Steam Workshop abused to spread malware via Wallpaper Engine app
Steam Workshop is being abused to distribute malware via the Wallpaper Engine application.
Summary
Threat actors are exploiting Steam Workshop, Valve's content hub, by hiding malware within wallpaper packages for the popular Wallpaper Engine application. These malicious wallpapers can lead to Steam account hijacking, system compromise with backdoors, or cryptomining. Kaspersky researchers discovered numerous such malicious wallpapers, some downloaded tens of thousands of times, which delivered malware families like DarkKomet, Lumma, Vidar, and even ransomware.
Full text
By Bill Toulas, June 16, 2026 02:27 PM

Threat actors are abusing Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages. Infected wallpapers can lead to hijacking Steam accounts, compromising the system with a backdoor, or running cryptomining processes.

Steam Workshop is a built-in content-sharing platform on Valve's Steam gaming service where users can upload and download community-created content for games and applications. The content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers.

Malware in the wallpaper

In a report today, researchers at cybersecurity company Kaspersky say that the attacks abuse the Wallpaper Engine desktop customization application available on Steam, which has nearly a million reviews.

Wallpaper Engine supports four wallpaper types that render videos, interactive scenes, web pages that can play audio and video, and applications, which are active windows from software that Wallpaper Engine sets as the desktop background. Application wallpapers are executable Windows applications that can include games, desktop widgets, and system monitoring tools.

Kaspersky warns that the feature represents a built-in security risk and has been abused to deliver malware to Steam users. According to the researchers, attackers have taken advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine.

"We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times," Kaspersky notes.
[Figure: Malicious wallpaper application. Source: Kaspersky]

Analysis of compromised wallpapers revealed that the malware is bundled either directly in the package or inside password-protected archives that the user is tricked into opening. The payloads execute automatically the moment the user installs the wallpaper, the researchers say.

[Figure: Observed attack flow. Source: Kaspersky]

Kaspersky tested one of these wallpapers posing as a game called NTRaholic, which launched as expected upon execution to reduce suspicion. However, a backdoor file that is part of the DarkKomet malware family was installed in the background. A custom version of a system library called 'AggregatorHost.dll' was also installed to search for Steam accounts on the computer and steal account credentials.

[Figure: Stealing Steam data. Source: Kaspersky]

The researchers found multiple cases involving other malware families, such as the Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains, showing that Wallpaper Engine was abused by multiple threat actors.

While Steam has identified and removed all the malicious wallpaper applications that Kaspersky identified, researchers are warning that threat actors are likely to submit new ones.

Apart from downloading content from trusted sources, Kaspersky recommends that users scan anything fetched from Steam Workshop using an up-to-date antivirus product.
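Since the payloads were found either directly in the package or inside password-protected archives, downloaded items can be triaged for those two traits before an antivirus scan. The following is an added example, not code from Kaspersky, Valve or the article; the function names are hypothetical and it assumes each downloaded item sits in its own subfolder of the directory passed in.

```python
import os
import sys
import zipfile

def is_pe(path):
    """True if the file has a DOS 'MZ' header pointing at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew field
        return f.read(4) == b"PE\x00\x00"

def has_encrypted_entries(path):
    """True if a ZIP's central directory marks any entry as encrypted (flag bit 0)."""
    if not zipfile.is_zipfile(path):
        return False
    try:
        with zipfile.ZipFile(path) as z:
            return any(info.flag_bits & 0x1 for info in z.infolist())
    except zipfile.BadZipFile:
        return False

def audit_items(root):
    """Map each item folder under root to its [(kind, relative_path), ...] findings."""
    findings = {}
    for item in sorted(os.listdir(root)):
        item_dir = os.path.join(root, item)
        if not os.path.isdir(item_dir):
            continue
        hits = []
        for dirpath, _, files in os.walk(item_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, item_dir)
                try:
                    if is_pe(path):
                        hits.append(("pe", rel))
                    elif has_encrypted_entries(path):
                        hits.append(("encrypted-zip", rel))
                except OSError:
                    continue  # unreadable file: skip it, do not abort the audit
        if hits:
            findings[item] = sorted(hits)
    return findings

if __name__ == "__main__":
    # Assumption: argv[1] is a folder holding one subfolder per downloaded item.
    for item, hits in audit_items(sys.argv[1]).items():
        for kind, rel in hits:
            print(f"{item}\t{kind}\t{rel}")
```

A hit is a reason to scan or inspect the item, not a verdict: legitimate application wallpapers also ship executables.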
Indicators of Compromise
- malware — DarkKomet
- malware — Lumma
- malware — Vidar
- malware — RanEngine