EXECUTIVE SUMMARY:
Newly identified malware is being distributed under the guise of a legitimate Steam client cleaner utility. The malicious installer is signed with a valid code-signing certificate and targets Windows systems by mimicking the open-source tool "SteamCleaner". Once executed, it persists on the host and establishes communication with attacker-controlled command-and-control (C2) servers, enabling remote execution of arbitrary commands on the compromised machine.
The malware augments the original binary with extra functionality and includes multiple anti-analysis checks to evade sandboxing. When executed it launches an embedded PowerShell payload that installs Node.js and deploys two distinct Node.js scripts retrieved from remote operator servers; those scripts are registered as scheduled tasks that run at system boot and on an hourly schedule. One script downloads and executes additional files through command interpreters, while the other accepts and runs arbitrary commands via Node's exec API. Both scripts collect and transmit system telemetry to the operator and return command output. Observed artifacts include download locations, sample MD5 hashes, and command-and-control infrastructure. The implant can install proxying software or any other payload the operator specifies.
Because it ships as a valid installer carrying a valid code signature, the malware passes casual inspection: a signed binary with the expected product name is not in itself evidence of legitimacy, which is why software should only be obtained from the project's own distribution channels and verified against the hashes published there. Organizations should block the identified C2 domains, monitor for unexpected scheduled tasks and Node.js installations (in particular tasks that launch node.exe at boot or on an hourly repetition), remove the dropped files, and rebuild compromised systems where the host cannot be trusted. Strengthening endpoint protection, EDR rules, and user awareness is critical to preventing infection.
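The following hunt script is an added example for this advisory; it is not code from the report, from the malware, or from the SteamCleaner project. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks and DnsClient modules, and it matches on the behaviours the summary describes (scheduled tasks that launch node.exe, .js files or encoded PowerShell; node.exe dropped outside Program Files; resolver-cache hits for the C2 names). `$KnownC2Domains` is a placeholder that the analyst fills in from the report's indicator list; the regular expressions and search roots are the author's choices, not indicators from the report.

```powershell
# Added hunting example (not from the report or the SteamCleaner project).
# Assumes Windows PowerShell 5.1+; $KnownC2Domains is a placeholder to be
# populated from the report's indicator list.
$KnownC2Domains = @()

# Task actions that launch node.exe, a .js file, or an encoded PowerShell
# command are what the campaign registers; -match is case-insensitive.
$SuspiciousPatterns = @('\bnode(\.exe)?\b', '\.js\b', 'powershell.*\s-e(c|nc|ncodedcommand)?\b')

function Get-SuspiciousTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            if (-not ($SuspiciousPatterns | Where-Object { $cmdline -match $_ })) { continue }

            # Summarise triggers: the implant uses a boot trigger plus an hourly repetition.
            $triggers = foreach ($t in $task.Triggers) {
                $kind = $t.CimClass.CimClassName -replace '^MSFT_Task', ''
                if ($t.Repetition.Interval) { "$kind (repeat $($t.Repetition.Interval))" } else { $kind }
            }

            # Resolve the executable and record its signer and MD5 for comparison
            # with the hashes published in the report.
            $exe    = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', ''))
            $exists = $exe -and (Test-Path -LiteralPath $exe)
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

            [pscustomobject]@{
                Task      = Join-Path $task.TaskPath $task.TaskName
                Author    = $task.Author
                Command   = $cmdline
                Triggers  = $triggers -join '; '
                SigStatus = if ($sig) { $sig.Status } else { 'file not found' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
                MD5       = if ($exists) { (Get-FileHash -Algorithm MD5 -LiteralPath $exe).Hash } else { 'n/a' }
            }
        }
    }
}

function Get-UnexpectedNodeBinary {
    # A legitimate Node.js install lives under Program Files; copies under
    # ProgramData, LocalAppData or Temp (search roots chosen here, not from the
    # report) deserve a second look.
    $roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Filter node.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                MD5    = (Get-FileHash -Algorithm MD5 -LiteralPath $_.FullName).Hash
                Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
            }
        }
}

function Get-C2Lookup {
    # Resolver-cache entries for the known C2 names indicate this host beaconed.
    if (-not $KnownC2Domains) { return }
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $KnownC2Domains -contains $_.Entry } |
        Select-Object Entry, Data, TimeToLive
}

Get-SuspiciousTask        | Format-Table -AutoSize
Get-UnexpectedNodeBinary  | Format-Table -AutoSize
Get-C2Lookup              | Format-Table -AutoSize
```

Run it elevated so that tasks registered under SYSTEM are enumerated; a signed node.exe with a valid Node.js Foundation signature in an unusual directory is still a finding, because the campaign installs a legitimate runtime and only the scripts it schedules are malicious, so compare the task's script path and MD5 against the report's artifacts rather than the runtime's signature.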
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | — |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Behavioral Analysis | B0007 | Sandbox Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | E1055 | Process Injection |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: