Malware on Game Pass: Microsoft Promotes Call of Duty Game That Hijacks Computers

My advice: Abandon the ship or abandon the hope!

Yesterday my friend sent me a link with a warning: “All Call of Duty games below Vanguard are dangerous when you play multi or zombies with randoms. Literally a hacker got into someone’s computer because they connected to his PC through playing together in a lobby and displayed a notepad message and opened gay porn”. Well, I live separately in an alternative digital world and don’t have much time even for the proverbial Doom. But today I couldn’t resist and checked what this was about.

That was the first message, then a tsunami followed on X, reddit… The gaming specialists community is, to put it mildly, paralyzed and there was a series of incidents… scatological, especially since many of these people are high-class specialists who manage quite specific IT areas. If my signalist writes that something is wrong, it means things are really bad. Let’s check if this easter egg is what we want to find and whether playing zombies we won’t become zombies ourselves?

Last 8 Hours on Reddit: Mass Panic

Discussion exploded on r/WWII. Brinkura posted a screenshot of a disturbing message that appeared on his computer during gameplay. The post already has 33 upvotes and dozens of comments within a few hours - in a community that’s usually quite calm.

sanslayer reports: “My cmd had something written and wallpaper was changed. Happened after 5 hour play time.” This doesn’t sound like a joke or coincidence.

ZETA_115 just paid for Game Pass, installed the game, played two matches on Shipment and already has a problem. “i litteraly paid the game pass , install de game 2 matches of shipment and this happends”.

The worst is booksMyname69: “the hacker typed ; ty for all of your accounts ill put it in good use and then suddenly i got booted out and dialog box with written multiple logins on your account it happed to all 11 players in lobby and he stole all of their accounts including mine”.

These aren’t isolated cases. These are coordinated attacks.

Anatomy of Attack: Chaos and Trolling

Hackers don’t limit themselves to silent system takeovers. They leave provocative “signatures” of their attacks:

• Notepad messages: “Marc E Meyer just RCEd your Ass please contact Mitchell Silberberg and Knupp LLP”
• Control over additional monitors: Opening pornographic content on the second screen during gameplay
• Complete system takeover: Changing wallpapers, opening command prompt, forced application shutdown
• Various variants: “Mark E Mayer”, “Marc E Payer” - probably intentional disinformation

The goal is to maximally shock the victim and create chaos, not silently take over the system for financial gain.

Disinformation and False Leads

Various theories about the attackers’ identity appear in discussions, including mentions of “adrian”. However, most of these are probably information noise typical of crisis situations. What matters are the facts: mass RCE attacks through peer-to-peer in WWII, complete system takeovers, and lack of response from corporations.

Streamers as First Victims

The attacks also affected well-known content creators with large reach:

BAMS (@Bamslol, 1.4M subscribers) warned after the attack: “WW2 on Xbox PC Gamepass was fun while it lasted. It is now NOT safe to play WW2 on PC in 2025 Just got hit offline by someone that had my own Gamertag.”

@Wrioh was attacked live during streaming: “I JUST GOT HACKED PLAYING WW2! EVERYONE DO NOT PLAY WW2 ON GAMEPASS!”

@Drivnn confirmed the problem: “just so everyone is aware WW2 gamepass is not safe at all.”

The fact that attacks affected influencers with large reach made information about the problem spread rapidly. Microsoft and Activision remain silent.

Microsoft: Corporate Responsibility at Its Finest

Going through the comments, I found a gem from One-West1890: “They’re advertising it front page on the PC Game Pass app knowing full damn well that it’s dangerous.”

I checked. Indeed - Call of Duty: WWII is promoted on the front page of PC Game Pass at the moment when dozens of users report their computers being hijacked.

This isn’t a coincidence or an unnoticed error. Microsoft knows about the problem - reports have been flowing in for hours. But Game Pass has its marketing logic, and user security apparently doesn’t fit into the priorities.

Deep Silence Over Mass Fix - When Maintenance Says More Than PR

July 2, 2025 - the day after RCE attack reports went viral - Activision conducted mysterious 4-hour maintenance on 10 titles simultaneously: WWII, Black Ops 2, Modern Warfare 2 (2009) and other older games.

Without explaining the reason.

The timing isn’t coincidental - this is probably a “silent fix” aimed at stopping attacks without admitting to problems. The strategy of “fix quietly and hope no one notices”.

The official Call of Duty Updates account announced only: “Scheduled maintenance affecting 10+ Call of Duty titles from 3:00-7:00 AM PT”. No mention of security, no warning for players.

Meanwhile, Microsoft continues to promote WWII on the Game Pass front page. Without warnings, without disclaimers, without mentioning security. It’s like selling a car with broken brakes and staying silent about the problem.

Remote Code Execution: When Game = Malware

To understand the severity of the situation, we need to discuss what exactly we’re dealing with. Remote Code Execution (RCE) is a vulnerability that allows an attacker to execute arbitrary code on the victim’s computer. In the case of Call of Duty WWII, this means that mere presence in a lobby with a hacker is enough for complete control takeover of your system.

The mechanism is simple: old CoD games use peer-to-peer (P2P) architecture, where players connect directly to each other. This means your computer receives and processes data directly from strangers. And when game code contains buffer overflow vulnerabilities, a properly crafted data packet is enough to rewrite memory and execute malicious code.

Interestingly, consoles remain safe. The closed architecture of Xbox and PlayStation effectively blocks these types of attacks. The problem affects only PC versions. And well, the separation of work from entertainment paid off for those who don’t take gaming breaks on company equipment?

LMAO Factory Reset Procedure: When Scanning Isn’t Enough and Brain Stopped Working

The internet exploded with advice on how to “fix” a hacker attack. We have a full range of LMAO solutions:

Starmanof1 gives the most substantive advice: “Don’t just do a ‘reset.’ That often leaves parts of the malware behind. Instead, get a clean copy of the OS ISO and put it on a USB stick, and use that to completely reinstall Windows while being completely disconnected from the WiFi.”

Brinkura tries magic: “I have done every malware scan I possibly can and found nothing so far.”

BigWayneCarter96 believes in miracles: “I just scanned for viruses and changed passwords and logged out of everything thinking about doing a factory reset”.

And my favorite: “Have you tried turning it off and on again?”

When experienced players talk about full Windows reinstallation as the only option, while others hope that Malwarebytes will handle rootkits - we’re dealing with something much more serious than regular cheats. This is malicious software at a level that requires burning the computer and buying a new one. Or at least pretending the problem doesn’t exist. I wrote at the beginning: abandon the ship or abandon the hope!

Most popular “LMAO solutions” from Reddit:

• ✅ Scanning with 47 different antiviruses
• ✅ Changing Steam password (because that will surely help)
• ✅ Turning computer off and on
• ✅ Praying to Saint Kaspersky but restarting the router first
• ❌ Actually understanding you have a rootkit in your system and you’ll be screwed without lube

History Repeats: CVE-2018-20817 and Friends

But not only you were and will be screwed, the author of this text also owns worthless PC games now. This isn’t a new problem. Official vulnerability registers have documented critical gaps in older Call of Duty games for years:

• CVE-2018-20817: Critical buffer overflow vulnerability in SteamAuthClient function (CVSS score: 9.8/10)
• CVE-2019-20893: RCE in Modern Warfare 2 through joinParty packets (CVSS: 9.8/10)
• CVE-2018-10718: Another critical buffer overflow in MW2 (CVSS: 10.0/10)

All these vulnerabilities concern exactly the same architectural problem - unsecured P2P communication in older games. The problem has existed for years, is documented and… completely ignored by publishers.

Threat Table: Which Games Are Safe?

“Security Through Abandonment” Strategy (Jumping from Sinking Ship Head First)

Activision has a simple security strategy for older games: abandon them and focus on new ones. This makes business sense - every new Call of Duty brings billions of dollars, so why waste resources on seven-year-old titles?

The problem is that simultaneously these games are still actively sold in digital stores. Call of Duty WWII on Steam currently costs about 249 PLN probably through Turkey, or VPN through some village in India might be cheaper… But it’s still like selling a car with broken brakes, justifying that “it’s an old model”.

Game Pass additionally worsens the situation, introducing masses of new players to potentially dangerous software. Microsoft revitalizes old games without solving their fundamental security problems.

Community Patches: Last Resort with a Hook. Are They Safe?

Faced with total lack of response from big corporations, the gaming community created its own solutions. (slowly a stench creeps in, I can smell it…) Plutonium Project offers modified versions of older games with patched RCE vulnerabilities. IW4x does the same for Modern Warfare 2. Alterware handles a range of other titles.

The problem is that these projects operate in legal and technical gray areas. They use techniques similar to malware (which the creators openly admit), require disabling antivirus and operate on closed source code “for security”. It’s getting serious here, though some say it’s community perfume!

This means that to protect ourselves from exploits, we must trust anonymous creators who themselves admit their software behaves like malware. This is a paradox that perfectly illustrates how badly the gaming industry has failed in cybersecurity matters.

In my opinion, you can’t trust something made by an anonymous guy who’s recommended by other anonymous guys and convinces you his code can’t be audited and is encrypted so hackers can’t do reverse engineering. Well, I don’t trust him.

Vacation Timing Disaster: Game Pass as Accidental Catalyst

The worst part of this whole situation is the timing. Call of Duty WWII was added to PC Game Pass on June 30, 2025. Mass RCE attacks began on July 1, 2025. And you just fired up an old game before your trip to “chill out in peace” before heading off to the forest.

But in the case of CoD and the series, this isn’t coincidental. For years the game had a small PC player base, so hackers were interested in it, but only Game Pass provided thousands of new, unsuspecting targets. Microsoft unknowingly created the perfect environment for cyberattacks. Wow, congratulations on corporate responsibility.

ByteDance used a similar strategy earlier with TikTok - spent billions of dollars on acquiring Musical.ly and marketing to get masses of user data for their AI algorithms. In 2018, ByteDance spent $1 billion on TikTok marketing, which earned only $0.15 billion. By 2023, revenues grew to $18 billion - a 1800% return on investment.

Here we have the opposite situation: Microsoft provided masses of users to hackers who already had ready tools to attack them. This is the unconscious creation of a “testing environment” on a mass scale. But does a corporate suit care about this when they only answer to the holy investor?

Gaming as Cyber Dump

The Call of Duty story is a symptom of a much bigger problem. We live in times when large corporations distribute potentially dangerous software, shifting all responsibility to end users.

Microsoft promotes the game on the Game Pass front page, ignoring mass reports of computer hijacking. Activision abandoned older titles, focusing on monetizing new ones. Steam still sells games with critical CVE 10.0 vulnerabilities without any warnings.

Meanwhile, hackers - possibly AI-assisted - automate attacks on an industrial scale. And the only lifeline are community patches created by anonymous developers in legal gray areas.

This isn’t the future we dreamed of when gaming became mainstream. I’m completely omitting the problem of cheats and that playing some games is a nightmare because of people who bend the system with scripts. The scale of the phenomenon is amplified by the fact that everyone wants to play like a YouTube streamer who… what isn’t mentioned, also plays with cheats, which has come out live multiple times.

Guys! This analogy is obviously trolling - but the fact that Microsoft serves hackers better than their own users remains embarrassing.

Why Malware in Game Pass Affects Us All

You might think: “I don’t play Call of Duty, so this doesn’t affect me.” But this thinking is wrong for several reasons:

First, it’s a precedent. If large corporations can freely distribute software with critical RCE vulnerabilities, the problem will spread to other games and applications.

Second, P2P architecture is used in many other games, especially older ones. Minecraft, StarCraft, Age of Empires - all may have similar problems.

Third, it shows how dependent we are on digital platforms that treat security as optional. Today it’s Game Pass, tomorrow it could be Epic Games Store, Steam, or any other distributor.

Fourth, gaming has become mainstream. Millions of people use the same computers for work and entertainment. Taking control of the system during gaming means access to professional, personal, and banking data.

My Advice: Nostalgia Isn’t Worth the Risk

Play on console, don’t use computers for games and entertainment, it’s an archaic approach that can lead to disaster!

I like playing zombies and solving easter eggs. I know the feeling of nostalgia for old maps and mechanics. But in 2025, this nostalgia can cost us complete control over our computers.

If you want to play Call of Duty on PC (which I don’t recommend!), focus ONLY on the newest titles with active security support. Black Ops 6 have their problems with cheaters, but at least they don’t turn your computer into a zombie.

Practical rules: You won’t find them here, buddy… I only have one: Abandon the ship or abandon the hope :)

If you got hacked: I have no advice for you… same as above: Abandon the ship or abandon the hope :-]

I honestly doubt that corporate scum from Microsoft, Steam, or Activision would ever read this text. Time to stop making money from selling the digital equivalent of anti-personnel mines and finally deal with responsibility for the products you distribute.

UPDATE July 5, 2025: Activision responds after 72 hours of silence

Saturday, July 5, 2025 - 2:03 AM: After three days of documented RCE attacks and community warnings, @CODUpdates finally acknowledged the crisis: “Call of Duty: WWII on PC Microsoft Store was brought offline while we investigate reports of an issue.” The late-night announcement came 72 hours after the first documented compromises and only after widespread social media pressure from affected players and content creators.

The response specifically targets the Microsoft Store version rather than addressing the broader PC vulnerability affecting Steam and other platforms. The phrasing “reports of an issue” notably understates the severity of confirmed Remote Code Execution attacks that granted attackers complete system access to victims’ computers.

This limited response raises questions about whether the underlying vulnerability will be properly addressed or if players on other PC platforms remain at risk. The three-day delay between documented attacks and official acknowledgment highlights the inadequate security response protocols for critical gaming platform vulnerabilities.

Selected Sources

Reddit discussion

X discussion

• Cybersecurity
• Microsoft