Steam Workshop wallpapers found spreading crypto malware

Hackers are sneaking malware into Steam Workshop wallpaper downloads that are capable of stealing crypto wallet information and installing crypto miners.

The wallpaper malware operation, discovered by cybersecurity firm Kaspersky, relies on Wallpaper Engine, one of the many apps available on Valve’s Steam Workshop.

Kaspersky discovered that downloads were being loaded with malware that included “infostealers” such as Lumma and Vidar, and the RenEngine loader.

In the case of the Lumma infostealer, it’s capable of stealing data from crypto wallets and installing further malware that allows it to search for wallet files, browser extensions, and local keys from the likes of MetaMask, Electrum, and Exodus.

The RenEngine loader, meanwhile, has been utilised in pirated game launchers for the likes of Assassin’s Creed, FIFA, and Need For Speed, and is also capable of crypto wallet data extraction.

Kaspersky also noted that some hidden malware was installing crypto miners. This malware would often run unnoticed; however, a tell-tale sign of an illicit crypto miner is often an unusual decrease in computer performance.

Crypto malware wallpaper downloaded by tens of thousands

The infected wallpaper packages had anywhere between thousands and tens of thousands of downloads. 

Kaspersky claims that users from China and Russia were downloading most of them, with users also found in Singapore, Hong Kong, Germany, Vietnam, India and Canada.

The firm believes that the malware, which relied on the legitimacy of Steam Workshop, is likely the work of multiple individual bad actors and not a collective hacking group. 

Steam has reportedly removed all the identified malicious wallpaper packages. 

In 2023, a popular fan-made version of Super Mario Bros was found to have been laced with malware and infostealers that installed miners and stole personal information. 

Last year, it was theorised that the US might be helping actors deploy similar malware against Russian Solana developers in order to disrupt Kremlin-linked ransomware gangs.

In another case from 2025, one group of 16 alleged creators of a malware-as-a-service bot were charged by the US. 

The group allegedly leased the bot to bad actors and helped deploy malware to over 300,000 computers across the globe. They’re believed to have caused $50 million worth of damage.

Legal documents noted that the alleged creators also infected their own PCs both deliberately and accidentally.
