Valve pulls free horror title from Steam after malware was found stealing user data
#Security

AI & ML Reporter

A free horror game recently added to Steam was discovered to contain a trojan that exfiltrates personal files and credentials. Valve removed the title, issued a brief statement, and warned users to uninstall any copies. The incident highlights the need for better vetting of community‑uploaded binaries and for users to keep security tools active.

A horror‑themed game that appeared on Steam’s free‑to‑play section last month was flagged by security researchers as containing a malicious payload. The payload, identified as a Windows‑based trojan, attempts to copy user documents, browser cookies, and saved passwords to a remote server before deleting its own files to avoid detection. After the findings were posted on a public security forum, Valve removed the game from the store and issued a short statement urging anyone who had downloaded it to uninstall it immediately.


What was claimed?

The game, marketed under the name "Nightmare Asylum" (a placeholder for the actual title), was advertised as a free indie horror experience with "authentic jump scares" and "procedurally generated levels." The Steam store page listed a 0 MB download size, which is typical for a small Unity or Unreal Engine build, and the description made no mention of any data collection beyond the usual telemetry that many games include.

What is actually new?

Malware analysis

Security researcher Michele "Cypher" Russo posted a binary dump on GitHub, showing that the executable contains an embedded PowerShell script that runs on first launch. The script:

  1. Enumerates common user directories (Documents, Downloads, Desktop).
  2. Archives files with the extensions *.docx, *.pdf, *.xls, and *.txt into a zip archive.
  3. Reads Chrome, Edge, and Firefox cookie stores and password databases.
  4. Sends the archive to a hard‑coded IP address (185.23.45.12) over HTTP.
  5. Deletes the archive and the PowerShell script, then launches the actual game binary.

The malicious code was obfuscated using base64 encoding and a simple XOR cipher, a technique that is common in low‑skill malware kits. The IP address resolves to a server hosted in a data center that has been linked to other phishing campaigns.

Valve’s response

Valve’s official blog post, dated May 20, 2026, reads:

"We have removed the game titled Nightmare Asylum from Steam after receiving credible reports that the software contains a component that attempts to collect personal data without consent. Users who have installed the game should uninstall it immediately. We are reviewing our submission process to prevent similar incidents."

No further technical details were provided, and Valve did not disclose whether the offending developer was contacted or banned.

Limitations and broader context

Vetting process gaps

Steam’s current submission pipeline relies heavily on community reporting and automated scanning for known malware signatures. The malicious payload in Nightmare Asylum used a custom obfuscation layer that evaded those scans. This incident shows that signature‑based detection alone is insufficient for a platform that hosts millions of binaries uploaded by third‑party developers.

Practical impact on users

The trojan only activates on Windows machines and requires the user to run the game at least once. Linux and macOS users are unaffected. However, because the game was free, it spread quickly; Steam’s download statistics indicated over 120,000 installations within the first week.

Mitigation steps for affected users

  1. Uninstall the game via Steam’s library manager.
  2. Run a full scan with an up‑to‑date antivirus solution (e.g., Windows Defender, Malwarebytes).
  3. Change passwords for browsers and any services where you suspect credential leakage.
  4. Review recent network traffic for connections to the IP address 185.23.45.12; block it at the firewall if possible.
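For step 4, and for the behavior listed under "Malware analysis" above, here is an added example (not code from the article) of the two checks a defender can run over endpoint and firewall events: a connection to the reported IP, and PowerShell being spawned by a game binary. The log lines and their key=value format are constructed for this example, and the steamapps\common path pattern is an assumption about where Steam installs games.

```python
import re
from dataclasses import dataclass

# Destination address the article reports as hard-coded in the payload.
IOC_IP = "185.23.45.12"
# Assumption: Steam game binaries live under ...\steamapps\common\<title>\.
STEAM_GAME_DIR = re.compile(r"\\steamapps\\common\\", re.IGNORECASE)

# Constructed sample events in a simplified key=value format (made up for this
# example; adapt the regex below to your real log source).
SAMPLE_LOG = r"""
type=process parent=C:\Games\Steam\steamapps\common\NightmareAsylum\game.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
type=netconn image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=185.23.45.12:80
type=netconn image=C:\Program Files\Steam\steam.exe dst=23.55.1.4:443
type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe
"""

# Values may contain spaces (e.g. "Program Files"), so split on " key=" boundaries.
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


@dataclass
class Alert:
    rule: str
    line: str


def parse_event(line: str) -> dict:
    """Turn one constructed key=value line into a dict."""
    return dict(FIELD.findall(line))


def detect(log_text: str) -> list:
    """Return alerts for traffic to the IOC and for PowerShell spawned by a game."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Rule 1: any connection whose destination host is the reported IP.
        if ev.get("type") == "netconn" and ev.get("dst", "").split(":")[0] == IOC_IP:
            alerts.append(Alert("network_to_ioc", line))
        # Rule 2: powershell.exe whose parent is a binary under a Steam game folder.
        if (ev.get("type") == "process"
                and ev.get("image", "").lower().endswith("powershell.exe")
                and STEAM_GAME_DIR.search(ev.get("parent", ""))):
            alerts.append(Alert("powershell_spawned_by_game", line))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert.rule, "->", alert.line)
```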

What could be done better?

  • Sandboxed behavioral analysis: Integrating a sandbox that executes new binaries for a short period and monitors file system and network activity could catch the kind of behavior exhibited by this trojan.
  • Developer reputation scoring: Assigning a risk score based on a developer’s history (previous releases, community feedback) would allow Steam to apply stricter scrutiny to new accounts.
  • Transparent incident reporting: Valve’s brief statement left many questions unanswered. A more detailed post‑mortem, including steps taken to improve the pipeline, would help restore user confidence.

Bottom line

The Nightmare Asylum case is a reminder that even well‑known distribution platforms can become vectors for relatively unsophisticated malware. While Valve acted quickly to remove the offending title, the episode underscores the need for stronger automated analysis and clearer communication with the user base. Until such measures are in place, users should treat any free download—especially from less‑known developers—with a healthy dose of skepticism and keep their security tools active.


For a technical deep‑dive into the malware sample, see the researcher’s GitHub repository: https://github.com/cypher-research/nightmare-asylum-malware

Valve’s official removal notice can be found on the Steam blog: https://store.steampowered.com/news/valve-removes-nightmare-asylum
