In context: Released in 2013, Dota 2 is still one of the most popular multiplayer experiences among MOBA aficionados. And for 15 months, millions of Dota 2 players were potentially vulnerable to remote code execution attacks because of Valve's carelessness.

Valve is infamously known for taking its sweet time making a new Half-Life game (actually, any new game) or counting up to three. The digital distribution giant co-founded by Gabe Newell is seemingly as lax regarding dangerous security vulnerabilities, putting players of one of its most popular titles at risk and letting hackers go wild with their malicious experimentations.

The free-to-play MOBA title Dota 2 is still extremely popular even though it was initially released almost 10 years ago on July 9, 2013. Like many other games, Dota 2 embeds a build of the V8 JavaScript engine created by Google for the Chrome/Chromium project. The fundamental issue here is that, until recently, Valve still used an outdated build of the V8 engine compiled in December 2018.

The more than four-year-old version was riddled with potentially dangerous security bugs. What's worse is Dota 2 doesn't run V8 with any sandbox protection. A bad actor could have exploited the issue to run malicious code remotely against Dota players. According to Avast, that's what happened before Valve finally updated the V8 engine.

Avast researchers discovered that an unknown hacker was testing a potential exploit against CVE-2021-38003, an extremely dangerous security flaw in the V8 engine with an 8.8/10 severity rating. At first, the hacker made a seemingly benign test by publishing a new custom game mode --- a way for players to change the Dota 2 experience --- with an exploit code for CVE-2021-38003 embedded inside.

After that, the hacker published three other game modes, using a more covert approach by adopting a simple backdoor of only "about twenty lines of code." The backdoor could execute arbitrary JS scripts downloaded from a command-and-control server via HTTP. The clever trick allowed the attacker to keep the exploit code hidden and easily update it without submitting a new custom game mode for review and potential discovery. In other words, it would have allowed the hacker to dynamically execute JavaScript code (and likely the CVE-2021-38003 exploit) in the background.

Google patched CVE-2021-38003 in October 2021. Meanwhile, the unknown hacker started experimenting in March 2022. Dota 2 developers didn't bother fixing the issue until January 2023, when Avast informed them of its findings. Further analysis to find other exploits was unsuccessful, while the true motivations of the Dota 2 hacker remain unknown.