Steam Gaming Platform Hosting Malware

Emerging malware is lurking in Steam profile images.


Look out for SteamHide, an emerging malware that disguises itself inside profile images on the gaming platform Steam, which researchers think is being developed for a wide-scale campaign.

The Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: “The heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.”

The technique is called steganography and it’s not new — but Steam profiles being used as attacker-controlled hosting sites, is.

“While hiding malware in an image file’s metadata is not a new phenomenon, using a gaming platform such as Steam is previously unheard of,” G Data analyst Karsteen Hahn said about SteamHide in a new disclosure report, which builds on the original find by @miltinh0c on Twitter:

The malware downloader is hiding in the Steam profile image’s metadata, specifically in the International Color Consortium (ICC) profile, a standardized set of data to control color output for printing. Attackers hide their malware in benign images commonly shared online, including memes like “blinking white guy” used in the G Data analysis example.

“The low-quality image shows three frames of the ‘white guy blinking’ meme alongside the words January, a black screen, and September,” Hahn added.

Victims of the malware don’t have to be on Steam or have any gaming platform installed, G Data’s researchers found. The profile image data only hosts the malware — to make it onto a victim’s machine, it must be fetched by a loader that’s been loaded onto a compromised device, the report explained.

Attackers Have Big Plans for SteamHide

Once executed on a victim machine, the malware terminates any security protections and checks for administration rights, the researchers found, then copies itself to “LOCALAPPDATA” folder and persists by creating a key in a registry that G Data identified as “\Software\Microsoft\Windows\CurrentVersion\Run\BroMal.”

For now, that’s all it does. But G Data said the developers of SteamHide have hidden tools inside their malware that aren’t currently being used, but could be dangerous later; including checking if Teams is installed on the infected machine, and a method stub named “ChangeHash” that indicates developers are working on increasingly complex iterations of the existing malware. There’s also a tool that enables the malware to send and receive commands over Twitter.

There could be new versions soon: Updating the malware only requires uploading a new profile pic.

“I am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., StrRAT and SectopRAT,” according to researchers.

It’s hard to say how easy the malware and attacker-controlled profiles would be to root out: Steam’s most recent data said the platform has more than 20 million users playing games, including popular titles like Counter-Strike: Global Offensive, Dota 2 and Apex Legends. Steam’s parent company Valve hasn’t responded to Threatpost’s request for comment on SteamHide.

This isn’t the first time Steam has been hit with cybersecurity issues. For instance, last December, Steam had to fix critical bugs that allowed a remote attacker to crash another player’s game, take over the computer and hijack all the computers connected to a third-party server.

This article was updated at 9 a.m. on June 11, 2021 to add clarity around how Steam is being used by cybercriminals.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles


  • Smartman on

    So a computer already has to be infected. Such a clickbaity title. This is not dangerous at all, they could use different means of hosting a malware code other than hiding it in image metadata.
  • Angrybeaver on

    This is by no means close to new. This is known as steganography. It is used a lot in the cyber space, but normally to exfiltrate data. The image alone cannot execute code, not without some form of human interaction. So as was mentioned this can update malware by a new image... meaning that is more than likely what this is. It is just a way of communicating with machines already infected with the underlying malware.
  • MomsMabley on

    Yet, this article doesn't aptly describe how to prevent it. Do you get it from downloading this meme, a pic of it, what? This article is light on anything more than crying, 'FIRE!'
  • Martin Firth on

    What an awful article and completely misleading. I hope Valve sue you.
  • Anonymous on

    @Smartman this is Epic in their ridiculous crusade of making Steam look bad.
  • David Hinely on

    It's a novel use for a common threat delivery method. Only issue, in itself it isn't a threat, you still need to be infected with a virus for this delivery method to be used. Since it's been found, purging can begin, easiest way is to remove images with corrupt metadata, or to scan for the known threats and remove them. [external link removed]

Leave A Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.