Potential C2 via Steam Community Page

Rule Info

Name
Potential C2 via Steam Community Page
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious DNS queries to steamcommunity.com that may indicate that a Steam Community page is being used to retrieve the domain or IP address fronting command-and-control (C2) communication. This technique has been observed in various malware families, including CastleRAT, Lumma, and others.
Date
2026-04-15 00:00:00
Modified
None
Id
c82ee67e-554d-4abb-bae5-b518f26c0316
Tags
attack.command-and-control attack.t1102.001
Type
Nextron Sigma feed only (private)

Rule History