Download TwistedMexi’s ModGuard to protect yourself from malware!

TwistedMexi has created ModGuard, a script designed to prevent malicious mods from downloading anything harmful and alert you to the danger. We strongly recommend that everyone – even Mac users – installs this mod as soon as possible.

Please share the link with others, too.

No current warnings active

There are currently no known malware situations. Please remember to stay vigilant. If you come across any suspicious TS4 Mods file downloads, please inform us immediately.

If you would like to read about past malware situations in The Sims 4 community, have a look at our archive below.

Remain Vigilant

To stay as safe as possible while downloading lots of files from the internet, please keep these tips in mind:

  • Download and install ModGuard
  • If you see an update, check for patch notes or an announcement from the creator on their normal social media accounts
  • If you see a creator posting on a brand new account or using a platform they don’t normally use, double and triple check that they are legitimate posts
  • If a mod updates and suddenly it has a script file that it didn’t have before, ask what it is for and make sure the post is legitimate
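One way to act on the last tip, as an added example (not part of ModGuard or of this post): record which script files each mod has before updating, then compare afterwards. It assumes each mod sits in its own subfolder of the Mods folder and treats `.ts4script`, `.pyc` and `.py` as script files; the function names are made up for this example.

```python
import hashlib
from pathlib import Path

# Assumption: these extensions are what counts as a "script file" here.
SCRIPT_EXTS = {".ts4script", ".pyc", ".py"}

def snapshot(mods_dir):
    """Map each script file's path (relative to mods_dir) to its SHA-256 digest."""
    root = Path(mods_dir)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def diff_snapshots(before, after):
    """Return (added, changed) script paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return added, changed

def mods_with_new_scripts(before, after):
    """Group added scripts by mod folder; first_script marks mods that had none before."""
    had_scripts = {p.split("/")[0] for p in before}
    flagged = {}
    for p in diff_snapshots(before, after)[0]:
        top = p.split("/")[0]
        entry = flagged.setdefault(
            top, {"new": [], "first_script": top not in had_scripts}
        )
        entry["new"].append(p)
    return flagged
```

A mod flagged with `first_script` set is the case the tip describes: ask the creator what the new file is for before running the game.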

ModGuard by TwistedMexi is available to everyone for download:

In response to the virus activity we’ve seen with compromised modder accounts in January/February 2024, TwistedMexi created a tool that will do the following:

  • Block common virus vectors
  • Find the mod that tried to deliver a virus
  • Notify the player of the compromised mod
  • Notify our team of the compromised mod

DOWNLOAD MODGUARD HERE

We strongly advise that everyone – even Mac users – installs this Mod urgently!

If any more information comes to light, we will update this post accordingly.

Join our Discord Server to keep up to date with any development on this topic.

Archive: Past Malware Warnings

November 5, 2024: New malware found on MTS

We have been made aware that several mods on ModTheSims have been compromised and altered to include a new and malicious file called mod.pyc. At this time, it appears the attack was limited to just the accounts of TwistedMexi and moxiemason. No other hacks have been detected or reported, and there does not appear to be any high-level breach into ModTheSims’s systems or staff accounts. The fact that two unrelated MTS accounts were compromised simultaneously appears to have been a coincidence. The staff at ModTheSims have added new security measures to restrict the ability of new and inactive accounts to upload files, which should hopefully stop this from happening in the future.

The following files are the sources of the malware:

  • Tmex-UI.ts4script
  • Tmex-Framework.ts4script
  • twistedmexi__fullhouse_ui_framework.ts4script
  • moxiemason_nomosaic_uiframework.ts4script
  • mod.pyc

All of these are fake files with new names that were never part of the original mods, so if you have any of these installed, then you need to take measures to make sure you secure your computer and personal data.

Fortunately, the specific kind of attack is covered by ModGuard and if you had that installed already then you should be okay. This is a great reminder to everyone to install ModGuard!! However, if you did not have ModGuard installed and ran the game with any of the above files installed, you may be in significant trouble. We still do not know the full extent of what the malware is capable of, but it appears to be a data scraper. It likely only affects Windows devices. In a worst-case scenario, you may need to wipe your OS and change your passwords from a different, uninfected device.

Remain Vigilant

While this malware was caught and dealt with quickly, the last time this happened there was a series of different attacks across several websites for several days. Keep these tips in mind:

  • Download and install ModGuard
  • If you see an update, check for patch notes or an announcement from the creator on their normal social media accounts
  • If you see a creator posting on a brand new account or using a platform they don’t normally use, double and triple check that they are legitimate posts
  • If a mod updates and suddenly it has a script file that it didn’t have before, ask what it is for and make sure the post is legitimate

WARNING: extremely malicious malware found in mods!

Recently some mods were uploaded to different pages (MTS, TSR, CurseForge and LoversLab), which contain malicious code in the script file. The script files are modified to download and run an unknown exe file silently without the user knowing.

Here are the mods we know for sure were affected by the recent malware outbreak:

  • “Cult Mod v2” uploaded to ModTheSims by PimpMySims (impostor account)
  • “Social Events – Unlimited Time” uploaded to CurseForge by MySims4 (single-use account)
  • “Weather and Forecast Cheat Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
  • “Seasons Cheats Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
  • “Motherlode Menu” by MSQSIMS (hacked, real account)
  • “Mood Cheat Menu” by MSQSIMS (hacked, real account)
  • “Mouth Preset N16” by PlayersWonderland (hacked, real account)
  • “Cult Sex Mod V1” from LoversLab

Please note that none of these modders mentioned above are responsible for the malware. Please do not send them harassing messages.

If you believe you downloaded or updated any of these mods in the last two or three weeks, take the proper safety measures now!

Due to this malware using an exe file, we believe that anyone using a Mac or Linux device is completely unaffected by this.

If the exe file was downloaded and executed on your Windows device, it has likely stolen a vast amount of your data and saved passwords from your operating system, your internet browser (Chrome, Edge, Opera, Firefox, and more all affected), Discord, Steam, Telegram, and certain crypto wallets. Thank you to anadius for decompiling the exe.

To quickly check if you have been compromised, press Windows + R on your keyboard to open the Run window. Enter “%AppData%/Microsoft/Internet Explorer/UserData” in the prompt and hit OK. This will open up the folder the malware was using. If there is a file in this folder called “Updater.exe”, you have unfortunately fallen victim to the malware. We are unaware at this time if the malware has any function which would delete the file at a later time to cover its tracks.
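The file list from the November 5, 2024 warning and the “Updater.exe” check above can both be run as a script. This is an added example, not code from ModGuard or from Overwolf's cleaner; the function names and the default Mods location are assumptions, and it relies on `.ts4script` files being zip archives.

```python
import os
import zipfile
from pathlib import Path, PurePosixPath

# File names listed in the November 5, 2024 warning (compared case-insensitively).
LISTED_NAMES = {
    "tmex-ui.ts4script",
    "tmex-framework.ts4script",
    "twistedmexi__fullhouse_ui_framework.ts4script",
    "moxiemason_nomosaic_uiframework.ts4script",
    "mod.pyc",
}

def scan_mods(mods_dir):
    """Return sorted (location, reason) pairs for listed names found under mods_dir."""
    hits = []
    for path in Path(mods_dir).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in LISTED_NAMES:
            hits.append((path.as_posix(), "listed file name"))
        # .ts4script files are zip archives, so a listed name may sit inside one.
        if path.suffix.lower() in (".ts4script", ".zip"):
            try:
                with zipfile.ZipFile(path) as archive:
                    members = archive.namelist()
            except (zipfile.BadZipFile, OSError):
                hits.append((path.as_posix(), "unreadable archive, inspect by hand"))
                continue
            for member in members:
                if PurePosixPath(member).name.lower() in LISTED_NAMES:
                    hits.append((f"{path.as_posix()}!{member}", "listed name inside archive"))
    return sorted(hits)

def find_updater(appdata=None):
    """Return the Path of Updater.exe in the folder named in the warning, or None."""
    appdata = appdata or os.environ.get("APPDATA")
    if not appdata:
        return None  # APPDATA is not set, so this is not a Windows session
    target = Path(appdata) / "Microsoft" / "Internet Explorer" / "UserData" / "Updater.exe"
    return target if target.is_file() else None

if __name__ == "__main__":
    # Assumption: default Mods location; change the path if yours differs.
    mods = Path.home() / "Documents" / "Electronic Arts" / "The Sims 4" / "Mods"
    for location, reason in (scan_mods(mods) if mods.is_dir() else []):
        print(f"{reason}: {location}")
    print("Updater.exe:", find_updater() or "not found")
```

An empty result only means none of the listed names is present right now; it does not show that the files were never there.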

To quickly remove the malware from your computer, Overwolf has put together a cleaner program to deal with it. This program should work even if you downloaded the malware outside of CurseForge. Download “SimsVirusCleaner.exe” from their GitHub page linked here and run it. Once it has finished, it will give you an output about whether any files have been removed.

If you think you may have been affected by any of these mods, it is vitally important that you change your passwords for all your important accounts as soon as possible. If your credit card information was stored on your computer or in any of your accounts linked to your passwords, you may need to contact your bank or credit card company to inform them your card number is not secure.

Further investigations suggest that the malware tries to infect Discord and crypto wallet programs, and simply removing the malicious exe file may not be enough. If they are infected, running Discord or the crypto wallet will attempt to reapply the malware to your device. If you were affected by the compromised mods, you should also uninstall Discord and any crypto wallet programs and then, once you are sure the malware is gone, re-install them from a fresh download to clear out any remnants of the malware.

We’d also like to remind everyone to enable Two-Factor Authentication (2FA) to add an extra layer of security even if your password is stolen. Many software programs and web-based accounts support some kind of 2FA these days; for Discord, you can start the setup process in your user settings under the “My Account” tab. For a detailed guide, check out the Discord official website here.

Increased security measures on CurseForge and TSR

CurseForge has confirmed that:

  • all files containing malware have been found and removed for good
  • new automatic security screenings are already in effect, which scan all mods, looking specifically for malware like this
  • all mods that have been uploaded to CurseForge since the beginning of January 2024 have been scanned and double checked and no further contaminated mods were found

TSR has confirmed that:

  • all files containing malware have been found and removed for good
  • all mods that have been uploaded to TSR since the beginning of January 2024 have been scanned and double checked and no further contaminated mods were found
  • all accounts that had been hacked have been recovered and secured and are being closely monitored for any suspicious activity
  • additional security measures and scans are currently being worked on and will be implemented as soon as possible; until these are ready, uploading script files to TSR is not possible, to ensure the safety of everyone