article featured image


Last month, a cybersecurity researcher tweeted about SteamHide, a new malware that conceals itself inside Steam profile pictures.

steamhide malware


Cybersecurity specialists believe that the SteamHide emerging-malware hiding inside profile images on the Steam gaming platform is being developed for an extensive operation.

According to G Data specialists, the Steam platform acts only as an agent which hosts the malicious file.

 The heavy lifting in the shape of downloading, unpacking, and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.


In a recent disclosure report, G Data analyst Karsteen Hahn stated that concealing malware in a picture file’s metadata is not a new practice, but using a gaming platform such as Steam is quite unique.

Threat actors hide their malware in harmless images frequently published online such as memes like “blinking white guy” used in the G Data analysis example.

white guy blingking malware image


How Does SteamHide Work?

The virus can update itself through a specified Steam profile. Just like the downloader, it will extract the executable from the PropertyTagICCProfile data in a picture of the Steam profile. The configuration enables modification of the ID for the image property and the search string to find the correct image on Steam. That means other image properties might be utilized later to conceal malware on Steam.

Those who fall victims to this profile image scam don’t even have to be on Steam or have any gaming platform installed, the virus can easily be updated by only uploading a new profile picture.

The researchers found that immediately after the execution, the malware terminates any security defenses and checks for administration rights, then copies itself to “LOCALAPPDATA” folder and persists by creating a key in a registry that G Data recognized as  “\Software\Microsoft\Windows\CurrentVersion\Run\BroMal”.

There’s also a method stub named “ChangeHash” that shows developers are working on increasingly elaborate iterations of the existing malware, and an instrument that authorizes the malware to send and receive commands over Twitter.

At the moment, the malware seems to be missing some functionalities and is being actively developed. There are a few code segments in the binary that aren’t used by now.

I am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., StrRAT and SectopRAT.


We can’t say how easy this malware would be to root out. Steam’s most recent data showed the platform has more than 20 million users playing some of the most popular games: Counter-Strike: Global Offensive, Dota 2, and Apex Legends.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *