Threat actor group EncryptHub has been implicated in a malware campaign that leveraged the popular gaming platform Steam to distribute info-stealing malware to unsuspecting users. Steam says EncryptHub was able to infiltrate Steam’s ecosystem by uploading a trojanized game, masquerading as a legitimate early-access title. This malicious game served as a delivery mechanism for stealer malware targeting high-value data: browser cookies and session tokens, saved passwords and authentication credentials, cryptocurrency wallets, and sensitive system files.
To evade detection, the game’s installation package mimicked legitimate system processes. In one example, malicious code impersonated the Windows Defender SmartScreen utility to appear trustworthy, while built-in scripts enabled persistence by reloading the malware after system reboots.
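As an added illustration (not code from the article, nor from Steam or Valve), here is a small Python hunt over constructed telemetry for the two behaviours described above: a process named like the SmartScreen utility running from somewhere other than its genuine System32 location, and an autorun registry entry pointing at such a binary. The Run/RunOnce keys as the persistence mechanism and all sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the article): process-creation and
# autorun-registry records, one per line, in a simplified key=value form.
SAMPLE_EVENTS = """\
type=process image=C:\\Windows\\System32\\smartscreen.exe parent=C:\\Windows\\explorer.exe
type=process image=C:\\Users\\alice\\AppData\\Roaming\\EarlyAccessGame\\smartscreen.exe parent=C:\\Users\\alice\\AppData\\Roaming\\EarlyAccessGame\\launcher.exe
type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Defender value=C:\\Users\\alice\\AppData\\Roaming\\EarlyAccessGame\\smartscreen.exe
type=process image=C:\\Program Files\\Steam\\steam.exe parent=C:\\Windows\\explorer.exe
type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive value=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
"""

# Genuine location of the Windows Defender SmartScreen host binary. Any
# smartscreen.exe running or registered for autorun from elsewhere is suspect.
EXPECTED_DIRS = {"smartscreen.exe": {"c:\\windows\\system32"}}

# Assumption: persistence via the Run / RunOnce keys (the article does not say which mechanism was used).
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn 'k=v k=v' into a dict; values may contain spaces (e.g. Program Files)."""
    return dict(FIELD_RE.findall(line))

def is_masquerade(path):
    """True if the file name is one we track but its directory is not the genuine one."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected

def find_masquerading(events_text):
    """Return (line_no, finding, path) for each event that matches the pattern."""
    findings = []
    for n, line in enumerate(events_text.splitlines(), 1):
        ev = parse_event(line)
        if ev.get("type") == "process" and is_masquerade(ev.get("image", "")):
            findings.append((n, "masquerading process", ev["image"]))
        elif (ev.get("type") == "registry"
              and AUTORUN_KEY_RE.search(ev.get("key", ""))
              and is_masquerade(ev.get("value", ""))):
            findings.append((n, "autorun persistence for masquerading binary", ev["value"]))
    return findings

if __name__ == "__main__":
    for n, what, path in find_masquerading(SAMPLE_EVENTS):
        print(f"line {n}: {what}: {path}")
```

The same check extends naturally to other impersonated system utilities by adding their genuine directories to EXPECTED_DIRS.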
A Pattern of Malicious Software on Steam
This is not an isolated event. Earlier in 2025, games like PirateFi and Sniper: Phantom’s Resolution were also found to contain embedded info-stealing payloads. These titles employed social engineering tactics, including fake job offers, to trick users into downloading and installing them.
Once discovered, Valve quickly removed the infected titles from Steam’s platform. However, security reports confirmed that several users had already been compromised before the games were taken offline. In some cases, full system reformatting was recommended for affected users because of the extent of the malware’s infiltration.
Who is EncryptHub?
EncryptHub is a financially driven cybercriminal group known for multi-layered entry tactics and info-stealer distribution. Their operations commonly involve the trojanization of popular software—often via fake developer identities—and leveraging both legitimate storefronts and third-party distribution channels.
Previously, EncryptHub has targeted Web3 developers through fake AI-productivity tools, using sophisticated social engineering to gain access to credentials and digital assets.