Attackers abuse Steam Workshop to distribute malware disguised as desktop wallpapers, leading to infections and account theft.
Kaspersky researchers have uncovered an ongoing malware distribution campaign leveraging Steam Workshop and Wallpaper Engine, a popular Steam application used to create and share animated desktop wallpapers. Researchers identified multiple infected wallpaper packages which had accumulated thousands of downloads. Steam users in China and Russia were primarily targeted, with other victims located in Singapore, Hong Kong, Germany, Vietnam, India and Canada. The main goal of the attackers was stealing gaming accounts and deploying additional malware.
Steam Workshop is a built-in feature of the Steam gaming platform that allows users to easily find, install, and manage user-generated content like mods, custom maps, game items, and wallpapers. The Wallpaper Engine app supports several wallpaper formats, including videos, interactive scenes, web pages, and applications.
The application-based wallpaper feature lets executable programs run directly on a user's Windows computer, which gives attackers a way to distribute malicious software under the guise of legitimate content. Kaspersky identified dozens of infected wallpaper packages available through Steam Workshop. Many of these packages had thousands or even tens of thousands of downloads.
There were two primary delivery methods that attackers used. In some cases, malicious executable files, DLLs, and scripts were bundled directly with the wallpaper package. In others, attackers hid malware inside password-protected archives, with passwords embedded in archive names or configuration files. Once the wallpaper was installed, malicious payloads executed automatically.
For example, one of the malicious wallpaper samples discovered in December 2025 appeared to function legitimately at first, launching an embedded desktop game without any visible signs of compromise. In the background, however, the wallpaper deployed the DarkKomet backdoor and installed a modified library designed to target Steam users: it harvested account information and hijacked active Steam sessions.
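A defender-side check for the two delivery methods described above, as an added example that is not taken from Kaspersky's report: it walks a folder of downloaded wallpaper packages and flags bundled PE files (by header, not by extension), script files, and archives with encrypted entries. The `root` argument, the script-extension list and the finding labels are assumptions of this example; encrypted-entry detection covers ZIP only, and 7z/RAR files are reported unchecked.

```python
import os
import sys
import zipfile

# Assumed list of script extensions worth a second look; adjust to local policy.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".hta"}
# Magic bytes of archive formats this example does not parse (7z, RAR).
OTHER_ARCHIVES = (b"7z\xbc\xaf\x27\x1c", b"Rar!\x1a\x07")

def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    with open(path, "rb") as fh:
        magic = fh.read(6)
    if magic[:2] == b"MZ":
        # EXE and DLL images start with 'MZ' whatever the file is named.
        return "pe-binary"
    if magic in OTHER_ARCHIVES:
        return "archive-unchecked"
    if zipfile.is_zipfile(path):
        try:
            with zipfile.ZipFile(path) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "encrypted-archive"
        except zipfile.BadZipFile:
            return "unreadable-archive"
        return "archive"
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return "script"
    return None

def audit_packages(root):
    """Map each package directory under root to its sorted findings."""
    report = {}
    for package in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, package)
        if not os.path.isdir(pkg_dir):
            continue
        findings = []
        for dirpath, _dirs, files in os.walk(pkg_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                label = classify(full)
                if label:
                    findings.append((os.path.relpath(full, pkg_dir), label))
        if findings:
            report[package] = sorted(findings)
    return report

if __name__ == "__main__" and len(sys.argv) > 1:
    for pkg, items in audit_packages(sys.argv[1]).items():
        for rel, label in items:
            print(f"{pkg}\t{label}\t{rel}")
```

Findings are leads for manual review rather than verdicts, since application-type wallpapers legitimately ship executables.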
[Figure: Examples of infected wallpaper packages on Steam]
The attacks were likely conducted by multiple independent threat actors rather than a single group, and were not limited to a single malware family. Across multiple cases, Kaspersky detected malicious wallpapers distributing Lumma and Vidar infostealers and the RenEngine loader. Kaspersky's security solutions detect and block all malware associated with this campaign.
"Trusted platforms can be abused to distribute malware: the attacks rely on users trusting content hosted within legitimate ecosystems. While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content," commented Maxim Starodubov, a cybersecurity expert at Kaspersky.
Detailed information is available in a report on Securelist.
Kaspersky recommends users:
- Exercise caution when downloading any application, even from trusted sources
- Verify the reputation and legitimacy of content creators before installing any user-generated content
- Rely on proven cybersecurity solutions to detect threats