developer created a social media presence to promote the distribution of these backdoored game cheats. By early May 2025, the author announced their departure, indicating they might have abandoned Blitz malware.

Hugging Face has locked the user account associated with this malware. It has also taken precautions to block the blob ID of the Blitz bot file to prevent it from being added in the future.

To read the complete article see: Blitz Malware: A Tale of Game Cheats and Code Repositories\n