MALWARE WARNING

WARNING: extremely malicious malware found in mods!

Recently some mods were uploaded to different pages (MTS, TSR, Curseforge and LoversLab), which contain malicious malware code in the script file. The script files are modifidied to download and run an unknown exe file silently without the user knowing.

Here are the mods we know for sure were affected by the recent malware outbreak:

• “Cult Mod v2” uploaded to ModTheSims by PimpMySims (impostor account)
• “Social Events – Unlimited Time” uploaded to CurseForge by MySims4 (single-use account)
• “Weather and Forecast Cheat Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
• “Seasons Cheats Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
• “Motherlode Menu” by MSQSIMS (hacked, real account)
• “Mood Cheat Menu” by MSQSIMS (hacked, real account)
• “Mouth Preset N16” by PlayersWonderland (hacked, real account)
• “Cult Sex Mod V1” from LoversLab

Please note that none of these modders mentioned above are responsible for the malware. Please do not send them harassing messages.

If you believe you downloaded or updated any of these mods in the last two or three weeks, take the proper safety measures now!

Due to this malware using an exe file, we believe that anyone using a Mac or Linux device is completely unaffected by this.

If the exe file was downloaded and executed on your Windows device, it has likely stolen a vast amount of your data and saved passwords from your operating system, your internet browser (Chrome, Edge, Opera, Firefox, and more all affected), Discord, Steam, Telegram, and certain crypto wallets. Thank you to anadius for decompiling the exe.

To quickly check if you have been compromised, press Windows + R on your keyboard to open the Run window. Enter “%AppData%/Microsoft/Internet Explorer/UserData” in the prompt and hit OK. This will open up the folder the malware was using. If there is a file in this folder called “Updater.exe”, you have unfortunately fallen victim to the malware. We are unware at this time if the malware has any function which would delete the file at a later time to cover its tracks.

To quickly remove the malware from your computer, Overwolf has put together a cleaner program to deal with it. This program should work even if you downloaded the malware outside of CurseForge. Download “SimsVirusCleaner.exe” from their github page linked here and run it. Once it has finished, it will give you an output about whether any files have been removed.

If you think you may have been affected by any of these mods, it is vitally important that you change your passwords for all your important accounts as soon as possible. If your credit card information was stored on your computer or in any of your accounts linked to your passwords, you may need to contact your bank or credit card company to inform them your card number is not secure.

Further investigations suggest that the malware tries to infect Discord and crypto wallet programs, and simply removing the malicious exe file may not be enough. If they are infected, running Discord or the crypto wallet will attempt to reapply the malware to your device. If you were affected by the compromised mods, you should also uninstall Discord and any crypto wallet programs and then, once you are sure the malware is gone, re-install them from a fresh download to clear out any remnants of the malware.

We’d also like to remind everyone to enable Two-Factor Authentication (2FA) to add an extra layer of security even if your password is stolen. Many software programs and web-based accounts support some kind of 2FA these days; for Discord, you can start the set up process in your user settings under the “My Account” tab. For a detailed guide, check out the Discord official website here.

Download TwistedMexi’s new ModGuard to protect yourself from the malware!

TwistedMexi has released ModGuard, a script designed to prevent malicious mods from downloading anything harmful and alert you to the danger. We strongly recommend that everyone – even Mac users – installs this mod as soon as possible. Please share the link with others, too.

ModGuard by TwistedMexi is available to everyone for immediate download:

In response to the recent virus activity we’ve seen with compromised modder accounts, TwistedMexi created a tool that will do the following

• Block common virus vectors.
• Find the mod that tried to deliver a virus.
• Notify the player of the compromised mod.
• Notify our team of the compromised mod.

DOWNLOAD MODGUARD HERE.

We strongly advise that everyone – even Mac users – installs this Mod urgently!

Increased security measures on Curseforge and TSR

Curseforge has confirmed that:

• all files containing malware have been found and removed for good
• new automatic security screenings are already in effect, which scan all mods, looking specifically for malware like this
• all mods that have been uploaded to Curseforge since the beginning of January 2024 have been scanned and double checked and no further contaminated mods were found

TSR has confirmed that:

• all files containing malware have been found and removed for good
• all mods that have been uploaded to TSR since the beginning of January 2024 have been scanned and double checked and no further contaminated mods were found
• all accounts that had been hacked have been recovered and secured and are being closely monitored for any suspicious activity
• additional security measures and scans are currently being worked on and will be implemented as soon as possible; until these are ready, uploading script files to TSR is not possible, to ensure the safety of everyone

If any more information comes to light, we will update this post accordingly.

Join our Discord Server to keep up to date with any development on this topic.