← all stories

Wallpaper Engine

Wallpaper Engine is removing all application-type wallpapers from the Steam Workshop after Kaspersky reported malware embedded in those files. Users have a one-week grace period ending July 7 to back up their files.

Synthesized from 2 Yomimono stories · updated Jul 1

In June 2026, the Steam utility Wallpaper Engine became the target of a coordinated malware campaign. Cybersecurity firm Kaspersky reported on June 16 that it had discovered several dozen infected wallpaper packages on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's application-type wallpaper feature, which can execute Windows programs, to bundle malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware included information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.

On June 30, the Wallpaper Engine team responded by announcing that it will delete all application-type wallpapers from the Steam Workshop, citing security risks. The feature, which allowed .exe files to run as wallpapers, accounted for only 0.5% of total wallpapers. Users have a one-week grace period to back up files. The removal eliminates a legacy feature that had become a vector for malware, affecting a very small portion of the user base but addressing a security controversy that drew significant attention.

Key facts

Malware discovery date
June 16, 2026
Number of infected wallpaper packages
Several dozen
Malware types found
Lumma, Vidar, RenEngine loader, DarkKomet backdoor
Primary target region
China (89.4% of downloads)
Removal announcement date
June 30, 2026
Percentage of wallpapers affected by removal
0.5% of total wallpapers
Grace period for backup
One week

Timeline

Synthesized by Yomimono from the cited Yomimono stories below, each itself sourced, then editorially reviewed. Every fact links the story it came from.

Facts

Announced
will delete all application-type wallpapers from the Steam Workshop · 2026-07-01
Noted
Malware Found in Wallpaper Engine Steam Workshop Wallpapers · 2026-06-17

Structured graph also available as JSON at /public/entities/wallpaper-engine. CC BY 4.0.

All coverage

Jul 1

Wallpaper Engine To Remove Application-Type Wallpapers After Malware Reports

The Wallpaper Engine Team announced on June 30 that it will delete all application-type wallpapers from the Steam Workshop within about a week, following reports of malware in the format. The decision comes after cybersecurity firm Kaspersky reported on June 16 that dozens of application-type wallpapers on the Steam Workshop contained malware, with each downloaded thousands or tens of thousands of times. Application-type wallpapers, which allow creators to run executable (.exe) files as wallpapers, account for only 0.5% of all wallpapers on the platform, and the number of affected users is very small. The team explained that the application type was a legacy feature from the software's early development, inspired by Android sideloading, and was hidden by default with a warning screen. Development has since progressed with built-in editors and SceneScript, a JavaScript-based language that can handle events like time and mouse clicks, making custom executables unnecessary. The team stated that the risks of maintaining the application type now outweigh its benefits. Users who wish to keep their application-type wallpapers can back them up locally before the deletion. The removal applies only to the Steam Workshop; users can still create application-type wallpapers on their own.

Jun 17

Malware Found in Wallpaper Engine Steam Workshop Wallpapers

Cybersecurity firm Kaspersky reported on June 16 that it discovered malware embedded in wallpapers for the popular Steam utility Wallpaper Engine. Dozens of infected wallpaper packages were found on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's 'application-type wallpaper' feature, which can execute Windows programs, to sneak in malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.