
luthienrising
2 years ago

Malicious Script Mods and Other Malware


CURRENT INCIDENT:  Some SimFileShare accounts compromised. See here.

 

January 2024 Incident

Beginning as early as mid-January 2024, we began seeing Sims 4 script mods with malicious executable .exe code hidden in them. 

 

The mods masqueraded as being from existing creators or from a brand-new creator with a name similar to an existing one. In one known case, it appears that a creator’s account was hacked to update the creator’s own mod page. These mods also presented themselves as being previously existing mods. (Mac users: Because this is .exe code, it won’t affect you, but may produce LEs.)

Mods known to have been compromised

  • "PimpMySims4" (impersonated) – Cult Mod – was on Mod the Sims; now removed
  • MySims4 – "Social Events - Unlimited Time" – was on Curseforge; now removed
  • MSQSims (hacked) – on The Sims Resource, Feb. 5-8; all removed
    • Mood Cheat Menu
    • Motherlode Menu
    • Seasons Cheat Menu
    • Weather Forecast Cheat Menu
  • PlayersWonderland (hacked) – Mouth Preset N16 ts4script file – on The Sims Resource, now removed
  • V1 of an adult mod, with a January file date – on LoversLab

How to check your system for the January 2024 malware

To see if your system has been affected by the malicious code:

  1. Select Windows-R.
  2. In the window that opens, type this:

%AppData%\Microsoft\Internet Explorer\UserData

  3. In the folder that opens, look for files called Updater.exe and/or Main.exe.

If you are affected

If you had one of these files, assume that any sensitive data on your PC may be compromised and take the steps below:

  1. Clear your system for this specific virus. (See below.) This must be done FIRST.
  2. If you have the Discord app or a cryptocurrency wallet app, uninstall them. This is important if not obvious: Starting these can trigger an attempt to reinstall this malware.
  3. Change your passwords.
  4. Add two-factor authentication where available.
  5. If you had saved credit card or similar information to a web browser, remove it and find out from your financial institution (or other relevant site) what action to take next.
  6. Reinstall Discord and cryptocurrency wallet apps from fresh downloads.
  7. Learn more about keeping your data secure in the future: https://answers.ea.com/t5/EA-Services-General-Questions/Answers-HQ-Online-Security-Newsletter-January/m-p/13449052/thread-id/447422

To clear your system:

  1. Download this fix created by Maxis mod-host partner Curseforge: SimsVirusCleaner
  2. Double-click the SimsVirusCleaner.exe file in your Downloads folder to run it.
  3. This is a good time to run a general virus/malware scan on your computer.

More things to know

  • Curseforge and The Sims Resource updated their file screening for this method of malware inclusion.
  • Type of mods affected: The least likely mods to be affected were mods that are only .package files and mods uploaded by mod creators on Patreon or their own sites. Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file.
  • Downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.
  • New prevention/detection Sims 4 tool: TwistedMexi released a tool called ModGuard.

April 2024 Incident

[April 7, 2024] Malware via a mod that downloaded as only a text file with a link.

Known cases:

  • "S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)
  • "Loading Screen Randomizer" on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto, dated 9 January 2024)

Do NOT follow the links in text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).  

If you downloaded either of these, delete them and run a virus scan. NOTE: This type of malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.


November 2024 Incident

On November 5, 2024, on Mod the Sims, someone uploaded malicious versions of at least four mods. Unlike the earlier incident, no new accounts were involved, and one of the accounts breached was TwistedMexi's. No other compromised mods were found. It is not yet known what the effect of any malware included or called up was, so assume it's very bad.

What to do

  • If you downloaded any mods with .ts4script files from Mod the Sims on November 5, delete the mod and run a virus scan.
  • If you don't already have it, download TwistedMexi's tool ModGuard. It will not protect against all possible script-file exploits, but it will help. Note that your other system protections cannot see what's in a .ts4script file.

 

April 13, 2025 incident 

Some SimFileShare CC compromised 

Do not download mods from SimAndy or TheNinthWaveSim or Pixelunivairse mods/CC from SimFileShare. The accounts are compromised. Files present include an executable (.exe) file presumed to be malicious. If you downloaded files from these creators after about April 11, delete them and run a virus scan.

The owner of SFS has removed all known compromised files, and SFS is permitting file uploads again. Please remain cautious about what you download, especially files that were updated in early April 2025.

 

Current Impact of Incidents on Mod Update News

  • Updates of mods/CC hosted only on Mod the Sims or only on SimFileShare may be delayed. 

 

- updated April 24, 2025 
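
The checks described in this post, scripted as an added example (not part of the original post, and not the code of ModGuard or SimsVirusCleaner): it looks for Updater.exe/Main.exe in the folder named above and inspects a downloaded zip for .exe files, text-only downloads and .ts4script files. It assumes a .ts4script file is itself a zip archive and treats an `MZ` header as a Windows executable; the function names, the size cap and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import Path

IOC_NAMES = {"updater.exe", "main.exe"}   # file names given in the post
MAX_BYTES = 50 * 1024 * 1024              # assumed cap: do not unpack huge nested entries

def check_ioc_folder(appdata):
    """List the January 2024 indicator files found under the given %AppData% path."""
    folder = Path(appdata) / "Microsoft" / "Internet Explorer" / "UserData"
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir() if p.name.lower() in IOC_NAMES)

def inspect_archive(data, name, depth=0):
    """Return warnings for a zip (or .ts4script, assumed to be a zip) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if depth == 0 and files and all(i.filename.lower().endswith(".txt") for i in files):
            findings.append(f"{name}: only text files, not a real mod download")
        for info in files:
            lower = info.filename.lower()
            with zf.open(info) as fh:
                magic = fh.read(2)        # first two bytes are enough for the MZ check
            if lower.endswith(".exe") or magic == b"MZ":
                findings.append(f"{name}: Windows executable '{info.filename}'")
            elif lower.endswith(".ts4script"):
                findings.append(f"{name}: script mod '{info.filename}'")
                body = zf.read(info) if info.file_size <= MAX_BYTES else b""
                if depth < 2 and zipfile.is_zipfile(io.BytesIO(body)):
                    findings += inspect_archive(body, info.filename, depth + 1)
    return findings

def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, body in entries.items():
            zf.writestr(entry_name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a hair CC zip whose script file hides an MZ-headed entry.
    script = make_zip({"mod/main.pyc": b"\x00" * 16, "mod/data.bin": b"MZ\x90\x00"})
    sample = make_zip({"hair.package": b"DBPF", "hair.ts4script": script})
    print(inspect_archive(sample, "hair.zip"))
    print(check_ioc_folder(os.environ.get("APPDATA", ".")))
```

An empty result from either function only means these specific signs were not found; it does not show that a file is safe.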

16 Replies

  • luthienrising
    Hero+
    9 months ago

    November 2024 Incident

    Security breach at Mod the Sims; malicious script files uploaded to known modders' mods

    On November 5, 2024, a security breach at Mod the Sims enabled someone to upload malicious versions of at least 4 mods. Unlike the earlier incident, no new accounts were involved, and one of the accounts breached was TwistedMexi's. It's not known (as of November 6) if any updates from before November 5 are also compromised. It is not yet known what the effect of any malware included or called up is, so assume it's very bad.

    What to do NOW

    • If you downloaded any mods with .ts4script files from Mod the Sims on November 5, delete the mod and run a virus scan.
    • If you don't already have it, download TwistedMexi's tool ModGuard. It will not protect against all possible script-file exploits, but it will help. Note that your other system protections cannot see what's in a .ts4script file.

    Downloading from Mod the Sims

    I cannot in good conscience recommend that Simmers download script mods (any mod with a .ts4script file) from Mod the Sims, as this is the second incident there in a year. If you decide to continue using Mod the Sims, look at the files in the Zip folder. If they include a .ts4script file, find a different site the modder uses. Many modders have multiple places they upload, such as Patreon, Curseforge, itchio, or their own website. 

    IMPORTANT: Changes to Mod Update News

    • I will no longer report on updates of mods/CC hosted only on Mod the Sims. The process of verifying that an upload is legitimate can be complex and time consuming, involving decompiling code, and I value my time. I didn't take that added time on November 5, and reports of these mod updates were on this site for at least an hour.
    • I will continue to report broken mods even if they're on Mod the Sims. (Note that this doesn't mean I'll start reporting mods not previously reported here. There are still reasons that some mods/creators are not reported about on EA sites.)
    • The mod list for November has already been adjusted to direct you to alternative places modders host mods.
    • The mod list "Creator News" will report when modders using MTS add new hosts for their mods.
  • April 13, 2025 

    SimAndy mods/CC compromised 

    Do not download SimAndy mods/CC from SimFileShare. The account is compromised. Files present include an executable file presumed to be malicious. 

  • April 14, 2025

    Some custom content downloads by SimAndy and TheNinthWaveSim on SimFileShare are compromised with an .exe (executable) file. Do NOT download them. If you did download any files from SimAndy in the last day or so, delete them and run a virus scan.

    TIP: Always look at the files that you download and that you extract from a zip or rar. It should make sense to you that that hair CC is not an executable program and should not have .exe or script files.

  • April 17

    • Pixelunivairse was told by SimFileShare that someone accessed their account. It’s not clear if uploads were replaced with malware executable files, but it looks like SFS has removed a fair bit of content just in case. If you recently downloaded files from Pixelunivairse, check for anything that’s not a .package file, delete, and run a virus scan.
  • April 17

    It's now confirmed that ALL mods on SimFileShare from Pixelunivairse are compromised. They are replaced with .exe files and should be presumed to be serious malware. Do NOT download them. If you are still using SimFileShare, download ONLY older files -- say, before April 2025. 

  • April 24, 2025

    The owner of SFS has removed all known compromised files, and SFS is permitting file uploads again. Please remain cautious about what you download, especially files that were updated in early April 2025.
