Key Highlights
- Attackers have been using Steam Workshop since late 2025 to spread malware hidden inside Wallpaper Engine wallpapers.
- The malware can steal Steam accounts and secretly install crypto miners, backdoors, and other malicious tools.
- Thousands of users downloaded infected wallpapers, with victims found mainly in China and Russia, as well as several other countries.
Attackers have been spreading malware through Steam Workshop since late 2025, targeting gamers worldwide, especially in China and Russia, according to researchers at cybersecurity firm Kaspersky.
In a report released on Tuesday, the firm said the attackers embedded malicious code inside Wallpaper Engine wallpapers to steal accounts and deploy crypto miners and backdoors through normal-looking downloads without users noticing.
Kaspersky said it discovered dozens of infected wallpaper packages circulating on Steam Workshop. Many of these files were downloaded thousands, and in some cases tens of thousands, of times before being detected and removed.
The attacks mainly targeted users in China and Russia, but infections were also found in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. At first glance, the wallpapers looked normal and worked like any other user-made content, which helped them spread widely without raising suspicion.
How attackers hid malware inside wallpaper files
The attackers used two main methods to deliver malware:
- In the first method, they bundled harmful files such as EXE programs, DLL libraries, and scripts directly inside the wallpaper package.
- In the second method, they hid malware inside password-protected archives. The password was often placed in the file name or in configuration files, so the archive could be unlocked automatically or users could be tricked into opening it.
Once the wallpaper is installed or activated, the hidden code runs automatically in the background.
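A defender can check locally downloaded Workshop items for both delivery methods described above. The following is an added example, not code from Kaspersky or Wallpaper Engine; it assumes Wallpaper Engine items sit under Steam's Workshop content folder for app ID 431960 and that each item's project.json has a "type" field, and the labels it reports are made up for this sketch.

```python
import json
import sys
import zipfile
from pathlib import Path

# Assumed layout: <library>/steamapps/workshop/content/431960/<item id>/,
# each item holding a project.json whose "type" field names the wallpaper kind.
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".hta", ".lnk"}
BINARY_EXT = {".exe", ".dll", ".scr", ".com"}
ARCHIVE_MAGIC = (b"PK\x03\x04", b"Rar!", b"7z\xbc\xaf")


def declared_type(pkg: Path) -> str:
    try:
        return str(json.loads((pkg / "project.json").read_text("utf-8"))["type"]).lower()
    except (OSError, ValueError, KeyError, TypeError):
        return "unknown"


def zip_is_encrypted(path: Path) -> bool:
    """True if any ZIP entry has the encryption flag set; RAR/7z are not parsed."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(i.flag_bits & 0x1 for i in z.infolist())
    except (zipfile.BadZipFile, OSError):
        return False


def audit_package(pkg: Path) -> list:
    kind, findings = declared_type(pkg), []
    for f in sorted(p for p in pkg.rglob("*") if p.is_file()):
        with f.open("rb") as fh:
            head = fh.read(4)
        ext, rel = f.suffix.lower(), f.relative_to(pkg).as_posix()
        if head[:2] == b"MZ" or ext in BINARY_EXT:
            # Programs are only expected in application-type wallpapers.
            findings.append((rel, "binary" if kind == "application" else "unexpected-binary"))
        elif ext in SCRIPT_EXT:
            findings.append((rel, "script"))
        elif head in ARCHIVE_MAGIC:
            findings.append((rel, "encrypted-archive" if zip_is_encrypted(f) else "archive"))
    return findings


def audit_workshop(root: Path) -> dict:
    return {d.name: r for d in sorted(root.iterdir()) if d.is_dir() and (r := audit_package(d))}


if __name__ == "__main__":
    print(audit_workshop(Path(sys.argv[1])))
```

The check reads each file's first bytes as well as its extension, so a renamed program or archive is still reported; a finding is a reason to inspect the item, not proof that it is malicious.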
A simple game that secretly stole Steam accounts
Kaspersky described a case uncovered in December 2025 in which a wallpaper launched a simple mini-game that appeared to work normally.
However, behind the scenes, it installed a backdoor called Synaptics.exe, linked to the DarkKomet malware family. At the same time, it modified system components to track Steam activity and steal login sessions. This allowed attackers to take over accounts while users continued playing or using their computers normally.
The campaign involved multiple threat actors, not a single group. Different malware types were detected, including Lumma and Vidar infostealers and RenEngine loaders. In some cases, infected systems also showed signs of crypto mining activity, which slows down computers and increases power usage.
“Attackers abuse Steam Workshop to distribute malware disguised as desktop wallpapers, leading to infections and account theft,” the researchers said. Infected systems could suffer stolen Steam accounts, crypto mining activity, or even ransomware-like behavior affecting performance and files.
Why the Steam Workshop became an easy target
Steam Workshop allows users to publish mods, wallpapers, and tools that other players can download directly inside the Steam platform. Because of its open sharing system, content spreads quickly once it is uploaded.
Wallpaper Engine supports different formats, including videos, scenes, web pages, and application-based wallpapers, which are Windows programs running in the background. This structure makes it easy for creators to share content, but also creates opportunities for hidden code to spread.
Once a malicious wallpaper is uploaded, it can remain visible until reported or removed, allowing repeated downloads across multiple countries and users over time. The campaign is also similar to IronWorm, an advanced malware that was recently discovered targeting developers.
