Researchers from the AhnLab Security Intelligence Center (ASEC) have discovered a new malware campaign that abuses a long-abandoned open-source project — SteamCleaner — to distribute Node.js-based remote command execution malware. The fake installer, circulating under the guise of a legitimate cleanup utility for the Steam gaming client, is signed with a valid digital certificate and uses advanced anti-sandboxing and obfuscation techniques to evade detection.
“When a system is infected with this malware, a malicious Node.js script resides on the user’s PC and communicates with the C2 server periodically, allowing threat actors to execute commands,” AhnLab confirmed.
SteamCleaner is a legitimate open-source utility originally designed to delete residual junk files from Valve’s Steam platform. However, the project has been inactive since September 2018, making it a perfect cover for attackers.
According to AhnLab’s analysis, the threat actor downloaded the open-source SteamCleaner code, injected malicious classes and methods, then rebuilt and distributed the program as an installer using InnoSetup, signed with a valid certificate to appear authentic.

“The threat actor added malicious code to the original source code, built it, packed it with an InnoSetup installer, and distributed the file signed with a valid certificate,” the report stated. “When this malware is executed, the code added by the threat actor is executed, and a malware that allows remote command execution is installed.”
Once installed, the malware copies itself into the C:\Program Files\SteamCleaner\ directory, masquerading as the legitimate program, and quietly executes malicious code in the background.
ASEC researchers identified that the malware’s distribution primarily occurs through websites offering illegal software, such as cracks and key generators. These sites redirect users to GitHub repositories hosting the malicious installers.
Among the known distribution URLs, AhnLab listed:
- hxxps://raw.githubusercontent[.]com/erindaude/3O/main/Setup.exe
The GitHub account in question was found hosting multiple repositories, each containing modified Setup.exe installers that deployed the same malicious payload.
The fake SteamCleaner executable incorporates numerous anti-sandbox detection mechanisms, allowing it to execute benign code in analysis environments while delivering its payload only on real user systems.
It performs system reconnaissance using WMI queries and checks for traces of virtualization environments such as VMware, VirtualBox, and QEMU by scanning for known processes, DLLs, and system paths.
Some of the detected indicators include:
- Drivers and DLLs: VBoxMouse.sys, cuckoomon.dll, vboxogl.dll
- Processes: vboxservice, VGAuthService, vmusrvc, qemu-ga
- Paths: C:\Program Files\VMware, C:\Program Files\oracle\virtualbox guest additions
“In a sandbox environment, the original program is executed without any malicious behaviors,” AhnLab noted. This means that only on real user machines does the malware proceed to deploy the hidden Node.js scripts.
After bypassing sandbox detection, the malware decrypts and executes an embedded PowerShell command that installs Node.js and downloads two separate malicious scripts from attacker-controlled servers.
These scripts are then registered as scheduled tasks, ensuring persistent execution on every system reboot.
The first script functions as a downloader, capable of fetching and executing additional payloads using PowerShell or CMD. It connects to C2 servers such as rt-guard[.]com and 4tressx[.]com.
The second script receives commands directly from the C2 and executes them using Node.js’s exec function, then returns the results to the server — effectively giving the attacker remote shell access.
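As an added illustration (not code from ASEC or the report), the following Python routine turns the behaviours described above into host-triage rules, a shell launched from the SteamCleaner install directory, a scheduled task that runs a Node.js script, node.exe reaching the listed C2 domains, and node.exe spawning cmd or PowerShell, and runs them over constructed Sysmon-style events. The field names, sample paths and the task's script location are assumptions.

```python
# Indicators quoted in the ASEC write-up, kept defanged as published.
C2_DOMAINS = {"rt-guard[.]com", "4tressx[.]com"}
INSTALL_DIR = "c:\\program files\\steamcleaner\\"
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Constructed sample telemetry (Sysmon-like fields, not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\SteamCleaner\\SteamCleaner.exe", "cmd": "powershell.exe -enc <omitted>"},
    {"type": "task_created", "image": "", "parent": "", "cmd": "node.exe C:\\ProgramData\\example\\a.js"},
    {"type": "network", "image": "C:\\Program Files\\nodejs\\node.exe", "host": "rt-guard.com"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Program Files\\nodejs\\node.exe", "cmd": "cmd.exe /c <command from C2>"},
    # Benign: a developer running node from Explorer, no shell child, npm registry traffic.
    {"type": "process", "image": "C:\\Program Files\\nodejs\\node.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmd": "node.exe server.js"},
    {"type": "network", "image": "C:\\Program Files\\nodejs\\node.exe", "host": "registry.npmjs.org"},
]


def refang(domain):
    """Turn a defanged indicator (rt-guard[.]com) into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def basename(path):
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (rule, severity) hits for one event; empty list when nothing matches."""
    hits = []
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    parent_path = ev.get("parent", "").lower()
    if ev["type"] == "process" and image in SHELLS and parent_path.startswith(INSTALL_DIR):
        hits.append(("shell_spawned_from_steamcleaner_dir", "high"))
    if ev["type"] == "process" and image in SHELLS and parent == "node.exe":
        hits.append(("node_exec_spawns_shell", "high"))
    if ev["type"] == "task_created" and "node.exe" in ev.get("cmd", "").lower():
        hits.append(("scheduled_task_runs_node_script", "medium"))
    if ev["type"] == "network" and image == "node.exe" \
            and ev.get("host", "").lower() in {refang(d) for d in C2_DOMAINS}:
        hits.append(("node_contacts_known_c2", "high"))
    return hits


def triage(events):
    """Aggregate hits across one host's events; returns {rule: count}."""
    counts = {}
    for ev in events:
        for rule, _severity in evaluate(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```

The scheduled-task rule alone is only medium confidence because legitimate tooling also schedules node.exe; the combination of hits on one host is what warrants escalation.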
Although the C2 servers responded with empty commands at the time of analysis, ASEC believes the malware could be part of a larger Proxyware campaign — a monetization model where infected systems are hijacked to provide bandwidth to third parties.