{
	"id": "b98407ca-9ceb-42b4-a223-b4df9d385412",
	"created_at": "2026-04-06T01:28:59.984329Z",
	"updated_at": "2026-04-10T03:20:25.117871Z",
	"deleted_at": null,
	"sha1_hash": "cbbc6eb3b60935a2cdccc7ff5165f241f1b53ae4",
	"title": "SteamHide: Hiding Malware in Plain Sight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2192234,
	"plain_text": "SteamHide: Hiding Malware in Plain Sight\r\nBy Karsten Hahn\r\nPublished: 2021-09-03 · Archived: 2026-04-06 00:09:43 UTC\r\n06/08/2021\r\nPicture this: Malware Hides in Steam Profile Images\r\nReading time: 4 min (1190 words)\r\nSteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals.\r\nSuspicious Steam profile images\r\nResearcher @miltinhoc tweeted in May 2021 about new malware[1][2] that uses Steam profile images to hide itself inside them.\r\nThe low quality image (see picture below) shows three frames of the \"white guy blinking\" meme alongside the words January, a black screen, and September. The image content itself does not seem to make sense.\r\nCommon online EXIF tools don't show anything interesting about the image except for a warning that the length of the ICC profile data is not valid. That's because instead of an ICC profile the malware is placed in encrypted form inside the PropertyTagICCProfile value. The ICC profile's purpose is to map colors correctly for output devices like printers.\r\nImplications and Affected Users\r\nWhile hiding malware in an image file's metadata is not a new phenomenon, using a gaming platform such as Steam is previously unheard of. From the attacker's point of view, this approach makes sense: replacing the malware is as easy as replacing a profile image file. There is also a huge number of legitimate accounts - and blocklisting the Steam platform outright would have many undesired side effects.\r\nIt should be noted that in order to become a target for this method, no installation of Steam - or any other game platform - is required. The Steam platform merely serves as a vehicle which hosts the malicious file. The heavy lifting in the shape of downloading, unpacking and executing the malicious payload is handled by an external component which just accesses the profile image on one Steam profile. This payload can be distributed by the usual means, from crafted emails to compromised websites.\r\nhttps://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images\r\nPage 1 of 5\r\nThe Steam profile image is neither infectious nor executable. It serves as a carrier for the actual malware[2]. It needs a second malware[1] to be extracted. This second malware sample[1] is a downloader. It has the hardcoded password \"{PjlD\\\\bzxS#;8@\\\\x.3JT\u0026\u003c4^MsTqE0\" and uses TripleDES to decrypt the payload from the image.\r\nI found newer samples[3][4] of this malware via VirusTotal retrohunt. The downloader uses a different Steam profile but the very same technique to hide malware in images. Below is the output of another online EXIF extraction tool.\r\nPayload Functionality\r\nThe sample first queries Win32_DiskDrive for VMware and VBox and terminates if any of those exist.\r\nIt will then check if it has administrator rights and attempt privilege escalation via cmstp.exe.\r\nOn the first run it copies itself to the LOCALAPPDATA folder using the name and extension specified in the configuration. In sample[2] the filename is uNoFGmsEX.txt.\r\nSteamHide persists itself by creating the following key in the registry:\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BroMal\r\nThe mutex is named Global\\\u003cGUID\u003e, where GUID is the globally unique identifier for a certain class in the malware.\r\nSteamHide's initial command-and-control server IP is saved in a specific pastebin paste.\r\nThe malware can update itself via a given Steam profile. Just like the downloader it will extract the executable from the PropertyTagICCProfile data in an image of the Steam profile. The configuration allows changing the ID for the image property and the search string used to find the correct image on Steam. That means other image properties might be used in the future to hide malware on Steam.\r\nThe future of SteamHide\r\nSteamHide currently lacks functionality and seems to be in active development. There are a few code segments in the binary that aren't used yet.\r\nThe malware checks if Teams is installed by looking for the existence of SquirrelTemp\\SquirrelSetup.log, but nothing is done with this information. The method is called EnumerateVulnerable and possibly serves to check installed applications on the infected system, so they can be abused for exploits.\r\nThere is a method stub named ChangeHash(), but it is not implemented yet. It seems the malware developer plans to include polymorphism in future versions.\r\nIt has a CodePieceManager, which can compile source code to MSIL assemblies. It might be used to add functionality on the fly or to apply metamorphism.\r\nFurthermore there is a method that allows sending Twitter requests, which might in the future enable the malware to either receive commands via Twitter or to act as a Twitter bot.\r\nI am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., StrRAT, SectopRAT.\r\nSteam profile containing images with SteamHide malware\r\nHash listing\r\nDescription | Filename | SHA256\r\n[1] Steam profile downloader, downloads [2] | Hide binary inside image.exe | 148914b6c64c51130a42159e4100e6eb670852901418d88c1c0383bf0cd1e339\r\n[2] SteamHide backdoor | FinalMalware.exe | b41868a6a32a7e1167f4e76e2f3cf565b6c0875924f9d809d889eae9cb56a6ae\r\n[3] Steam profile downloader, downloads [4] | Hide binary inside image.exe | 368c97aef6c41b83d06c0ebb1f52679ff96a9aea35499a1caa8c3115cd16880b\r\n[4] SteamHide backdoor | FinalMalware.exe | 194c18dc8bc923887ff6b6f2acacd00b54890ca1c52233581c7802fd176dc056\r\nUpdate: Clearing Up Some Confusion\r\nJune 14, 2021\r\nSince this article was published, a number of users have contacted us asking whether they are at an increased risk of infection if they have Steam installed.\r\nTherefore we would like to clarify that Steam users are NOT at an increased risk in this case. The Steam platform - specifically the profile pictures - is just serving as a download platform. This method of malware distribution also is not a bug in the Steam ecosystem itself. As mentioned in this article, the payload is hidden in the metadata of the image file in question.\r\nThose profile pictures need to be specially crafted in order to contain malware. Even opening such a modified image with an image viewing application will not result in an infected system.\r\nA profile picture that contains malware has to be deliberately placed on a profile on the Steam platform by a malicious user. The profile in question of course needs to be under the control of the malicious actor, too.\r\nThe type of payload implanted in the image file is at the discretion of the actor. This may consist of any type of malware. The malware is inactive unless it is unpacked and decrypted by a separate malware downloader that accesses the image file. The downloader may be hidden in email attachments or on a manipulated website. Those do not necessarily have any association with Steam or gaming in general.\r\nHosting malicious files on a third party platform is a common practice among malware authors. Typically, compromised web servers are abused for this.\r\nOther than abusing the Steam platform for hosting the malicious file, there is nothing worth noting about the implanted malware itself.\r\nIt should also be pointed out that so far, this method appears to be under development and has not yet seen active use on a broader scale.\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images"
	],
	"report_names": [
		"36861-malware-hides-in-steam-profile-images"
	],
	"threat_actors": [],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbbc6eb3b60935a2cdccc7ff5165f241f1b53ae4.pdf",
		"text": "https://archive.orkl.eu/cbbc6eb3b60935a2cdccc7ff5165f241f1b53ae4.txt",
		"img": "https://archive.orkl.eu/cbbc6eb3b60935a2cdccc7ff5165f241f1b53ae4.jpg"
	}
}