Attackers abuse Steam Workshop to distribute malware disguised as desktop wallpapers, leading to infections and account theft.
Kaspersky researchers have uncovered an ongoing malware distribution campaign leveraging Steam Workshop and Wallpaper Engine, a popular Steam application used to create and share animated desktop wallpapers. Researchers identified multiple infected wallpaper packages which had accumulated thousands of downloads. Steam users in China and Russia were primarily targeted, with other victims located in Singapore, Hong Kong, Germany, Vietnam, India and Canada. The main goal of the attackers was stealing gaming accounts and deploying additional malware.
Steam Workshop is a built-in feature of the Steam gaming platform that allows users to easily find, install, and manage user-generated content like mods, custom maps, game items, and wallpapers. The Wallpaper Engine app supports several wallpaper formats, including videos, interactive scenes, web pages, and applications.
The application-based wallpaper feature allows executable programs to run directly on a user's Windows computer, which lets attackers distribute malicious software under the guise of legitimate content. Kaspersky identified dozens of infected wallpaper packages available through Steam Workshop. Many of these packages had thousands or even tens of thousands of downloads.
Attackers used two primary delivery methods. In some cases, malicious executable files, DLLs, and scripts were bundled directly with the wallpaper package. In others, attackers hid malware inside password-protected archives, with passwords embedded in archive names or configuration files. Once the wallpaper was installed, malicious payloads executed automatically.
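A defender can triage downloaded wallpaper packages for the two delivery methods described above. The following Python sketch is an added example, not code from Kaspersky or the report; the extension lists, the one-folder-per-package layout, and the sample package it builds (folder id, file names) are assumptions constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumed extension lists; tune them for your environment.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}

def zip_is_encrypted(path):
    """True if any member has the ZIP 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_package(pkg_dir):
    """Return sorted (finding, relative path) pairs for one package folder."""
    findings = []
    for f in (p for p in Path(pkg_dir).rglob("*") if p.is_file()):
        ext = f.suffix.lower()
        rel = f.relative_to(pkg_dir).as_posix()
        if ext in EXEC_EXT:
            findings.append(("executable-content", rel))
        elif ext == ".zip" and zip_is_encrypted(f):
            findings.append(("encrypted-archive", rel))
        elif ext in ARCHIVE_EXT:
            findings.append(("archive", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed package: a video, a DLL and a ZIP marked as encrypted."""
    pkg = Path(root) / "1234567890"  # made-up package id
    pkg.mkdir()
    (pkg / "loop.mp4").write_bytes(b"\x00")
    (pkg / "helper.dll").write_bytes(b"MZ")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.bin", b"x")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x1  # set encrypted bit in central directory
    (pkg / "pass_1234.zip").write_bytes(bytes(raw))
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, rel in triage_package(build_sample(tmp)):
            print(kind, rel)
```

A hit is a prompt for review rather than a verdict: application-type wallpapers legitimately ship executables, so findings should be checked against the publisher and scanned with a security product.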
For example, one of the malicious wallpaper samples discovered in December 2025 appeared to function legitimately at first, launching an embedded desktop game without any visible signs of compromise. In the background, however, the wallpaper deployed the DarkKomet backdoor and installed a modified library designed to target Steam users: it harvested account information and hijacked active Steam sessions.
The attacks were likely conducted by multiple independent threat actors rather than a single group, and were not limited to a single malware family. Across multiple cases, Kaspersky detected malicious wallpapers distributing Lumma and Vidar infostealers and the RenEngine loader. Kaspersky's security solutions detect and block all malware associated with this campaign.
"Trusted platforms can be abused to distribute malware: the attacks rely on users trusting content hosted within legitimate ecosystems. While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content," commented Maxim Starodubov, a cybersecurity expert at Kaspersky.
Detailed information is available in a report on Securelist.
Kaspersky recommends that users:
- Exercise caution when downloading any application, even from trusted sources
- Verify the reputation and legitimacy of content creators before installing any user-generated content
- Rely on proven cybersecurity solutions to detect threats