While cybersecurity measures have improved over the years, cybercriminals continue to find new ways to distribute malware. Kaspersky recently revealed an ongoing campaign that abuses Steam Workshop and Wallpaper Engine to distribute malicious files, with the aim of stealing Steam accounts and deploying additional malware on victims’ systems.
According to the cybersecurity company, researchers have identified multiple malicious wallpaper packages that have amassed thousands of downloads. Most victims come from China and Russia, although researchers have also noted some cases in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.

For those unfamiliar, Steam Workshop is a platform that allows users to share and download community-created content for games and applications on Steam. This content can range from custom maps and mods to in-game items and wallpapers. Meanwhile, Wallpaper Engine lets users customise their desktop backgrounds using images, videos, webpages, and interactive scenes.
According to Kaspersky, attackers can abuse Wallpaper Engine as a malware delivery vector because it allows executable programmes to run directly on a user’s Windows PC. This allows attackers to disguise malicious software as legitimate content. The cybersecurity company also identified dozens of infected wallpaper packages on Steam Workshop, many of which had accumulated thousands or even tens of thousands of downloads.

The report details two main methods of delivering the malware. In some cases, attackers bundle executable files, DLLs, and scripts directly into the wallpaper package. In others, they hide the malware inside password-protected archives, with the passwords stored in archive names or configuration files. Once Wallpaper Engine installs and loads the infected wallpaper, it executes the malicious components on the system.
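A defender-side check for the two delivery methods described above, as an added example that is not taken from Kaspersky's report: it walks an unpacked wallpaper package and flags PE binaries (by header rather than extension), scripts, and encrypted or uninspectable archives. The script extension list and the finding labels are assumptions, and a hit means the item needs review, since some wallpaper types legitimately ship executables.

```python
import os
import sys
import zipfile

# Assumption: script types worth flagging. Web wallpapers legitimately ship
# .js/.html, so those are left out to avoid noise.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".hta"}
# Magic bytes of archive formats this sketch cannot open with the stdlib.
OPAQUE_ARCHIVES = {b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}


def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:2] == b"MZ":
        # PE header: catches EXE and DLL files even when renamed.
        return "pe-binary"
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return "script"
    for magic, kind in OPAQUE_ARCHIVES.items():
        if head.startswith(magic):
            return kind + "-archive"
    if zipfile.is_zipfile(path):
        try:
            with zipfile.ZipFile(path) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                if any(i.flag_bits & 0x1 for i in zf.infolist()):
                    return "encrypted-zip"
        except zipfile.BadZipFile:
            return "unreadable-zip"
    return None


def scan_package(root):
    """Walk one wallpaper package directory; map relative path -> finding."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            finding = classify(full)
            if finding:
                findings[os.path.relpath(full, root)] = finding
    return findings


if __name__ == "__main__":
    # Usage: python scan_wallpaper.py <path to an unpacked wallpaper package>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in sorted(scan_package(root).items()):
        print(f"{finding:15} {rel}")
```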
The cybersecurity company shared sample wallpapers discovered in December 2025. On the surface, they appeared and functioned legitimately. However, without the user’s knowledge, the wallpaper had already activated the DarkKomet backdoor and installed a modified library designed to harvest Steam account information and hijack active Steam sessions.
Kaspersky also mentioned that the Securelist blog has more detailed information on how these attacks are carried out, as well as examples of infected wallpapers. It is also worth noting that some of the infected items and mods appear to feature adult-themed content. Kaspersky’s reporting does not explain this pattern, but attackers may intend it to increase the likelihood of users clicking on or downloading the content, so users should exercise caution when interacting with such files.
The company believes the attack likely involves multiple independent actors rather than a single group, and the malware spans multiple families. Researchers identified infostealers such as Lumma and Vidar, alongside the RenEngine loader distributed through malicious wallpapers.
The firm recommends exercising caution when downloading apps, even from trusted sources. If users need to download an app, they are advised to verify its reputation and ensure it comes from legitimate developers.
(Source: Kaspersky)




