Cyber Incident Victim: Valve Corporation
Date: Sep 2014
Location: Russia
Summary
Cybercriminals deployed malicious software targeting users of an online gaming platform, distributing Trojan.SteamBurglar.1 via fraudulent trade messages on Steam forums and chat, while a similar "Eskimo" malware was propagated through fake raffles on a video platform. The malware harvested valuable in-game items by identifying keywords like "legendary" and "rare," then transferred them to attacker-controlled accounts. It executed unauthorized actions including initiating trades, adding contacts, selling items at steep discounts (12-35%), and capturing screenshots. Although Steam Guard protected against account takeovers by requiring email verification for unrecognized devices, it was ineffective here since the malware operated directly from the victim's infected system, enabling theft through legitimate session activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2014, Steam users reported widespread theft of in-game items linked to a newly identified Trojan malware campaign. Cybercriminals used Steam’s chat and forum systems to send deceptive trade offers containing malicious attachments disguised as image files. These files delivered Trojan.SteamBurglar.1, a malware strain analyzed by Doctor Web, which injected itself into the steam.exe process to extract inventory data. The malware specifically targeted items marked with descriptors like "legendary," "immortal," or "rare" to maximize the value of stolen assets. Simultaneously, attackers employed Twitch bots to promote fraudulent raffles for Counter-Strike: Global Offensive items, redirecting users to a Java application that harvested personal information while deploying the "Eskimo" malware identified by F-Secure. This secondary payload executed automated attacks directly from compromised devices, enabling unauthorized friend additions, trade initiations, and marketplace transactions without triggering Steam Guard’s device-based authentication protocols.

The malware’s operational capabilities included screenshot capture, automated trade acceptance, and bulk sales of stolen items on Steam Community Market at 12–35% discounts to liquidate assets rapidly. Attackers funneled proceeds into purchasing higher-value items for transfer to controlled accounts. Steam Guard, designed to block unauthorized logins via email verification, proved ineffective as all malicious activities originated from users’ own infected machines. F-Secure documented the malware’s ability to mimic legitimate user behavior, including purchasing items and accepting friend requests, complicating detection. The incident impacted an unspecified number of Steam accounts over several weeks, with stolen digital goods ranging from common cosmetics to rare virtual weapons. Security researchers emphasized the attacks exploited trust in established platform features like chat systems and external gaming communities, highlighting limitations in default security measures against locally executed malware.
