Cybercriminals are abusing the Steam gaming platform as a dead-drop resolver for command and control (C2): a Steam user account's profile holds an encoded string that the malware retrieves to learn the domain it should contact for C2 or data exfiltration. A recent investigation found a threat actor obscuring its C2 domains with a substitution cipher; decoding the string uncovered a new indicator of compromise (IOC).
The HYAS Threat Intelligence team linked this IOC to a large number of malware samples. The malicious domain sits behind Cloudflare and was registered through Dynadot, and its registration details share patterns with other domains, suggesting that the same actor controls them all. Those consistent registration patterns point to a likely Russian origin. Continued monitoring of these IOCs is essential to mitigate threats.
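As an added illustration of the decode-and-triage step a defender performs on such a dead-drop profile (example code, not HYAS's tooling or the actor's code): the substitution key, the sample profile text and the IOC list below are constructed placeholders, because the summary does not disclose the actor's actual cipher or domain. The example shows why decoding alone is not enough: any dotted token decodes to something domain-shaped, so the decoded candidates are matched against a known IOC list before being treated as a hit.

```python
from __future__ import annotations

import re
import string

# Constructed example key: an Atbash-style reversal of letters and digits.
# This is NOT the cipher from the investigation described above (the summary
# does not disclose it); replace it with the key recovered from a real sample.
_ALPHABET = string.ascii_lowercase + string.digits
_CIPHER_KEY = dict(zip(_ALPHABET, string.ascii_lowercase[::-1] + string.digits[::-1]))
# Inverse mapping used for decoding (computed generically, even though Atbash
# happens to be its own inverse).
_DECODE_KEY = {v: k for k, v in _CIPHER_KEY.items()}

# Loose DNS-name shape: one or more labels, then an alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed profile text: a legitimate-looking hostname plus an encoded
# placeholder domain ("c2-relay.example.net" under the example key).
SAMPLE_PROFILE_TEXT = "Find me on steamcommunity.com | x7-ivozb.vcznkov.mvg"

# Constructed IOC list (placeholder, not the domain found by HYAS).
KNOWN_IOCS = {"c2-relay.example.net"}


def decode_token(token: str, key: dict[str, str] = _DECODE_KEY) -> str:
    """Apply the inverse substitution; characters outside the key pass through."""
    return "".join(key.get(ch, ch) for ch in token.lower())


def extract_c2_candidates(profile_text: str, key: dict[str, str] = _DECODE_KEY) -> list[str]:
    """Decode every whitespace-separated token and keep those shaped like a DNS name.

    Note the false-positive risk: a benign dotted token also decodes to a
    domain-shaped string, so callers must filter the result further.
    """
    candidates = []
    for token in profile_text.split():
        decoded = decode_token(token, key)
        if _DOMAIN_RE.match(decoded):
            candidates.append(decoded)
    return candidates


def match_iocs(candidates: list[str], ioc_domains: set[str]) -> set[str]:
    """Return only those decoded candidates that are already known IOCs."""
    ioc_set = {d.lower() for d in ioc_domains}
    return {c for c in candidates if c in ioc_set}


if __name__ == "__main__":
    found = extract_c2_candidates(SAMPLE_PROFILE_TEXT)
    print("decoded domain-shaped tokens:", found)
    print("confirmed IOC hits:", match_iocs(found, KNOWN_IOCS))
```

In practice the candidate list feeds a second stage (IOC lookup, passive DNS, or registrar and hosting checks such as the Cloudflare and Dynadot pattern noted above) rather than being alerted on directly, since the decoder will happily turn any dotted string into a plausible-looking hostname.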