Valve corporation A.I CyberSecurity Scoring
Valve corporation
Company Information
Website:https://www.valvesoftware.com
Employees number:1,730
Number of followers:286,133
NAICS:51126
Industry Type:Computer Games
Homepage:valvesoftware.com
Valve corporation Risk Score (AI oriented)
Between 600 and 649
Valve corporationComputer Games
Updated:
17/06/2026
17/06/2026
608/1000
Poor
Caa
Valve corporation Global Score (TPRM)
xxxx
Valve corporationComputer Games
Score locked

Valve corporationPoor
Current Score
608Caa (POOR)
01000
5 incidents
-11.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
610
JUNE 2026
627
Cyber Attack
17 Jun 2026 • Valve corporation
Valve: Steam Workshop Malware Campaign Uses Wallpaper Engine to Steal Accounts and Infect Gamers
Sophisticated Malware Campaign Exploits Steam Workshop to Target Gamers
608
CRITICAL-19
VAL1781684649
Sophisticated Malware Campaign Exploits Steam Workshop to Target Gamers
A recent malware campaign has leveraged Steam Workshop and Wallpaper Engine to distribute backdoors, infostealers, and crypto miners, primarily affecting gamers in China (89% of cases) and Russia (5.5%), with additional infections reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
### How the Attack Works
Threat actors abused Wallpaper Engine’s "application" wallpaper type, which allows standalone executables to run as animated desktop backgrounds. By embedding malicious payloads within these wallpapers often hidden in password-protected archives or bundled with legitimate files attackers tricked users into executing arbitrary code upon installation.
Once activated, the malware deployed in multiple stages:
1. A backdoor (e.g., Synaptics.exe, linked to the DarkKomet family) was dropped.
2. A secondary module (e.g., ._cache_GAME1.exe) installed a tampered system library (AggregatorHost.dll).
3. The library hijacked active Steam sessions, harvesting authentication tokens and credentials.
4. Stolen data was exfiltrated to attacker-controlled servers (e.g., hxxp://120.48.156[.]17/ey.php), enabling account takeovers and further malicious uploads via compromised profiles.
### Malware Arsenal & Impact
The campaign distributed a diverse toolkit, including:
- Infostealers (Vidar, Lumma)
- Backdoors (DarkKomet)
- Crypto miners (sapping system resources)
- Ransomware variants
- Python-based trojans
Localized artwork and titles suggested deliberate targeting of Chinese users, though the infrastructure could be repurposed globally.
### Steam’s Response & Detection
Steam removed identified malicious Workshop items, but the incident highlights platform moderation challenges against persistent abuse. Security vendors detected samples using heuristics like HEUR:Trojan-PSW.Win32.gen and HEUR:Backdoor.Win32.DarkKomet, though proactive defenses are required to mitigate risks.
The attack underscores a growing trend: legitimate community platforms are increasingly weaponized to bypass traditional security measures.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MAY 2026
623
APRIL 2026
623
MARCH 2026
623
Vulnerability
18 Mar 2026 • Valve corporation
Jenkins and Valve: New DDoS Malware Exploits Jenkins to Attack Valve Source Engine Game Servers
New DDoS Botnet Targets Valve Source Engine Game Servers via Exposed Jenkins Instances
619
MEDIUM-4
JENVAL1777645518
New DDoS Botnet Targets Valve Source Engine Game Servers via Exposed Jenkins Instances
Security researchers at Darktrace uncovered a sophisticated DDoS botnet exploiting misconfigured Jenkins servers to launch attacks against Valve Source Engine game infrastructure, including Counter-Strike and Team Fortress 2 servers. The malware, first detected on March 18, 2026, via Darktrace’s CloudyPots honeypot network, stands out for its cross-platform capabilities and precise targeting of the gaming sector a growing focus for cybercriminals, which Cloudflare ranks as the fourth most attacked industry globally.
The attack begins with threat actors scanning for Jenkins instances with weak or default credentials, leveraging an exposed remote code execution (RCE) endpoint to deploy malicious payloads. Once inside, the malware delivers Windows and Linux variants: on Windows, it downloads a disguised system update file, while on Linux, it executes a Bash script to fetch and run a payload from the /tmp directory. Both use a Vietnamese-hosted IP (103[.]177.110.202) for command-and-control (C2) and payload delivery an unusual consolidation that reduces operational resilience.
The botnet employs multiple DDoS techniques, including UDP floods, TCP push attacks, and HTTP request floods, with a particularly effective method called "attack_dayz." This tactic exploits Valve Source Engine’s query protocol, sending small requests that trigger disproportionately large responses, overwhelming servers with minimal attacker bandwidth. The malware also ensures persistence by:
- Manipulating Jenkins environment variables ("dontKillMe") to evade process timeouts.
- Renaming itself to mimic legitimate Linux kernel processes ("ksoftirqd/0" or "kworker").
- Using double forking and redirecting logs to /dev/null to avoid detection.
- Ignoring termination signals (SIGTERM) to resist manual shutdowns.
Once active, the malware connects to the C2 server, reporting system details and awaiting attack commands. It supports three utility functions: PING (keep-alive), !stop (termination), and !update (self-updating). Darktrace recommends blocking TCP port 5444 (used for C2 communication) and the identified attacker IP at the network perimeter, alongside securing Jenkins instances with strong authentication and restricting public access.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
FEBRUARY 2026
622
JANUARY 2026
619
DECEMBER 2025
611
NOVEMBER 2025
613
OCTOBER 2025
610
SEPTEMBER 2025
607
AUGUST 2025
604
MAY 2025
701
Breach
01 May 2025 • Valve corporation
Valve Corporation
Steam User Records Leak
591
CRITICAL-110
VAL546051425
Valve Corporation, the owner of Steam, faced a potential breach involving the leak of 89 million Steam user records with one-time access codes. The data was advertised for sale by a threat actor known as Machine1337. A sample of 3,000 records, containing historic SMS text messages with one-time passcodes for Steam, was examined by BleepingComputer. The incident is suspected to be a supply-chain compromise involving Twilio, a cloud communications company providing APIs for SMS and 2FA messages. Twilio denied any breach, but acknowledged investigating the situation. The data's origin is unclear, but it may come from an SMS provider intermediating communication between Twilio and Steam users. Steam users are advised to enable Steam Guard Mobile Authenticator for added security.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2025
764
Breach
01 Feb 2025 • Valve corporation
Valve
Malicious Code in PirateFi Game on Steam Platform
698
CRITICAL-66
VAL000021525
Valve Corporation experienced a significant cybersecurity incident when the game PirateFi on its Steam platform was found to contain malicious code, designed to steal browser cookies and hijack accounts. The malware, identified as 'Trojan.Win32.Lazzzy.gen', prompted Valve to advise affected users to undertake a full reformat of their operating systems to eradicate the threat. This action indicates a substantial impact, where personal user data was likely compromised. The scale of the incident is notable, with an estimated reach of over 800 users who downloaded the game. The immediate removal of the game and public notification highlight Valve's response to containing the situation and preventing further damage.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2012
767
Breach
08 Feb 2012 • Valve corporation
Valve Corporation
Valve Corporation Data Breach
709
MEDIUM-58
VAL1028080425
The California Office of the Attorney General reported a data breach involving Valve Corporation on February 8, 2012. The breach is related to a network intrusion that likely resulted in the unauthorized access to a database containing user names, email addresses, encrypted billing addresses, and encrypted credit card information, although no evidence of credit card misuse has been found.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Valve corporation ??
What was Valve corporation's A.I Rankiteo Cyber Score in June 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in May 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in April 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in March 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in February 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in January 2026 ??
What was Valve corporation's A.I Rankiteo Cyber Score in December 2025 ??
What was Valve corporation's A.I Rankiteo Cyber Score in November 2025 ??
What was Valve corporation's A.I Rankiteo Cyber Score in October 2025 ??
What was Valve corporation's A.I Rankiteo Cyber Score in September 2025 ??
What was Valve corporation's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Valve corporation's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Valve corporation ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Valve corporation's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?