
Hackers Abuse Wallpaper Engine to Push Malware Through Steam Community Content


Hackers are once again targeting Steam users, but this time they are not using infected games. Instead, they are hiding malware inside wallpapers shared through Steam Workshop.

Security researchers from Kaspersky found a campaign where malicious files were spread through Wallpaper Engine. The app is one of the most popular tools on Steam for animated and interactive desktop wallpapers, with millions of installs.

The issue comes from how Wallpaper Engine works. Along with normal image and video wallpapers, it also supports “application wallpapers”. These are not simple media files. They are executable programs that run on Windows when applied. This gives attackers a direct way to run code on a user’s PC if they manage to upload a malicious wallpaper.

Researchers found dozens of infected wallpapers on Steam Workshop. Many of them had already been downloaded thousands or even tens of thousands of times before removal. These files were being shared like normal community content, which made detection harder.

Once installed, the wallpapers behave normally. But in the background, they can install malware. Some samples were found delivering the DarkKomet backdoor. Others included infostealers like Lumma and Vidar, which are used to collect login credentials, including Steam account details. In some cases, ransomware and crypto miners were also detected.

The infection method varies. Some wallpapers carry malicious executables or scripts directly inside their packages. Others hide payloads inside password-protected archives. Users are either tricked into opening them, or the content is triggered automatically during installation.

One case involved a wallpaper disguised as a simple game-like experience. While the wallpaper appeared to run normally, it also dropped hidden components in the background. These included a backdoor and tools designed to steal Steam session data and credentials.

After installation, malware components such as modified system libraries were used to locate Steam on the system and extract sensitive information. In some cases, attackers were able to hijack active Steam sessions.

The distribution channel is what makes this campaign notable. Steam Workshop is part of Valve's Steam, a platform most users trust by default. That trust is what attackers are abusing to spread infected content at scale.

After Kaspersky reported the issue, Valve removed the identified malicious wallpapers from Workshop. However, researchers warn that similar uploads can still reappear, since the system relies heavily on user-generated content.

The attacks were also not limited to a single malware family. Different groups appear to be using the same method to spread DarkKomet, infostealers, and other payloads. Most activity was seen targeting users in China and Russia, but other regions, including India, were also affected in smaller numbers.

Security experts suggest users should be careful while downloading wallpapers or mods from Workshop. Even trusted platforms can carry risk when content is uploaded by unknown creators. Antivirus protection and caution before installing executable-based wallpapers can reduce exposure, but cannot fully eliminate the risk.


If you use Wallpaper Engine, the main risk comes from downloading and running content from Workshop without checking it properly. The safest approach is to stick to well-known creators and avoid random uploads that have little history or feedback.

Before applying any new wallpaper, especially from Workshop, it is a good idea to scan the downloaded files with a trusted antivirus tool. Keeping real-time protection enabled can also help detect suspicious activity if something slips through.
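A triage pass to run before the antivirus scan, added here as an example and not taken from Kaspersky, Valve or Wallpaper Engine: it walks a downloaded Workshop item folder and flags the package contents described above (executables, scripts, password-protected archives). The folder path is supplied by the user; the extension list and the sample files are constructed assumptions.

```python
import io, os, struct, tempfile, zipfile
from pathlib import Path

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".hta", ".lnk"}  # assumed list

def is_pe(data):  # MZ header whose e_lfanew field points at "PE\0\0"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\0\0"

def has_encrypted_member(path):  # ZIP general-purpose flag bit 0 = encrypted
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(i.flag_bits & 0x1 for i in z.infolist())

def triage(root):  # returns {relative path: [reasons]} for files to inspect
    flagged = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path, reasons = os.path.join(folder, name), []
            with open(path, "rb") as f:
                if is_pe(f.read(4096)):  # content check catches a renamed .exe
                    reasons.append("pe-executable")
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script")
            if has_encrypted_member(path):
                reasons.append("encrypted-archive")
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged

def make_sample(root):  # constructed sample package: harmless stubs only
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.txt", b"x")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= 1  # set encryption bit in central directory
    files = {"preview.jpg": pe, "run.bat": b"rem", "extra.zip": bytes(raw), "clip.mp4": b"media"}
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(make_sample(tmp)))
```

A flag is a reason to inspect, not a verdict: application wallpapers are executables by design, so the stronger signal is an executable, script or encrypted archive inside an item that presents itself as an image or video wallpaper.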

If you recently installed Wallpaper Engine content from Steam Workshop and something feels unusual, you should treat it as a possible compromise. First, disconnect your PC from the internet for a short time. This can stop further data from being sent out.

Next, run a full system scan using a trusted antivirus. Do not rely only on quick scans. A full scan is needed because these threats often hide in system folders and background processes.

You should also immediately change your Steam password from a clean device, not the infected PC. Enable Steam Guard if it is not already on, and log out of all active sessions from Steam account settings.


Deepanker Verma

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known security researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
