SteamTools v1.8.30: What a Deep Binary Analysis Revealed

An independent static analysis of the popular SteamTools application uncovered a hidden remote code execution capability, silent data harvesting, and multiple deception techniques designed to evade detection.

Overview

SteamTools is a Windows desktop application that markets itself as a tool to "enhance your Steam gaming experience." It has a professional-looking website, active community forums, and a Telegram channel. The installer is digitally signed with an Extended Validation (EV) certificate — the most trusted tier of code signing.

On the surface, it looks legitimate. Underneath, a thorough static analysis of the binary reveals a very different picture.

This article summarizes findings from a complete binary analysis. No software was executed during the research. All findings are derived from static analysis techniques including string extraction, PE header parsing, and digital signature verification. The full technical report with complete findings is published on GitHub.

The Installer

Property | Value
--- | ---
Filename | st-setup-1.8.30.exe
Size | 10.6 MB
Installer Type | NSIS 3 Unicode (64-bit)
Digital Signature | Valid — EV certificate
Signing Entity | NewWnight Global Tech Co., Ltd (Changsha, Hunan, China)

The installer drops 18 files into four directories. The two critical files are the main executable and a core library that contains the most concerning capabilities.

Key Finding 1: Remote Code Execution Capability

The most critical discovery is a function called HttpLoadDLL. Based on string analysis of the binary, this function:

  • Contacts several remote update servers
  • Downloads a library file from one of those servers
  • Decrypts the downloaded file (it arrives encrypted)
  • Loads and executes the code directly in memory

A confirmation string found near this function reads: "Downloaded and decrypted data successfully."

Why This Is Significant

This means the developers maintain a live channel to execute arbitrary code on every machine running the software. The user has no visibility into or control over what code is downloaded and run.

The downloaded content is encrypted, which means:

  • Network monitoring tools cannot inspect the payload
  • Corporate firewalls cannot analyze the traffic
  • Even capturing the network traffic does not reveal what was actually executed

Today's payload may be benign. Tomorrow's could be anything — from a cryptocurrency miner to a credential stealer. Users have no way to know and no way to prevent it.
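The string extraction this finding rests on, as an added example rather than code from the article or the linked report: a standard-library-only `strings`-style extractor that recovers both ASCII and UTF-16LE runs (Windows binaries keep many of their strings wide), then buckets what it finds into loader indicators and update hosts split by URL scheme, the plaintext-HTTP distinction the article returns to under Key Finding 5. The sample blob is constructed here; only `HttpLoadDLL` and the confirmation message are strings the article quotes, and the hostnames, minimum length and Win32 API names in the indicator list are assumptions of this example.

```python
"""Added example, not the article's or the report's own code: extract
printable ASCII and UTF-16LE strings from a binary blob and triage them
for the indicators the article describes. The sample blob is constructed
inline; only "HttpLoadDLL" and the confirmation message come from the
article, the hostnames are placeholders."""
import re
from urllib.parse import urlsplit

MIN_LEN = 6  # same default as GNU strings; tune per sample
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Names that, seen together, suggest a download-decrypt-load routine.
# HttpLoadDLL and the confirmation text are quoted in the article; the
# API names are the usual companions of an in-memory loader (assumption).
LOADER_INDICATORS = ("HttpLoadDLL", "Downloaded and decrypted",
                     "LoadLibrary", "VirtualAlloc", "MemoryLoadLibrary")

# Constructed sample "binary": junk bytes around a few planted strings.
SAMPLE = (
    b"\x90\x90\x00\x01"
    + b"HttpLoadDLL\x00\x01"
    + "Downloaded and decrypted data successfully.".encode("utf-16-le")
    + b"\x00\x00\x01"
    + b"http://updates.example.invalid/core.bin\x00\x01"   # placeholder host
    + b"https://cdn.example.invalid/core.bin\x00\x01"      # placeholder host
    + b"ab\x00cd\x00"
)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text), like `strings -a` plus `strings -e l`."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def triage(strings):
    """Bucket strings: loader indicators, and update hosts by URL scheme."""
    report = {"loader": [], "plain_http": [], "https": []}
    for _offset, _encoding, text in strings:
        lowered = text.lower()
        if any(ind.lower() in lowered for ind in LOADER_INDICATORS):
            report["loader"].append(text)
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname or url
            bucket = "https" if url.lower().startswith("https://") else "plain_http"
            report[bucket].append(host)
    return report


def analyze(blob: bytes) -> dict:
    """Run extraction and triage; returns the report dict for further use."""
    return triage(extract_strings(blob))


if __name__ == "__main__":
    for bucket, items in analyze(SAMPLE).items():
        print(f"{bucket}: {items}")
```

Run it over a real dropped file with `analyze(open(path, "rb").read())`; a non-empty `plain_http` bucket is the cheapest way to confirm which update channels are fetched without TLS, and the `loader` bucket is a starting point for locating the routine in a disassembler rather than proof of behaviour on its own.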

Key Finding 2: Silent Data Access

The analysis found strings indicating the software reads local Steam configuration files, specifically:

  • User account names
  • Display names
  • Unique Steam identifiers
  • Password-remember status

These are read from Steam's local configuration files without notifying the user. Combined with the binary's network upload capabilities (it contains a full HTTP client library with file upload support), there exists a technical path for this data to be transmitted externally.

Key Finding 3: Deceptive Identity

One of the most telling discoveries is the version information embedded in the core library:

Field | Value in Binary | Legitimate Equivalent
--- | --- | ---
Company Name | Vale Corporation | Valve Corporation
Product Name | Vale | Valve
Description | Vale Dynamic Link Library | (various Valve DLLs)

The name "Vale" is one letter away from "Valve" — the company that develops Steam. This is deliberate: if a user or analyst inspects the file properties, they see what appears to be a Valve product at a quick glance.

This pattern of deception extends to the network level. One of the update server domains is designed to look like Steam's official content delivery network. This could bypass firewall rules that whitelist Steam traffic and confuse analysts reviewing network logs.
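Two checks for the lookalike tricks described in this finding, as an added example (not code from the article or its linked report): version-resource fields are compared by edit distance against known vendor and product names, and update-server hostnames are flagged when they carry a brand token but sit outside the registrable domains that brand owns. The version-info values are the ones the article tabulates; the hostnames, the known-name lists, the distance threshold and the naive last-two-labels domain split are assumptions of this example.

```python
"""Added example (not from the article or its linked report): flag
version-info fields that impersonate a known publisher, and hostnames
that borrow a brand name without belonging to that brand. Version values
are the ones the article tabulates; hostnames are constructed."""

KNOWN_PUBLISHERS = ("Valve Corporation", "Microsoft Corporation")
KNOWN_PRODUCTS = ("Valve", "Steam")
BRAND_TOKENS = ("steam", "valve")
# Registrable domains Valve operates; extend with whatever the defender
# has verified. Any other host using a brand token is treated as suspect.
OWNED_DOMAINS = {"steampowered.com", "steamstatic.com", "valvesoftware.com"}


def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance (single-row DP)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike(value: str, candidates, max_distance: int = 2):
    """(closest candidate, distance) when value is near but not equal to one."""
    if not value:
        return None
    best = min(candidates, key=lambda c: edit_distance(value, c))
    d = edit_distance(value, best)
    return (best, d) if 0 < d <= max_distance else None


def check_version_info(info: dict) -> list:
    """Flag version-resource fields that impersonate a known vendor/product."""
    findings = []
    for field, candidates in (("CompanyName", KNOWN_PUBLISHERS),
                              ("ProductName", KNOWN_PRODUCTS)):
        hit = lookalike(info.get(field, ""), candidates)
        if hit:
            findings.append((field, info[field], hit[0], hit[1]))
    return findings


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike_hosts(hosts) -> list:
    """Hosts using a brand token but not under a domain the brand owns."""
    return [h for h in hosts
            if any(tok in h.lower() for tok in BRAND_TOKENS)
            and registrable_domain(h) not in OWNED_DOMAINS]


# Version info as tabulated in the article; hosts are constructed placeholders.
CORE_LIBRARY_INFO = {"CompanyName": "Vale Corporation", "ProductName": "Vale",
                     "FileDescription": "Vale Dynamic Link Library"}
UPDATE_HOSTS = ["steamcdn.update-example.invalid", "cdn.steamstatic.com",
                "updates.example.invalid"]

if __name__ == "__main__":
    print(check_version_info(CORE_LIBRARY_INFO))
    print(brand_lookalike_hosts(UPDATE_HOSTS))
```

The distance threshold of 2 catches single-letter drops such as "Vale" without flagging unrelated vendors; for hostnames a token match is the better signal, because lookalike CDN names usually contain the brand verbatim rather than a near-miss spelling.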

Key Finding 4: Unsigned Main Executable

The installer and the core library are both signed with an EV certificate. However, the main executable — the file that actually runs on the user's system — is not signed.

This is unusual and strategically significant:

  • The signed installer passes Windows SmartScreen and antivirus checks during installation
  • The unsigned executable can be modified or replaced without invalidating any digital signature
  • Users see a "Verified Publisher" notice during installation but run unverified code afterward
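A first triage step for this finding, as an added example rather than code from the article or the report: a standard-library-only parser that reads just enough of a PE header to tell whether a file carries an embedded Authenticode certificate table (the security data directory). Presence only means a signature blob is attached; whether it verifies, and who signed it, still has to be checked with platform tooling such as signtool or Get-AuthenticodeSignature. The sample images are constructed inside the block and are not SteamTools files.

```python
"""Added example, not the article's or the report's own code: detect
whether a PE file carries an embedded Authenticode certificate table
(IMAGE_DIRECTORY_ENTRY_SECURITY, index 4) using only the standard library.
Presence is not validity; it only tells you which files have no
signature at all. The sample images are constructed below."""
import struct

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_directory(data: bytes) -> dict:
    """Locate the security directory; raises ValueError on malformed headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_off = dir_off + 8 * SECURITY_DIR_INDEX
    if entry_off + 8 > opt + size_of_optional:
        return {"signed": False}            # header too short to hold entry 4
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR_INDEX:
        return {"signed": False}
    table_off, table_size = struct.unpack_from("<II", data, entry_off)
    if table_off == 0 or table_size == 0:
        return {"signed": False}
    # Unlike other directories, this "VirtualAddress" is a raw file offset.
    if table_size < 8 or table_off + table_size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, table_off)
    return {"signed": True, "offset": table_off, "size": table_size,
            "length": length, "revision": revision, "cert_type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def unsigned_files(images: dict) -> list:
    """Names of images with no certificate table, in the order given."""
    return [name for name, data in images.items()
            if not authenticode_directory(data)["signed"]]


def build_sample_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE image for demonstration only."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    count_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, count_off, 16)              # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff
    cert = b""
    if signed:
        blob = b"\x30\x82\x00\x00DEMO-PKCS7"   # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, count_off + 4 + 8 * SECURITY_DIR_INDEX,
                         len(header) + opt_size, len(cert))
    return header + bytes(opt) + cert


# Constructed stand-ins for the installer, core library and main executable.
SAMPLE_SET = {"installer.exe": build_sample_pe(True),
              "core.dll": build_sample_pe(True),
              "main.exe": build_sample_pe(False)}

if __name__ == "__main__":
    for name, data in SAMPLE_SET.items():
        print(name, authenticode_directory(data))
    print("unsigned:", unsigned_files(SAMPLE_SET))
```

Pointed at the 18 dropped files, `unsigned_files` gives the list of executables and libraries that carry no signature at all; everything it reports as signed still needs full chain and timestamp validation, since a valid EV signature on the installer says nothing about the unsigned binary that runs afterwards.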
Key Finding 5: Multiple Communication Channels

The binary contains references to three distinct update servers. Two use unencrypted HTTP (not HTTPS), meaning:

  • Downloaded updates can be intercepted by anyone on the same network
  • A third party on public WiFi could potentially inject a different payload
  • The communication is vulnerable to interception at multiple points

The servers resolve to infrastructure in China, with one server domain currently inactive and another using a CDN service.

Key Finding 6: Extensible Architecture

The analysis found references to an embedded scripting engine with a plugin directory and a script compiler. This means:

  • The software can run custom scripts that extend its functionality
  • Scripts can be delivered through the update mechanism
  • The scripting engine likely has access to the software's core capabilities including network and file system operations

What the Binary Does NOT Contain

Comprehensive string analysis found no evidence of:

  • Cryptocurrency mining components
  • Keyboard or screen capture
  • Browser credential access
  • Persistent startup mechanisms
  • Webcam or microphone access

However, the remote code execution capability means any of these could be deployed at any time through a server-side update to all users simultaneously.

Risk Assessment Summary

Risk | Severity | Notes
--- | --- | ---
Remote code execution | Critical | Live capability via encrypted download channel
Account data exposure | High | Reads authentication-related local files
Future threat deployment | High | Server-controlled, encrypted payloads
Network interception | Medium | Two of three update channels use unencrypted HTTP
Account termination | Medium | The platform provider actively detects unauthorized tools
Legal liability | Medium | Unauthorized access to protected systems

Recommendations

If You Have Used This Software

  • Remove the software and all associated files immediately
  • Change passwords for any accounts accessed on that machine
  • Enable two-factor authentication on all important accounts
  • Run a thorough security scan to check for any components that may have been downloaded
  • Monitor accounts for unauthorized activity

General Guidance

  • Be cautious of any software that promises free access to paid features
  • A valid digital signature does not guarantee the software is safe — it only verifies the signer's identity
  • EV certificates can be obtained by any registered business willing to pay for them
  • If software requires you to disable security features to install it, that is a significant warning sign

Full Report

The complete technical analysis including detailed binary structure, API inventories, all extracted URLs, file hashes for verification, and indicators of compromise is available at:

github.com/Hegxib/SteamTools-Deep-Analyze

The report is published for security research and user awareness purposes. Understanding the techniques used by deceptive software helps the community build better defenses and make more informed decisions about what they install.