Source-attributed Telegram item


vx-underground (@vxunderground), public Telegram post


I learned quite a bit from this actually.

I didn't know Steam was a Chromium app. Hence, you can kill Steam then relaunch it with the "-cef-enable-debugging" flag.

Once you've launched Steam with this, you can inject JavaScript into Steam using Chromium "webSocketDebuggingUrl" stuff.

This malware has a whole pseudo-framework of JavaScript that can do:
- Alert Bell (?)
- Block pages
- "Help page" (?)
- Inventory manipulation
- Steam library manipulation
- Profile manipulation
- Steam redirections

Basically, this malware payload switches Steam into a Chromium debug state, then sends web debug requests (kind of like Chrome Dev Tools?) to manipulate the Steam pages. It injects JavaScript.

The chat window that spawns is from a remote host they control. This is really cool.

Is it AI slop? Yes

Is this code EXTREMELY easy to reverse engineer? Yes

Did they unironically document their entire code base in Russian because it was (probably) written using Claude and the authors probably speak Russian? Yes

Is this extremely creative and cool? Yes

Special thanks to "pro" from 2c44. He handed me the payload and the decompiled Python. The malware .py was Base64 encoded ... so obtaining the original source was ridiculously easy.
