Kaspersky Warns: Malware Hidden in Steam Wallpaper Engine Packages Is Stealing Gamer Accounts
Cybersecurity researchers at Kaspersky have uncovered an active campaign abusing the Steam Workshop to distribute malware disguised as desktop wallpapers, targeting users primarily in China and Russia since late 2025.
What Happened
On June 16, 2026, Kaspersky published a report revealing that attackers have been abusing the Steam Workshop — the community content-sharing hub built into the Steam gaming platform — to spread malware through the popular Wallpaper Engine application. Wallpaper Engine, which boasts nearly one million user reviews, lets players apply animated and interactive wallpapers to their desktops. Kaspersky found that malicious actors have been exploiting a specific wallpaper type within the app known as “application wallpapers,” which are capable of running executable Windows programs as part of the desktop background — a legitimate feature that attackers have turned into an attack vector.
Researchers discovered dozens of infected wallpaper packages on the Steam Workshop. Some had been downloaded tens of thousands of times before being identified. By the time Kaspersky published its findings, Valve had already removed the flagged malicious items from the platform. However, Kaspersky explicitly warned that new infected wallpapers continue to appear, and that users should not rely on Steam’s moderation alone to stay protected.
“Trusted platforms can be abused to distribute malware: the attacks rely on users trusting content hosted within legitimate ecosystems.”
— Maxim Starodubov, Cybersecurity Expert, Kaspersky
How the Attack Works: Two Delivery Methods
Kaspersky’s analysis identified two distinct methods used to package and deliver malicious payloads inside Wallpaper Engine content:
Method 1 — Direct bundling: Malicious executables, DLLs, and scripts are embedded directly within the wallpaper package. Once the wallpaper is installed and launched by Wallpaper Engine, the malicious payload executes automatically in the background, often with no visible signs of compromise to the user.
Method 2 — Password-protected archives: Attackers conceal malware inside password-protected compressed files, with the password embedded in the archive’s filename or an accompanying configuration file. This technique is designed to bypass automated scanning systems that cannot inspect the archive’s contents without the correct password.
In one documented December 2025 case, a malicious wallpaper appeared fully functional on the surface — launching an embedded desktop game — while silently deploying the DarkKomet backdoor and installing a tampered system library (AggregatorHost.dll) designed to harvest Steam session tokens and account credentials.
Payloads Detected
Malware Families Identified in This Campaign
- DarkKomet — remote access backdoor used to hijack Steam sessions
- Lumma Infostealer — harvests credentials, browser data, and crypto wallets
- Vidar Infostealer — targets saved passwords, browser history, and account tokens
- RenEngine Loader — a downloader that installs additional malware stages
- Cryptominers — silently consume CPU/GPU resources for cryptocurrency mining
- Ransomware — file-encrypting malware observed in a subset of packages
Who Is Being Targeted
Geographic distribution of malicious download attempts reveals a heavy concentration of victims in China and Russia, though the campaign has reached users across multiple countries. Kaspersky’s telemetry indicates the localized artwork and titles of many malicious wallpapers were specifically tailored for Chinese-speaking users, suggesting deliberate targeting — though the underlying infrastructure could be redeployed globally with minimal effort.
Geographic Distribution of Malicious Download Attempts
Why Application Wallpapers Are a Built-In Risk
Unlike standard video or scene wallpapers, application wallpapers in Wallpaper Engine can run actual Windows executables as part of the desktop background. This is an intentional product feature used legitimately for desktop widgets, system monitors, and mini-games. However, Kaspersky warns that this same capability represents a structural security risk: any executable bundled in a Workshop package runs with user-level permissions the moment the wallpaper is applied, which makes application wallpapers an effective malware delivery vessel that operates within a trusted, familiar interface.
Kaspersky’s Recommendations
Kaspersky issued the following guidance to Steam and Wallpaper Engine users:
- Verify the reputation and legitimacy of content creators before downloading any Workshop item, especially application-type wallpapers.
- Scan any downloaded Wallpaper Engine package with an up-to-date antivirus solution before applying it — do not rely solely on Steam’s moderation.
- If you recently installed a suspicious wallpaper, remove it, inspect the downloaded project folder on disk, run a full system scan, and secure your Steam account by revoking active sessions.
- Enable Steam Guard two-factor authentication to limit the damage from any potential session token theft.
- Treat any user-generated content that runs executable code with elevated suspicion, regardless of the platform it is hosted on.
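As an added example tying together the two delivery methods described above and the advice to inspect the downloaded project folder, the Python script below triages a Wallpaper Engine Workshop item on disk: it flags application-type wallpapers, bundled executables and scripts, and ZIP archives whose entries carry the encryption flag (the password-protected-archive trick). This is not Kaspersky's or Wallpaper Engine's code; it assumes each Workshop item is a folder holding a project.json manifest whose "type" key marks application wallpapers, and the extension list is a hypothetical starting point, not a complete one.

```python
import json, tempfile, zipfile
from pathlib import Path

RISKY_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}  # no place in a scene/video wallpaper

def has_encrypted_entries(path):
    """True if a ZIP contains any entry with the encryption bit (general-purpose flag bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_project(project_dir):
    """Return [(finding, relative path)] for one Workshop item folder."""
    project_dir, findings = Path(project_dir), []
    meta = project_dir / "project.json"          # assumed manifest name and "type" key
    if meta.is_file():
        try:
            if json.loads(meta.read_text("utf-8")).get("type", "").lower() == "application":
                findings.append(("application-type wallpaper (runs executables)", "project.json"))
        except (ValueError, AttributeError, UnicodeDecodeError):
            findings.append(("unreadable project.json", "project.json"))
    for f in (p for p in project_dir.rglob("*") if p.is_file()):
        rel, ext = str(f.relative_to(project_dir)), f.suffix.lower()
        if ext in RISKY_EXT:
            findings.append(("executable/script bundled in package", rel))
        elif ext == ".zip" and has_encrypted_entries(f):
            findings.append(("password-protected archive (scanner-evasion technique)", rel))
    return findings

def build_sample():
    """Constructed sample data: a clean scene wallpaper and a suspicious application one."""
    root = Path(tempfile.mkdtemp())
    clean = root / "100001"; clean.mkdir()
    (clean / "project.json").write_text(json.dumps({"type": "scene"}))
    (clean / "scene.pkg").write_bytes(b"scene data")
    bad = root / "100002"; bad.mkdir()
    (bad / "project.json").write_text(json.dumps({"type": "application"}))
    (bad / "game.exe").write_bytes(b"MZ")
    archive = bad / "assets.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("stage2.bin", b"placeholder")
    # Flip the encryption flag in the local and central headers to mimic a password-protected ZIP.
    raw = bytearray(archive.read_bytes())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + off] |= 0x01
    archive.write_bytes(raw)
    return root
```

Run `triage_project` over each numbered folder of a real Workshop content directory; any item that reports findings deserves a full scan and a look at the creator's reputation before it is applied.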
Platform Response
Valve has removed all malicious wallpaper applications identified in Kaspersky’s report from the Steam Workshop. However, researchers stress this is not a permanent solution: new infected wallpapers continue to be submitted, and the platform’s moderation cannot guarantee that future submissions will be caught before reaching users. Neither Valve nor the Wallpaper Engine developer had issued a public statement at the time of publication.
Kaspersky’s security solutions detect and block all malware families associated with this campaign. The full technical report, including detailed detection verdicts and indicators of compromise, is available on Kaspersky’s Securelist research blog.
