The FBI has issued a public call for assistance regarding an active campaign involving malicious software distributed via the Steam gaming platform. While Steam is traditionally considered a trusted ecosystem, this threat highlights a growing trend of threat actors abusing legitimate distribution channels—supply-chain attacks via digital storefronts.
For SOC analysts and IR responders, this is not just a "consumer" issue. Corporate environments permitting "Bring Your Own Device" (BYOD) or allowing gaming on corporate endpoints are at immediate risk of initial access vectors, infostealer deployment, and ransomware precursors. We must treat this with the same severity as a compromised software update.
Technical Analysis
Affected Platform:
- Steam Client (Windows, macOS, Linux)
- Specifically, compromised game titles uploaded to the Steam Store.
Threat Vector: This is a Supply Chain / Trusted Source attack. The attack chain does not exploit a vulnerability in the Steam client software itself (CVE-wise) but abuses the developer upload mechanism.
Attack Chain:
- Initial Access: Threat actors compromise a legitimate developer account or create a fraudulent developer identity.
- Delivery: Malicious binaries are packaged as a "game" or "demo" and uploaded to Steam.
- Execution: The victim (user) downloads and launches the title via the Steam client.
- Payload: The executable delivers malware (likely infostealers or remote access trojans) directly to the user's device under the guise of a game process.
Exploitation Status:
- Active Exploitation: Confirmed. The FBI request for victim information indicates active campaigns are currently in the wild.
- CISA KEV: Not listed yet, as this is abuse of a service rather than an unpatched software vulnerability.
Detection & Response
Detection requires pivoting from the Steam client process (steam.exe or steamwebhelper.exe) to the child processes spawned by specific game titles. Defenders should hunt for anomalies where "games" execute system utilities or establish unauthorized network connections.
━━━ DETECTION CONTENT ━━━
YAML
---
title: Steam Client Spawning System Shell
id: 85a3b4c1-9d6e-4f2a-a8b0-1c2d3e4f5a6b
status: experimental
description: Detects Steam client spawning cmd.exe, powershell.exe, or wscript.exe. Legitimate games rarely invoke system shells directly.
references:
- https://www.fbi.gov/news/stories
author: Security Arsenal
date: 2024/05/22
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: 'steam'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate game mods (rare)
- Steam troubleshooting by user
level: high
---
title: Suspicious Network Connection from Steam Common Directory
id: 92c1d5e2-0a7f-4b3c-9d8e-1f2a3b4c5d6e
status: experimental
description: Detects executables in the Steam "steamapps" directory establishing non-Steam network connections to external IPs.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2024/05/22
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains: '\steamapps\common\'
DestinationPort:
- 443
- 80
Initiated: 'true'
filter_legit_steam:
DestinationIpAddress|contains:
- '192.16'
- '162.254'
- '208.64'
condition: selection and not filter_legit_steam
falsepositives:
- Multiplayer games connecting to custom servers
level: medium
---
title: Steam Game Executable Persisting to Startup Folder
id: 73f0a4b1-8e2c-4d1a-b3c5-9e8f0a1b2c3d
status: experimental
description: Detects a process running from the Steam library attempting to write a file to the Windows Startup folder for persistence.
references:
- https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2024/05/22
tags:
- attack.persistence
- attack.t1547
logsource:
category: file_event
product: windows
detection:
selection:
Image|contains: '\steamapps\common\'
TargetFilename|contains: '\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\'
condition: selection
falsepositives:
- Legitimate game launchers configuring auto-start (verify binary reputation)
level: high
KQL — Microsoft Sentinel / Defender
// KQL for Microsoft Sentinel / Defender 365
// Hunt for Steam processes spawning suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath has @"Steam"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256, FolderPath
| order by Timestamp desc
VQL — Velociraptor
-- Velociraptor VQL Artifact
-- Hunt for suspicious child processes of Steam
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid as ParentPid, Parent.Name as ParentName
FROM pslist()
WHERE Parent.Name =~ "steam.exe" OR Parent.Name =~ "steamwebhelper.exe"
AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "bash", "sh")
PowerShell
# Remediation Script: Steam Library Verification
# Identifies unsigned executables in Steam library folders (High Triage Value)
$SteamPath = "${env:ProgramFiles(x86)}\Steam"
if (-not (Test-Path $SteamPath)) {
$SteamPath = "$env:ProgramFiles\Steam"
}
$LibraryFolders = @()
$ConfigFile = "$SteamPath\steamapps\libraryfolders.vdf"
if (Test-Path $ConfigFile) {
# Parse VDF to find library locations (Basic parsing logic)
$Content = Get-Content $ConfigFile
$Matches = [regex]::Matches($Content, '"path"\s+"([^"]+)"')
foreach ($Match in $Matches) {
$LibraryFolders += $Match.Groups[1].Value
}
} else {
Write-Warning "Steam config not found."
}
# Default path if parsing failed or not found
$DefaultApps = Join-Path -Path $SteamPath -ChildPath "steamapps\common"
if (Test-Path $DefaultApps) { $LibraryFolders += $DefaultApps }
Write-Host "Scanning Steam Libraries for Unsigned Executables..." -ForegroundColor Cyan
foreach ($Lib in $LibraryFolders) {
$CommonPath = Join-Path -Path $Lib -ChildPath "steamapps\common"
if (Test-Path $CommonPath) {
Get-ChildItem -Path $CommonPath -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$Sig = Get-AuthenticodeSignature -FilePath $_.FullName
if ($Sig.Status -ne "Valid") {
[PSCustomObject]@{
File = $_.FullName
Status = $Sig.Status
Signer = $Sig.SignerCertificate.Subject
}
}
}
}
}
Remediation
- Identify and Isolate: Review logs for the Sigma rules above. If a match is found, isolate the endpoint immediately.
- User Verification: Interview the user associated with the machine. The FBI is specifically asking for victims to reach out via FBI Internet Crime Complaint Center (IC3). If a user downloaded a specific suspicious game, note the title for the report.
- Artifact Removal: Uninstall the specific malicious game title via the Steam Client interface. Do not simply delete the folder; use the interface to ensure registry hooks are removed.
- Credential Reset: Assume credential theft. Force a password reset for the affected user and rotate any API keys or tokens stored on that machine.
- Policy Enforcement: Update acceptable use policies. Steam should generally be blocked on high-security corporate workstations unless strictly required for business purposes (e.g., game development).
Category
soc-mdr
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
socthreat-intelmanaged-socsteammalwaresupply-chainfbi-alertendpoint-detection
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.