World of Warcraft players have been hit with a malicious trojan that hijacks accounts even when they're protected by two-factor authentication, officials have warned.

The malware is infecting systems by posing as an installer of Curse, a legitimate add-on that helps players manage other World of Warcraft add-ons. On Friday, officials with WoW developer Blizzard warned that trojanized versions of Curse available on unofficial sites were posing as the authorized Curse client. Once installed on end-user computers, the imposter versions were being used to take over accounts. In some cases, users reported that their accounts were hijacked even after the passwords were changed and even when the accounts were protected by Authenticator, a two-factor authentication system that sends a temporary password to players' smartphones.

"We've been receiving reports regarding a dangerous trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," Blizzard officials wrote on Friday. "The trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."

In an update, Blizzard officials wrote, "The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse website. This site was popping up in searches for 'curse client' on major search engines, which is how people were lured into going there."

Antivirus providers are in the process of updating their products to detect and remove the malicious add-on. In the meantime, users can create an MSInfo file and look for a file called "Disker" or "Disker64" in the startup program section. Infected users whose AV programs aren't yet detecting the trojan should thoroughly remove the fake Curse files and run scans with an updated Malwarebytes client. More detailed removal instructions are here.

Blizzard's warning helps explain why some users reported that their accounts were repeatedly hijacked even after users changed passwords and locked down accounts with the Authenticator. It also highlights the importance of double-checking the address of sites offering installers or updates. Frequently, the pages and program names of trojanized apps will appear identical to the real thing. In those cases, the only way to spot a malicious imposter is to make sure the address matches the official provider. The only site readers should visit for downloads of Curse is curse.com.