CURRENT ISSUE! Malicious Script Mods and Other Malware
CURRENT INCIDENT: Malicious ts4script files in multiple compromised accounts on Mod the Sims and an 18+ site, beginning March 1, 2026.
Posts with full details:
Multiple Mod the Sims accounts compromised. Malicious ts4script files have been uploaded to multiple mods, including to mods/CC that should not have one. Delete immediately and run a full-system malware and virus check.
18+ website also compromised. If you have recently downloaded an 18+ mod from an 18+ website and you don't use ModGuard, check if you've been infected with malware: Look in your Sims 4 install location for a file called "out.exe" (or "out" if extensions are hidden). Do not run the file. Do this:
- Delete the file
- Delete recently downloaded 18+ mods
- Empty your Recycle Bin to permanently delete them
- Run a full virus and malware scan
- Change your passwords
See see the section in How to Use Mods and CC about "Safe Simming" for advice on how to avoid downloading compromised files. Download TwistedMexi's Modguard mod (from his website or Curseforge) to help protect you from the file you thought was okay, even after being cautious.
*****************************************************************************************
January 2024 Incident
Beginning as early as mid-January 2024, we began seeing Sims 4 script mods with malicious executable .exe code hidden in them.
The mods masqueraded as being from existing creators or from a brand-new creator with a name similar to an existing one. In one known case, it appears that a creator’s account was hacked to update the creator’s own mod page. These mods also presented themselves as being previously existing mods. (Mac users: Because this is .exe code, it won’t affect you, but may produce LEs.)
Mods known to have been compromised
- "PimpMySims4" (impersonated) – Cult Mod – was on Mod the Sims; now removed
- MySims4 – "Social Events - Unlimited Time" – was on Curseforge; now removed
- MSQSims (hacked) – on The Sims Resource, Feb. 5-8; all removed
- Mood Cheat Menu
- Motherlode Menu
- Seasons Cheat Menu
- Weather Forecast Cheat Menu
- PlayersWonderland (hacked) – Mouth Preset N16 ts4script file – on The Sims Resource, now removed
- V1 of an adult mod, with a January file date – on LoversLab
How to check your system for the January 2024 malware
To see if your system has been affected by the malicious code:
- select Windows-R
- In the window that opens, type this:
%AppData%\Microsoft\Internet Explorer\UserData
- In the folder that opens, look for files called Updater.exe and/or Main.exe.
If you are affected
If you had one of these files, assume that any sensitive data on your PC may be compromised and take the steps below:
- Clear your system for this specific virus. (See below.) This must be done FIRST.
- If you have the Discord app or a cryptocurrency wallet app, uninstall them. This is important if not obvious: Starting these can trigger an attempt to reinstall this malware.
- Change your passwords.
- Add two-factor authentication where available.
- If you had saved credit card or similar information to a web browser, remove it and find out from your financial institution (or other relevant site) what action to take next.
- Reinstall Discord and cryptocurrency wallet apps from fresh downloads.
- Learn more about keeping your data secure in the future: https://answers.ea.com/t5/EA-Services-General-Questions/Answers-HQ-Online-Security-Newsletter-January/m-p/13449052/thread-id/447422
To clear your system:
- Download this fix created by Maxis mod-host partner Curseforge: SimsVirusCleaner
- Double-click the SimsVirusCleaner.exe file in your Downloads folder tor run it.
- This is a good time to run a general virus/malware scan on your computer.
More things to know
- Curseforge and The Sims Resource updated their file screening for this method of malware inclusion.
- Type of mods affected: The least likely mods to be affected were mods that are only .package files and mods uploaded by mod creators on Patreon or their own sites. Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file.
- Downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.
- New prevention/detection Sims 4 tool: TwistedMexi released a tool called ModGuard.
April 2024 Incident
[April 7, 2024] Malware via a mod that downloaded as only a text file with a link.
Known cases:
- "S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)
- “Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024)
Do NOT follow the links in text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).
If you downloaded either of these, delete them and run a virus scan. NOTE: This type malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.
November 2024 Incident
On November 5, 2024, on Mod the Sims, someone uploaded malicious versions of at least four mods. Unlike the earlier incident, no new accounts were involved, and one of the accounts breached was TwistedMexi's. No other compromised mods were found. It is not yet known what the effect of any malware included or called up was, so assume it's very bad.
What to do
- If you downloaded any mods with .ts4script files from Mod the Sims on November 5, delete the mod and run a virus scan.
- If you don't already have it, download TwistedMexi's tool ModGuard. It will not protect against all possible script-file exploits, but it will help. Note that your other system protections cannot see what's in a .ts4script file.
April 13, 2025 incident
Some SimFileShare CC compromised
Do not download mods from SimAndy or TheNinthWaveSim or Pixelunivairse mods/CC from SimFileShare. The accounts are compromised. Files present include an executable (.exe) file presumed to be malicious. If you downloaded files from these creators after about April 11, delete them and run a virus scan
The owner of SFS has removed all known compromised files, and SFS is permitting file uploads again. Please remain cautious about what you download, especially files that were updated in early April 2025.
March 2026 incident
Multiple Mod the Sims accounts compromised. Ts4script files uploaded, including to mods/CC that should not have one. Files contents clearly malicious. If you downloaded any ts4script files from Mod the Sims beginning March 1, 2026, delete immediately and run a full-system malware and virus check. All compromised files have been removed. An 18+ mod-hosting website is also compromised.
If you have recently downloaded an 18+ mod from an 18+ website and you don't use ModGuard, check if you've been infected with malware: Look in your Sims 4 install location for a file called "out.exe" (or "out" if extensions are hidden). Do not run the file. Do this:
- Delete the file
- Delete recently downloaded 18+ mods
- Empty your Recycle Bin to permanently delete them
- Run a full virus and malware scan
- Change your passwords
Current Impact of Incidents on Mod Update News
- Updates of mods/CC hosted only on Mod the Sims are on pause.
- updated March 2, 2026
