Attackers use Steam Workshop to spread malware through Wallpaper Engine

Security Reporter

Kaspersky researchers found attackers using Wallpaper Engine packages on Steam Workshop to install backdoors, infostealers and miners on Windows PCs. Users should treat application wallpapers like software downloads and scan Workshop content before they run it.

Kaspersky researchers said June 16 that attackers used Valve's Steam Workshop to deliver malware through Wallpaper Engine packages.

Attackers target Windows users who install application wallpapers, a Wallpaper Engine feature that lets users run executable apps as desktop backgrounds. Kaspersky linked the campaign to account theft, backdoor installation, cryptomining and ransomware attempts.

Malicious wallpaper application

Valve runs Steam Workshop as a content hub for Steam users. Players and creators use it to publish mods, maps, skins, save files, tools and wallpapers. Wallpaper Engine extends that model to desktop customization, and its Steam page shows broad adoption among Windows users.

Kaspersky researchers said attackers uploaded malicious wallpaper packages to Steam Workshop from at least late 2025. Users installed those wallpapers through Wallpaper Engine, and Windows ran the embedded payloads after installation.

The risk comes from application wallpapers. Wallpaper Engine users can choose video wallpapers, interactive scenes, web content and application wallpapers. Application wallpapers use executable Windows programs, which gives attackers a direct path to run code if they can persuade users to install a package.

Kaspersky found malware inside the wallpaper package or inside password-protected archives that attackers asked users to open. That password trick can help attackers dodge automated scanning because security tools cannot inspect the archive without the password.

In one case, Kaspersky tested a wallpaper that posed as a game called NTRaholic. The game opened as expected, which helped hide the infection. At the same time, attackers installed a DarkKomet backdoor and placed a modified AggregatorHost.dll file on the system.

Kaspersky said the modified library searched the computer for Steam accounts and stole account credentials. That gives attackers a way to hijack Steam accounts, drain inventories, abuse payment details or use the account to spread more malicious content.

The researchers saw more than one malware family. Attackers used Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine and ransomware strains. That mix points to several groups using the same delivery route rather than one malware crew running one campaign.

Valve removed the malicious wallpaper applications Kaspersky reported. Users should expect attackers to upload replacement packages because Steam Workshop gives them access to a large audience and a trust signal that random download sites lack.

Security teams should treat this as a software supply chain issue at the user endpoint. A user who installs Workshop content has installed code from a creator account that may have no vetting, no build chain and no accountability.

Home users should avoid Wallpaper Engine application wallpapers from unknown creators. If they install Workshop content, they should scan the files with a current antivirus tool before they run them and avoid password-protected archives that arrive inside wallpaper packages.

Steam users should enable Steam Guard, use a unique password and watch for inventory trades or login alerts they did not initiate. Anyone who installed a suspicious wallpaper should revoke active Steam sessions, change the account password from a clean device and scan the Windows system.

Administrators who manage gaming PCs, labs or shared workstations should block untrusted executable content from Steam library paths where possible. Endpoint teams should monitor for unusual child processes launched from Wallpaper Engine directories and watch for credential theft tools such as Lumma or Vidar.
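An added example, not taken from Kaspersky's report or written by this article's author: a Python triage pass over a Workshop content folder that lists files carrying a Windows PE header and ZIP archives whose entries are marked encrypted, the two package traits described above. The folder path is supplied by the caller (Workshop downloads usually sit under `steamapps\workshop\content\<app id>` in the Steam library) and the finding labels are this example's own; RAR and 7-Zip files are flagged by signature only, not opened.

```python
import os
import struct
import sys
import zipfile

OPAQUE_MAGIC = (b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")  # RAR / 7-Zip signatures

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew
        return f.read(4) == b"PE\x00\x00"

def zip_encrypted(path):
    """True if any member's general-purpose flag has bit 0 (encrypted) set."""
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def classify(path):
    """Return a finding label (names chosen for this example) or None."""
    if is_pe(path):  # extension is ignored: a renamed .exe/.dll still matches
        return "executable"
    if zipfile.is_zipfile(path):
        return "encrypted-zip" if zip_encrypted(path) else None
    with open(path, "rb") as f:
        if f.read(6).startswith(OPAQUE_MAGIC):
            return "archive-not-inspected"
    return None

def triage(root):
    """Walk a Workshop content folder; return sorted (relative path, label)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                label = classify(full)
            except (OSError, zipfile.BadZipFile):
                label = "unreadable"  # locked, vanished or corrupt file
            if label:
                findings.append((os.path.relpath(full, root), label))
    return sorted(findings)

if __name__ == "__main__":
    for rel, label in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:22} {rel}")
```

Every hit is a file to hand to the antivirus scan before the wallpaper runs; an encrypted archive inside a wallpaper package matches the password trick described earlier.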

Kaspersky's report shows how attackers abuse a feature that users treat as cosmetic. Application wallpapers run code. Steam Workshop gives attackers distribution. Users and defenders need to treat those downloads with the same caution they apply to any Windows executable.
