Threat actors are abusing Steam Workshop, Valve’s community hub for downloading game-related content, to push various malware hidden in wallpaper packages.
Infected wallpapers can lead to hijacking Steam accounts, compromising the system with a backdoor, or running cryptomining processes.
Steam Workshop is a built-in content-sharing platform on Valve’s Steam gaming service where users can upload and download community-created content for games and applications.
The content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers.
In a report today, researchers at cybersecurity company Kaspersky say that the attacks abuse the Wallpaper Engine desktop customization application available on Steam, which has nearly a million reviews.
Wallpaper Engine supports four wallpaper types that render videos, interactive scenes, web pages that can play audio and video, and applications, which are active windows from software that Wallpaper Engine sets as the desktop background.
Application wallpapers are executable Windows applications that can include games, desktop widgets, and system monitoring tools. Kaspersky warns that the feature represents a built-in security risk and has been abused to deliver malware to Steam users.
According to the researchers, attackers have been taking advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine.
“We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times,” Kaspersky notes.
Analysis of compromised wallpapers revealed that the malware is bundled either directly in the package or inside password-protected archives that the user is tricked into opening.
The payloads execute automatically the moment the user installs the wallpaper, the researchers say.
Kaspersky tested one of these wallpapers posing as a game called NTRaholic, which launched as expected upon execution to reduce suspicion. However, a backdoor file belonging to the DarkKomet malware family was installed in the background.
A custom version of a system library called ‘AggregatorHost.dll’ was also installed to search for Steam accounts on the computer and steal account credentials.
The researchers found multiple cases involving other malware families, such as the Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains, showing that Wallpaper Engine was abused by multiple threat actors.
While Steam has identified and removed all the malicious wallpaper applications that Kaspersky identified, researchers are warning that threat actors are likely to submit new ones.
Apart from downloading content only from trusted sources, Kaspersky recommends that users scan anything fetched from Steam Workshop using an up-to-date antivirus product.
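As a first-pass check before that scan, the sketch below (an added example, not code from Kaspersky or Valve) walks a folder of downloaded Workshop items and flags the two delivery forms described above: Windows executables shipped in the package and password-protected archives. It assumes each item sits in its own subfolder of a root directory you supply; the item folders `1001` to `1003` and their files are constructed samples.

```python
import io, os, tempfile, zipfile

def is_pe(path):
    """Windows executables and DLLs start with the 'MZ' magic bytes."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def has_encrypted_members(path):
    """True if path is a ZIP with a member flagged as encrypted (flag bit 0)."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(i.flag_bits & 0x1 for i in z.infolist())
    except zipfile.BadZipFile:  # not a ZIP, or too malformed to list
        return False

def triage(root):
    """Return {item_folder: [(finding, relative_path), ...]} for flagged items."""
    report = {}
    for item in sorted(os.listdir(root)):
        item_dir = os.path.join(root, item)
        hits = []
        for dirpath, _, names in os.walk(item_dir):
            for name in names:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, item_dir).replace(os.sep, "/")
                if is_pe(path):
                    hits.append(("executable", rel))
                elif has_encrypted_members(path):
                    hits.append(("encrypted-archive", rel))
        if hits:
            report[item] = sorted(hits)
    return report

def demo():  # builds a constructed sample tree (no real malware) and triages it
    root = tempfile.mkdtemp()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 1  # set encrypted bit in central directory
    files = {"1001/scene.json": b"{}", "1002/bin/game.exe": b"MZ\x90\x00",
             "1003/extras.zip": bytes(raw)}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return triage(root)
```

A hit is a reason to review the item, not a verdict: legitimate application wallpapers also ship executables, and the check matches on file content, so renamed extensions do not hide a file from it.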