
Researchers at Kaspersky have uncovered dozens of malicious wallpapers distributed through Steam Workshop that were designed to steal Steam accounts and infect systems with malware.
The campaign abuses Wallpaper Engine, a popular Steam application for animated desktop backgrounds, and has already affected thousands of users, primarily in China and Russia.
Kaspersky researchers identified multiple malicious “application wallpapers” uploaded to Steam Workshop that contained embedded malware. Unlike standard video or animated wallpapers, application wallpapers can execute standalone Windows programs, creating an opportunity for attackers to run malicious code directly on victims' systems.
Wallpaper Engine is one of Steam's most popular customization tools, allowing users to create and share animated desktop wallpapers. The application supports video-based wallpapers, interactive scenes, web-based wallpapers, and application wallpapers that can run third-party software as part of the desktop experience. According to Kaspersky, the latter category has become an attractive distribution channel for cybercriminals because it enables executable code to be shared via Steam Workshop.

The researchers found dozens of malicious wallpaper packages that collectively accumulated thousands, or even tens of thousands, of downloads before being removed. Attackers used several methods to conceal malware within these packages. In some cases, the wallpaper archive contained malicious executables, DLLs, or scripts alongside the legitimate wallpaper files. Other samples stored malware inside password-protected archives, with the password either displayed in the archive name itself or embedded in JSON configuration files included with the wallpaper.
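A defender-side triage pass over one downloaded wallpaper folder, covering the concealment methods described above. This is an added example, not Kaspersky's tooling or code from the report. It assumes the item declares its kind in a `project.json` file under a `type` key, and the extension lists are illustrative choices.

```python
import json
import zipfile
from pathlib import Path

# Extension sets are this example's assumptions, not a list from the report.
EXECUTABLE = {".exe", ".dll", ".scr", ".com"}
SCRIPT = {".bat", ".cmd", ".ps1", ".vbs", ".hta"}
ARCHIVE = {".zip", ".7z", ".rar"}


def encrypted_members(path):
    """Names of ZIP members with the 'encrypted' flag (general-purpose bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except (zipfile.BadZipFile, OSError):
        return []  # not a readable ZIP: the caller still reports the archive


def triage_wallpaper(item_dir):
    """Return sorted (relative_path, reason) findings for one workshop item."""
    root = Path(item_dir)
    findings = []
    # Assumption: the item's kind is declared in project.json under "type".
    try:
        manifest = json.loads((root / "project.json").read_text(encoding="utf-8"))
        kind = manifest.get("type", "") if isinstance(manifest, dict) else ""
        if str(kind).lower() == "application":
            findings.append(("project.json", "application wallpaper"))
    except (OSError, ValueError):
        findings.append(("project.json", "manifest missing or unreadable"))
    for f in root.rglob("*"):
        if not f.is_file():
            continue
        rel, ext = f.relative_to(root).as_posix(), f.suffix.lower()
        if ext in EXECUTABLE:
            findings.append((rel, "executable or DLL"))
        elif ext in SCRIPT:
            findings.append((rel, "script"))
        elif ext in ARCHIVE:
            # Only ZIP encryption is checked here; 7z/rar are listed for manual review.
            locked = encrypted_members(f) if ext == ".zip" else []
            reason = "password-protected archive" if locked else "nested archive"
            findings.append((rel, reason))
    return sorted(findings)
```

A finding is a prompt for closer inspection rather than a verdict, since application wallpapers contain an executable by design.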
One of the samples analyzed by Kaspersky appeared to be a harmless game-themed wallpaper uploaded in December 2025. When launched, the wallpaper displayed a fully functional desktop game and showed no visible signs of malicious activity. However, the wallpaper simultaneously executed malware in the background.
The wallpaper dropped a backdoor named Synaptics.exe, identified as part of the DarkKomet malware family, onto the victim's machine. At the same time, an executable launched the legitimate game while installing a modified version of AggregatorHost.dll, a Windows library that had been altered to include malicious functionality.

The trojanized DLL searched the system for Steam processes and attempted to harvest account credentials and session data. Kaspersky found that the malware then hijacked active Steam sessions and transmitted the collected information to a command-and-control server.
Once attackers gained access to a victim's active Steam session, they could take over the account and potentially use it to distribute additional malicious wallpapers through Steam Workshop, further expanding the campaign.
Kaspersky's analysis suggests the activity is not linked to a single threat actor. Instead, multiple independent groups appear to be exploiting the same distribution method. The researchers observed a wide range of malware families embedded within malicious wallpapers, including infostealers, backdoors, cryptocurrency miners, ransomware, and botnet loaders.
Among the threats identified were DarkKomet, Lumma Stealer, Vidar, and the RenEngine loader.
Researchers noted that while the campaign currently appears focused on Chinese-speaking gamers, the technique could easily be adapted to target users worldwide.
By the time Kaspersky published its report, Valve had removed the identified malicious wallpapers and associated links from Steam Workshop. However, the researchers warned that new malicious uploads continue to appear, requiring ongoing vigilance.






