January 2024 Incident Beginning as early as mid-January 2024, we began seeing Sims 4 script mods with malicious executable .exe code hidden in them. The mods masqueraded as being from existing creators or from a brand-new creator with a name similar to an existing one. In one known case, it appears that a creator’s account was hacked to update the creator’s own mod page. These mods also presented themselves as being previously existing mods. (Mac users: Because this is .exe code, it won’t affect you, but may produce LEs.) Mods known to have been compromised "PimpMySims4" (impersonated) – Cult Mod – was on Mod the Sims; now removed MySims4 – "Social Events - Unlimited Time" – was on Curseforge; now removed MSQSims (hacked) – on The Sims Resource, Feb. 5-8; all removed Mood Cheat Menu Motherlode Menu Seasons Cheat Menu Weather Forecast Cheat Menu PlayersWonderland (hacked) – Mouth Preset N16 ts4script file – on The Sims Resource, now removed V1 of an adult mod, with a January file date – on LoversLab How to check your system for the January 2024 malware To see if your system has been affected by the malicious code: select Windows-R In the window that opens, type this: %AppData%\Microsoft\Internet Explorer\UserData In the folder that opens, look for files called Updater.exe and/or Main.exe. If you are affected If you had one of these files, assume that any sensitive data on your PC may be compromised and take the steps below: Clear your system for this specific virus. (See below.) This must be done FIRST. If you have the Discord app or a cryptocurrency wallet app, uninstall them. This is important if not obvious: Starting these can trigger an attempt to reinstall this malware. Change your passwords. Add two-factor authentication where available. If you had saved credit card or similar information to a web browser, remove it and find out from your financial institution (or other relevant site) what action to take next. Reinstall Discord and cryptocurrency wallet apps from fresh downloads. Learn more about keeping your data secure in the future: https://answers.ea.com/t5/EA-Services-General-Questions/Answers-HQ-Online-Security-Newsletter-January/m-p/13449052/thread-id/447422 To clear your system: Download this fix created by Maxis mod-host partner Curseforge: SimsVirusCleaner Double-click the SimsVirusCleaner.exe file in your Downloads folder tor run it. This is a good time to run a general virus/malware scan on your computer. More things to know Curseforge and The Sims Resource updated their file screening for this method of malware inclusion. Type of mods affected: The least likely mods to be affected were mods that are only .package files and mods uploaded by mod creators on Patreon or their own sites. Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file. Downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system. New prevention/detection Sims 4 tool: TwistedMexi released a tool called ModGuard. April 2024 Incident [April 7, 2024] Malware via a mod that downloaded as only a text file with a link. Known cases: "S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023) “Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024) Do NOT follow the links in text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt). If you downloaded either of these, delete them and run a virus scan. NOTE: This type malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop. November 2024 Incident On November 5, 2024, on Mod the Sims, someone uploaded malicious versions of at least four mods. Unlike the earlier incident, no new accounts were involved, and one of the accounts breached was TwistedMexi's. No other compromised mods were found. It is not yet known what the effect of any malware included or called up was, so assume it's very bad. What to do If you downloaded any mods with .ts4script files from Mod the Sims on November 5, delete the mod and run a virus scan. If you don't already have it, download TwistedMexi's tool ModGuard. It will not protect against all possible script-file exploits, but it will help. Note that your other system protections cannot see what's in a .ts4script file. Changes to Mod Update News I will not be reporting on updates of mods/CC hosted only on Mod the Sims until further notice. Unfortunately, after a second incident within a year on the same site, I'm no longer confident about actively sending players there. Reports of the November malicious mod "updates" were on this site for at least an hour, and it's only because I hadn't got to my destination yet and happened to check my phone en route that news about them was reported here the same day. The mod list "Creator News" will report when modders using MTS add new hosts for their mods. - updated December 12, 2024

NOTE: Updated February 8 to add recovery steps re. Discord and cryptocurrency wallets. Further important updates will have added notes here so people subscribing to this post are messaged about them.

February 9 updates New Compromised Files The Sims Resource, which will now be implementing new test measures, has checked all ts4script files uploaded in 2024 and identified three more compromised mods from hacked accounts: MSQSims – Mood Cheat Menu – downloaded Feb. 5-8 MSQSims – Motherlode Menu – downloaded Feb. 5-8 PlayersWonderland – Mouth Preset N16 – ts4script file Also identified: V1 of an adult mod, with a January file date – uploaded at LoversLab New Important Notes ts4script files: Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file. Those are needed by mods that affect gameplay. If you’re downloading CC, look for ts4script files. Do not put them in your Mods folder. Report the CC that included it. downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system. New Tool TwistedMexi – ModGuard: Mod Malware Protection – download sources: Patreon (now), Curseforge (soon); NOTE: This tool has specific installation instructions. Follow them. CURRENT VERSION: 1.5 - ts4script file date: 28 Feb. 2024, on Patreon, linked from TwistedMexi's website; not yet updated on Curseforge This tool goes in your Mods folder and will do the following: Detect and block common virus vectors Find the mod doing it Notify you of the compromised mod Notify TwistedMexi’s team of the compromised mod TwistedMexi’s team can then inform others, and we can get the word out to everyone. NOTE: Every tool like this has workarounds that a bad actor will find. This tool is NOT a replacement for using caution and skepticism when you download mods. It also does NOT provide broader protection; it is specific to Sims 4 mods. [updated Feb. 28 for ModGuard v1.5]

Feb. 10 UPDATED TwistedMexi – ModGuard – critical update 1.1, Patreon, ts4script file dated 10 Feb. 2024 – additional virus vectors and other improvements – reminder: follow the installation instructions QUICK UPDATE TO THAT: 1.1 is crashing on Macs, but it's less urgent for you. Other Notes MSQSims reports on her social media that Mood Cheat Menu and Motherlode Cheat Menu were taken down as extra precautions by The Sims Resource, not because they were compromised like the other two Cheat Menus (the ones she had cleared for patch 1.1040). IMPORTANT: I am NOT yet clearing these for the purpose of the compromised-mod list on p. 1.

Feb. 12 Updated TwistedMexi – ModGuard – v1.4, Patreon (not yet available on Curseforge), ts4script file dated 12 Feb. 2024 – for fewer false positives

IMPORTANT Do NOT download from MOD THE SIMS until further notice More info to come.

Forum Discussion

luthienrising

Hero+

2 years ago

Malicous Script Mods and Malware

January 2024 Incident

Beginning as early as mid-January 2024, we began seeing Sims 4 script mods with malicious executable .exe code hidden in them.

The mods masqueraded as being from existing creators or from a brand-new creator with a name similar to an existing one. In one known case, it appears that a creator’s account was hacked to update the creator’s own mod page. These mods also presented themselves as being previously existing mods. (Mac users: Because this is .exe code, it won’t affect you, but may produce LEs.)

Mods known to have been compromised

"PimpMySims4" (impersonated) – Cult Mod – was on Mod the Sims; now removed
MySims4 – "Social Events - Unlimited Time" – was on Curseforge; now removed
MSQSims (hacked) – on The Sims Resource, Feb. 5-8; all removed
- Mood Cheat Menu
- Motherlode Menu
- Seasons Cheat Menu
- Weather Forecast Cheat Menu
PlayersWonderland (hacked) – Mouth Preset N16 ts4script file – on The Sims Resource, now removed
V1 of an adult mod, with a January file date – on LoversLab

How to check your system for the January 2024 malware

To see if your system has been affected by the malicious code:

select Windows-R
In the window that opens, type this:

%AppData%\Microsoft\Internet Explorer\UserData

In the folder that opens, look for files called Updater.exe and/or Main.exe.

If you are affected

If you had one of these files, assume that any sensitive data on your PC may be compromised and take the steps below:

Clear your system for this specific virus. (See below.) This must be done FIRST.
If you have the Discord app or a cryptocurrency wallet app, uninstall them. This is important if not obvious: Starting these can trigger an attempt to reinstall this malware.
Change your passwords.
Add two-factor authentication where available.
If you had saved credit card or similar information to a web browser, remove it and find out from your financial institution (or other relevant site) what action to take next.
Reinstall Discord and cryptocurrency wallet apps from fresh downloads.
Learn more about keeping your data secure in the future: https://answers.ea.com/t5/EA-Services-General-Questions/Answers-HQ-Online-Security-Newsletter-January/m-p/13449052/thread-id/447422

To clear your system:

Download this fix created by Maxis mod-host partner Curseforge: SimsVirusCleaner
Double-click the SimsVirusCleaner.exe file in your Downloads folder tor run it.
This is a good time to run a general virus/malware scan on your computer.

More things to know

Curseforge and The Sims Resource updated their file screening for this method of malware inclusion.
Type of mods affected: The least likely mods to be affected were mods that are only .package files and mods uploaded by mod creators on Patreon or their own sites. Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file.
Downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.
New prevention/detection Sims 4 tool: TwistedMexi released a tool called ModGuard.

April 2024 Incident

[April 7, 2024] Malware via a mod that downloaded as only a text file with a link.

Known cases:

"S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)
“Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024)

Do NOT follow the links in text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).

If you downloaded either of these, delete them and run a virus scan. NOTE: This type malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.

November 2024 Incident

On November 5, 2024, on Mod the Sims, someone uploaded malicious versions of at least four mods. Unlike the earlier incident, no new accounts were involved, and one of the accounts breached was TwistedMexi's. No other compromised mods were found. It is not yet known what the effect of any malware included or called up was, so assume it's very bad.

What to do

If you downloaded any mods with .ts4script files from Mod the Sims on November 5, delete the mod and run a virus scan.
If you don't already have it, download TwistedMexi's tool ModGuard. It will not protect against all possible script-file exploits, but it will help. Note that your other system protections cannot see what's in a .ts4script file.

Changes to Mod Update News

I will not be reporting on updates of mods/CC hosted only on Mod the Sims until further notice. Unfortunately, after a second incident within a year on the same site, I'm no longer confident about actively sending players there. Reports of the November malicious mod "updates" were on this site for at least an hour, and it's only because I hadn't got to my destination yet and happened to check my phone en route that news about them was reported here the same day.
The mod list "Creator News" will report when modders using MTS add new hosts for their mods.

- updated December 12, 2024

11 Replies

luthienrising
Hero+
2 years ago
NOTE: Updated February 8 to add recovery steps re. Discord and cryptocurrency wallets.

Further important updates will have added notes here so people subscribing to this post are messaged about them.
luthienrising
Hero+
2 years ago
February 9 updates

New Compromised Files

The Sims Resource, which will now be implementing new test measures, has checked all ts4script files uploaded in 2024 and identified three more compromised mods from hacked accounts:

MSQSims – Mood Cheat Menu – downloaded Feb. 5-8

MSQSims – Motherlode Menu – downloaded Feb. 5-8

PlayersWonderland – Mouth Preset N16 – ts4script file

Also identified:

V1 of an adult mod, with a January file date – uploaded at LoversLab

New Important Notes

ts4script files: Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file. Those are needed by mods that affect gameplay. If you’re downloading CC, look for ts4script files. Do not put them in your Mods folder. Report the CC that included it.

downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.

New Tool

TwistedMexi – ModGuard: Mod Malware Protection – download sources: Patreon (now), Curseforge (soon); NOTE: This tool has specific installation instructions. Follow them.

CURRENT VERSION: 1.5 - ts4script file date: 28 Feb. 2024, on Patreon, linked from TwistedMexi's website; not yet updated on Curseforge

This tool goes in your Mods folder and will do the following:

Detect and block common virus vectors

Find the mod doing it

Notify you of the compromised mod

Notify TwistedMexi’s team of the compromised mod

TwistedMexi’s team can then inform others, and we can get the word out to everyone.

NOTE: Every tool like this has workarounds that a bad actor will find. This tool is NOT a replacement for using caution and skepticism when you download mods. It also does NOT provide broader protection; it is specific to Sims 4 mods.

[updated Feb. 28 for ModGuard v1.5]
luthienrising
Hero+
2 years ago
Feb. 10

UPDATED

TwistedMexi – ModGuard – critical update 1.1, Patreon, ts4script file dated 10 Feb. 2024 – additional virus vectors and other improvements – reminder: follow the installation instructions

QUICK UPDATE TO THAT: 1.1 is crashing on Macs, but it's less urgent for you.

Other Notes

MSQSims reports on her social media that Mood Cheat Menu and Motherlode Cheat Menu were taken down as extra precautions by The Sims Resource, not because they were compromised like the other two Cheat Menus (the ones she had cleared for patch 1.1040).

IMPORTANT: I am NOT yet clearing these for the purpose of the compromised-mod list on p. 1.
luthienrising
Hero+
12 months ago
Feb. 11

UPDATED

TwistedMexi – ModGuard – v1.2, Patreon (not yet available on Curseforge), ts4script file dated 11 Feb. 2024 – Mac compatibility, additional virus vectors and other improvements – reminder: follow the installation instructions

ADDED NOTE:With 1.2, an "inconclusive" report is a false positive and not an indication of a compromised file
luthienrising
Hero+
12 months ago
Feb. 12

Updated

TwistedMexi – ModGuard – v1.3, Patreon (not yet available on Curseforge), ts4script file dated 12 Feb. 2024 – "inconclusive" fixed
luthienrising
Hero+
12 months ago
Feb. 12

Updated

TwistedMexi – ModGuard – v1.4, Patreon (not yet available on Curseforge), ts4script file dated 12 Feb. 2024 – for fewer false positives
luthienrising
Hero+
12 months ago
Feb. 28

Updated

TwistedMexi – ModGuard – v1.5, Patreon (not yet available on Curseforge), ts4script file dated 28 Feb. 2024 – for better patch compatibility
luthienrising
Hero+
10 months ago
Apr. 7: NEW THREAT

NEW: Malware via a mod that is downloaded as only a text file that contains a link.

Known cases:

"S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)

“Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024)

Do NOT follow the links in the text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).

If you downloaded either of these, delete them NOW and run a virus scan. NOTE: This malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.
luthienrising
Hero+
7 months ago
July 24: Updated the main post to reflect that this isn't a current issue but could still be useful info later.
luthienrising
Hero+
4 months ago
IMPORTANT

Do NOT download from MOD THE SIMS until further notice

More info to come.

About The Sims 4 Mods & Custom Content

Find expert tips, troubleshooting help, tutorials for mods and custom content, and The Sims 4 patch files in our forum.14,409 PostsLatest Activity: 3 years ago

Recent Discussions

Sims 4 Mod UI glitch
3 hours ago
Dumbhee
Can't save progress
7 hours ago
charmednmissouri
Stuck On Loading Screen
7 hours ago
Midnightgamer124
Sim_info_tests error
9 hours ago
Dee19962000
Infinite Loading for Chic Street Apartments
11 hours ago
miklc

Forum Discussion

Malicous Script Mods and Malware

Sims 4 Mod UI glitch

Can't save progress

Stuck On Loading Screen

Sim_info_tests error

Infinite Loading for Chic Street Apartments