Malware Found in Wallpaper Engine Steam Workshop Wallpapers
The incident shows that even a legitimate, well-reviewed Steam utility with around 100,000 daily active users can become a vector for malware through user-generated content, and that attackers are refining their methods to bypass platform moderation.
Key Facts
- Attackers exploited Wallpaper Engine's 'application-type wallpaper' feature, which can execute Windows programs, to hide malicious code in wallpaper packages.
- The malware includes information-stealing tools Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor, with China accounting for 89.4% of downloads and Russia for 5.5%.
- Kaspersky believes multiple independent threat actors are behind the attacks, and while the malicious wallpapers were removed by the time of publication, new ones may appear.
Reporting from 3 sources: Automaton, GIGAZINE, Game Spark.
Cybersecurity firm Kaspersky reported on June 16 that it discovered malware embedded in wallpapers for the popular Steam utility Wallpaper Engine. Dozens of infected wallpaper packages were found on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's 'application-type wallpaper' feature, which can execute Windows programs, to sneak in malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.
Kaspersky's Securelist report details the specific mechanics of the attack. One sample from December 2025 functioned as a normal desktop game while deploying the DarkKomet backdoor and installing a modified library to collect Steam account information and hijack logged-in sessions. Attackers could then use the hijacked account to upload more malicious wallpapers to the Steam Workshop.
The malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. The sample images provided by Kaspersky primarily featured anime-style female characters, with titles and art style tailored specifically for China.
Kaspersky advised users to "keep in mind that Steam may not detect everything. We strongly recommend running an antivirus scan before actually applying these wallpapers." The geographic distribution of downloads beyond the primary targets includes Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%).
Synthesized by Yomimono from the 3 cited sources below, including Japanese-language reporting where cited, then editorially reviewed before publishing.