Malicious Wallpaper Engine Downloads on Steam Workshop Infected Thousands of Users
Threat actors have been abusing Steam Workshop to distribute malware disguised as Wallpaper Engine wallpapers, according to security researchers from Kaspersky.
The campaign targets users of Wallpaper Engine, a popular Steam application that allows animated and interactive desktop backgrounds. While most wallpapers are harmless, the software also supports application wallpapers, which are executable Windows applications capable of running code on a user’s system.
Researchers warn that this functionality creates a built-in security risk that attackers have been exploiting since at least late 2025.
Malicious Wallpapers Uploaded to Steam Workshop
The attackers uploaded malicious wallpapers to Steam Workshop and disguised them as legitimate user-created content. Researchers identified dozens of infected application wallpapers, some of which accumulated thousands or even tens of thousands of downloads before being removed.
The malware was either bundled directly inside the wallpaper package or hidden within password-protected archives. In some cases, users were tricked into manually opening the archive, while other payloads could execute automatically when the wallpaper was installed.
One analyzed sample impersonated a game called NTRaholic. The wallpaper appeared to function normally, helping it avoid suspicion, but it secretly installed the DarkKomet backdoor in the background.
Multiple Malware Families Detected
Researchers found several malware families distributed through the malicious wallpapers.
These included the DarkKomet backdoor, the Lumma and Vidar information stealers, cryptocurrency miners, botnet loaders, RanEngine malware, and ransomware payloads.
In one case, attackers used a modified AggregatorHost.dll file to search for Steam account data and steal user credentials.
The wide range of payloads suggests the campaign was designed for multiple objectives, including credential theft, financial fraud, system compromise, and ransomware deployment.
Potential Impact on Victims
Users who install infected wallpapers could face a variety of security risks, including Steam account theft, credential harvesting, unauthorized remote access, cryptocurrency mining abuse, botnet infection, and ransomware attacks.
Researchers noted that application wallpapers are particularly dangerous because users may not realize they are installing executable software rather than simple image-based backgrounds.
Steam Removes Identified Threats
Steam has removed the malicious wallpaper applications identified during the investigation. However, researchers warn that similar malicious uploads are likely to appear again in the future.
Users are advised to download Steam Workshop content only from trusted creators and exercise caution when installing application wallpapers. Security experts also recommend scanning downloaded content with an up-to-date antivirus solution before running it.
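For readers who want to check what is already on disk, the following is an added example, not code from Kaspersky, Steam or Wallpaper Engine. It walks a folder of downloaded Workshop items and flags the traits described above: application wallpapers, executable files, and password-protected archives. It assumes each item folder carries a project.json manifest with a "type" field, and the folder path is supplied by the user.

```python
import json
import sys
import zipfile
from pathlib import Path

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows EXE/DLL."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def has_encrypted_member(path):
    """True if a ZIP archive holds at least one password-protected entry."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False

def audit_item(item_dir):
    """Return the reasons one Workshop item folder deserves a closer look."""
    reasons = []
    # Assumption: project.json with a "type" field describes the wallpaper kind.
    try:
        raw = (item_dir / "project.json").read_text(encoding="utf-8-sig", errors="replace")
        kind = str(json.loads(raw).get("type", "")).lower()
    except (OSError, ValueError, AttributeError):
        kind = ""  # missing or malformed manifest: rely on file checks only
    if kind == "application":
        reasons.append("declared as application wallpaper")
    for f in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        rel = f.relative_to(item_dir).as_posix()
        if is_pe(f):  # checks content, so a renamed .exe is still caught
            reasons.append(f"executable content: {rel}")
        elif zipfile.is_zipfile(f) and has_encrypted_member(f):
            reasons.append(f"password-protected archive: {rel}")
    return reasons

def audit_workshop(root):
    """Map item folder name -> reasons, for every flagged item under root."""
    items = sorted(p for p in Path(root).iterdir() if p.is_dir())
    found = {d.name: audit_item(d) for d in items}
    return {name: why for name, why in found.items() if why}

if __name__ == "__main__" and len(sys.argv) > 1:
    for item, reasons in audit_workshop(sys.argv[1]).items():
        print(item, *reasons, sep="\n  ")
```

A flagged item is not necessarily malicious; it is a candidate for the antivirus scan recommended above before it is run again.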
Meanwhile, researchers have also reported new SprySOCKS malware attacks targeting government organizations, the misuse of Microsoft Teams by Backdoor.Turn malware, and a recently patched Microsoft 365 Copilot SearchLeak vulnerability that could have exposed sensitive emails and enterprise data.
Via BleepingComputer