Gaming Mouse Software Hijacked to Spread Potent Xred Malware


Gaming peripheral manufacturer Endgame Gear has confirmed a significant security breach in which hackers compromised its official software distribution system. For nearly two weeks, the company’s OP1w 4K V2 mouse configuration tool was used to secretly distribute the dangerous Xred malware to unsuspecting Windows users, highlighting a concerning trend of supply chain attacks within the gaming industry.

Key Takeaways

• Hackers infiltrated Endgame Gear’s official software distribution, infecting the OP1w 4K V2 mouse configuration tool.
• The malware, identified as Xred, was distributed from June 26 to July 9, 2025.
• Users reported suspicious activity after downloading the tool from the official vendor page.
• Xred is a sophisticated backdoor capable of extensive system compromise, data theft, and spreading via USB drives.
• Endgame Gear replaced the infected files but initially did not issue a public warning.

The Attack Vector

The breach, which spanned from June 26 to July 9, 2025, allowed attackers to distribute malware directly through Endgame Gear’s official product page. This made the malicious software appear legitimate and difficult for users to detect. The incident came to light when users on Reddit’s MouseReview community noticed unusual behavior after downloading the configuration tool and confirmed that the infected file originated from the official vendor.

Xred Malware Capabilities

The malware payload was identified as Xred, a potent Windows-based backdoor known to be active since at least 2019. This remote access trojan is designed for comprehensive system compromise. Its capabilities include:

• Data Collection: Gathers sensitive system information such as MAC addresses, usernames, and computer names, and sends it out by email using hardcoded SMTP addresses.
• Persistence: Establishes a permanent presence by creating a hidden directory (C:\ProgramData\Synaptics\) and a Windows Registry Run key, masquerading as legitimate Synaptics driver software.
• Keylogging: Employs keyboard hooking techniques to capture sensitive data, including potential banking credentials.
• Worm-like Behavior: Spreads through USB drives by creating autorun.inf files, and infects Excel files with malicious VBA macros.
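The persistence and USB-spreading indicators listed above can be checked on a Windows host with a read-only triage script. The following is an added example written for this page, not code from the article, from Endgame Gear or from any malware report; it relies only on the indicators the article names (the hidden C:\ProgramData\Synaptics\ directory, a Run key posing as Synaptics software, autorun.inf on removable drives). The article does not give the Run value name, so the script matches any Run entry whose command points into that directory or whose name mentions Synaptics, rather than assuming a specific name. Files found in the directory are listed together with their Authenticode status so that a genuinely signed Synaptics driver component can be told apart from an unsigned imposter before anyone acts on the result.

```powershell
# Added example (not from the article or Endgame Gear): read-only host triage for
# the Xred persistence and USB indicators the article describes. Nothing is
# deleted or modified; findings are collected and printed for a human to review.

$Findings = @()

# 1. Hidden persistence directory named in the article.
$SuspectDir = 'C:\ProgramData\Synaptics'
if (Test-Path -LiteralPath $SuspectDir) {
    $attrs = (Get-Item -LiteralPath $SuspectDir -Force).Attributes
    Get-ChildItem -LiteralPath $SuspectDir -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Signature status helps distinguish a signed vendor binary from an unsigned imposter.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $Findings += [pscustomobject]@{
                Indicator = 'File in suspect directory'
                Detail    = $_.FullName
                Extra     = "dir attrs: $attrs; signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
            }
        }
}

# 2. Run keys (per-user and machine-wide, including the 32-bit view) whose command
#    points into that directory. The value name is NOT known from the article, so
#    we match on the command data and on the name as a fallback.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata (PSPath, PSDrive, ...)
        if ("$($p.Value)" -match '(?i)ProgramData\\Synaptics' -or $p.Name -match '(?i)synaptics') {
            $Findings += [pscustomobject]@{
                Indicator = 'Run key entry'
                Detail    = "$key\$($p.Name)"
                Extra     = $p.Value
            }
        }
    }
}

# 3. autorun.inf at the root of removable drives (DriveType 2 = removable), the USB
#    spreading mechanism the article describes.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        $Findings += [pscustomobject]@{
            Indicator = 'autorun.inf on removable drive'
            Detail    = $inf
            Extra     = (Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue)
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Xred indicators from the article were found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session so that the HKLM keys and the hidden directory are readable. A hit on the directory alone is not a verdict: laptops with a real Synaptics touchpad driver may have vendor files on disk, which is why the script prints the signature status and signer for each file instead of flagging the path by itself.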

Endgame Gear’s Response and Mitigation

Endgame Gear confirmed the incident in an official statement, assuring customers that its file servers were not compromised and that no customer data was accessed. The company stated, "access to our file servers was not compromised, and no customer data was accessible or affected on our servers at any time." The manufacturer replaced the infected files with clean versions on July 17. To prevent future occurrences, Endgame Gear has implemented enhanced security measures, including:

• Additional malware scanning procedures.
• Reinforced anti-malware protections on hosting servers.
• Plans to digitally sign all future software files.
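Code signing only protects users who actually check the signature before running a download, and a published hash only helps if it is compared. The following is an added example, not code from the article or from Endgame Gear, showing the pre-execution checks a user or administrator can apply to any downloaded configuration tool: a SHA-256 comparison against a hash obtained out-of-band, an Authenticode check that the signature chain validates and that the signer is the expected publisher, and a look for the Mark-of-the-Web stream so SmartScreen and Defender still treat the file as downloaded. The file path, the expected hash and the expected signer name are placeholders; the article publishes no hashes, and vendor signing is announced only as a plan.

```powershell
# Added example (not from the article or Endgame Gear): verify a downloaded
# installer before running it. All three expected values are placeholders.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $ExpectedSha256 = '<SHA-256 published by the vendor, obtained out-of-band>',
    [string] $ExpectedSigner = '<vendor legal name as it appears on the signing certificate>'
)

function Test-DownloadedInstaller {
    param([string]$Path, [string]$ExpectedSha256, [string]$ExpectedSigner)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $result = [ordered]@{
        Path            = $Path
        HashMatches     = $false
        SignatureValid  = $false
        SignerMatches   = $false
        HasMarkOfTheWeb = $false
        Verdict         = 'DO NOT RUN'
    }

    # 1. Integrity: compare against a hash obtained from a channel other than the
    #    download itself (release notes, vendor page over HTTPS, support ticket).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Hash        = $actual
    $result.HashMatches = ($actual -ieq $ExpectedSha256)

    # 2. Authenticity: the Authenticode chain must validate AND the leaf certificate
    #    must belong to the expected publisher. Because the article says signing is
    #    only planned, an unsigned file today is not proof of tampering by itself,
    #    which is why the hash check above is required as well.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    $result.SignatureValid  = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.Signer        = $sig.SignerCertificate.Subject
        $result.SignerMatches = ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    }

    # 3. Mark-of-the-Web: the Zone.Identifier alternate data stream tells SmartScreen
    #    and Defender that the file came from the internet; keep it until verified.
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $result.HasMarkOfTheWeb = [bool]$zone

    if ($result.HashMatches -and $result.SignatureValid -and $result.SignerMatches) {
        $result.Verdict = 'OK to run'
    }
    [pscustomobject]$result
}

Test-DownloadedInstaller -Path $Path -ExpectedSha256 $ExpectedSha256 -ExpectedSigner $ExpectedSigner | Format-List
```

Usage: save the script and call it as `.\Test-Installer.ps1 -Path .\config-tool.exe -ExpectedSha256 <hash> -ExpectedSigner '<publisher>'`. The verdict is deliberately conservative: all three conditions must hold, so with the placeholder defaults left in place the script always reports DO NOT RUN, and a file that passes the hash check but carries no valid signature is still reported for a human decision rather than approved.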
