A sophisticated backdoor malware campaign has emerged targeting Windows users through a weaponized version of SteamCleaner, a legitimate open-source utility designed to clean junk files from the Steam gaming platform.
The malware establishes persistent access to compromised systems by deploying malicious Node.js scripts that maintain continuous communication with command-and-control servers, enabling attackers to execute arbitrary commands remotely.
The threat actors have weaponized the legitimate SteamCleaner tool, which has not received updates since September 2018, by injecting malicious code into the original source and distributing it through fraudulent websites posing as illegal software repositories.
Users seeking cracked software or keygens are redirected to GitHub repositories hosting the malware, which is delivered as Setup.exe.
The malicious installer is signed with a valid digital certificate from Taiyuan Jiankang Technology Co., Ltd., lending false legitimacy to the 4.66MB package and allowing it to bypass initial security scrutiny.
Upon execution, the malware installs itself in the C:\Program Files\Steam Cleaner directory, deploying multiple components including Steam Cleaner.exe (3,472KB), configuration files, and batch scripts.
ASEC security researchers identified that the attackers maintained the original SteamCleaner functionality while incorporating sophisticated anti-sandbox detection mechanisms.
The malware performs extensive environmental checks including system information analysis, port enumeration, WMI queries, and process monitoring.
When a sandboxed environment is detected, the malware executes only the legitimate cleaning functionality without triggering malicious behavior.
The payload delivery mechanism relies on encrypted PowerShell commands embedded within the malware.
These commands orchestrate the installation of Node.js on the victim’s system and subsequently download two distinct malicious scripts from separate command-and-control infrastructure.
Both scripts are registered with the Windows Task Scheduler to ensure persistence, executing automatically at system startup and repeating every hour thereafter.
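A defender triaging a host for this persistence pattern can check the scheduled task definitions directly. The following added example (not code from ASEC or from this article) parses Task Scheduler XML, the format of the files under %SystemRoot%\System32\Tasks and of `schtasks /query /xml` output, and flags tasks that launch a Node.js interpreter from a boot or logon trigger with an hourly repetition, additionally noting the two task paths named in the article. The task XML below is constructed for the example, and the node.exe install path in it is an assumed default, not a value from the report.

```python
"""Flag scheduled tasks matching the persistence described in the article:
Node.js launched at startup and repeated every hour. Constructed example."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task paths named in the article; other tasks are judged on behaviour alone.
KNOWN_TASK_PATHS = {
    "\\Microsoft\\Windows\\WCM\\WiFiSpeedScheduler",
    "\\Microsoft\\Windows\\Diagnosis\\Recommended DiagnosisScheduler",
}

def analyse_task(task_path: str, xml_text: str) -> dict:
    """Return the indicators found in one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    # Every Exec action's executable, with surrounding quotes stripped.
    commands = [
        (e.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        for e in root.iterfind(".//t:Actions/t:Exec", NS)
    ]
    if any(c.lower().rsplit("\\", 1)[-1] in ("node.exe", "node") for c in commands):
        findings.append("runs_node")
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        # Local tag name without the namespace, e.g. "BootTrigger".
        kinds = {tr.tag.split("}")[-1] for tr in triggers}
        if kinds & {"BootTrigger", "LogonTrigger"}:
            findings.append("starts_at_boot_or_logon")
        intervals = [i.text for i in triggers.iterfind(".//t:Repetition/t:Interval", NS)]
        if "PT1H" in intervals:          # ISO 8601 duration: one hour
            findings.append("repeats_hourly")
    if task_path in KNOWN_TASK_PATHS:
        findings.append("known_task_name")
    return {"task": task_path, "commands": commands, "findings": findings,
            # Node.js plus an hourly repetition is the behavioural match.
            "suspicious": {"runs_node", "repeats_hourly"} <= set(findings)}

def scan_tasks(tasks: dict) -> list:
    """tasks maps task path -> XML text; returns the suspicious task paths."""
    return [p for p, xml in tasks.items() if analyse_task(p, xml)["suspicious"]]

# Constructed task definitions: one mirroring the reported pattern, one benign.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\WCM\\WiFiSpeedScheduler": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT1H</Interval></Repetition>
    </BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\nodejs\\node.exe</Command>
      <Arguments>"C:\\WCM\\{UUID}\\UUID"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "\\Microsoft\\Windows\\Example\\BenignHourlySync": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\System32\\svchost.exe</Command></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for path, xml in SAMPLE_TASKS.items():
        print(analyse_task(path, xml))
```

On a live system the same function can be fed the output of `schtasks /query /tn <name> /xml`; on a disk image, the files under Windows\System32\Tasks. The hourly-Node.js rule is deliberately behavioural so that a renamed task still triggers it, while the known task paths add confidence rather than being required.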
Command-and-Control Communication Protocol
The two Node.js scripts establish bidirectional communication channels with their respective C2 servers through structured JSON payloads.
When connecting to the C2 infrastructure, the malware transmits comprehensive system reconnaissance data including OS type and version, hostname, system architecture, and a unique machine identifier derived from the device GUID.
The first script, installed at C:\WCM\{UUID}\UUID and registered as Microsoft/Windows/WCM/WiFiSpeedScheduler, connects to multiple C2 domains including rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, and screenner[.]com.
This script downloads files from attacker-specified URLs and executes them using CMD or PowerShell processes.
The second script operates from C:\Windows\Setting\{UUID}\UUID with the task name Microsoft/Windows/Diagnosis/Recommended DiagnosisScheduler, communicating with aginscore[.]com.
This variant employs more aggressive obfuscation techniques and executes commands directly through Node.js's native shell execution function.
The C2 communication occurs through two primary endpoints: /d for receiving commands and /e for transmitting execution results.
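The C2 pattern above (a command poll to /d and a result upload to /e on the listed domains, repeating hourly) can be hunted in web-proxy records. The following added example (not code from ASEC or from this article) does two things: it matches the defanged domains from the report after refanging them, and, going a step beyond the page, it flags any client that polls a /d path on a near-hourly cadence even when the domain is not on the list, so that new infrastructure is still caught. The proxy log format, the client addresses, the timestamps and the unlisted domain are all constructed for the example; adapt the line regex to your own proxy.

```python
"""Hunt proxy logs for the C2 beaconing described in the article.
Constructed example; log format and sample records are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Domains as published (defanged); refanged once for matching.
C2_DOMAINS_DEFANGED = ["rt-guard[.]com", "4tressx[.]com", "kuchiku[.]digital",
                       "screenner[.]com", "aginscore[.]com"]
C2_DOMAINS = {d.replace("[.]", ".") for d in C2_DOMAINS_DEFANGED}
C2_PATHS = {"/d": "command_poll", "/e": "result_upload"}

# Assumed log line: "<iso-timestamp> <client> <method> <url> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")

def parse_line(line: str):
    """Split one proxy record into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "method": m["method"],
            "host": u["host"].lower(), "path": u["path"] or "/"}

def analyse(lines, period=3600, tolerance=300) -> dict:
    """Return IoC hits on known domains and (client, host) pairs polling /d hourly."""
    hits = []
    polls = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in C2_DOMAINS:
            hits.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                         "host": rec["host"], "path": rec["path"],
                         "kind": C2_PATHS.get(rec["path"], "other")})
        if rec["path"] == "/d":
            polls[(rec["src"], rec["host"])].append(rec["ts"])
    hourly = []
    for key, stamps in polls.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # At least three polls whose spacing is all within tolerance of one hour.
        if len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps):
            hourly.append(key)
    return {"ioc_hits": hits, "hourly_pollers": sorted(hourly)}

# Constructed sample records: one infected client, one client beaconing to an
# unlisted domain, and one client whose /d requests are not periodic.
SAMPLE_LOG = """\
2025-03-01T08:00:00Z 10.0.0.5 POST https://rt-guard.com/d 200
2025-03-01T08:00:05Z 10.0.0.9 GET https://updates.example/d 200
2025-03-01T08:05:00Z 10.0.0.9 GET https://updates.example/d 200
2025-03-01T09:01:00Z 10.0.0.5 POST https://rt-guard.com/d 200
2025-03-01T09:01:30Z 10.0.0.5 POST https://rt-guard.com/e 200
2025-03-01T09:00:00Z 10.0.0.7 POST https://unlisted.example/d 200
2025-03-01T10:00:00Z 10.0.0.5 POST https://rt-guard.com/d 200
2025-03-01T10:00:00Z 10.0.0.7 POST https://unlisted.example/d 200
2025-03-01T11:00:00Z 10.0.0.5 POST https://rt-guard.com/d 200
2025-03-01T11:00:00Z 10.0.0.7 POST https://unlisted.example/d 200
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for hit in result["ioc_hits"]:
        print("IoC hit:", hit)
    print("Hourly /d pollers:", result["hourly_pollers"])
```

The cadence rule is a heuristic: a benign client can legitimately fetch a /d resource hourly, so treat hourly pollers as leads to pivot on (process name, task name, JSON body fields such as hostname and machine identifier) rather than as verdicts, while hits on the listed domains warrant immediate containment.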