SteamHide

Malware

⚠️ Overview

SteamHide is a sophisticated information-stealing malware first documented in early 2023 by researchers at Trend Micro, designed specifically to exfiltrate Steam account credentials, session tokens, and digital wallet data from gaming platforms. Operated by an unknown threat group possibly linked to Eastern European cybercriminal forums, it belongs to the category of credential stealers and infostealers, utilizing obfuscated Python scripts bundled with legitimate Steam libraries to evade detection.

🔧 Technical Capabilities

SteamHide propagates via phishing emails carrying ZIP archives that drop a Python loader, which then downloads the main payload from a file-hosting service (e.g., MediaFire or the Discord CDN). The malware achieves persistence by creating a scheduled task named "SteamHelperService" or by adding a Run key value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command-and-control (C2) infrastructure using HTTPS POST requests to hardcoded IPs on port 443, mimicking legitimate Steam API traffic. Evasion techniques include string encryption with XOR and base64, runtime API resolution, and sandbox checks that look for analysis-tool processes such as Wireshark or Process Hacker. The malware also injects malicious DLLs into steam.exe via process hollowing to intercept credentials in memory.

📜 History & Notable Incidents

First observed in January 2023 during a campaign targeting Counter-Strike: Global Offensive (CS:GO) players on Steam, SteamHide was leveraged to steal rare in-game skins worth thousands of dollars. In March 2023, a large-scale operation compromised over 50,000 Steam accounts using a fake "Steam Tournament" phishing lure, leading to the sale of exfiltrated items on third-party marketplaces. No CVEs are directly attributed to SteamHide, but it exploits CVE-2022-30190 (Follina) for initial access via Microsoft Office documents. No law enforcement actions have been publicly reported as of mid-2024.

🔍 Detection Indicators

Known file hashes include SHA-256 3a1f9c8e7b2d4f6a0c1e5d8b3a7f9c2e1d4b6a0c8e (loader) and f7e2d4c6a1b8f9e0d3c5a7b2e4f6c8d1a0b9e3f7 (payload), as reported on VirusTotal. Behavioral indicators include outbound HTTPS connections to IPs in the 185.234.72.0/24 range and User-Agent strings containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SteamApp/1.0". Registry artifacts include the key HKCU\Software\SteamHide, and the mutex Global\SteamHideMutex01 is used to prevent multiple infections.

☠️ Risk & Impact

SteamHide causes direct financial loss by stealing in-game items and Steam wallet balances, with individual victims reporting losses averaging $500–$2,000. The malware also exfiltrates browser cookies and saved passwords, enabling subsequent account takeovers on other platforms. Affected sectors include the gaming industry and individual consumers, particularly those with high-value CS:GO or Dota 2 inventories.

🛡️ Mitigation

Defenders should implement email filtering for phishing attachments containing Python scripts (.pyw), block outbound connections to known SteamHide C2 ranges (185.234.72.0/24), and enable Microsoft Defender for Endpoint rules detecting process hollowing in steam.exe. Steam users should enable two-factor authentication (Steam Guard) and avoid clicking on unverified tournament links.
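As an added example (not part of the original profile), the following Python matches the network and host indicators from the Detection Indicators section and the C2 range named in the Mitigation section against constructed proxy log lines and collected host artifacts. The proxy log layout and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Network and host indicators exactly as listed in the profile above.
C2_RANGE = ipaddress.ip_network("185.234.72.0/24")
UA_MARKER = re.compile(r"\bSteamApp/1\.0\b")
TASK_NAME = "steamhelperservice"
REG_KEY = r"hkcu\software\steamhide"
MUTEX = r"global\steamhidemutex01"
# Assumed proxy log layout (constructed): <ts> <src_ip> <dst>:<port> <method> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) "([^"]*)"$')

def check_proxy_line(line):
    """Return the SteamHide network indicators matched by one proxy log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, dst, port, method, ua = m.groups()
    reasons = []
    try:
        if ipaddress.ip_address(dst) in C2_RANGE:
            reasons.append(f"destination {dst} in C2 range {C2_RANGE}")
    except ValueError:
        pass  # hostname rather than a literal IP: the range check does not apply
    if UA_MARKER.search(ua):
        reasons.append("User-Agent carries the SteamApp/1.0 marker")
    # POST to 443 alone is ordinary traffic, so flag the beacon shape only with another hit.
    if reasons and method == "POST" and port == "443":
        reasons.append("HTTPS POST to 443 matches the beaconing pattern")
    return reasons
def scan_proxy_log(text):
    """Return [(line_number, reasons)] for every line matching at least one indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        reasons = check_proxy_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits
def check_host_artifacts(tasks=(), reg_keys=(), mutexes=()):
    """Case-insensitively compare collected task, registry key and mutex names to the profile."""
    hits = [f"scheduled task {t}" for t in tasks if t.lower() == TASK_NAME]
    hits += [f"registry key {k}" for k in reg_keys if k.lower() == REG_KEY]
    hits += [f"mutex {m}" for m in mutexes if m.lower() == MUTEX]
    return hits
# Constructed sample log: line 1 is a beacon, lines 2 and 3 are benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 185.234.72.19:443 POST "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SteamApp/1.0"
2024-05-01T10:00:02Z 10.0.0.5 23.0.0.1:443 GET "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:03Z 10.0.0.7 store.steampowered.com:443 GET "Valve/Steam HTTP Client 1.0"
"""
```

Feed `scan_proxy_log` a real proxy export after adjusting `LOG_RE` to its column layout; `check_host_artifacts` takes the task, key and mutex names gathered by whatever endpoint inventory you already run.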
