A sophisticated backdoor malware campaign has emerged targeting Windows users through a weaponized version of SteamCleaner, a legitimate open-source utility designed to clean junk files from the Steam gaming platform.

The malware establishes persistent access to compromised systems by deploying malicious Node.js scripts that maintain continuous communication with command-and-control servers, enabling attackers to execute arbitrary commands remotely.

The threat actors have weaponized the legitimate SteamCleaner tool, which has not received updates since September 2018, by injecting malicious code into the original source and distributing it through fraudulent websites posing as illegal software repositories.

Users seeking cracked software or keygens are redirected to GitHub repositories hosting the malware, which is delivered as Setup.exe.

The malicious installer is signed with a valid digital certificate from Taiyuan Jiankang Technology Co., Ltd., lending false legitimacy to the 4.66MB package and allowing it to bypass initial security scrutiny.

Upon execution, the malware installs itself in the C:\Program Files\Steam Cleaner\ directory, deploying multiple components including Steam Cleaner.exe (3,472KB), configuration files, and batch scripts.

ASEC security researchers identified that the attackers maintained the original SteamCleaner functionality while incorporating sophisticated anti-sandbox detection mechanisms.

The malware performs extensive environmental checks including system information analysis, port enumeration, WMI queries, and process monitoring.

When a sandboxed environment is detected, the malware executes only the legitimate cleaning functionality without triggering malicious behavior.

The payload delivery mechanism relies on encrypted PowerShell commands embedded within the malware.

These commands orchestrate the installation of Node.js on the victim’s system and subsequently download two distinct malicious scripts from separate command-and-control infrastructure.

Both scripts are registered with the Windows Task Scheduler to ensure persistence, executing automatically at system startup and repeating every hour thereafter.

Command-and-Control Communication Protocol

The two Node.js scripts establish bidirectional communication channels with their respective C2 servers through structured JSON payloads.

When connecting to the C2 infrastructure, the malware transmits comprehensive system reconnaissance data including OS type and version, hostname, system architecture, and a unique machine identifier derived from the device GUID.

The first script, installed at C:\WCM{UUID}\UUID and registered as Microsoft/Windows/WCM/WiFiSpeedScheduler, connects to multiple C2 domains including rt-guard[.]com, 4tressx[.]com, kuchiku[.]digital, and screenner[.]com.

This script downloads files from attacker-specified URLs and executes them using CMD or PowerShell processes.

The second script operates from C:\WindowsSetting{UUID}\UUID with the task name Microsoft/Windows/Diagnosis/Recommended DiagnosisScheduler, communicating with aginscore[.]com.

This variant employs more aggressive obfuscation techniques and executes commands directly through Node[.]js’s native shell execution function.

The C2 communication occurs through two primary endpoints: /d for receiving commands and /e for transmitting execution results.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Malicious Steam Cleanup Tool Attack Windows Machines to Deploy Backdoor Malware appeared first on Cyber Security News.

The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has launched a sophisticated campaign targeting government organizations across South Asia by exploiting a critical directory traversal vulnerability in WinRAR.

Security researchers have identified the group’s first operational use of CVE-2025-6218, a flaw affecting WinRAR versions 7.11 and earlier that allows attackers to breach file system boundaries and execute malicious code on compromised systems.

APT-C-08 maintains established relationships with South Asian governments and has historically focused on stealing sensitive information from government agencies, the military-industrial complex, overseas institutions, and universities.

The threat group has demonstrated proficiency in weaponizing malicious documents as attack entry points, meticulously crafting socially engineered payloads designed to bypass security awareness.

This latest campaign represents a significant escalation, leveraging a vulnerability that remains difficult to patch due to WinRAR’s inconsistent update mechanisms across enterprise environments.

Security analysts and researchers identified the malware campaign by discovering weaponized RAR archives containing deceptively named files, such as “Provision of Information for Sectoral for AJK.rar.”

The malicious archive exploits CVE-2025-6218 by leveraging specially crafted file paths that contain spaces after directory traversal sequences, a technique that circumvents WinRAR’s path normalization.

When victims extract the archive, the exploit deposits a malicious Normal. dotm macro file into the Windows template directory at C:\Users[username]\AppData\Roaming\Microsoft\Templates, establishing persistence through Microsoft Word’s automatic template loading mechanism.

Infection Mechanism and Code Execution

The attack chain demonstrates a sophisticated understanding of Windows system architecture.

Upon extraction, the malicious Normal.dotm file (MD5: 4bedd8e2b66cc7d64b293493ef5b8942) runs when the victim opens any Word document, triggering VBA macros that execute the “net use” command to map remote directories to the local machine.

Subsequently, the macro launches winnsc.exe from the remote server, establishing command execution capabilities.

This two-stage infection approach ensures that opening the initial document triggers the infection without raising suspicion, allowing operators to maintain stealth while establishing persistent remote access.

The exploit’s low difficulty, combined with its high success rate, has prompted security communities to recommend immediate patching of all WinRAR installations and implementing application allowlisting to restrict macro execution in Microsoft Office templates.

Organizations handling sensitive government information should prioritize threat detection monitoring for suspicious network mapping activities and macro-based indicators of compromise.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations appeared first on Cyber Security News.

A sophisticated phishing campaign has emerged, targeting organizations across Central and Eastern Europe by impersonating legitimate global brands to deceive users into surrendering their login credentials.

The attack utilizes self-contained HTML files delivered as email attachments, eliminating the need for external server hosting or suspicious URLs that traditional security systems typically detect.

Once opened, these attachments present convincing fake login pages for brands including Microsoft 365, Adobe, WeTransfer, FedEx, and DHL, creating a seamless user experience designed to bypass conventional email security controls.

The attack methodology demonstrates a clear understanding of regional business practices.

Threat actors distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations through RFC-compliant filenames such as RFQ_4460-INQUIRY.HTML.

This targeted approach focuses on industries with regular procurement workflows, including agriculture, automotive, construction, and education sectors, primarily in the Czech Republic, Slovakia, Hungary, and Germany.

Cyble security analysts identified that the campaign’s success relies on embedded JavaScript within HTML attachments that captures credentials and transmits them directly to attacker-controlled Telegram bots rather than traditional command-and-control servers.

Upon execution, victims encounter a carefully replicated login interface displaying brand-authentic branding with blurred background images for added legitimacy.

Campaign Overview

The credential capture mechanism functions by reading form field values and constructing API requests to send stolen data directly through the Telegram Bot API.

Technical analysis reveals two distinct implementation approaches among analyzed samples. The first variant implements CryptoJS AES encryption for obfuscation while capturing email addresses, passwords, IP addresses, and user-agent information before redirecting victims to legitimate company domains.

The second sample employs more advanced anti-forensics techniques, blocking keyboard combinations including F12, Ctrl+U/S/C/A/X, and right-click context menus to prevent code inspection and analysis.

The exfiltration function demonstrates technical sophistication by utilizing the native Fetch API for cleaner code implementation rather than jQuery dependencies.

The JavaScript constructs POST requests containing harvested credentials sent via HTTPS to api.telegram.org/bot endpoints with hardcoded bot tokens and chat IDs embedded directly in the payload.

This approach deliberately avoids suspicious network patterns while maintaining operational resilience through decentralized bot infrastructure.

Organizations should prioritize deploying HTML attachment controls and implementing content inspection policies to block or sandbox potentially malicious HTML files before delivery to end users.

Security teams are advised to hunt for api.telegram.org POST activity originating from client systems and conduct retroactive threat hunts for identified indicators to assess whether credentials have been compromised.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Phishing Attack Leverages Popular Brands to Harvest Login Credentials appeared first on Cyber Security News.