{ "id": "61452dda-1ff2-40e5-8f62-6a0fcc65e33f", "created_at": "2026-04-06T00:14:20.323255Z", "updated_at": "2026-04-10T03:22:01.6225Z", "deleted_at": null, "sha1_hash": "aa9c94e9ed3538a8c38c104f7e8cc56de0bc399a", "title": "Hacked Steam accounts spreading Remote Access Trojan", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1905179, "plain_text": "Hacked Steam accounts spreading Remote Access Trojan\r\nBy Lawrence Abrams\r\nPublished: 2016-10-01 · Archived: 2026-04-05 15:43:11 UTC\r\nYesterday, I stumbled on a post where a Reddit user named Haydaddict was alerting people about some hacked\r\nSteam accounts spreading malware. As I am always interested in new malware, I took a look to see what could be\r\ndiscovered.\r\nAccording to the post, the hacked accounts were being used to SPAM suspicious links using Steam chat. These chat\r\nmessages would tell the recipient to go to videomeo.pw to watch a video. \r\nSteam Chats\r\nWhen the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in\r\norder to watch the video.\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 1 of 6\n\nFake Video Page\r\nIf a target downloads the installer and executes it, they will find that it does not appear to do anything. This is because the\r\nFlash Player installer is actually a Trojan that executes a PowerShell script called zaga.ps1, which will download a 7-\r\nzip archive, 7-zip extractor, and a CMD script from the zahr.pw server.\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 2 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 3 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nZaga.ps1 PowerShell Script\r\nOnce the files are downloaded, the PowerShell script will then launch the CMD file, which will extract the\r\nsharchivedmngr to the %AppData%\\lappclimtfldr folder and configure Windows to automatically start\r\nthe mcrtvclient.exe program when a user logs in. This program is actually a renamed copy of the NetSupport Manager\r\nRemote Control Software. \r\nWhen the program is launched, it will connect to the NetSupport gateway at leyv.pw:11678 and await commands. This\r\nallows the attacker to remotely connect to the infected computer and take control over it.\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 4 of 6\n\nNetManager Configuration File\r\nFor those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the\r\nspecified folders.\r\nFurthermore, all users must be careful with what links they visit and what downloads they install.  These days it is becoming\r\nmore and more frequent for accounts to be hacked and then for attackers to use them to distribute malware.  Stay vigilant, be\r\ncareful, and make sure you have an antivirus software installed.\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nhttps://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" ], "report_names": [ "hacked-steam-accounts-spreading-remote-access-trojan" ], "threat_actors": [], "ts_created_at": 1775434460, "ts_updated_at": 1775791321, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa9c94e9ed3538a8c38c104f7e8cc56de0bc399a.pdf", "text": "https://archive.orkl.eu/aa9c94e9ed3538a8c38c104f7e8cc56de0bc399a.txt", "img": "https://archive.orkl.eu/aa9c94e9ed3538a8c38c104f7e8cc56de0bc399a.jpg" } }