PROBABLYPWNED
Malware · June 16, 2026 · 4 min read

Steam Workshop Wallpapers Spread Infostealers, Backdoors

Kaspersky uncovers malware campaign using Wallpaper Engine's Steam Workshop to distribute DarkKomet, Lumma, and Vidar. China-focused attacks stole Steam accounts and deployed cryptominers.

James Rivera

Attackers have weaponized Steam Workshop to distribute infostealers, backdoors, and cryptominers through malicious desktop wallpapers, according to research published by Kaspersky. The campaign targets users of Wallpaper Engine, a popular Steam application with tens of millions of users that renders animated desktop backgrounds.

The operation has been active since late 2025, with China accounting for 89% of malicious downloads. Researchers identified dozens of infected wallpaper packages, each accumulating thousands of downloads before removal.

How the Attack Works

Wallpaper Engine includes a feature called "application wallpapers"—essentially executable Windows applications that render as desktop backgrounds. Attackers exploited this functionality to bundle malware directly into wallpaper packages distributed through Steam Workshop.

Kaspersky documented two primary distribution methods. In the first approach, wallpaper archives contain executable files alongside legitimate assets. A launcher file simultaneously displays the expected wallpaper while silently installing malware in the background. Users see what they downloaded—anime-themed wallpapers, game scenes, abstract visuals—while backdoors and credential stealers establish persistence.

The second method uses password-protected archives. Credentials are hidden within the archive filename or embedded in JSON configuration files, adding a layer of obfuscation. Once users extract the contents using the provided password, payloads execute automatically.

Malware Arsenal

The campaign deployed multiple malware families across different wallpaper packages:

  • DarkKomet: A remote access trojan providing full system control
  • Lumma and Vidar: Commercial infostealers that harvest browser credentials, cryptocurrency wallets, and session tokens
  • RenEngine: A loader capable of deploying additional payloads
  • Cryptominers and ransomware: Secondary payloads dropped after initial compromise

One particularly dangerous component was a modified system library named AggregatorHost.dll. This DLL specifically targeted Steam installations, locating the application on victim systems and extracting account credentials. Active Steam sessions could be hijacked without requiring password theft, enabling immediate account takeover.

Vidar has proven especially versatile for attackers—we covered a separate campaign last week where Vidar spread through fake TikTok and Instagram tutorials promising free Spotify Premium access.

Geographic Targeting

Steam users in China bore the brunt of this campaign, representing 89% of infections. Russia followed at 5.5%, with smaller victim pools in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. The heavy China focus suggests either deliberate targeting or that specific wallpaper themes popular in the region were weaponized.

This isn't the first time gaming platforms have been abused for malware distribution. Earlier this month, researchers documented a WordPress malware campaign that used Steam profiles for command-and-control communication, hiding instructions within profile metadata using Unicode obfuscation.

Detection and IOCs

Kaspersky detects the malicious payloads under multiple signatures including HEUR:Trojan-PSW.Win32.gen, HEUR:Backdoor.Win32.DarkKomet, and Trojan-Dropper.Python.Agent. The researchers published 13 file hashes, 7 command-and-control server addresses, and 14 malicious Steam Workshop URLs in their technical report.

One identified C2 server operated at 120.48.156[.]17, hosting a PHP-based control panel. Payloads were also distributed via Dropbox and Google Drive links embedded within wallpaper packages.

Protecting Yourself

Steam has removed the identified malicious wallpapers, but the underlying exposure remains: Wallpaper Engine's application wallpaper feature runs executable code by design, a capability the researchers described as presenting "a security risk."

For users of Wallpaper Engine:

  1. Scan existing wallpapers with updated antivirus software
  2. Avoid executable wallpapers from unknown creators
  3. Check download counts and reviews before installing Workshop content
  4. Monitor for unexpected processes spawned after wallpaper installation
  5. Review Steam login history for unauthorized sessions
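The two packaging patterns described above (executables shipped beside the wallpaper assets, and password-protected archives whose password sits in the filename or a JSON config) plus the "scan existing wallpapers" step in the checklist can be turned into a quick offline triage of a Workshop content directory. The script below is an added example, not code from Kaspersky or from Wallpaper Engine; it assumes each Workshop package is a directory containing a project.json whose "type" field reads "application" for application wallpapers, and it builds a constructed sample directory to run against.

```python
import json
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs"}  # assumed triage list
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
PASSWORD_HINTS = ("pass", "pwd")  # catches "password", "pass1234", "pwd" in names and keys

def triage_package(pkg_dir):
    """Return findings (strings) for one Workshop package directory; empty means nothing flagged."""
    pkg, findings = Path(pkg_dir), []
    for path in sorted(p for p in pkg.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(pkg).as_posix(), path.suffix.lower()
        if ext == ".json":
            try:
                data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
            except ValueError:
                data = {}
            data = data if isinstance(data, dict) else {}
            # project.json declares the wallpaper type; "application" means the package ships code that runs.
            if path.name == "project.json" and str(data.get("type", "")).lower() == "application":
                findings.append("application wallpaper (runs native code): " + rel)
            # Any JSON file carrying a password-like key may be unlocking a bundled archive.
            findings += [f"password-like key '{k}' in {rel}" for k in data if any(h in k.lower() for h in PASSWORD_HINTS)]
        elif ext in EXEC_EXTS:
            findings.append("executable content: " + rel)
        elif ext in ARCHIVE_EXTS:
            hinted = any(h in path.stem.lower() for h in PASSWORD_HINTS)
            findings.append(("archive with password hint in name: " if hinted else "bundled archive: ") + rel)
    return findings

def triage_workshop(content_root):
    """Map package id -> findings for every package under content_root that has any."""
    pkgs = sorted(p for p in Path(content_root).iterdir() if p.is_dir())
    return {p.name: f for p in pkgs if (f := triage_package(p))}

def build_sample():
    """Constructed fixture (not real Workshop data): one benign scene package, one suspicious application package."""
    root = Path(tempfile.mkdtemp(prefix="workshop_"))
    files = {
        "100000001/project.json": json.dumps({"type": "scene", "file": "scene.pkg"}).encode(),
        "100000002/project.json": json.dumps({"type": "application", "file": "launcher.exe"}).encode(),
        "100000002/launcher.exe": b"MZ" + b"\x00" * 14,
        "100000002/assets_pass1234.zip": b"PK\x03\x04",
        "100000002/config.json": json.dumps({"archive_password": "constructed"}).encode(),
    }
    for rel, blob in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(blob)
    return root
```

Point `triage_workshop()` at the real Workshop content directory for Wallpaper Engine to get a per-package list of items worth a closer look; a flagged package is a prompt for antivirus scanning and process review, not a verdict on its own.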

This attack vector echoes similar abuse of browser extension marketplaces. Just last week, 152 Chrome "live wallpaper" extensions were caught harvesting user data and faking organic search traffic—a reminder that any platform allowing user-generated executable content presents supply chain risks.

Why This Matters

Steam Workshop hosts millions of user-created items across thousands of games and applications. While Valve reviews submissions for obvious policy violations, the platform cannot feasibly sandbox every executable package. Users effectively trust that Workshop contributors aren't distributing malware.

The same trust model that makes platforms like Steam Workshop valuable also makes them attractive for abuse. With Wallpaper Engine's 35+ million users on Steam, even a small percentage of infections translates to significant victim counts. The 89% concentration in China—despite Steam's global reach—suggests this was a targeted operation, not opportunistic distribution.

For gamers and organizations with gaming-related applications in their environments: treat Workshop downloads with the same scrutiny you would any third-party software. The pretty animated wallpaper might come with an unwanted backdoor.
